#1 Global Leader in Data Protection & Ransomware Recovery
#1 Global Leader in Data Protection & Ransomware Recovery
BACK TO KB LIST

Azure Storage Account Key Security Advisory

KB ID: 4449
Product: Veeam Backup & Replication | 12
Veeam Backup for Microsoft 365 | 7.0
Veeam Agent for Microsoft Windows | 6.0
Veeam Agent for Linux | 6.0
Veeam Backup for Microsoft Azure | 5.0
Veeam Agent for Mac | 2.0
Published: 2023-05-12
Last Modified: 2023-05-31
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Purpose

This article highlights a flaw in the design of Microsoft Azure roles that could lead to breaches between control and data planes. If a control plane user's account is compromised, it can be used to access and alter files stored in the storage accounts accessible to them.

Cause

The ListKeys permission allows "control plane" users, who are not supposed to be able to modify data, to list access keys. These access keys can then be used to read and write data to the storage accounts. An example of a role with the ListKeys permissions is Storage Account Contributor.



Example Diagram:
Shared Keys
  • User1 belongs to Resource Group A and can list all keys within that Resource Group.
    • Storage Account A
    • Storage Account B
  • User2 belongs to Storage Account A and can only list the key for that Storage Account.
    • Storage Account A.
  • User3 belongs to Resource Group A and Resource Group B. and can list all keys within both groups. 
    • Storage Account A
    • Storage Account B
    • Storage Account C
    • Storage Account D
  • User4 is a top-level account and can list Keys within all Resource Groups.
    • Storage Account A
    • Storage Account B
    • Storage Account C
    • Storage Account D
    • Storage Account E
    • Storage Account F

Solution

We strongly encourage customers to review:

 

Veeam's Additional Recommendations:

  • Limit the number of users that have access to your storage accounts.
  • Storage accounts used to store sensitive data should be placed in separate resource groups.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Start using Veeam:
Download the product
&
Activate the license key
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.