Does this meet the goal?

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You regenerate the access keys.
Does this meet the goal?
A. Yes
B. No


2 thoughts on “Does this meet the goal?”

  1. The answer here is YES (A).

    You can easily regenerate “the” access key that was used to create the SAS, then generate another SAS using the other (secondary key) or new keys and use that instead.

    Note: A service SAS that is not associated with a stored access policy cannot be revoked. For this reason, limiting the expiry time so that the SAS is valid for one hour or less is recommended. Agreed that revoking an SAP linked with a SAS will work, but, as the question suggested, regenerating the access keys will also invalidate the SAS generated from it.

    https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations

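Why regenerating a key revokes the SASs signed with it, as an added example that is not part of the original page or comment: a SAS signature is an HMAC-SHA256 computed with an account key, so the service cannot validate it once that key is replaced. The `StorageAccount` class, the simplified string-to-sign and the resource paths are assumptions made for illustration; the model also goes one step beyond the comment by showing that a SAS signed with the second key stays valid until that key is regenerated too.

```python
import base64
import hashlib
import hmac
import secrets


def new_key() -> str:
    """Return a random 512-bit account key, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


def sign(key_b64: str, string_to_sign: str) -> str:
    """base64(HMAC-SHA256(decoded key, string-to-sign)), the SAS signature scheme."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


class StorageAccount:
    """Toy model (assumption) of Sa1: two account keys, either can sign a SAS."""

    def __init__(self):
        self.keys = {"key1": new_key(), "key2": new_key()}

    def issue_sas(self, key_name, resource, permissions, expiry):
        # Simplified string-to-sign; the real service signs more fields.
        sts = "\n".join([permissions, expiry, resource])
        return {"sr": resource, "sp": permissions, "se": expiry,
                "sig": sign(self.keys[key_name], sts)}

    def accepts(self, sas) -> bool:
        # Recompute the signature with each current key (expiry check omitted).
        sts = "\n".join([sas["sp"], sas["se"], sas["sr"]])
        return any(hmac.compare_digest(sign(k, sts), sas["sig"])
                   for k in self.keys.values())

    def regenerate(self, key_name):
        self.keys[key_name] = new_key()


def demo():
    sa1 = StorageAccount()
    # Constructed sample tokens: one signed with each key.
    blob_sas = sa1.issue_sas("key1", "/blob/Sa1/container", "rl", "2030-01-01T00:00:00Z")
    file_sas = sa1.issue_sas("key2", "/file/Sa1/share", "rl", "2030-01-01T00:00:00Z")
    before = (sa1.accepts(blob_sas), sa1.accepts(file_sas))
    sa1.regenerate("key1")
    after_key1 = (sa1.accepts(blob_sas), sa1.accepts(file_sas))
    sa1.regenerate("key2")
    after_both = (sa1.accepts(blob_sas), sa1.accepts(file_sas))
    return before, after_key1, after_both
```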
