Azure Storage Account Access Keys
Bridgecrew Policy ID: BC_GIT_3
Severity: LOW
Azure Storage Account Access Keys
Description
When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization. Leaking this key can thus compromise the concerned data.
Fix - Buildtime
Azure
Step 1: Revoke the exposed secret.
To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/revokeUserDelegationKeys?api-version=2021-04-01
Step 2: Clean the git history.
Go under the settings section of your GitHub project and chose the change visibility button at the bottom.
Step 3: Inspect Azure Activity Logs to ensure the key was not utilized during the compromised period.
Updated 11 months ago