Ensure Storage Account Access Keys are Periodically Regenerated

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-002

Ensure that storage account access keys are periodically regenerated to maintain security and prevent unauthorized access resulting from key compromise.

Security
Operational excellence

Every storage account has two access keys, key1 and key2. Either key grants full, account-wide access to all of the account's data-plane services (Blob, File, Queue and Table) and can sign shared access signatures, so a leaked key is equivalent to full control of the account's data. When access keys remain static for extended periods, the risk of compromise increases significantly. Rotating keys periodically ensures that even if a key is inadvertently exposed through logs, configuration files, or other means, the exposure window is limited. Rotation periods vary with your organization's security requirements and the sensitivity of the data stored in the account. For the purposes of this security recommendation, 90 days is prescribed as the default rotation period; review and adjust it based on your organization's security requirements, compliance obligations, and risk tolerance.

Failure to properly coordinate key rotation can result in service interruptions and application failures: regenerating a key immediately invalidates every client that still authenticates with it and every shared access signature that was signed with it. This is why the remediation below rotates the two keys one at a time, moving clients to the other key first.


Audit

To determine if storage account access keys are periodically regenerated, perform the following operations:

Using Azure Console

  1. Sign in to the Azure portal.

  2. Navigate to Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

  3. Click on the name of the storage account you want to examine.

  4. In the left navigation panel, under Security + networking, select Access keys.

  5. Review the Last rotated field for both key1 and key2.

  6. Verify that the Last rotated date for each key is within your organization's acceptable rotation period (recommended: 90 days or less).

  7. If the Last rotated field indicates a number of days greater than 90 (or greater than your organization's defined period of validity), the key should be rotated.

  8. Repeat steps no. 3 - 7 for each storage account in the current subscription.

  9. Repeat steps no. 2 - 8 for each subscription in your Azure account.

Using Azure CLI

  1. Run storage account list command (Windows/macOS/Linux) to list all storage accounts in a subscription:

    az storage account list \
    	--subscription <subscription-id> \
    	--query '[*].{Name:name, ResourceGroup:resourceGroup, Id:id}' \
    	--output table
    
  2. The command output should return a list of storage accounts with their details:

    Name                    ResourceGroup           Id
    ----------------------  ----------------------  -----------------------------------------------------
    ccstorageaccount01      production-rg           /subscriptions/.../storageAccounts/ccstorageaccount01
    ccstorageaccount02      development-rg          /subscriptions/.../storageAccounts/ccstorageaccount02
    
  3. For each storage account, run monitor activity-log list command to check whether a regenerateKey operation succeeded in the past 90 days. The Activity Log retains events for 90 days, so this method cannot evaluate longer rotation periods; the Last rotated date in the portal, which is derived from each key's creation time, has no such limit:

    az monitor activity-log list \
    	--resource-id "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>" \
    	--offset 90d \
    	--query "[?authorization.action=='Microsoft.Storage/storageAccounts/regenerateKey/action' && status.value=='Succeeded']"
    
  4. The command output should contain the following elements if the key was successfully regenerated within the past 90 days:

    [
    	{
    		"authorization": {
    			"action": "Microsoft.Storage/storageAccounts/regenerateKey/action",
    			"scope": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>"
    		},
    		"status": {
    			"localizedValue": "Succeeded",
    			"value": "Succeeded"
    		}
    	}
    ]
    

    Verify that the output contains:

    • "authorization"/"scope": Matches your storage account resource ID
    • "authorization"/"action": "Microsoft.Storage/storageAccounts/regenerateKey/action"
    • "status"/"localizedValue": "Succeeded"
    • "status"/"value": "Succeeded"
  5. If the command returns an empty array [] or no results, neither access key has been regenerated within the past 90 days. Note that a regenerateKey event as shown above does not indicate which of the two keys was regenerated, so a single event does not prove that both key1 and key2 are within the rotation period; confirm each key's Last rotated date in the portal if one event is found.

  6. Repeat steps no. 3 - 5 for each storage account in the subscription.

  7. Repeat steps no. 1 - 6 for each subscription in your Azure account.

Using Azure Policy

Azure also provides a built-in policy definition that reports storage account keys as expired by comparing each key's creation time with the account's key expiration period. Without an expiration period the policy has nothing to compare against, so set one first (Access keys > Set rotation reminder in the portal, or the --key-exp-days option of az storage account update):

  1. Sign in to the Azure portal.

  2. Navigate to Policy at https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions.

  3. Search for Policy ID: 044985bb-afe1-42cd-8a36-9d5d42424537 or Policy Name: Storage account keys should not be expired.

  4. Assign this policy to your subscriptions or management groups to continuously monitor storage account key rotation status.

  5. Review policy compliance reports to identify storage accounts with expired keys.

Remediation / Resolution

To regenerate storage account access keys, perform the following operations:

Using Azure Console

Important: Before regenerating keys, identify all applications and services using the current key and plan the rotation to avoid service disruption.

  1. Sign in to the Azure portal.

  2. Navigate to Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

  3. Click on the name of the storage account with outdated keys.

  4. In the left navigation panel, under Security + networking, select Access keys.

  5. Identify which key needs to be rotated (key1 or key2) based on the Last rotated date.

  6. Best Practice - Rotate keys one at a time:

    • If rotating key1: First update all applications to use key2, then rotate key1
    • If rotating key2: First update all applications to use key1, then rotate key2
  7. Click Rotate key next to the outdated key.

  8. In the confirmation prompt, click Yes to confirm that you want to regenerate the access key.

  9. After Azure regenerates the access key, verify that the Last rotated field shows (0 days ago).

  10. If the other key is also outdated, move applications to the newly regenerated key and repeat steps 7 - 9 for it; both keys should end up within the rotation period.

  11. Repeat steps no. 3 - 10 for each storage account that requires key rotation.

  12. Repeat steps no. 2 - 11 for each subscription in your Azure account.

Using Azure CLI

Important: Before regenerating keys, identify all applications and services using the current key and plan the rotation to avoid service disruption.

  1. Run storage account list command to get the storage account details:

    az storage account list \
    	--subscription <subscription-id> \
    	--query '[*].{Name:name, ResourceGroup:resourceGroup}' \
    	--output table
    
  2. Run storage account keys renew command to regenerate a specific key (replace <key-name> with either key1 or key2):

    az storage account keys renew \
    	--account-name <storage-account-name> \
    	--resource-group <resource-group> \
    	--key <key-name>
    
  3. The command output returns both keys, including their full values, so do not capture it in shell history, CI logs or tickets (the values below are placeholders):

    [
    	{
    		"creationTime": "2024-01-15T10:30:45.123456+00:00",
    		"keyName": "key1",
    		"permissions": "FULL",
    		"value": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234=="
    	},
    	{
    		"creationTime": "2023-10-20T08:15:30.654321+00:00",
    		"keyName": "key2",
    		"permissions": "FULL",
    		"value": "efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678efgh5678=="
    	}
    ]
    
  4. Update all applications and services to use the newly regenerated key value.

  5. After updating applications to use the regenerated key, you can rotate the second key following the same process.

  6. Repeat steps no. 2 - 5 for each storage account that requires key rotation.

  7. Repeat steps no. 1 - 6 for each subscription in your Azure account.
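The following script is an added example for this rule and is not Conformity's or Azure's own code. It serves both the CLI audit above and the remediation procedure: it reads the JSON that `az storage account keys list -o json` prints (the same `keyName` and `creationTime` fields the `keys renew` output shows), reports keys older than the 90-day period without depending on Activity Log retention, and emits the ordered steps for a one-key-at-a-time rotation. The sample key JSON is constructed, the account and resource group names are the ones used in the listings above, the "update every client" step is a placeholder instruction rather than a command, and the planner assumes that all clients of the account currently use a single key (`key_in_use`), which is the inventory the remediation steps ask you to build first.

```python
"""Audit storage account key age and plan a one-key-at-a-time rotation.

Added example for this rule; not Conformity's or Azure's code. Input is the
JSON printed by `az storage account keys list -o json` (keyName/creationTime,
the fields `keys renew` also prints). Sample data below is constructed.
"""
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90          # the rule's default rotation period
OTHER_KEY = {"key1": "key2", "key2": "key1"}

# Constructed sample, not captured from a real subscription: key1 was
# regenerated 121 days before NOW (stale), key2 10 days before (fresh).
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)
SAMPLE_KEYS_JSON = json.dumps([
    {"creationTime": "2024-01-15T00:00:00+00:00", "keyName": "key1",
     "permissions": "FULL", "value": "<redacted>"},
    {"creationTime": "2024-05-05T00:00:00+00:00", "keyName": "key2",
     "permissions": "FULL", "value": "<redacted>"},
])


def key_ages(keys_json, now=None):
    """Map keyName -> whole days since that key was last regenerated."""
    now = now or datetime.now(timezone.utc)
    ages = {}
    for key in json.loads(keys_json):
        # az prints ISO 8601 with a UTC offset; tolerate a bare 'Z' or none.
        created = datetime.fromisoformat(key["creationTime"].replace("Z", "+00:00"))
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)
        ages[key["keyName"]] = (now - created).days
    return ages


def stale_keys(keys_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Keys older than the rotation period (the rule's 'greater than 90 days')."""
    return sorted(name for name, age in key_ages(keys_json, now).items()
                  if age > max_age_days)


def rotation_plan(account, resource_group, keys_json, key_in_use,
                  now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Ordered steps that regenerate every stale key while no client is ever
    left holding an invalidated key. Assumes every client of the account
    currently authenticates with `key_in_use`."""
    if key_in_use not in OTHER_KEY:
        raise ValueError(f"key_in_use must be key1 or key2, got {key_in_use!r}")
    stale = stale_keys(keys_json, now, max_age_days)
    renew = (f"az storage account keys renew --account-name {account} "
             f"--resource-group {resource_group} --key ")
    idle = OTHER_KEY[key_in_use]
    steps = []
    if idle in stale:
        # Nothing depends on the idle key, so it can be regenerated at once.
        steps.append(renew + idle)
    if key_in_use in stale:
        # Move clients onto the idle key (fresh, or just regenerated), then
        # regenerate the key they left; SAS tokens signed with it die here.
        steps.append(f"update every client of {account} to use {idle}")
        steps.append(renew + key_in_use)
    return steps


if __name__ == "__main__":
    print("key ages:", key_ages(SAMPLE_KEYS_JSON, NOW))
    print("stale:", stale_keys(SAMPLE_KEYS_JSON, NOW))
    for step in rotation_plan("ccstorageaccount01", "production-rg",
                              SAMPLE_KEYS_JSON, key_in_use="key1", now=NOW):
        print(step)
```

To run it against a real account, pipe `az storage account keys list --account-name <name> --resource-group <rg> -o json` into `key_ages` and pass the key your clients actually use; the planner deliberately never regenerates the in-use key before the clients have been moved off it.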

By default, access keys are not regenerated periodically. Organizations must manually regenerate keys or implement automated key rotation processes to maintain security compliance.

Publication date Jun 7, 2019