Ensure that 'Secure transfer required' is set to 'Enabled'

The secure transfer option enhances the security of your storage account by allowing only requests made over a secure connection. Azure Storage does not support HTTPS for custom domain names, so this option is not applied when using a custom domain name.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.06
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageAccount should have httpsOnlyTraffic=true

REMEDIATION

From Portal

  1. Go to 'Storage accounts' and choose your storage account
  2. Select 'Configuration' under 'Settings' in the navigation menu
  3. Set 'Secure transfer required' to 'Enabled'
  4. Save

From TF
Set the 'enable_https_traffic_only' argument to 'true':

resource "azurerm_storage_account" "example" {
	# ... other arguments ...
	enable_https_traffic_only = true
	# ... other arguments ...
}

From Command Line
Run the following command, replacing the placeholders in angle brackets:

az storage account update --name <STORAGE_ACCOUNT> --resource-group <RESOURCE_GROUP> --https-only true
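To check many accounts at once, the rule can be evaluated over the JSON that `az storage account list --output json` returns. The script below is an added example, not CloudGuard's or Microsoft's code; it assumes the `enableHttpsTrafficOnly` and `customDomain` fields of that CLI output, and the sample accounts are constructed.

```python
import json
import shlex

# Constructed sample in the shape of `az storage account list --output json`,
# trimmed to the fields used here. Account and group names are made up.
SAMPLE = json.loads("""
[
  {"name": "prodlogs01", "resourceGroup": "rg-prod",
   "enableHttpsTrafficOnly": true, "customDomain": null},
  {"name": "legacyweb", "resourceGroup": "rg-web",
   "enableHttpsTrafficOnly": false, "customDomain": {"name": "files.example.com"}},
  {"name": "oldbackup", "resourceGroup": "rg-ops"}
]
""")

FIX = "az storage account update --name {} --resource-group {} --https-only true"


def audit(accounts):
    """Return one finding per account failing
    'StorageAccount should have httpsOnlyTraffic=true'."""
    findings = []
    for acct in accounts:
        # Only an explicit boolean true passes; false, null, a missing
        # field or a non-boolean value all count as failing.
        if acct.get("enableHttpsTrafficOnly") is True:
            continue
        findings.append({
            "name": acct["name"],
            "resource_group": acct["resourceGroup"],
            # Recorded because the setting is not applied to custom domains.
            "custom_domain": (acct.get("customDomain") or {}).get("name"),
            # Remediation command from this page, with shell-safe quoting.
            "fix": FIX.format(shlex.quote(acct["name"]),
                              shlex.quote(acct["resourceGroup"])),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FAIL {name} ({resource_group})".format(**f))
        if f["custom_domain"]:
            print("  note: custom domain {} in use; secure transfer is not "
                  "applied to it".format(f["custom_domain"]))
        print("  fix: " + f["fix"])
```

To audit a live subscription, replace `SAMPLE` with the parsed output of `az storage account list --output json`.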

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
  2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.0.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure Dashboard System Ruleset
  • Azure GDPR Readiness
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure ITSG-33
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark