Azure Storage Account Access Keys

Bridgecrew Policy ID: BC_GIT_3
Severity: LOW

Azure Storage Account Access Keys

Description

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization. Leaking this key can thus compromise the concerned data.

Fix - Buildtime

Azure

Step 1: Revoke the exposed secret.
To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/revokeUserDelegationKeys?api-version=2021-04-01

Step 2: Clean the git history.
Go under the settings section of your GitHub project and chose the change visibility button at the bottom.

Step 3: Inspect Azure Activity Logs to ensure the key was not utilized during the compromised period.