---
title: Storage Account access keys should be periodically regenerated
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Storage Account access keys should be
  periodically regenerated
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Storage Account access keys should be periodically regenerated
 
## Description{% #description %}

Regenerate Storage Account access keys at least every 90 days so that a leaked key has a bounded lifetime. Azure generates two 512-bit access keys (`key1` and `key2`) per account, and both should have been regenerated within the last 90 days.

This rule passes when both access keys were last regenerated within the past 90 days. Accounts whose key creation timestamps are unavailable fail, since key rotation cannot be confirmed without them.

## Remediation{% #remediation %}

Regenerate any access key that has not been rotated in the last 90 days, and configure a key expiration policy to automate rotation reminders. See [Manually rotate access keys](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage#manually-rotate-access-keys) and [Create a key expiration policy](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage#create-a-key-expiration-policy).
