From c8d97746ce101ea2aa96cf4ac44e021f9c7b2379 Mon Sep 17 00:00:00 2001 From: Naveed Nawaz <73508041+naveednawazkhan@users.noreply.github.com> Date: Thu, 9 Jan 2025 11:22:37 -0600 Subject: [PATCH 1/2] Update bc-azure-2-41.adoc Github issue: https://github.com/bridgecrewio/checkov/issues/6140 --- .../azure-iam-policies/bc-azure-2-41.adoc | 37 +++++++++---------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc index 203ce2827f..8c02e11c6b 100644 --- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc 
@@ -24,35 +24,32 @@ === Description -This policy is checking to make sure that your Azure storage account has a Shared Access Signature (SAS) expiration policy configured. A SAS is a string containing a security token that can be appended to a URL granting access to resources in your storage account. If this does not have an expiration policy set, it can pose a significant security risk. It means that once someone obtains the SAS, they can have potentially ongoing access to sensitive data in your storage account, even if they should no longer have that access. Therefore, not having a SAS expiration policy can lead to unauthorized data access, data loss or corruption. +This policy identifies Azure Storage accounts not configured with SAS expiration policy. + +A Shared Access Signature (SAS) expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning. If Azure Storage logging with Azure Monitor is enabled, then an entry is written to the Azure Storage logs. It is recommended that you limit the interval for a SAS in case it is compromised. + +For more details: +https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy === Fix - Buildtime *Terraform* * *Resource:* azurerm_storage_account -* *Arguments:* sas_policy.expiration_period +* *Arguments:* shared_access_key_enabled, sas_policy.expiration_period + +To mitigate this issue, ensure that the `shared_access_key_enabled` attribute in the `azurerm_storage_account` resource is set to `false`, or configure a `sas_policy` with a defined `expiration_period` if `shared_access_key_enabled` is set to `true`. 
-To fix this issue, the shared_access_key_enabled is not mandatory, but if it is set to true, you need to configure your Azure Storage Account with a Shared Access Signature (SAS) expiration policy. This ensures that the SAS tokens, which are used for delegating access to your storage account resources, have an expiration time so as not to indefinitely expose your resources. +Example: [source,go] ---- -resource "azurerm_storage_account" "pass_1" { - name = "pud-storage2023abc1" - resource_group_name = var.rg-name - location = var.location - account_tier = "Standard" - account_replication_type = "GRS" - shared_access_key_enabled = false - - sas_policy { -+ expiration_period = "90.00:00:00" - expiration_action = "Log" - } - - tags = { - bc_status = "pass" - } +resource "azurerm_storage_account" "example" { + ... + shared_access_key_enabled = true + ++ sas_policy { ++ expiration_period = "01.12:00:00" ++ } } ---- - From 3b5a91c495bfa72992b99e6ff5260471b6d1ce41 Mon Sep 17 00:00:00 2001 From: Naveed Nawaz <73508041+naveednawazkhan@users.noreply.github.com> Date: Thu, 16 Jan 2025 08:44:09 -0600 Subject: [PATCH 2/2] Update bc-azure-2-41.adoc --- .../azure-policies/azure-iam-policies/bc-azure-2-41.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc index 8c02e11c6b..471af4c546 100644 --- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41.adoc 
@@ -38,7 +38,11 @@ https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy * *Resource:* azurerm_storage_account * *Arguments:* shared_access_key_enabled, sas_policy.expiration_period -To mitigate this issue, ensure that the `shared_access_key_enabled` attribute in the `azurerm_storage_account` resource is set to `false`, or configure a `sas_policy` with a defined `expiration_period` if `shared_access_key_enabled` is set to `true`. +To mitigate this issue, implement one of the following options: + +* Set the `shared_access_key_enabled` attribute in the `azurerm_storage_account` resource to 'false' +* Configure a `sas_policy` with a defined `expiration_period` if the `shared_access_key_enabled` attribute is set to 'true' + Example:
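Review bot: In the first hunk (PATCH 1/2, the `=== Fix - Buildtime` section) the replacement example is not valid Terraform as written: the resource body is abbreviated to `...`, and the three added lines carry a literal leading `+` (`+ sas_policy {`, `+ expiration_period = "01.12:00:00"`, `+ }`) inside the `[source,go]` block, so anyone copying the snippet gets a parse error, whereas the removed `pass_1` example was a complete resource with only one marked line. If the leading `+` is an intentional convention for highlighting the lines the fix adds, say so or apply it consistently; otherwise drop it and keep a complete resource. Two smaller points in the same hunk: the block is tagged `[source,go]` although the content is Terraform, so `[source,hcl]` or `[source,terraform]` would highlight correctly; and the removed example set `expiration_action = "Log"` while the new one omits it, so readers no longer see the argument that decides what happens when a SAS exceeds the interval, which matters given the new description says an over-long SAS only produces a warning and a log entry. Finally, the new description reads "not configured with SAS expiration policy"; it should be "a SAS expiration policy".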
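Review bot: In the second hunk (PATCH 2/2) the values `'false'` and `'true'` are wrapped in straight single quotes while every other attribute and value in the section uses backticks (`shared_access_key_enabled`, `azurerm_storage_account`, `sas_policy`, `expiration_period`), so they will render as quoted prose rather than as literals; use backticks for `false` and `true` as well. Also, the rewritten text presents two options, but the example that follows (`shared_access_key_enabled = true` plus a `sas_policy`) shows only the second; either add a short second snippet with `shared_access_key_enabled = false`, or add a sentence after the list noting that the example covers the `true` case and that with `shared_access_key_enabled = false` no `sas_policy` is required, which is what the replaced sentence already implied.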