Cyscale
Back to controls

Ensure Shared Access Signature Tokens Expire Within One Hour

> In its original form, this control cannot be audited since SAS tokens are not stored in Azure. Cyscale checks the [SAS expiration policy](https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#about-sas-expiration-policies) for each storage account.

Category

Controls

Low

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

In its original form, this control cannot be audited since SAS tokens are not stored in Azure. Cyscale checks the SAS expiration policy for each storage account.

Expire shared access signature tokens within an hour.

Rationale

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. It can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible, preferably no longer than an hour.

Default Value

By default, the expiration for shared access signature tokens is 8 hours.

Remediation guidance

There is no way to change existing SAS tokens since they are not stored in Azure.

We recommend setting a SAS expiration policy. While the policy does not enforce the upper expiration limit when creating tokens, this seems to be an upcoming feature. The policy helps you track the usage of SAS tokens valid over a longer interval than the SAS expiration policy recommends.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure Storage Accounts Without SAS Expiration Policy

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { sasPolicyExpirationAction: "" }
        {
          AND: [
            { NOT: { sasPolicySasExpirationPeriod_STARTS_WITH: "0.00" } }
            { NOT: { sasPolicySasExpirationPeriod: "0.01:00:00" } }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon