
Commit 697aebe

Merge pull request #215900 from tamram/tamram22-1018
SAS expiration policy/stored access policy
2 parents 7dff0c3 + 197ad91 commit 697aebe


5 files changed: +23 / -23 lines changed


articles/storage/blobs/TOC.yml

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -374,9 +374,9 @@ items:
374374
href: sas-service-create.md
375375
- name: Create an account SAS (.NET)
376376
href: ../common/storage-account-sas-create-dotnet.md?toc=/azure/storage/blobs/toc.json
377-
- name: Define a stored access policy
377+
- name: Create a stored access policy
378378
href: ../common/storage-stored-access-policy-define-dotnet.md?toc=/azure/storage/blobs/toc.json
379-
- name: Create a SAS expiration policy
379+
- name: Configure a SAS expiration policy
380380
href: ../common/sas-expiration-policy.md?toc=/azure/storage/blobs/toc.json
381381
- name: Manage anonymous read access to blob data
382382
items:
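Review bot: the renamed entry "Create a stored access policy" still points at `../common/storage-stored-access-policy-define-dotnet.md`, and the hunks for that file in this commit only touch a link sentence and a See also entry, not its `title:` front matter; check that the target page's title and H1 now say "Create" as well, otherwise the TOC label and the page heading will disagree. The "Configure a SAS expiration policy" entry does match the new H1 in `sas-expiration-policy.md`.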

articles/storage/blobs/blob-containers-portal.md

Lines changed: 7 additions & 7 deletions
@@ -32,7 +32,7 @@ To create a container in the [Azure portal](https://portal.azure.com), follow th
3232

3333
1. In the portal navigation pane on the left side of the screen, select **Storage accounts** and choose a storage account. If the navigation pane isn't visible, select the menu button to toggle its visibility.
3434

35-
:::image type="content" source="media/blob-containers-portal/menu-expand-sml.png" alt-text="Screenshot of the Azure Portal homepage showing the location of the Menu button in the browser." lightbox="media/blob-containers-portal/menu-expand-lrg.png":::
35+
:::image type="content" source="media/blob-containers-portal/menu-expand-sml.png" alt-text="Screenshot of the Azure portal homepage showing the location of the Menu button in the browser." lightbox="media/blob-containers-portal/menu-expand-lrg.png":::
3636

3737
1. In the navigation pane for the storage account, scroll to the **Data storage** section and select **Containers**.
3838
1. Within the **Containers** pane, select the **+ Container** button to open the **New container** pane.
@@ -107,7 +107,7 @@ To generate an SAS token using the [Azure portal](https://portal.azure.com), fol
107107
1. Select the checkbox next to the name of the container for which you'll generate an SAS token.
108108
1. Select the container's **More** button (**...**), and select **Generate SAS** to display the **Generate SAS** pane.
109109

110-
:::image type="content" source="media/blob-containers-portal/select-container-sas-sml.png" alt-text="Screenshot showing how to access container shared access signature settings within the Azure portal" lightbox="media/blob-containers-portal/select-container-sas-lrg.png":::
110+
:::image type="content" source="media/blob-containers-portal/select-container-sas-sml.png" alt-text="Screenshot showing how to access container shared access signature settings in the Azure portal." lightbox="media/blob-containers-portal/select-container-sas-lrg.png":::
111111

112112
1. Within the **Generate SAS** pane, select the **Account key** value for the **Signing method** field.
113113
1. In the **Signing method** field, select **Account key**. Choosing the account key will result in the creation of a service SAS.
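Review bot: context lines 112 and 113 are the same step stated twice ("select the **Account key** value for the **Signing method** field" and "In the **Signing method** field, select **Account key**"); since this section is being touched, fold them into a single step that keeps the explanation that the account key produces a service SAS. The hunk header and line 107 also say "an SAS token" while the other articles in this commit consistently use "a SAS"; pick one form article-wide.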
@@ -137,11 +137,11 @@ Configuring a stored access policy is a two-step process: the policy must first
137137
1. Select the checkbox next to the name of the container for which you'll generate an SAS token.
138138
1. Select the container's **More** button (**...**), and select **Access policy** to display the **Access policy** pane.
139139

140-
:::image type="content" source="media/blob-containers-portal/select-container-policy-sml.png" alt-text="Screenshot showing how to access container stored access policy settings within the Azure portal." lightbox="media/blob-containers-portal/select-container-policy-lrg.png":::
140+
:::image type="content" source="media/blob-containers-portal/select-container-policy-sml.png" alt-text="Screenshot showing how to access container stored access policy settings in the Azure portal." lightbox="media/blob-containers-portal/select-container-policy-lrg.png":::
141141

142142
1. Within the **Access policy** pane, select **+ Add policy** in the **Stored access policies** section to display the **Add policy** pane. Any existing policies will be displayed in either the appropriate section.
143143

144-
:::image type="content" source="media/blob-containers-portal/select-add-policy-sml.png" alt-text="Screenshot showing how to add a stored access policy settings within the Azure portal." lightbox="media/blob-containers-portal/select-add-policy-lrg.png":::
144+
:::image type="content" source="media/blob-containers-portal/select-add-policy-sml.png" alt-text="Screenshot showing how to add a stored access policy in the Azure portal." lightbox="media/blob-containers-portal/select-add-policy-lrg.png":::
145145

146146
1. Within the **Add policy** pane, select the **Identifier** box and add a name for your new policy.
147147
1. Select the **Permissions** field, then select the check boxes corresponding to the permissions desired for your new policy.
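Review bot: context line 142 reads "Any existing policies will be displayed in either the appropriate section", which is not a complete sentence (the "either" pairs with nothing); suggest "Any existing policies are displayed in the appropriate section." The alt-text change on line 144, dropping the stray "settings", reads correctly.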
@@ -151,7 +151,7 @@ Configuring a stored access policy is a two-step process: the policy must first
151151
> [!CAUTION]
152152
> Although your policy is now displayed in the **Stored access policy** table, it is still not applied to the container. If you navigate away from the **Access policy** pane at this point, the policy will *not* be saved or applied and you will lose your work.
153153
154-
:::image type="content" source="media/blob-containers-portal/select-save-policy-sml.png" alt-text="Screenshot showing how to define a stored access policy within the Azure portal." lightbox="media/blob-containers-portal/select-save-policy-lrg.png":::
154+
:::image type="content" source="media/blob-containers-portal/select-save-policy-sml.png" alt-text="Screenshot showing how to create a stored access policy within the Azure portal." lightbox="media/blob-containers-portal/select-save-policy-lrg.png":::
155155

156156
1. In the **Access policy** pane, select **+ Add policy** to define another policy, or select **Save** to apply your new policy to the container. After creating at least one stored access policy, you'll be able to associate other secure access signatures (SAS) with it.
157157

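Review bot: the new alt text on line 154 keeps "within the Azure portal" while every other alt text in this file is being changed from "within the Azure portal" to "in the Azure portal"; make this one "in the Azure portal" as well. Context line 156 also expands SAS as "secure access signatures"; everywhere else in this commit the term is "shared access signatures (SAS)", and the wrong expansion is worth correcting while the section is open.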
@@ -183,7 +183,7 @@ To acquire a lease using the Azure portal, follow these steps:
183183
1. Select the checkbox next to the name of the container for which you'll acquire a lease.
184184
1. Select the container's **More** button (**...**), and select **Acquire lease** to request a new lease and display the details in the **Lease status** pane.
185185

186-
:::image type="content" source="media/blob-containers-portal/acquire-container-lease-sml.png" alt-text="Screenshot showing how to access container lease settings within the Azure portal." lightbox="media/blob-containers-portal/acquire-container-lease-lrg.png":::
186+
:::image type="content" source="media/blob-containers-portal/acquire-container-lease-sml.png" alt-text="Screenshot showing how to access container lease settings in the Azure portal." lightbox="media/blob-containers-portal/acquire-container-lease-lrg.png":::
187187

188188
1. The **Container** and **Lease ID** property values of the newly requested lease are displayed within the **Lease status** pane. Copy and paste these values in a secure location. They'll only be displayed once and can't be retrieved after the pane is closed.
189189

@@ -247,4 +247,4 @@ You can restore a soft-deleted container and its contents within the retention p
247247
- [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=%2fazure%2fstorage%2fblobs%2ftoc.json)
248248
- [Manage blob containers using PowerShell](blob-containers-powershell.md)
249249

250-
<!--Point-in-time restore: /azure/storage/blobs/point-in-time-restore-manage?tabs=portal-->
250+
<!--Point-in-time restore: /azure/storage/blobs/point-in-time-restore-manage?tabs=portal-->
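Review bot: the removed and added line 250 are identical as rendered (`<!--Point-in-time restore: /azure/storage/blobs/point-in-time-restore-manage?tabs=portal-->`), so this hunk is a whitespace or end-of-file newline change only; if that is unintended, drop it so the diff stays limited to the rename.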

articles/storage/common/sas-expiration-policy.md

Lines changed: 11 additions & 11 deletions
@@ -1,19 +1,19 @@
11
---
2-
title: Create an expiration policy for shared access signatures
2+
title: Configure an expiration policy for shared access signatures (SAS)
33
titleSuffix: Azure Storage
4-
description: Create a policy on the storage account that defines the length of time that a shared access signature (SAS) should be valid. Learn how to monitor policy violations to remediate security risks.
4+
description: Configure a policy on the storage account that defines the length of time that a shared access signature (SAS) should be valid. Learn how to monitor policy violations to remediate security risks.
55
services: storage
66
author: jimmart-dev
77

88
ms.service: storage
99
ms.topic: how-to
10-
ms.date: 04/18/2022
10+
ms.date: 10/25/2022
1111
ms.author: jammart
1212
ms.reviewer: nachakra
1313
ms.subservice: common
1414
---
1515

16-
# Create an expiration policy for shared access signatures
16+
# Configure an expiration policy for shared access signatures
1717

1818
You can use a shared access signature (SAS) to delegate access to resources in your Azure Storage account. A SAS token includes the targeted resource, the permissions granted, and the interval over which access is permitted. Best practices recommend that you limit the interval for a SAS in case it is compromised. By setting a SAS expiration policy for your storage accounts, you can provide a recommended upper expiration limit when a user creates a service SAS or an account SAS.
1919

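Review bot: the `title:` front matter gains a "(SAS)" suffix ("Configure an expiration policy for shared access signatures (SAS)") but the H1 on line 16 does not; keep the two identical so search results and the page heading match. The old title is also still used as link text in `storage-sas-overview.md` (its context line 161 reads "Create an expiration policy for shared access signatures"), so that link text needs the same rename in this PR.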
@@ -31,16 +31,16 @@ A SAS expiration policy does not prevent a user from creating a SAS with an expi
3131

3232
When a SAS expiration policy is in effect for the storage account, the signed start field is required for every SAS. If the signed start field is not included on the SAS, and you have configured a diagnostic setting for logging with Azure Monitor, then Azure Storage writes a message to the **SasExpiryStatus** property in the logs whenever a user creates or uses a SAS without a value for the signed start field.
3333

34-
## Create a SAS expiration policy
34+
## Configure a SAS expiration policy
3535

36-
When you create a SAS expiration policy on a storage account, the policy applies to each type of SAS that is signed with the account key. The types of shared access signatures that are signed with the account key are the service SAS and the account SAS.
36+
When you configure a SAS expiration policy on a storage account, the policy applies to each type of SAS that is signed with the account key. The types of shared access signatures that are signed with the account key are the service SAS and the account SAS.
3737

3838
> [!NOTE]
39-
> Before you can create a SAS expiration policy, you may need to rotate each of your account access keys at least once.
39+
> Before you can configure a SAS expiration policy, you may need to rotate each of your account access keys at least once.
4040
4141
### [Azure portal](#tab/azure-portal)
4242

43-
To create a SAS expiration policy in the Azure portal, follow these steps:
43+
To configure a SAS expiration policy in the Azure portal, follow these steps:
4444

4545
1. Navigate to your storage account in the Azure portal.
4646
1. Under **Settings**, select **Configuration**.
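Review bot: renaming the H2 from "Create a SAS expiration policy" to "Configure a SAS expiration policy" changes its anchor from `#create-a-sas-expiration-policy` to `#configure-a-sas-expiration-policy`; the in-article link is updated in the later hunk at line 156, but any other article linking to the old anchor will silently land at the top of the page, so grep the repo for `#create-a-sas-expiration-policy` before merging. The NOTE on line 39 says you "may need to rotate each of your account access keys at least once" without saying under what condition; if the condition is known, state it, since a reader cannot act on "may".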
@@ -53,7 +53,7 @@ To create a SAS expiration policy in the Azure portal, follow these steps:
5353

5454
### [PowerShell](#tab/azure-powershell)
5555

56-
To create a SAS expiration policy, use the [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) command, and then set the `-SasExpirationPeriod` parameter to the number of days, hours, minutes, and seconds that a SAS token can be active from the time that a SAS is signed. The string that you provide the `-SasExpirationPeriod` parameter uses the following format: `<days>.<hours>:<minutes>:<seconds>`. For example, if you wanted the SAS to expire 1 day, 12 hours, 5 minutes, and 6 seconds after it is signed, then you would use the string `1.12:05:06`.
56+
To configure a SAS expiration policy, use the [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) command, and then set the `-SasExpirationPeriod` parameter to the number of days, hours, minutes, and seconds that a SAS token can be active from the time that a SAS is signed. The string that you provide the `-SasExpirationPeriod` parameter uses the following format: `<days>.<hours>:<minutes>:<seconds>`. For example, if you wanted the SAS to expire 1 day, 12 hours, 5 minutes, and 6 seconds after it is signed, then you would use the string `1.12:05:06`.
5757

5858
```powershell
5959
$account = Set-AzStorageAccount -ResourceGroupName <resource-group> `
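Review bot: line 56 is being rewritten anyway, so fix the dropped preposition in "The string that you provide the `-SasExpirationPeriod` parameter" to "The string that you provide to the `-SasExpirationPeriod` parameter"; the same wording appears in the Azure CLI tab.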
@@ -77,7 +77,7 @@ The SAS expiration period appears in the console output.
7777
7878
### [Azure CLI](#tab/azure-cli)
7979

80-
To create a SAS expiration policy, use the [az storage account update](/cli/azure/storage/account#az-storage-account-update) command, and then set the `--key-exp-days` parameter to the number of days, hours, minutes, and seconds that a SAS token can be active from the time that a SAS is signed. The string that you provide the `--key-exp-days` parameter uses the following format: `<days>.<hours>:<minutes>:<seconds>`. For example, if you wanted the SAS to expire 1 day, 12 hours, 5 minutes, and 6 seconds after it is signed, then you would use the string `1.12:05:06`.
80+
To configure a SAS expiration policy, use the [az storage account update](/cli/azure/storage/account#az-storage-account-update) command, and then set the `--key-exp-days` parameter to the number of days, hours, minutes, and seconds that a SAS token can be active from the time that a SAS is signed. The string that you provide the `--key-exp-days` parameter uses the following format: `<days>.<hours>:<minutes>:<seconds>`. For example, if you wanted the SAS to expire 1 day, 12 hours, 5 minutes, and 6 seconds after it is signed, then you would use the string `1.12:05:06`.
8181

8282
```azurecli-interactive
8383
az storage account update \
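Review bot: line 80 tells the reader to set `--key-exp-days` to a `<days>.<hours>:<minutes>:<seconds>` string such as `1.12:05:06`, but the parameter name reads as a key-expiration setting expressed in whole days, not a SAS expiration period; since this sentence is being rewritten, confirm against the linked `az storage account update` reference that this is the SAS expiration parameter and that it accepts that format, and correct the name if not. The sentence also has the same "provide the ... parameter" wording as the PowerShell tab; "provide to the" reads better in both.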
@@ -153,7 +153,7 @@ To monitor your storage accounts for compliance with the key expiration policy,
153153

154154
:::image type="content" source="media/sas-expiration-policy/policy-compliance-report-portal-inline.png" alt-text="Screenshot showing how to view the compliance report for the SAS expiration built-in policy" lightbox="media/sas-expiration-policy/policy-compliance-report-portal-expanded.png":::
155155

156-
To bring a storage account into compliance, configure a SAS expiration policy for that account, as described in [Create a SAS expiration policy](#create-a-sas-expiration-policy).
156+
To bring a storage account into compliance, configure a SAS expiration policy for that account, as described in [Configure a SAS expiration policy](#configure-a-sas-expiration-policy).
157157

158158
## See also
159159

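Review bot: the hunk header context (line 153) says "compliance with the key expiration policy" in an article about the SAS expiration policy, and the built-in policy referenced on line 154 is the SAS expiration one, so that sentence should say "SAS expiration policy". The alt text on line 154 also lacks the terminal period that the other alt texts in this commit are being given.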
articles/storage/common/storage-sas-overview.md

Lines changed: 1 addition & 1 deletion
@@ -160,7 +160,7 @@ The following recommendations for using shared access signatures can help mitiga
160160

161161
- **Configure a SAS expiration policy for the storage account.** A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning. If Azure Storage logging with Azure Monitor is enabled, then an entry is written to the Azure Storage logs. To learn more, see [Create an expiration policy for shared access signatures](sas-expiration-policy.md).
162162

163-
- **Define a stored access policy for a service SAS.** Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future. There is a limit of five stored access policies per container.
163+
- **Create a stored access policy for a service SAS.** Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future. There is a limit of five stored access policies per container.
164164

165165
- **Use near-term expiration times on an ad hoc SAS service SAS or account SAS.** In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.
166166

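Review bot: context line 161 links to `sas-expiration-policy.md` with the text "Create an expiration policy for shared access signatures", but that article's title and H1 are renamed to "Configure ..." in this same commit; update the link text here in the same hunk. Two further points in the visible context: the renamed bullet on line 163 tells the reader to set stored access policy expiration "very far in the future (or infinite)" while the next bullet (line 165) recommends near-term expiration so that a compromised SAS is valid only briefly, and a sentence explaining why the two pieces of advice do not conflict would help a reader; and line 165's "an ad hoc SAS service SAS or account SAS" has a duplicated "SAS" and should read "an ad hoc service SAS or account SAS".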
articles/storage/common/storage-stored-access-policy-define-dotnet.md

Lines changed: 2 additions & 2 deletions
@@ -30,7 +30,7 @@ The following Azure Storage resources support stored access policies:
3030
>
3131
> Stored access policies are supported for a service SAS only. Stored access policies are not supported for account SAS or user delegation SAS.
3232
33-
For more information about stored access policies, see [Define a stored access policy](/rest/api/storageservices/define-stored-access-policy).
33+
For more information about stored access policies, see [Create a stored access policy](/rest/api/storageservices/define-stored-access-policy).
3434

3535
## Create a stored access policy
3636

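Review bot: the link text on line 33 becomes "Create a stored access policy", but the destination is the REST reference at `/rest/api/storageservices/define-stored-access-policy`, whose slug still says "define" and whose title this PR does not change; link text should match the destination page's title, so either keep "Define a stored access policy" for links to the REST page or reword to something like "see the Define Stored Access Policy REST reference".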
@@ -125,5 +125,5 @@ private static async Task CreateStoredAccessPolicyAsync(CloudBlobContainer conta
125125
## See also
126126

127127
- [Grant limited access to Azure Storage resources using shared access signatures (SAS)](storage-sas-overview.md)
128-
- [Define a stored access policy](/rest/api/storageservices/define-stored-access-policy)
128+
- [Create a stored access policy](/rest/api/storageservices/define-stored-access-policy)
129129
- [Configure Azure Storage connection strings](storage-configure-connection-string.md)
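Review bot: the See also entry on line 128 now reads "Create a stored access policy" while pointing at the `define-stored-access-policy` REST reference, whose title is not changed by this PR; link text for an external reference should reproduce that page's title, so keep "Define a stored access policy" here (the rename to "Create" belongs to this article's own H2 on line 35, which already uses it).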
