Storage Accounts Without Secure Transfer Enabled

The secure transfer option enhances the security of your storage account by only allowing requests to the storage account over a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When you are using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Storage Accounts without Secure transfer enabled.
JSON Query:
$.resource[*].azurerm_storage_account exists and ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyNull or $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyFalse)
Recommendation:
Recommended solution: enable Secure transfer for Azure Storage Accounts.
Ensure that Secure transfer is enabled for Azure Storage Accounts. Make sure the template has "enable_https_traffic_only" set to "true".
For example:
  "azurerm_storage_account": [
    {
      "<storage_account_name>": [
        {
          "account_replication_type": "GRS",
          "account_tier": "Standard",
          "enable_https_traffic_only": true,
          "location": "${azurerm_resource_group.b.location}",
          "name": "storageaccountname",
          "resource_group_name": "${azurerm_resource_group.b.name}"
        }
      ]
    }
  ]
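The build rule above is a JSON query over the Terraform-as-JSON layout (resource -> azurerm_storage_account -> <name> -> list of attribute maps). The following is an added example, not Prisma Cloud's own rule engine, that walks the same path in Python, reports accounts that fail either half of the query (the attribute missing or null, i.e. `anyNull`, or explicitly `false`, i.e. `anyFalse`) and shows the remediation of setting `enable_https_traffic_only` to `true`. The template and the account names `compliant_sa`, `explicit_http_sa` and `unset_sa` are constructed for the example. Note that the rule flags an absent attribute as well as a false one, so the attribute must be present and explicitly `true` in the template.

```python
"""Added example (not Prisma Cloud's code): evaluate the Secure transfer build rule
over a Terraform-as-JSON document and remediate the findings."""
import json

# Constructed sample template in the layout the JSON query walks:
#   $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only
# Account names are hypothetical. One account is compliant, one sets the
# attribute to false, one omits it entirely.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "azurerm_storage_account": [
        {
          "compliant_sa": [
            {"account_tier": "Standard", "account_replication_type": "GRS",
             "enable_https_traffic_only": true}
          ]
        },
        {
          "explicit_http_sa": [
            {"account_tier": "Standard", "account_replication_type": "LRS",
             "enable_https_traffic_only": false}
          ]
        },
        {
          "unset_sa": [
            {"account_tier": "Standard", "account_replication_type": "LRS"}
          ]
        }
      ]
    },
    {
      "azurerm_resource_group": [
        {"b": [{"name": "rg-example", "location": "westeurope"}]}
      ]
    }
  ]
}
""")

ATTRIBUTE = "enable_https_traffic_only"


def iter_storage_accounts(template):
    """Yield (name, attributes) for every azurerm_storage_account block,
    following the same path as the JSON query. Other resource types are skipped."""
    for resource_block in template.get("resource", []):
        for account_block in resource_block.get("azurerm_storage_account", []):
            for name, attribute_list in account_block.items():
                for attributes in attribute_list:
                    yield name, attributes


def find_insecure_transfer(template):
    """Return [(name, reason)] for accounts failing the rule.

    'anyNull'  -> the attribute is missing or null
    'anyFalse' -> the attribute is explicitly false
    """
    findings = []
    for name, attributes in iter_storage_accounts(template):
        value = attributes.get(ATTRIBUTE)
        if value is None:
            findings.append((name, "anyNull"))
        elif value is False:
            findings.append((name, "anyFalse"))
    return findings


def remediate(template):
    """Return a deep copy of the template with enable_https_traffic_only = true
    set explicitly on every storage account (the original is left untouched)."""
    fixed = json.loads(json.dumps(template))
    for _, attributes in iter_storage_accounts(fixed):
        attributes[ATTRIBUTE] = True
    return fixed


if __name__ == "__main__":
    for name, reason in find_insecure_transfer(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: {ATTRIBUTE} {reason}")
    print("findings after remediation:",
          find_insecure_transfer(remediate(SAMPLE_TEMPLATE)))
```

Running the block reports `explicit_http_sa` (anyFalse) and `unset_sa` (anyNull) and no findings after remediation; the compliant account is never listed. Point `json.loads` at the output of an HCL-to-JSON converter to evaluate a real template the same way.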

Run Rule Recommendation

  1. Login to Azure Portal.
  2. Go to Storage Accounts.
  3. For each storage account, go to Configuration.
  4. Set 'Secure transfer required' to Enabled.
Remediation CLI Command:
az storage account update --ids ${resourceId} --https-only true
CLI Command Description:
This CLI command requires 'Microsoft.Storage/storageAccounts/*' permission. Successful execution will enable secure transfer for this storage account.

Compliance

There are 13 standards that are applicable to this policy:
  • NIST 800-53 Rev4
  • HITRUST CSF v9.3
  • NIST CSF
  • CIS v1.1 (Azure)
  • GDPR
  • ISO 27001:2013
  • CSA CCM v3.0.1
  • PCI DSS v3.2
  • HIPAA
  • SOC 2
  • MITRE ATT&CK [Beta]
  • PIPEDA
  • CCPA 2018
