include::../../../shared_content/secrets/description.adoc[] == Why is this an issue? include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? Access keys are used to authenticate to Azure Event Grid resources and can be employed for event publication to the resource. Shared Access Secrets (SAS) are generated from access keys and used to authenticate specific resources with particular permissions within a defined time frame. + Using Shared Access Signatures is always better than using access keys, because they reduce risk thanks to their scope and time limitation. However, hardcoding secret tokens is always a bad practice, and still exposes the resources to attacks. + This is a risk unless the whole resource is free of sensitive data. Note that the Microsoft docs can use different terminologies for these two tokens: * Access Keys are also called SAS keys * Shared Access Secrets are also called SAS tokens Below are some real-world scenarios that illustrate some impacts of an attacker exploiting these types of secrets. // Set value that can be used to refer to the type of secret in, for example: // "An attacker can use this {secret_type} to ..." :secret_type: secret // Where possible, use predefined content for common impacts. This content can // be found in the folder "shared_content/secrets/impact". // When using predefined content, search for any required variables to be set and include them in this file. // Not adding them will not trigger warnings. include::../../../shared_content/secrets/impact/non_repudiation.adoc[] include::../../../shared_content/secrets/impact/data_compromise.adoc[] include::../../../shared_content/secrets/impact/financial_loss.adoc[] == How to fix it include::../../../shared_content/secrets/fix/revoke.adoc[] include::../../../shared_content/secrets/fix/vault.adoc[] On top of that, use the Azure SDK as much as possible and their diverse credential objects. === Code examples ==== Noncompliant code example :example_secret: r=https%3a%2f%2fexample.westeurope-1.eventgrid.azure.net%2fapi%2fevents&e=1%2f1%2f0001%2012%3a02%3a52%20AM&s=gdcIr5dXR4dC3sNyK4Qree4XogaRma3YdtH7%2boCxSQo%3d :example_name: aeg-sas-token :example_env: AEG_SAS_TOKEN include::../../../shared_content/secrets/examples.adoc[] == Resources include::../../../shared_content/secrets/resources/standards.adoc[]