@Daniel Avadanei If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
It is not possible to get the list of SAS URLs because they are not stored anywhere in Azure Storage.
Is there a way to pull what SAS keys are being used to access a Storage Account?
You enabled the Azure activity log, which logs the management plane operations, for example, creating a storage account or updating a property of a storage account. It doesn’t help you when you try to analyze the data requests to the storage account. You should use Storage analytics logs: https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=/azure/storage/blobs/toc.json
However, I don’t see the direct solution to figure out the actual SAS token and the mapping with SAS policy.
There are two upcoming features that might address general concerns on SAS. One is that we are adding a hash of the SAS in the new logging integration with Azure Monitor. Another is that we are going to add a SAS expiry policy to warn when the expiry is longer than the configured time.
Note: When creating a SAS, specify only those permissions that are required by the client to perform its function. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.
If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
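As an added example (not part of the answer above and not Microsoft's code), this sketch reads Storage Analytics log lines and counts SAS-authenticated requests per stored access policy or ad hoc expiry and per client IP. It assumes log format 1.0 field positions and that the logged request URL keeps the SAS query parameters with the signature masked; the sample lines are constructed and omit the trailing fields.

```python
import csv
import html
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Storage Analytics log format 1.0 (not real traffic).
# Fields after request-version-header are omitted for brevity.
SAMPLE_LOG = """\
1.0;2024-03-01T10:00:01.0000000Z;GetBlob;SASSuccess;200;20;18;sas;;examplestore;blob;"https://examplestore.blob.core.windows.net/docs/a.txt?sv=2022-11-02&amp;sr=c&amp;si=readers&amp;sig=XXXXX";"/examplestore/docs/a.txt";00000000-0000-0000-0000-000000000001;0;203.0.113.7:50111;2022-11-02
1.0;2024-03-01T10:00:05.0000000Z;GetBlob;SASSuccess;200;22;19;sas;;examplestore;blob;"https://examplestore.blob.core.windows.net/docs/b.txt?sv=2022-11-02&amp;sr=b&amp;sp=r&amp;se=2030-01-01T00%3A00%3A00Z&amp;sig=XXXXX";"/examplestore/docs/b.txt";00000000-0000-0000-0000-000000000002;0;198.51.100.9:40222;2022-11-02
1.0;2024-03-01T10:00:09.0000000Z;PutBlob;Success;201;30;25;authenticated;examplestore;examplestore;blob;"https://examplestore.blob.core.windows.net/docs/c.txt";"/examplestore/docs/c.txt";00000000-0000-0000-0000-000000000003;0;192.0.2.4:33333;2022-11-02
1.0;2024-03-01T10:01:00.0000000Z;GetBlob;SASSuccess;200;20;18;sas;;examplestore;blob;"https://examplestore.blob.core.windows.net/docs/a.txt?sv=2022-11-02&amp;sr=c&amp;si=readers&amp;sig=XXXXX";"/examplestore/docs/a.txt";00000000-0000-0000-0000-000000000004;0;203.0.113.7:50112;2022-11-02
"""

# Zero-based positions in a format 1.0 entry (assumed from the documented field order).
AUTH_TYPE, REQUEST_URL, REQUESTER_IP = 7, 11, 15


def summarize_sas_use(log_text):
    """Count SAS-authenticated requests per (SAS source, client IP)."""
    usage = Counter()
    # Entries are semicolon-delimited; text fields are quoted and HTML-encoded.
    for row in csv.reader(log_text.splitlines(), delimiter=";", quotechar='"'):
        if len(row) <= REQUESTER_IP or row[AUTH_TYPE].lower() != "sas":
            continue  # skip short lines and account-key / anonymous requests
        query = parse_qs(urlsplit(html.unescape(row[REQUEST_URL])).query)
        if "si" in query:
            # SAS tied to a stored access policy: "si" names the policy.
            source = "policy:" + query["si"][0]
        else:
            # Ad hoc SAS: only its own parameters (here the expiry) identify it.
            source = "adhoc:se=" + query.get("se", ["?"])[0]
        ip = row[REQUESTER_IP].rsplit(":", 1)[0]  # drop the port (IPv4 form assumed)
        usage[(source, ip)] += 1
    return usage


if __name__ == "__main__":
    for (source, ip), count in summarize_sas_use(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {source:40s} {ip}")
```

Requests grouped under `policy:<name>` can be cut off by deleting or changing that stored access policy, as the answer describes.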