

Azure Shared Key Authentication Enabled on Storage Account

The Azure Storage account allows authentication using the legacy Shared Key mechanism because shared_access_key_enabled is not explicitly set to false. This permits any party with access to the storage account key to authenticate directly against the storage account, bypassing Azure AD-based authentication, RBAC, Conditional Access, Privileged Identity Management, and other identity-governed controls. If the account key is leaked, exposed in deployment output, stored insecurely, or shared too broadly, an attacker may gain broad access to storage resources without requiring a valid Azure AD identity.

Remediation

Explicitly disable Shared Key authentication by setting shared_access_key_enabled = false on the storage account. Use Azure AD authentication with least-privilege RBAC roles for all access to storage resources. Rotate existing storage account keys after disabling legacy key-based access, and review any applications or services that may still depend on Shared Key authentication.
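The check below is an added example, not code from the original page or from SecDim. It embeds a constructed Terraform snippet with three `azurerm_storage_account` resources (one that leaves `shared_access_key_enabled` unset, one that sets it to `true`, and one remediated with `false`) and scans the source for accounts that still accept Shared Key authentication. The resource names and the regex-based scanner are assumptions made for illustration; the finding for the unset case relies on the azurerm provider's documented default of `true` for this attribute.

```python
import re

# Constructed sample Terraform configuration (not from the original page).
# Two accounts are flagged: one leaves the attribute unset (provider default
# is true), one sets it to true. The third is the remediated configuration.
SAMPLE_TF = '''
resource "azurerm_storage_account" "legacy_default" {
  name                     = "stlegacydefault"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_account" "legacy_explicit" {
  name                      = "stlegacyexplicit"
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = true
}

resource "azurerm_storage_account" "hardened" {
  name                      = "sthardened"
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  # Remediation: only Azure AD identities with RBAC roles may authenticate.
  shared_access_key_enabled = false
}
'''

# Matches one storage account resource block: captures its name and body.
# Assumes the block closes with "}" at the start of a line (standard
# terraform fmt layout); nested blocks are not needed for this attribute.
RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.DOTALL,
)

# Matches the attribute assignment on its own line inside a block body.
ATTR_RE = re.compile(
    r'^\s*shared_access_key_enabled\s*=\s*(true|false)\s*$',
    re.MULTILINE,
)


def find_shared_key_enabled(tf_source):
    """Return {resource_name: reason} for every azurerm_storage_account in
    tf_source that still permits Shared Key authentication. Accounts that set
    shared_access_key_enabled = false are not reported."""
    findings = {}
    for match in RESOURCE_RE.finditer(tf_source):
        name, body = match.group(1), match.group(2)
        attr = ATTR_RE.search(body)
        if attr is None:
            findings[name] = (
                "shared_access_key_enabled not set (provider default is true)"
            )
        elif attr.group(1) == "true":
            findings[name] = "shared_access_key_enabled explicitly set to true"
    return findings


if __name__ == "__main__":
    for account, reason in find_shared_key_enabled(SAMPLE_TF).items():
        print(f"[high] {account}: {reason}")
```

Running the script reports `legacy_default` and `legacy_explicit` and stays silent on `hardened`. The same control can be applied outside Terraform: the Azure CLI exposes it as `az storage account update --allow-shared-key-access false`, and the ARM property is `allowSharedKeyAccess`, so a policy or drift check that reads the deployed account should compare against that property rather than trusting the code alone.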

Metadata

  • Severity: high
  • Slug: azure-shared-key-authentication-enabled-on-storage-account

Tags

  • Azure

CWEs

  • 284: Improper Access Control

OWASP

  • A05:2021: Security Misconfiguration
