Azure Storage account shared key access enabled
Description
AlphaSOC detected that shared key access was enabled on an Azure Storage account via a
Microsoft.Storage/storageAccounts/write operation with allowSharedKeyAccess set to
true. Shared key access grants full administrative access to the storage
account to anyone holding the storage account keys.
While shared key access is often necessary for legacy applications, enabling it weakens security posture by allowing authentication outside of Azure AD. Storage account keys provide broad access and are difficult to audit compared to Azure AD authentication.
Impact
Shared key access enables authentication using storage account keys, which provide full account access and cannot be scoped to specific permissions. Keys can be used from any location and are more difficult to monitor than Azure AD authentication. If keys are compromised, attackers gain unrestricted storage access.
Severity
| Severity | Condition |
|---|---|
| Informational | Shared key access enabled on storage account |
Investigation and Remediation
Review Azure Activity logs to identify who enabled shared key access and determine if it is required for application compatibility. Assess which applications use shared key authentication versus Azure AD.
If shared key access is not required, disable it to enforce Azure AD authentication only. If it must remain enabled, ensure storage account keys are properly protected and regularly rotated. Implement monitoring for key listing operations and consider using Azure Key Vault to manage key access.
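The triage steps above can be scripted against Azure Activity Log records. The following is an added example, not AlphaSOC's detection code: it flags storageAccounts/write events whose request body sets allowSharedKeyAccess to true and separately lists key-listing operations. The sample events are constructed, and the assumption that the PUT body is carried as a JSON string in properties.requestbody is the author's, not a documented schema guarantee.

```python
"""Triage Azure Activity Log records for storage account writes that set
allowSharedKeyAccess to true, plus key-listing operations to monitor.
Sample events are constructed; the field layout (request body carried as a
JSON string in properties.requestbody) is an assumption, not a schema claim."""
import json

WRITE_OP = "Microsoft.Storage/storageAccounts/write"
LIST_KEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
ST_LEGACY = SUB + "/providers/Microsoft.Storage/storageAccounts/stlegacy"
ST_HARDENED = SUB + "/providers/Microsoft.Storage/storageAccounts/sthardened"

def _event(op, caller, resource, body=None):
    """Build a constructed activity-log-like record (assumed shape)."""
    props = {"requestbody": json.dumps(body)} if body is not None else {}
    return {"operationName": op, "caller": caller, "resourceId": resource, "properties": props}

SAMPLE_EVENTS = [
    _event(WRITE_OP, "alice@example.invalid", ST_LEGACY, {"properties": {"allowSharedKeyAccess": True}}),
    _event(WRITE_OP, "bob@example.invalid", ST_HARDENED, {"properties": {"allowSharedKeyAccess": False}}),
    # A write that touches an unrelated property must not fire.
    _event(WRITE_OP, "carol@example.invalid", ST_HARDENED, {"properties": {"minimumTlsVersion": "TLS1_2"}}),
    # Key listing: not an enablement, but worth monitoring per the remediation guidance.
    _event(LIST_KEYS_OP, "dave@example.invalid", ST_LEGACY),
]

def enables_shared_key_access(event):
    """True only for a storageAccounts/write whose body sets allowSharedKeyAccess to boolean true."""
    if event.get("operationName") != WRITE_OP:
        return False
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return False  # no request body captured: cannot tell, do not alert
    try:
        parsed = json.loads(body) if isinstance(body, str) else body
    except json.JSONDecodeError:
        return False
    props = parsed.get("properties") if isinstance(parsed, dict) else None
    return isinstance(props, dict) and props.get("allowSharedKeyAccess") is True

def find_shared_key_enablements(events):
    """Return (caller, resourceId) pairs answering 'who enabled it, and on which account'."""
    return [(e["caller"], e["resourceId"]) for e in events if enables_shared_key_access(e)]

def find_key_listings(events):
    """Return (caller, resourceId) pairs for key-listing operations."""
    return [(e["caller"], e["resourceId"]) for e in events if e.get("operationName") == LIST_KEYS_OP]

if __name__ == "__main__":
    for caller, resource in find_shared_key_enablements(SAMPLE_EVENTS):
        print(f"shared key access enabled by {caller} on {resource}")
```

In a real tenant, feed the function records exported from Activity Log diagnostics and confirm the exact property path before relying on it.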
Known False Positives
- Legacy applications requiring shared key authentication
- Third-party integrations not supporting Azure AD authentication