Can Shared Access Signatures + Policies + $log data be used to enforce storage quotas?


I'm exploring if I can use the Azure Storage $logs in conjunction with an Access Policy to create and enforce end user quotas. The Access policy will allow me to terminate new sessions that are invalid for whatever reason.

This question is primarily about active connections, since I'm pretty sure there is no issue or risk with non-streaming data.

Assuming that I'm aggressively reading the $logs, and disable Shared Access Signatures once a threshold is reached, what "missing data" would there be for exploitation?

For example:

  • Are open / in progress uploads or downloads logged? (I can't audit what I can't yet see)

  • Once a policy is revoked, are the associated sessions terminated? (They can upload, download, or perhaps seek within the stream)

  • Can I read a log that is "open" by the Azure logging service and keep somewhat up-to-date metrics?

My assumption is that none of this occurs, and even with an Access Policy, there are several avenues for abuse.

1 answer

Bruce Chen On BEST ANSWER

Are open / in progress uploads or downloads logged? (I can't audit what I can't yet see)

As I know, operations against the Azure Storage Service are based on the Storage Service REST API. Here are the detailed operations that are logged for the corresponding storage service; you could refer to this official document.

Once a policy is revoked, are the associated sessions terminated? (They can upload, download, or perhaps seek within the stream)

I have tried to upload a large file to Azure Blob with SAS & Access Policies; when I revoked the policy, the subsequent upload requests were interrupted and returned 403 as follows:

For downloading a large file: if the request had reached the Azure Storage Service and authentication had passed, and then I revoked the policy, the pre-authenticated download request would continue and the file would be downloaded successfully. All my tests completely correspond with Gaurav Mantri's comments.

Can I read a log that is "open" by the Azure logging service and keep somewhat up-to-date metrics?

Per my understanding, we could leverage Microsoft Azure Storage Explorer to retrieve Storage Analytics log files as a simple way. We could download the log file and verify the detailed requests. As I know, there are no built-in features or tools that can read the Storage Analytics log and keep your opened log content somewhat up to date.
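As an added example (not code from the question or the answer), here is the kind of quota check the question describes: parse $logs records, attribute completed SAS traffic to the stored access policy named by the `si` query parameter, and list the policies whose logged bytes exceed a threshold. It assumes the version 1.0 log column order and runs over constructed sample records; since $logs only contain finished requests, a pre-authenticated download still in flight is invisible to it until it completes, which is the gap the answer points out.

```python
import csv
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# 0-based column positions in the Storage Analytics log format version 1.0
# (semicolon-delimited; url, object key and user-agent columns are double-quoted).
OP_TYPE, HTTP_STATUS, AUTH_TYPE, REQUEST_URL = 2, 4, 7, 11
REQ_PACKET_SIZE, RESP_PACKET_SIZE = 18, 20

# Constructed sample records, not real $logs output. A SAS issued from a stored
# access policy carries the policy id in its 'si' query parameter; 'sig' is redacted.
SAMPLE_LOG = """\
1.0;2017-01-01T00:00:00.0000000Z;PutBlob;SASSuccess;201;30;28;sas;;acct;blob;"https://acct.blob.core.windows.net/c/a.bin?si=user-a&sv=2015-04-05&sr=c&sig=REDACTED";"/acct/c/a.bin";r1;0;10.0.0.1:1000;2015-04-05;300;1048576;200;0;1048576;;;;;;"ua";;
1.0;2017-01-01T00:00:01.0000000Z;GetBlob;SASSuccess;200;40;38;sas;;acct;blob;"https://acct.blob.core.windows.net/c/big.bin?si=user-a&sv=2015-04-05&sr=c&sig=REDACTED";"/acct/c/big.bin";r2;0;10.0.0.1:1001;2015-04-05;300;0;200;3145728;0;;;;;;"ua";;
1.0;2017-01-01T00:00:02.0000000Z;GetBlob;SASSuccess;200;20;18;sas;;acct;blob;"https://acct.blob.core.windows.net/c/s.bin?si=user-b&sv=2015-04-05&sr=c&sig=REDACTED";"/acct/c/s.bin";r3;0;10.0.0.2:1002;2015-04-05;300;0;200;524288;0;;;;;;"ua";;
1.0;2017-01-01T00:00:03.0000000Z;GetBlob;SASAuthorizationError;403;5;4;sas;;acct;blob;"https://acct.blob.core.windows.net/c/x.bin?si=user-a&sv=2015-04-05&sr=c&sig=REDACTED";"/acct/c/x.bin";r4;0;10.0.0.1:1003;2015-04-05;300;0;200;0;0;;;;;;"ua";;
"""


def parse_records(text):
    """Split each $logs line on ';' while honouring the double-quoted columns."""
    return [row for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"') if row]


def policy_id(url):
    """Return the stored access policy id ('si') the SAS request used, or None."""
    return parse_qs(urlparse(url).query).get("si", [None])[0]


def bytes_per_policy(records):
    """Sum ingress + egress payload bytes of completed, successful SAS requests per policy."""
    totals = defaultdict(int)
    for r in records:
        # Rejected (e.g. 403 after revocation) or non-SAS requests are not charged.
        if r[AUTH_TYPE] != "sas" or not r[HTTP_STATUS].startswith("2"):
            continue
        pid = policy_id(r[REQUEST_URL])
        if pid:
            totals[pid] += int(r[REQ_PACKET_SIZE] or 0) + int(r[RESP_PACKET_SIZE] or 0)
    return dict(totals)


def policies_over_quota(records, quota_bytes):
    """Policies whose logged traffic exceeds the quota: candidates for revocation."""
    return sorted(p for p, used in bytes_per_policy(records).items() if used > quota_bytes)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(bytes_per_policy(recs))
    print(policies_over_quota(recs, 3 * 1024 * 1024))
```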