Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to sa1.
Solution: You generate new SASs.
Does this meet the goal?
A. Yes
B. No

Answer: B (No)
Generating new SASs does not invalidate the SASs already in circulation: an existing SAS stays valid until its expiry unless the stored access policy it references is revoked or the account key that signed it is regenerated. Instead, revoke the stored access policies that the SASs reference (and regenerate the account keys to invalidate any ad-hoc SASs that are not tied to a policy).
To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.
https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy

The proposed solution does not meet the goal. A SAS is a signed token: the storage service accepts it if the signature recomputed with one of the account keys matches, and the token has not passed its expiry, which is read either from the token itself or from the stored access policy named by the token's signed identifier. Issuing new SASs adds more valid tokens but does nothing to the ones the unauthorized users already hold, which remain valid until they expire.

Shared access signatures and stored access policies both grant delegated access to resources in a storage account, but they play different roles. An ad-hoc SAS carries its permissions, start time and expiry in the token and can only be revoked by regenerating the account key that signed it. A stored access policy is defined on a container, file share, queue or table and is referenced from a service SAS by its signed identifier; the policy then supplies the permissions and expiry, so deleting or renaming the policy revokes every SAS that references it without touching the account keys.

To revoke all access to sa1, delete or rename the stored access policies on the affected containers and shares, and regenerate both account keys so that every ad-hoc SAS, whichever key signed it, stops validating. Regenerating the keys also cuts off any client that authenticates with the keys directly, so plan to redistribute them. Afterwards, remove stored access policies that are no longer needed to reduce the attack surface.

In summary, generating new SASs does not revoke the existing ones, so the answer is No. Revocation alone also does not prevent the next incident: enabling Azure AD authentication, granting access through RBAC, and reviewing access policies regularly make future unauthorized access less likely and easier to revoke per identity.
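As an added, self-contained model of why the answer is No (this is not code from the page or from Microsoft), the script below imitates the service-side acceptance check for a service SAS: recompute the HMAC-SHA256 over the string-to-sign with either account key, then apply the expiry from the token or from the referenced stored access policy. It walks a made-up account named sa1 through the candidate remediations and records which previously issued tokens are still accepted. The field order follows the documented blob service SAS layout for sv=2020-12-06 but leaves the snapshot, encryption-scope and response-header fields empty; the account keys, container names, share names and policy names are constructed, so the code cannot sign tokens for a real account.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SV = "2020-12-06"
TS = "%Y-%m-%dT%H:%M:%SZ"


class StorageAccount:
    # Constructed stand-in: two account keys plus the stored access policies
    # defined per (service, container-or-share). Not the Azure SDK.
    def __init__(self, name):
        self.name = name
        self.keys = {"key1": secrets.token_bytes(64), "key2": secrets.token_bytes(64)}
        self.policies = {}

    def regenerate_key(self, key_name):
        self.keys[key_name] = secrets.token_bytes(64)

    def set_policy(self, service, container, policy_id, permissions, expiry):
        self.policies.setdefault((service, container), {})[policy_id] = (permissions, expiry)

    def delete_policy(self, service, container, policy_id):
        # Renaming the signed identifier has the same effect: the lookup fails.
        self.policies.get((service, container), {}).pop(policy_id, None)


def string_to_sign(account, service, container, p):
    # Blob service SAS field order for sv=2020-12-06; trailing fields left empty.
    canonical = f"/{service}/{account}/{container}"
    fields = [p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
              p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
              p.get("sr", ""), "", "", "", "", "", "", ""]
    return "\n".join(fields)


def sign(key, sts):
    return base64.b64encode(hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()).decode()


def make_service_sas(acct, service, container, key_name, permissions=None, expiry=None, policy_id=None):
    # Client side. With a policy_id, permissions and expiry live in the policy
    # and are left out of the token.
    p = {"sv": SV, "sr": "c" if service == "blob" else "s"}
    if policy_id:
        p["si"] = policy_id
    else:
        p["sp"], p["se"] = permissions, expiry.strftime(TS)
    p["sig"] = sign(acct.keys[key_name], string_to_sign(acct.name, service, container, p))
    return urlencode(p)


def sas_is_accepted(acct, service, container, token, now=None):
    # Service side: signature must verify under one of the CURRENT keys, and
    # the effective expiry (token or policy) must be in the future.
    now = now or datetime.now(timezone.utc)
    p = {k: v[0] for k, v in parse_qs(token).items()}
    sig = p.pop("sig", "")
    sts = string_to_sign(acct.name, service, container, p)
    if not any(hmac.compare_digest(sign(k, sts), sig) for k in acct.keys.values()):
        return False  # signing key regenerated, or token tampered with
    if "si" in p:
        policy = acct.policies.get((service, container), {}).get(p["si"])
        if policy is None:
            return False  # policy deleted or renamed: revoked
        expiry = policy[1]
    else:
        expiry = datetime.strptime(p["se"], TS).replace(tzinfo=timezone.utc)
    return now < expiry


def revocation_outcomes():
    # Three tokens already in an attacker's hands: two ad-hoc blob SASs (one per
    # key) and one file-share SAS bound to a stored access policy.
    acct = StorageAccount("sa1")
    in_30_days = datetime.now(timezone.utc) + timedelta(days=30)
    acct.set_policy("file", "share1", "readers", "r", in_30_days)
    adhoc_k1 = make_service_sas(acct, "blob", "data", "key1", "rl", in_30_days)
    adhoc_k2 = make_service_sas(acct, "blob", "data", "key2", "rl", in_30_days)
    policy_k2 = make_service_sas(acct, "file", "share1", "key2", policy_id="readers")

    def check():
        return (sas_is_accepted(acct, "blob", "data", adhoc_k1),
                sas_is_accepted(acct, "blob", "data", adhoc_k2),
                sas_is_accepted(acct, "file", "share1", policy_k2))

    outcomes = {"baseline": check()}
    make_service_sas(acct, "blob", "data", "key1", "rl", in_30_days)  # the proposed "solution"
    outcomes["new_sas_generated"] = check()
    acct.delete_policy("file", "share1", "readers")
    outcomes["policy_deleted"] = check()
    acct.regenerate_key("key1")
    outcomes["key1_regenerated"] = check()
    acct.regenerate_key("key2")
    outcomes["key2_regenerated"] = check()
    return outcomes


if __name__ == "__main__":
    for step, (k1, k2, pol) in revocation_outcomes().items():
        print(f"{step:20s} adhoc/key1={k1!s:5} adhoc/key2={k2!s:5} policy/key2={pol}")
```

Running it shows the three outcomes the question turns on: after new SASs are generated every old token is still accepted; deleting the policy kills only the policy-bound token; and each key regeneration kills only the ad-hoc tokens signed with that key, which is why both keys have to be rotated to revoke all access.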