Ensure that shared access signature tokens expire within an hour

Question

I want address a CIS control 3.4 Ensure that shared access signature tokens expire within an hour

Additional info the control

https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Azure_Foundations_Benchmark_v1_1_0.pdf

Control number 3.4.

I was hoping to address this recommendation to create a stored access policy on the blob container with dynamic values for date and time variables or i am open to any other ideas. Also realized when researching this that SAS tokens are not logged in the Azure Activity

Answer 1

Hi anonymous user

Thank you for the recommendation!

When generated a SAS token within the portal you can also assign a specific "start and expiry date/time", which should make it easier for users to manage expiration times.

Within the Activity Logs, I noticed that the "generating" of the actual SAS token wasn't logged either. However, since the SAS token is issued to specific users for certain actions such as "read, write, delete, create, etc...", the actions performed by the user using the SAS token should be logged within the activity logs.

Please let me know if you have any other questions.

Thank you!

----------

Additional Links:
Activity Logs

Answer 2

Thanks James!

We can educate users to generate SAS tokens for that duration but i was thinking if there is policy that is governing this process it would be ideal for an enterprise to adhere to framework such as CIS.

So, based on your response there isnt way to generate Stored access policies dynamically? or is there any other way to achieve this SAS token duration limit?