So, great. Azure Storage accounts always deploy with access keys, even if you disable their usage during creation.
From the docs:
"Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys without interruption to your applications. You can also manually rotate your keys."
So, hear me out, Microsoft. What if we just didn't deploy those keys unless needed. KV is pretty cheap, all things considered (at least for basic versions), but like... what if we didn't require customers to manually set up some automation for something they don't need.
"If you have disabled shared key access and you are seeing Shared Key authorization reported in the diagnostic logs, this indicates that trusted access is being used to access storage. For more details, see Trusted access for resources registered in your Microsoft Entra tenant."
Ok, so, disabling the feature doesn't actually disable the feature? Or are you overloading names of features again?
"If you plan to manually rotate access keys, Microsoft recommends that you set a key expiration policy. For more information, see Create a key expiration policy."
"After you create the key expiration policy, you can use Azure Policy to monitor whether a storage account's keys have been rotated within the recommended interval. For details, see Check for key expiration policy violations."
I didn't intend to rotate anything, thank you very much. Why would I. That feature is disabled...
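To see where each account stands on the points quoted above (keys that exist while shared key access is disabled, and keys past their expiration policy), here is an added example, not code from the Microsoft docs. It reads JSON shaped like `az storage account list -o json`; the account names and timestamps are constructed, and the status labels are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed to the fields used here; shaped like the
# JSON from `az storage account list -o json`.
SAMPLE = json.loads("""
[
 {"name": "stdisabledexample", "allowSharedKeyAccess": false, "keyPolicy": null,
  "keyCreationTime": {"key1": "2022-03-01T10:00:00+00:00",
                      "key2": "2022-03-01T10:00:00+00:00"}},
 {"name": "stpolicyexample", "allowSharedKeyAccess": null,
  "keyPolicy": {"keyExpirationPeriodInDays": 90},
  "keyCreationTime": {"key1": "2024-05-20T08:00:00+00:00",
                      "key2": "2023-11-02T08:00:00+00:00"}},
 {"name": "stnopolicyexample", "allowSharedKeyAccess": true, "keyPolicy": null,
  "keyCreationTime": {"key1": null, "key2": null}}
]
""")


def audit_keys(accounts, now):
    """Return (account, key, age_days, status) for every access key."""
    rows = []
    for acct in accounts:
        # Only an explicit false disables Shared Key; null is treated as allowed.
        disabled = acct.get("allowSharedKeyAccess") is False
        period = (acct.get("keyPolicy") or {}).get("keyExpirationPeriodInDays")
        created = acct.get("keyCreationTime") or {}
        for key in ("key1", "key2"):
            stamp = created.get(key)
            # Creation time can be null; the age is then unknown.
            age = (now - datetime.fromisoformat(stamp)).days if stamp else None
            if disabled:
                status = "exists-while-disabled"
            elif period is None:
                status = "no-expiration-policy"
            elif age is None or age > period:
                status = "overdue"
            else:
                status = "ok"
            rows.append((acct["name"], key, age, status))
    return rows


if __name__ == "__main__":
    for row in audit_keys(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```
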