Manage SAS Token by Name and Include in Audit Logs
Give SAS tokens a name when generating them:
- allow a report/table of all generated tokens
- allow revocation of existing tokens (or modification of access)
- use the SAS token name in storage audit logs
At the moment, the storage access logs do not show any useful information about who has made access, and this is critical to a practical audit function.
Thank you for your feedback. Currently you can use a stored access policy to manage revocation of an existing token. You are also able to track requests made using an existing stored access policy in the storage account logs. See https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1#controlling-a-sas-with-a-stored-access-policy for more details. For any further questions, or to discuss your specific scenario, send us an email at firstname.lastname@example.org.
Jolin Tsai commented
You could only create 5 policy rules on 1 container. It's quite inconvenient.
Are there any updates on this? The last note from Microsoft of "Under Review" was in 2017.
Danny den Braver commented
We would definitely like to have a similar kind of functionality.
Our security department demands that we monitor SAS token usage and set a maximum expiration date. This currently does not seem to be possible.
Ben Hatton commented
Thanks for the feedback. It looks like the SAS Policy is present in the "si" parameter of the query, and this is getting logged when it is provided in the URL. I am connecting via Logic App which does not seem to (anymore?) permit a connection using a SAS, only with account key, so that won't work in my specific situation.
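The Microsoft reply and Ben Hatton's comment together describe the only attribution the logs give you today: a SAS issued against a stored access policy carries the policy name in the `si` query parameter, and that parameter is recorded with the request URL. The script below is an added example for this thread, not code from the original post, from Microsoft or from any Azure SDK. It walks constructed log lines laid out like classic Storage Analytics entries (semicolon-delimited, authentication type in the 8th field, the quoted request URL in the 12th; that layout and all sample lines are assumptions made here, with placeholder signatures), counts requests per stored access policy, lists SAS requests that carry no `si` (ad hoc tokens that cannot be revoked through a policy), and flags ad hoc tokens whose `se` lies more than a chosen maximum lifetime past their `st` or, failing that, past the request time, which is the closest a log reader can get to the "maximum expiration date" asked for above.

```python
"""Attribute SAS requests in storage logs to stored access policies ('si').

Added example for this feedback thread; not code from the original post,
from Microsoft, or from any Azure SDK. The log layout and sample lines are
constructed assumptions: semicolon-delimited fields, authentication type in
field 8, the double-quoted request URL in field 12. Signatures are dummies.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

AUTH_FIELD = 7   # 0-based index of the authentication-type field (assumed)
URL_FIELD = 11   # 0-based index of the request-url field (assumed)

# Constructed sample log lines: two reads under policy "finance-ro", one
# long-lived ad hoc read, one short ad hoc read, one account-key write that
# is not a SAS request at all, and one write under policy "ops-writer".
SAMPLE_LOGS = [
    '1.0;2024-05-01T10:00:01.0000000Z;GetBlob;Success;200;5;4;sas;;acct;blob;'
    '"https://acct.blob.core.windows.net/invoices/2024-04.pdf?sv=2021-06-08&sr=c&si=finance-ro&sig=AAAA";invoices/2024-04.pdf',
    '1.0;2024-05-01T10:00:02.0000000Z;GetBlob;Success;200;5;4;sas;;acct;blob;'
    '"https://acct.blob.core.windows.net/invoices/2024-03.pdf?sv=2021-06-08&sr=c&si=finance-ro&sig=AAAA";invoices/2024-03.pdf',
    '1.0;2024-05-01T10:00:03.0000000Z;GetBlob;Success;200;5;4;sas;;acct;blob;'
    '"https://acct.blob.core.windows.net/invoices/2024-04.pdf?sv=2021-06-08&sr=b&sp=r&se=2025-05-01T00:00:00Z&sig=BBBB";invoices/2024-04.pdf',
    '1.0;2024-05-01T10:00:04.0000000Z;GetBlob;Success;200;5;4;sas;;acct;blob;'
    '"https://acct.blob.core.windows.net/invoices/2024-04.pdf?sv=2021-06-08&sr=b&sp=r&st=2024-05-01T00:00:00Z&se=2024-05-02T00:00:00Z&sig=DDDD";invoices/2024-04.pdf',
    '1.0;2024-05-01T10:00:05.0000000Z;PutBlob;Success;201;7;6;authenticated;acct;acct;blob;'
    '"https://acct.blob.core.windows.net/ops/config.json";ops/config.json',
    '1.0;2024-05-01T10:00:06.0000000Z;PutBlob;Success;201;7;6;sas;;acct;blob;'
    '"https://acct.blob.core.windows.net/ops/report.csv?sv=2021-06-08&sr=c&si=ops-writer&sig=CCCC";ops/report.csv',
]


def _parse_ts(value):
    """Parse the UTC timestamps used in both log fields and SAS parameters.
    Log timestamps carry seven fractional digits, which strptime cannot
    read, so the fraction is dropped; date-only values (allowed in se/st)
    are accepted too."""
    value = re.sub(r"\.\d+", "", value)
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_log_line(line):
    """Split one log line into the fields the audit needs, or None if short."""
    fields = line.split(";")
    if len(fields) <= URL_FIELD:
        return None
    parts = urlsplit(fields[URL_FIELD].strip('"'))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "time": _parse_ts(fields[1]),
        "operation": fields[2],
        "auth": fields[AUTH_FIELD],
        "container": parts.path.lstrip("/").split("/", 1)[0],
        "query": query,
    }


def audit_sas_usage(lines, max_lifetime=timedelta(days=7)):
    """Count SAS requests per (container, policy) and flag ad hoc tokens.

    Policies are scoped to a container, so the key includes it. A token with
    no 'si' cannot be revoked through a policy; one whose 'se' lies more than
    max_lifetime past its 'st' (or past the request time when 'st' is absent)
    violates a maximum-lifetime rule."""
    by_policy = Counter()
    ad_hoc, long_lived = [], []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["auth"] != "sas":
            continue
        q = rec["query"]
        if q.get("si"):
            by_policy[(rec["container"], q["si"])] += 1
            continue
        ad_hoc.append(rec)
        if "se" in q:
            start = _parse_ts(q["st"]) if "st" in q else rec["time"]
            if _parse_ts(q["se"]) - start > max_lifetime:
                long_lived.append(rec)
    return {"by_policy": by_policy, "ad_hoc": ad_hoc, "long_lived": long_lived}


def format_report(result):
    """Render the audit result as plain text for a ticket or dashboard."""
    out = ["SAS requests by stored access policy:"]
    for (container, policy), n in sorted(result["by_policy"].items()):
        out.append(f"  {container}/{policy}: {n}")
    out.append(f"Ad hoc SAS requests (no si, not revocable by policy): {len(result['ad_hoc'])}")
    for rec in result["long_lived"]:
        out.append(f"  over max lifetime: {rec['operation']} on {rec['container']} "
                   f"at {rec['time'].isoformat()} se={rec['query']['se']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(audit_sas_usage(SAMPLE_LOGS)))
```

Two caveats follow from the thread itself: the `si` attribution only exists for tokens issued against a policy, and with five policies per container (as noted above) it gives you at most five named identities per container, not a name per token. A request authenticated with the account key, like the Logic App case in the last comment, shows up with a different authentication type and is skipped here, since there is no token to attribute.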