Skill Being Reviewed
Skill name: azure-review
Skill path: skills/cloud/azure-review/
False Positive Analysis
Benign or misleading case that can be over-credited:
resource "azurerm_storage_account" "records" {
  # (name, resource group, location, tier and replication are omitted in the reviewed snippet)
  allow_blob_public_access  = false      # azurerm v2 attribute; v3+ renamed it allow_nested_items_to_be_public
  min_tls_version           = "TLS1_2"
  # enable_https_traffic_only is not set; the azurerm default is true, which is the "HTTPS enforced" the skill credits
  shared_access_key_enabled = true       # account keys stay on, so account SAS tokens can still be minted with them
}
# Operational export process creates account SAS links (sig= omitted here):
# sv=2025-01-01&ss=bf&srt=sco&sp=rwdlacupiytfx&se=2028-12-31T23:59:59Z
Why this is a false positive:
The skill can mark a storage account as safe because anonymous public access is disabled, HTTPS-only traffic is enforced, and the minimum TLS version is modern. None of those three settings reveals a long-lived account SAS: the token is signed with the account key (shared_access_key_enabled = true), so whoever holds the URL gets broad bearer access that is neither anonymous nor visible as public blob access. SAS expiry, permissions, scope, stored access policies, and revocation evidence need separate checks.
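The check the paragraph above asks for, as an added example (hypothetical code, not part of the azure-review skill): it parses the query string of a SAS URL and returns the evidence fields the review wants, covering the long-lived account SAS in missed variant 1 and the user delegation and stored access policy edge cases below. The 7-day threshold, the review date and the second (user delegation) sample token are assumptions made for illustration; the first token is the one from the reviewed export process.

```python
"""Hypothetical SAS evidence checker (added example, not azure-review code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(days=7)      # assumed review threshold for "long-lived"
MUTATING = set("wdyacupix")           # sp= letters that change data, as treated here
REVIEW_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)   # assumed review date

# Token from the reviewed export process (signature omitted on the page as well).
EXPORT_SAS = "sv=2025-01-01&ss=bf&srt=sco&sp=rwdlacupiytfx&se=2028-12-31T23:59:59Z"
# Constructed contrast: short-lived, read/list only, HTTPS-only user delegation SAS.
SHORT_UD_SAS = ("sv=2025-01-01&sr=c&sp=rl&se=2026-01-01T02:00:00Z&spr=https"
                "&skoid=00000000-0000-0000-0000-000000000000"
                "&sktid=11111111-1111-1111-1111-111111111111"
                "&skt=2026-01-01T00:00:00Z&ske=2026-01-02T00:00:00Z&sks=b&sig=REDACTED")


def parse_sas(sas):
    """Split a SAS query string (leading '?' optional) into single-valued params."""
    return {k: v[0] for k, v in parse_qs(sas.lstrip("?"), keep_blank_values=True).items()}


def sas_kind(p):
    if "skoid" in p:                # signed with a user delegation key (Entra identity)
        return "user-delegation"
    if "ss" in p and "srt" in p:    # signed services + resource types => account SAS
        return "account"
    if "sr" in p:                   # signed resource (b, c, f, ...) => service SAS
        return "service"
    return "unknown"


def parse_time(value):
    """SAS timestamps are ISO 8601 UTC; date-only and minute forms are accepted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAS timestamp {value!r}")


def review_sas(sas, now=None):
    """Return evidence fields plus a dict of finding code -> explanation."""
    p = parse_sas(sas)
    now = now or datetime.now(timezone.utc)
    kind = sas_kind(p)
    findings, expires_in_days = {}, None

    if "se" not in p:
        findings["NO_EXPIRY"] = "no se= parameter; valid until the signing key is revoked"
    else:
        remaining = parse_time(p["se"]) - now
        expires_in_days = remaining.days
        if remaining <= timedelta(0):
            findings["EXPIRED"] = f"expired at {p['se']}"
        elif remaining > MAX_LIFETIME:
            findings["LONG_LIVED"] = f"valid until {p['se']} ({remaining.days} days; limit {MAX_LIFETIME.days})"

    mutating = "".join(sorted(set(p.get("sp", "")) & MUTATING))
    if mutating:
        findings["MUTATING_PERMISSIONS"] = f"sp= grants write-capable permissions {mutating}"

    if kind == "account":
        if set(p.get("srt", "")) & set("sc"):
            findings["ACCOUNT_WIDE_SCOPE"] = f"srt={p['srt']} reaches service/container level on ss={p.get('ss', '')}"
        # Stored access policies apply to service SAS only, so an account SAS can only
        # be revoked early by rotating the account key that signed it.
        findings["REVOKE_BY_KEY_ROTATION"] = "account SAS: early revocation means rotating the signing key"
    elif kind == "service" and "si" not in p:
        findings["REVOKE_BY_KEY_ROTATION"] = "ad-hoc service SAS (no si=): early revocation means rotating the signing key"

    if p.get("spr", "https,http") != "https":   # spr omitted => token permits both protocols
        findings["HTTP_ALLOWED_BY_TOKEN"] = "spr= does not pin the token to HTTPS; only the account setting blocks HTTP"
    if "sip" not in p:
        findings["NO_IP_RESTRICTION"] = "no sip= range; the bearer token works from anywhere"

    return {"kind": kind, "expires_in_days": expires_in_days,
            "permissions": p.get("sp", ""), "findings": findings}


if __name__ == "__main__":
    for label, token in (("export account SAS", EXPORT_SAS), ("user delegation SAS", SHORT_UD_SAS)):
        result = review_sas(token, now=REVIEW_NOW)
        print(f"{label}: kind={result['kind']} expires_in_days={result['expires_in_days']}")
        for code, text in result["findings"].items():
            print(f"  {code}: {text}")
```

Run against the export token it reports an account SAS with about three years of life, write-capable permissions, account-wide scope and no revocation path short of key rotation; the user delegation token produces none of those findings, which is the contrast the recommendations below rely on.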
Coverage Gaps
Missed variant 1: long-lived account SAS with broad permissions
The account SAS (sp=rwdlacupiytfx, srt=sco, ss=bf) grants read, write, delete, list, add, create, update, process, immutability, permanent-delete, tag and filter permissions at service, container and object level across the blob and file services until the end of 2028. Stored access policies apply only to service SAS, so this token cannot be bound to one; revoking it before expiry means rotating the account key that signed it, which also invalidates every other SAS signed with that key.
Missed variant 2: cross-tenant external sharing
The container is private, but external guest users retain Storage Blob Data Contributor through a group not reviewed by subscription owners.
Edge Cases
- User delegation SAS is safer than account SAS but still needs expiry, scope, and audit evidence.
- Stored access policies can become stale.
- Trusted Azure services can bypass network rules if misconfigured.
- ADLS Gen2 ACLs can diverge from RBAC assignments.
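An effective-access resolver for missed variant 2 and the ADLS ACL edge case above, as an added example (hypothetical code, not part of the azure-review skill). The inputs are constructed and only loosely mirror the shapes of `az role assignment list`, a group membership listing and an ADLS Gen2 ACL string (`user::rwx,group::r-x,other::---,user:<oid>:rwx,...`); all identifiers and UPNs are made up. The resolver expands group assignments transitively, flags guest users holding data-plane storage roles, and lists ACL principals that have no corresponding RBAC assignment.

```python
"""Hypothetical effective-access resolver (added example, not azure-review code)."""
DATA_PLANE_ROLES = {
    "Storage Blob Data Owner", "Storage Blob Data Contributor", "Storage Blob Data Reader",
}
SCOPE = "/subscriptions/sub-1/resourceGroups/rg-records/providers/Microsoft.Storage/storageAccounts/records"

# Constructed sample role assignments on the storage account scope.
ROLE_ASSIGNMENTS = [
    {"principalId": "grp-partners", "principalType": "Group",
     "roleDefinitionName": "Storage Blob Data Contributor", "scope": SCOPE},
    {"principalId": "usr-alice", "principalType": "User",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": SCOPE},
    {"principalId": "sp-export", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SCOPE},
]
# Constructed group membership, including a nested group.
GROUP_MEMBERS = {"grp-partners": ["usr-bob", "usr-carol", "grp-vendor"], "grp-vendor": ["usr-dave"]}
# Constructed directory lookup; B2B guests carry userType Guest and an #EXT# UPN.
DIRECTORY = {
    "usr-alice": {"userPrincipalName": "alice@contoso.example", "userType": "Member"},
    "usr-bob": {"userPrincipalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
    "usr-carol": {"userPrincipalName": "carol@contoso.example", "userType": "Member"},
    "usr-dave": {"userPrincipalName": "dave_vendor.example#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
}
# Constructed ADLS Gen2 ACL on a filesystem path.
ADLS_ACL = "user::rwx,group::r-x,other::---,user:usr-erin:rwx,group:grp-partners:r-x,default:user:usr-erin:rwx"


def expand_group(group_id, group_members, seen=None):
    """Transitive user membership of a group; tolerates nesting and cycles."""
    seen = set() if seen is None else seen
    users = set()
    if group_id in seen:
        return users
    seen.add(group_id)
    for member in group_members.get(group_id, []):
        if member in group_members:              # nested group
            users |= expand_group(member, group_members, seen)
        else:
            users.add(member)
    return users


def effective_user_roles(assignments, group_members):
    """Map user id -> [(role, how it was granted)] for data-plane roles only."""
    effective = {}
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in DATA_PLANE_ROLES:
            continue
        if a["principalType"] == "Group":
            targets = [(u, f"group {a['principalId']}") for u in expand_group(a["principalId"], group_members)]
        elif a["principalType"] == "User":
            targets = [(a["principalId"], "direct")]
        else:
            continue   # service principals and managed identities are reviewed separately
        for user, via in targets:
            effective.setdefault(user, []).append((role, via))
    return effective


def is_guest(user):
    return user.get("userType") == "Guest" or "#EXT#" in user.get("userPrincipalName", "")


def external_data_access(assignments, group_members, directory):
    """Guest users holding data-plane storage roles, with the path that grants them."""
    out = []
    for user_id, grants in sorted(effective_user_roles(assignments, group_members).items()):
        user = directory.get(user_id, {})
        if is_guest(user):
            out.append({"user": user_id, "upn": user.get("userPrincipalName"), "grants": grants})
    return out


def parse_acl(acl):
    """Named ACL entries as (scope, kind, oid, perms); owner/group/other/mask entries are skipped."""
    entries = []
    for item in acl.split(","):
        parts = item.split(":")
        scope = "access"
        if parts[0] == "default":                # default ACLs propagate to new children
            scope, parts = "default", parts[1:]
        if len(parts) != 3 or not parts[1]:
            continue
        entries.append((scope, parts[0], parts[1], parts[2]))
    return entries


def acl_rbac_divergence(acl, assignments, group_members):
    """ACL principals with no data-plane RBAC role on the account, directly or via group."""
    rbac_users = set(effective_user_roles(assignments, group_members))
    rbac_groups = {a["principalId"] for a in assignments
                   if a["principalType"] == "Group" and a["roleDefinitionName"] in DATA_PLANE_ROLES}
    return [e for e in parse_acl(acl)
            if e[2] not in (rbac_users if e[1] == "user" else rbac_groups)]


if __name__ == "__main__":
    for hit in external_data_access(ROLE_ASSIGNMENTS, GROUP_MEMBERS, DIRECTORY):
        print("guest with data-plane access:", hit)
    for entry in acl_rbac_divergence(ADLS_ACL, ROLE_ASSIGNMENTS, GROUP_MEMBERS):
        print("ACL entry without RBAC backing:", entry)
```

The two guests surface even though the container is private, and both are reached only through the partner group, which is the evidence a subscription owner would need; usr-erin shows up twice because the access ACL and the default ACL both name it while RBAC never does.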
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| Microsoft Defender for Cloud | Partial | Can flag storage hardening, but SAS inventory and effective exposure still need review. |
| Azure Policy | Partial | Can constrain shared key and public access, but SAS tokens are operational artifacts, not resources that policy evaluates. |
| Storage analytics logs | Partial | Can show SAS usage if logging is enabled and retained. |
Overall Assessment
Strengths: Clear CIS Azure benchmark flow and useful severity examples for public storage, Defender, Key Vault, networking, and App Service.
Needs improvement: Storage review should include bearer-token access paths and effective external principals.
Priority recommendations:
- Add SAS token evidence fields.
- Require short expiry and least-privilege SAS scope.
- Prefer user delegation SAS and document account SAS exceptions.
- Add external guest/group and ADLS ACL effective-access checks.
Related Reviews Checked
Searches for "azure-review SAS token storage account" did not show a close existing review. This review is storage-token specific, not a general Azure benchmark refresh.
Bounty Info