nuclei-templates/cloud/azure/storageaccounts/azure-storage-overly-permissive-sap.yaml

id: azure-storage-overly-permissive-sap
info:
  name: Azure Storage Overly Permissive Stored Access Policies
  author: princechaddha
  severity: high
  description: |
    Ensure that your Microsoft Azure Storage shared access signatures don't have full access to your storage account resources (i.e. blob objects, files, tables, and queues) via stored access policies. A stored access policy provides an additional level of control over service-level shared access signatures, enhancing security by managing constraints for one or more shared access signatures.    
  impact: |
    Having overly permissive stored access policies can expose your storage resources to unnecessary risks, violating the principle of least privilege.    
  remediation: |
    Review and restrict the permissions in your stored access policies to ensure they align with the principle of least privilege.    
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
  tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config

flow: |
  code(1);
  for (let accountName of iterate(template.accountNames)) {
    set("accountName", accountName);
    code(2);
    for (let containerName of iterate(template.containerNames)) {
      set("containerName", containerName);
      code(3);
    }
  }  

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].name'      

    extractors:
      - type: json
        name: accountNames
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage container list --account-name "$accountName" --query '[*].name'      

    extractors:
      - type: json
        name: containerNames
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage container policy list --account-name "$accountName" --container-name "$containerName"      

    matchers:
      - type: word
        words:
          - '{}'

    extractors:
      - type: dsl
        dsl:
          - 'accountName + " with container " + containerName + " has overly permissive stored access policies"'
# digest: 490a0046304402205f55a9e3c87c8d7deddd5bfa965a2719337dd923e3546da1f58459e51b67eb7f0220237c0611682c444f26e722516a7ae9912f66601cc142a968fc65d0ce3e930112:922c64590222798bb761d5b6d8e72950