Access Keys Not Rotated
More Info:
When a storage account is created, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result in these keys being compromised. The access keys storage accounts should be rotated at least every 90 days.Risk Level
MediumAddress
SecurityCompliance Standards
CISAZURE, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the issue of Access Keys not rotated in Azure, you can follow the below steps:
- Login to the Azure portal with your credentials.
- Navigate to ‘Azure Active Directory’ from the left-hand menu.
- Click on ‘Users’ from the ‘Manage’ section.
- Select the user whose access keys need to be rotated.
- Click on ‘Reset Password’ from the top menu.
- In the ‘Reset Password’ window, select ‘Auto-generate password’.
- Click on ‘Reset’.
- The new password will be displayed on the screen. Copy this password to a secure location.
- Click on ‘Show Password’ to view the password again if required.
- Click on ‘Close’ to exit the ‘Reset Password’ window.
Using CLI
Using CLI
Access keys not being rotated can pose a security risk as it increases the chances of unauthorized access to your Azure resources. To remediate this issue, you can follow the below steps using Azure CLI:
-
Login to your Azure account using Azure CLI by running the command
az login. -
Once you are logged in, run the following command to list all the storage accounts in your subscription:
az storage account list --query [*].name --output tsv -
Select the storage account that you want to remediate and run the following command to list all the access keys associated with it:
az storage account keys list --account-name <storage-account-name> --query [*].value --output tsv -
Once you have the access keys, create a new access key to replace the existing one by running the following command:
az storage account keys renew --account-name <storage-account-name> --key primaryThis will generate a new access key and invalidate the old one. -
Repeat step 4 for the secondary key as well by running the following command:
az storage account keys renew --account-name <storage-account-name> --key secondary - Finally, verify that the keys have been rotated successfully by running the command in step 3 again. Note: It is recommended to automate the access key rotation process using Azure Key Vault or Azure Functions to ensure that the keys are rotated on a regular basis.
Using Python
Using Python
To remediate the issue of Access Keys not rotated in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using pip.Step 2: Create a connection to Azure using the Step 3: Use the Step 4: For each user, check if the access key has been rotated in the last Step 5: Remediate the issue by rotating the access key for the user.Note: You will need to define the
ServicePrincipalCredentials class. You will need to provide the tenant_id, client_id, and client_secret.azure.mgmt.authorization package to get a list of all the users in your Azure subscription.n days (where n is a value you define).generate_access_key() function to generate a new access key. This function should return a string that meets the Azure password requirements.