Microsoft To Tighten Azure Storage Default Permissions
Microsoft on Wednesday pledged to tighten how Azure Functions works with Azure Storage to address security concerns that were raised by Orca Security.
Orca Security on Wednesday published an account describing a security issue with Azure Storage that could enable remote code execution by an attacker. In its account, Orca indicated that it is "possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access tokens of higher privileged identities, move laterally, access critical business assets, and execute remote code (RCE)."
The key problem lies with Azure Storage's "shared key authorization" setting, which is enabled by default. An account access key grants full control of the storage account, so anything that can read the key holds that access. Despite the default, Microsoft's own guidance recommends avoiding shared key authorization and using Azure Active Directory credentials instead as a security best practice.
Here's how Orca Security described this conundrum:
By default, Azure Storage account requests can be authorized with either Azure Active Directory (Azure AD) credentials or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key authorization, and is recommended by Microsoft.
"Here we have default behavior, but it is highly recommended to disallow it as a security best practice," Orca Security noted regarding Microsoft's shared key authorization default setting.
Microsoft's announcement stated that the behavior demonstrated by Orca Security "was not a security issue." Nonetheless, it is planning to change how Azure Functions works with Azure Storage accounts. It plans to roll out "identity-based connections to AzureWebJobsStorage" so that "identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization."
Azure Storage customers can address these potential issues now by enabling least-privilege access controls for storage accounts, while also monitoring Activity Logs for attempts to access account keys, Microsoft indicated. They can also use Microsoft Defender for Cloud to protect storage accounts.
Microsoft also stressed that using its Azure services involves customers accepting a "shared responsibility model." Here's how Microsoft put it:
Per the shared responsibility model, access management is a responsibility of the cloud customer and an important aspect of creating role assignments is the selection of the correct scope of assignment adhering to the security principle of least privilege. Apps and users should not be given broader access than is strictly necessary.
Orca Security's broader point, that Azure Storage customers get a default configuration contrary to Microsoft's recommended security practices, seems to have gone unaddressed in Microsoft's announcement. However, Microsoft's plan to establish identity-based access by default for AzureWebJobsStorage seems to be a positive step.
Microsoft indicated that its identity-based connections for AzureWebJobsStorage capability is currently at the preview stage, but it will be designed to prevent the use of "over-privileged permissions."
In the meantime, Microsoft recommended using Role-Based Access Control at the administrative level and least-access permissions as safeguards for organizations using Azure Storage. Organizations should also monitor Azure Storage to "detect unusual or unauthorized changes on a storage resource."
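The guidance above boils down to three checks a storage administrator can run today: find accounts that still allow shared key authorization, disable it where nothing depends on the account keys, and watch the Activity Log for reads of those keys. The following Python is an added example written for this article, not Microsoft's or Orca Security's code. It works offline on constructed sample data shaped like the JSON that `az storage account list -o json` and `az monitor activity-log list -o json` return; the account names, resource groups, callers and the example Function App name are made up. One caveat it encodes: an account that has never had the setting touched reports `allowSharedKeyAccess` as null, and null means the default applies, so shared key access is allowed. Only an explicit `false` disables it.

```python
"""Audit Azure Storage accounts for shared key authorization and key reads.

Added example for this article (not Microsoft's or Orca Security's code).
Runs offline on constructed sample data; all names below are made up.
"""
import json

# Constructed sample in the shape of `az storage account list -o json`,
# trimmed to the fields used here. Two accounts never had the setting
# changed (null), one was explicitly hardened (false).
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "funcapphoststg01", "resourceGroup": "rg-functions",
   "allowSharedKeyAccess": null},
  {"name": "prodblobdata02", "resourceGroup": "rg-data",
   "allowSharedKeyAccess": true},
  {"name": "hardenedlogs03", "resourceGroup": "rg-data",
   "allowSharedKeyAccess": false}
]
""")

# Constructed Activity Log records in the shape of
# `az monitor activity-log list -o json`, trimmed to the fields used here.
ACCOUNT_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/"
                  "resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/")
SAMPLE_ACTIVITY_LOG = json.loads("""
[
  {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
   "caller": "ci-pipeline@example.com", "status": {"value": "Succeeded"},
   "resourceId": "%(p)sprodblobdata02", "eventTimestamp": "2023-04-12T09:15:00Z"},
  {"operationName": {"value": "Microsoft.Storage/storageAccounts/read"},
   "caller": "alice@example.com", "status": {"value": "Succeeded"},
   "resourceId": "%(p)sprodblobdata02", "eventTimestamp": "2023-04-12T09:16:00Z"},
  {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
   "caller": "bob@example.com", "status": {"value": "Failed"},
   "resourceId": "%(p)shardenedlogs03", "eventTimestamp": "2023-04-12T09:17:00Z"}
]
""" % {"p": ACCOUNT_PREFIX})

# Activity Log operation recorded when someone reads the account keys.
LIST_KEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"


def shared_key_enabled(account):
    """True when shared key authorization is allowed on the account.

    The property is null (or absent) on accounts that never had it set, and
    that means the default applies: shared key access is allowed. Only an
    explicit False disables it, so compare against False, not truthiness.
    """
    return account.get("allowSharedKeyAccess") is not False


def accounts_allowing_shared_key(accounts):
    """Names of accounts still accepting shared key authorization."""
    return [a["name"] for a in accounts if shared_key_enabled(a)]


def remediation_commands(accounts):
    """Azure CLI commands that disable shared key authorization per account."""
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in accounts if shared_key_enabled(a)
    ]


def identity_based_host_storage_commands(function_app, resource_group, account_name):
    """Azure CLI commands that move a Function App's AzureWebJobsStorage from a
    connection string to an identity-based connection: the runtime reads the
    account name from AzureWebJobsStorage__accountName, and the old
    AzureWebJobsStorage setting (which carries the key) must be removed.
    Assign data-plane roles to the app's managed identity separately; check
    Microsoft's current docs for the exact roles the runtime needs.
    """
    return [
        f"az functionapp config appsettings set --name {function_app} "
        f"--resource-group {resource_group} "
        f"--settings AzureWebJobsStorage__accountName={account_name}",
        f"az functionapp config appsettings delete --name {function_app} "
        f"--resource-group {resource_group} --setting-names AzureWebJobsStorage",
    ]


def successful_key_reads(events):
    """(caller, account) pairs for successful listKeys operations: the events
    to alert on, since each one hands the caller full control of the account."""
    hits = []
    for e in events:
        if e["operationName"]["value"] != LIST_KEYS_OP:
            continue
        if e["status"]["value"] != "Succeeded":
            continue
        hits.append((e["caller"], e["resourceId"].rsplit("/", 1)[-1]))
    return hits


if __name__ == "__main__":
    print("shared key allowed:", accounts_allowing_shared_key(SAMPLE_ACCOUNTS))
    print("\n".join(remediation_commands(SAMPLE_ACCOUNTS)))
    print("\n".join(identity_based_host_storage_commands(
        "func-orders", "rg-functions", "funcapphoststg01")))
    print("key reads:", successful_key_reads(SAMPLE_ACTIVITY_LOG))
```

Run the remediation only after the Function Apps and other workloads using an account have been switched to identity-based connections; disabling shared key access on an account whose Function App host storage still uses a connection string breaks the app. The `listKeys` filter is deliberately limited to successful calls, which is what matters for detection; failed calls are still worth a lower-priority alert as a sign of probing.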