Developing Solutions for Microsoft Azure: Revoking Compromised User Delegation SAS Tokens

Revoking Compromised User Delegation SAS Tokens

Question

You develop a REST API.

You implement a user delegation SAS token to communicate with Azure Blob storage.

The token is compromised.

You need to revoke the token.

What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers

A. Revoke the delegation key.
B. Delete the stored access policy.
C. Regenerate the account key.
D. Remove the role assignment for the security principal.

Explanations

Correct answer: AD.

A: Revoke the user delegation key. A user delegation SAS is signed with a user delegation key that the storage service issues to a Microsoft Entra security principal, and the token carries that key's identity (skoid, sktid, skt, ske, sks, skv) in its query string. Revoking the account's user delegation keys invalidates every SAS signed with them. From the Azure CLI, call the az storage account revoke-delegation-keys command; from Azure PowerShell, call Revoke-AzStorageAccountUserDelegationKeys; the underlying REST operation is Revoke User Delegation Keys. Mind the blast radius: this revokes all user delegation keys for the storage account, so every user delegation SAS on that account stops working, not only the compromised one, and every client must request a new key and mint new tokens.

D: Remove the role assignment for the security principal. A user delegation SAS can never grant more than the Azure RBAC permissions held by the security principal that requested the delegation key, and those permissions are checked when the SAS is used. Removing (or narrowing) that principal's role assignment on the storage account therefore makes the token unusable. Role assignment changes can take several minutes to propagate, so during an incident combine this with A rather than relying on it alone.

B: Delete the stored access policy. This is not a solution for a user delegation SAS. Deleting a stored access policy, or renaming it by changing its signed identifier, does immediately invalidate the service SAS tokens that reference it, because the rename breaks the association between those signatures and the policy. However, stored access policies are not supported for a user delegation SAS, so a compromised user delegation SAS has no policy to delete.

C: Regenerate the account key. Regenerating the storage account keys invalidates tokens signed with the account key (ad hoc service SAS and account SAS) and breaks every client that authenticates with that key. A user delegation SAS is signed with a user delegation key obtained with Microsoft Entra credentials rather than with the account key, so key regeneration does not target the credential that signed it and is not a documented way to revoke a user delegation SAS.

In summary, the two complete solutions are A (revoke the account's user delegation keys) and D (remove the role assignment of the security principal that requested the key).

References:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/blobs/storage-blob-user-delegation-sas-create-cli.md
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy#modifying-or-revoking-a-stored-access-policy
https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
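The whole question turns on which credential signed the token, and in a real incident the first thing a responder has to establish is exactly that. The following Python script is an added example, not code from the original page or from Microsoft's documentation: it triages a leaked SAS URL offline by classifying it from its query parameters (a user delegation SAS carries skoid/sktid/skt/ske/sks/skv, a policy-bound service SAS carries si, an account SAS carries ss and srt), checks whether se or ske has already passed, and maps the type to the revocation lever and Azure CLI command that actually invalidates it. The sample URLs, account name, GUIDs and signatures are constructed; <rg> and <storage-account-resource-id> are placeholders to fill in.

```python
"""Triage a leaked Azure Storage SAS and decide how to revoke it.

Added example, not code from the original page or from Microsoft. Nothing
here talks to Azure: it parses the SAS query string, identifies which
credential signed it, and emits the revocation step that invalidates that
credential. All sample URLs below are constructed (fake account, fake GUIDs,
fake signatures).
"""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# A user delegation SAS always carries the identity of the delegation key.
USER_DELEGATION_KEY_PARAMS = ("skoid", "sktid", "skt", "ske", "sks", "skv")

# Constructed samples (not real tokens).
SAMPLE_USER_DELEGATION_SAS = (
    "https://contosoexample.blob.core.windows.net/logs/app.log"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-05-02T00:00:00Z"
    "&skoid=11111111-2222-3333-4444-555555555555"
    "&sktid=66666666-7777-8888-9999-000000000000"
    "&skt=2024-05-01T00:00:00Z&ske=2024-05-08T00:00:00Z&sks=b&skv=2022-11-02"
    "&sig=FAKEFAKEFAKE%3D"
)
SAMPLE_POLICY_SAS = (
    "https://contosoexample.blob.core.windows.net/logs"
    "?sv=2022-11-02&sr=c&si=readonly-policy&sig=FAKEFAKEFAKE%3D"
)
SAMPLE_ACCOUNT_SAS = (
    "https://contosoexample.blob.core.windows.net/"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2024-05-02T00:00:00Z&sig=FAKEFAKEFAKE%3D"
)


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_sas_time(value: str) -> datetime:
    """SAS timestamps are UTC ISO 8601, e.g. 2024-05-02T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_sas(params: dict) -> str:
    """Classify a SAS by the credential that signed it:
    user_delegation  signed with a user delegation key (Entra principal)
    account          account SAS, signed with the account key
    service_policy   service SAS bound to a stored access policy
    service          ad hoc service SAS, signed with the account key
    """
    if "sig" not in params:
        raise ValueError("not a SAS: no sig parameter")
    if all(p in params for p in USER_DELEGATION_KEY_PARAMS):
        return "user_delegation"
    if "ss" in params and "srt" in params:
        return "account"
    if "si" in params:
        return "service_policy"
    return "service"


def revocation_plan(url: str, now: Optional[datetime] = None) -> dict:
    """Return the SAS kind, whether it is already dead, the principal (skoid)
    behind a user delegation SAS, and the ordered revocation actions.
    <rg> and <storage-account-resource-id> are placeholders to fill in."""
    params = parse_sas(url)
    kind = classify_sas(params)
    now = now or datetime.now(timezone.utc)
    account = urlsplit(url).hostname.split(".")[0]  # <account>.blob.core.windows.net

    # Dead already if the SAS expiry (se) or, for a user delegation SAS, the
    # delegation key expiry (ske, at most 7 days out) has passed.
    expired = any(parse_sas_time(params[k]) <= now for k in ("se", "ske") if k in params)

    principal = params.get("skoid")
    actions = []
    if kind == "user_delegation":
        # Revokes every user delegation key on the account: all user
        # delegation SAS tokens for the account die, not just this one.
        actions.append(f"az storage account revoke-delegation-keys "
                       f"--name {account} --resource-group <rg>")
        # The SAS never exceeds the requesting principal's RBAC rights, which are
        # checked at use time, so removing its role assignment also kills it.
        actions.append(f"az role assignment delete --assignee {principal} "
                       "--scope <storage-account-resource-id>")
    elif kind == "service_policy":
        actions.append(f"delete or rename stored access policy '{params['si']}' "
                       "on the container")
    else:
        # Ad hoc service SAS and account SAS are signed with an account key;
        # rotating that key is the only lever (and breaks every key-based client).
        actions.append(f"az storage account keys renew --account-name {account} "
                       "--resource-group <rg> --key primary")
    return {"kind": kind, "expired": expired, "principal": principal, "actions": actions}


if __name__ == "__main__":
    for label, sample in [("user delegation", SAMPLE_USER_DELEGATION_SAS),
                          ("policy-bound service", SAMPLE_POLICY_SAS),
                          ("account", SAMPLE_ACCOUNT_SAS)]:
        plan = revocation_plan(sample)
        print(f"{label}: kind={plan['kind']} expired={plan['expired']}")
        for action in plan["actions"]:
            print("   ", action)
```

The skoid pulled out of the compromised token is the object ID of the principal that requested the delegation key, which is exactly the assignee whose role assignments to review; keep the revoke-delegation-keys step first, since it takes effect immediately while RBAC changes propagate.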