Merge pull request #1058 from naveednawazkhan/patch-5

Update bc-azure-2-41.adoc
hlxsites · Jan 19, 2025 · 7899be5 · 7899be5
2 parents b91df7d + 3b5a91c
commit 7899be5
Showing 1 changed file with 21 additions and 20 deletions.
diff --git a/...e-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc b/...e-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc
@@ -24,35 +24,36 @@
 
 === Description
 
-This policy is checking to make sure that your Azure storage account has a Shared Access Signature (SAS) expiration policy configured. A SAS is a string containing a security token that can be appended to a URL granting access to resources in your storage account. If this does not have an expiration policy set, it can pose a significant security risk. It means that once someone obtains the SAS, they can have potentially ongoing access to sensitive data in your storage account, even if they should no longer have that access. Therefore, not having a SAS expiration policy can lead to unauthorized data access, data loss or corruption.
+This policy identifies Azure Storage accounts not configured with SAS expiration policy.
+
+A Shared Access Signature (SAS) expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning. If Azure Storage logging with Azure Monitor is enabled, then an entry is written to the Azure Storage logs. It is recommended that you limit the interval for a SAS in case it is compromised.
+
+For more details:
+https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy
 
 === Fix - Buildtime
 
 *Terraform*
 
 * *Resource:* azurerm_storage_account
-* *Arguments:* sas_policy.expiration_period
+* *Arguments:* shared_access_key_enabled, sas_policy.expiration_period
+
+To mitigate this issue, implement one of the following options:
+
+* Set the `shared_access_key_enabled` attribute in the `azurerm_storage_account` resource to 'false'
+* Configure a `sas_policy` with a defined `expiration_period` if the `shared_access_key_enabled` attribute is set to 'true'
 
-To fix this issue, the shared_access_key_enabled is not mandatory, but if it is set to true, you need to configure your Azure Storage Account with a Shared Access Signature (SAS) expiration policy. This ensures that the SAS tokens, which are used for delegating access to your storage account resources, have an expiration time so as not to indefinitely expose your resources.
+
+Example:
 
 [source,go]
 ----
-resource "azurerm_storage_account" "pass_1" {
-  name                     = "pud-storage2023abc1"
-  resource_group_name      = var.rg-name
-  location                 = var.location
-  account_tier             = "Standard"
-  account_replication_type = "GRS"
-  shared_access_key_enabled = false
-
-  sas_policy {
-+   expiration_period = "90.00:00:00"
-    expiration_action = "Log"
-  }
-
-  tags = {
-    bc_status = "pass"
-  }
+resource "azurerm_storage_account" "example" {
+  ...
+  shared_access_key_enabled = true
+
++  sas_policy {
++    expiration_period = "01.12:00:00"
++  }
 }
 ----
-