Ensure that shared access signature tokens expire within an hour

Aditya Kota 1 Reputation point
2020-06-02T16:50:22.717+00:00

I want address a CIS control 3.4 Ensure that shared access signature tokens expire within an hour

Additional info the control

https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Azure_Foundations_Benchmark_v1_1_0.pdf

Control number 3.4.

I was hoping to address this recommendation to create a stored access policy on the blob container with dynamic values for date and time variables or i am open to any other ideas. Also realized when researching this that SAS tokens are not logged in the Azure Activity

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
527 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. JamesTran-MSFT 36,536 Reputation points Microsoft Employee
    2020-06-02T23:42:21.857+00:00

    Hi anonymous user

    Thank you for the recommendation!

    When generated a SAS token within the portal you can also assign a specific "start and expiry date/time", which should make it easier for users to manage expiration times.

    Within the Activity Logs, I noticed that the "generating" of the actual SAS token wasn't logged either. However, since the SAS token is issued to specific users for certain actions such as "read, write, delete, create, etc...", the actions performed by the user using the SAS token should be logged within the activity logs.

    Please let me know if you have any other questions.

    Thank you!

    ----------

    Additional Links:
    Activity Logs

    0 comments No comments

  2. Aditya Kota 1 Reputation point
    2020-06-03T14:22:38.263+00:00

    Thanks James!

    We can educate users to generate SAS tokens for that duration but i was thinking if there is policy that is governing this process it would be ideal for an enterprise to adhere to framework such as CIS.

    So, based on your response there isnt way to generate Stored access policies dynamically? or is there any other way to achieve this SAS token duration limit?