Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,537 questions
Hello Hari Krishna,
I understand that you would like to know the maximum time to limit the SAS URL expiry date.
Creating SAS tokens with extended expiration periods, such as 10 years, may pose security risks and challenges. Although longer expiration durations can offer convenience, they also expand the attack surface and heighten the potential consequences of a compromised token. Please be informed that if a SAS token with a long expiration time (like 10 years) means that if the token is compromised, an attacker could potentially have access to your Azure resources for a very long time. This increases the risk of unauthorized access.
Creating SAS tokens with a validity period exceeding six months or a year is typically regarded as less secure due to various security concerns.
Security Concerns Associated with Extended Lifespan SAS Tokens:
- A longer expiration time means that if a SAS token is compromised, the attacker has a longer period to exploit that access. This increases the risk of unauthorized access to your Azure resources.
- If you need to revoke access (for example, if a user leaves the organization or if a security incident occurs), it can be more challenging with long-lived tokens. You would need to regenerate the SAS token and update all clients using it, which can be cumbersome.
- Tokens with extended lifespans may result in misuse if not adequately managed. For instance, if a developer embeds a SAS token directly into an application, there is a risk that the token could be revealed in logs or within version control systems.
I understand that you have established a secure configuration for your Landing Zone Resources by disabling public network access and activating private endpoints. It is important to note that utilizing distinct storage account SAS URLs or tokens within the web application is a commendable practice for facilitating secure data transfer and communication. This method effectively limits access to authorized clients and office personnel, thereby improving the overall security of your web applications and sites.
- Grant only the necessary permissions to the SAS token. Avoid granting excessive permissions that are not required by the application. Use the shortest possible expiry time that meets your application's needs. For most scenarios, expiry times ranging from a few hours to a few days are sufficient.
- Regularly rotate SAS tokens to minimize the impact of compromised tokens. Store and manage SAS tokens securely. Avoid hardcoding tokens in your application code or storing them in insecure locations.
If you have any particular inquiries or require additional clarification on this matter, please do not hesitate to reach out.
References:
Manage storage account access keys: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
Hope the above answer helps! Please let us know do you have any further queries.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)