Merge pull request #1613 from rieck-srlabs/bugfix/1609-ignore-storage…

…-accounts-without-access-keys

Improves 'Access Keys Not Rotated' check

ScoutSuite/output/data/html/partials/azure/services.storageaccounts.subscriptions.id.storage_accounts.html

@@ -10,6 +10,7 @@ <h4 class="list-group-item-heading">Information</h4>
         <div class="list-group-item-text item-margin">Public Traffic: <span id="storageaccounts.subscriptions.{{@../key}}.storage_accounts.{{@key}}.public_traffic_allowed">{{convert_bool_to_enabled public_traffic_allowed }}</span></div>
         <div class="list-group-item-text item-margin">HTTPS Required: <span id="storageaccounts.subscriptions.{{@../key}}.storage_accounts.{{@key}}.https_traffic_enabled">{{convert_bool_to_enabled https_traffic_enabled}}</span></div>
         <div class="list-group-item-text item-margin">Microsoft Trusted Services: <span id="storageaccounts.subscriptions.{{@../key}}.storage_accounts.{{@key}}.trusted_microsoft_services_enabled">{{convert_bool_to_enabled trusted_microsoft_services_enabled }}</span></div>
+        <div class="list-group-item-text item-margin">Access Key Usage: <span id="storageaccounts.subscriptions.{{@../key}}.storage_accounts.{{@key}}.shared_key_access_allowed">{{convert_bool_to_enabled shared_key_access_allowed}}</span></div>
         <div class="list-group-item-text item-margin">Last Access Key Rotation:
             <span id="storageaccounts.subscriptions.{{@../key}}.storage_accounts.{{@key}}.access_keys_rotated">
                 {{#if access_keys_last_rotation_date }}

ScoutSuite/providers/azure/resources/storageaccounts/storage_accounts.py

@@ -45,6 +45,8 @@ def _parse_storage_account(self, raw_storage_account):
         storage_account['trusted_microsoft_services_enabled'] = \
             self._is_trusted_microsoft_services_enabled(raw_storage_account)
         storage_account['bypass'] = raw_storage_account.network_rule_set.bypass
+        # The default value (null) is equivalent to True
+        storage_account['shared_key_access_allowed'] = raw_storage_account.allow_shared_key_access != False
         storage_account['access_keys_last_rotation_date'] = \
             self._parse_access_keys_last_rotation_date(raw_storage_account.activity_logs)
         storage_account['encryption_key_source'] = raw_storage_account.encryption.key_source

ScoutSuite/providers/azure/rules/findings/storageaccount-access-keys-not-rotated.json

@@ -21,18 +21,26 @@
     "dashboard_name": "Storage Accounts",
     "path": "storageaccounts.subscriptions.id.storage_accounts.id",
     "conditions": [
-        "or",
+        "and",
         [
-            "storageaccounts.subscriptions.id.storage_accounts.id.access_keys_last_rotation_date",
-            "equal",
-            "None"
+            "storageaccounts.subscriptions.id.storage_accounts.id.shared_key_access_allowed",
+            "true",
+            ""
         ],
         [
-            "storageaccounts.subscriptions.id.storage_accounts.id.access_keys_last_rotation_date",
-            "olderThan",
+            "or",
             [
-                "_ARG_0_",
-                "days"
+                "storageaccounts.subscriptions.id.storage_accounts.id.access_keys_last_rotation_date",
+                "equal",
+                "None"
+            ],
+            [
+                "storageaccounts.subscriptions.id.storage_accounts.id.access_keys_last_rotation_date",
+                "olderThan",
+                [
+                    "_ARG_0_",
+                    "days"
+                ]
             ]
         ]
     ],

requirements.txt

@@ -35,7 +35,7 @@ azure-identity==1.5.0
 ## for resources
 
 azure-mgmt-resource==15.0.0
-azure-mgmt-storage==16.0.0
+azure-mgmt-storage==17.0.0
 azure-mgmt-monitor==2.0.0
 azure-mgmt-sql==1.0.0
 azure-mgmt-security==1.0.0