What is the best maximum time we can limit the SAS URL expiry date?

Rajoli Hari Krishna 636

Hi MS Team,

We have migrated our Azure Subscription Resources to Azure Landing Zone Subscription and all the web apps are connecting to the storage account using SAS URL with some limitation on the permission wise and the expiry time limit.

Earlier We use to generate the SAS URL for every 6 months/1 year but now the dev team is asking us to generate the SAS tokens more than 6 months i.e., 10 years.

Is that safer to generate the SAS URL/token for more than 6 months or a year?

Note: Our Landing Zone Resources are disabled with public network access and enabled with private endpoint and only the authorized clients and office staff would be eligible to access the web app/sites so there were many places we used different storage accounts SAS URLs/tokens in the web application for the secure data transfer and communication purpose.

Nandamuri Pranay Teja 805 Reputation points Microsoft External Staff

2025-03-04T07:48:40.3566667+00:00
Hello Hari Krishna,

I understand that you would like to know the maximum time to limit the SAS URL expiry date.

Creating SAS tokens with extended expiration periods, such as 10 years, may pose security risks and challenges. Although longer expiration durations can offer convenience, they also expand the attack surface and heighten the potential consequences of a compromised token. Please be informed that if a SAS token with a long expiration time (like 10 years) means that if the token is compromised, an attacker could potentially have access to your Azure resources for a very long time. This increases the risk of unauthorized access.

Creating SAS tokens with a validity period exceeding six months or a year is typically regarded as less secure due to various security concerns.

Security Concerns Associated with Extended Lifespan SAS Tokens:

A longer expiration time means that if a SAS token is compromised, the attacker has a longer period to exploit that access. This increases the risk of unauthorized access to your Azure resources.

If you need to revoke access (for example, if a user leaves the organization or if a security incident occurs), it can be more challenging with long-lived tokens. You would need to regenerate the SAS token and update all clients using it, which can be cumbersome.

Tokens with extended lifespans may result in misuse if not adequately managed. For instance, if a developer embeds a SAS token directly into an application, there is a risk that the token could be revealed in logs or within version control systems.

I understand that you have established a secure configuration for your Landing Zone Resources by disabling public network access and activating private endpoints. It is important to note that utilizing distinct storage account SAS URLs or tokens within the web application is a commendable practice for facilitating secure data transfer and communication. This method effectively limits access to authorized clients and office personnel, thereby improving the overall security of your web applications and sites.

Grant only the necessary permissions to the SAS token. Avoid granting excessive permissions that are not required by the application. Use the shortest possible expiry time that meets your application's needs. For most scenarios, expiry times ranging from a few hours to a few days are sufficient.

Regularly rotate SAS tokens to minimize the impact of compromised tokens. Store and manage SAS tokens securely. Avoid hardcoding tokens in your application code or storing them in insecure locations.

If you have any particular inquiries or require additional clarification on this matter, please do not hesitate to reach out.

References:

Manage storage account access keys: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

1 answer

Abiola Akinbade 23,770 Reputation points

2025-03-04T07:48:06.73+00:00

Hello Rajoli Hari Krishna,

Thanks for your question.

There is no hard limit on SAS expiry.

It’s advisable to set the shortest feasible expiration time for SAS tokens to reduce potential exposure if a token is compromised. It’s prudent to also follow least privilege, limiting both the permissions and the validity period of SAS tokens.

This is a general security practice. I will refer you to your companies policies regarding secrets and tokens.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

What is the best maximum time we can limit the SAS URL expiry date?

1 answer

Your answer