Ensure that 'Secure transfer required' is set to 'Enabled'
The secure transfer option enhances the security of your storage account by allowing only requests made to the account over a secure connection. Azure Storage does not support HTTPS for custom domain names, so this option is not applied when using a custom domain name.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.06
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
StorageAccount should have httpsOnlyTraffic=true
REMEDIATION
From Portal
- Go to 'Storage accounts' and choose your storage account
- Select 'Configuration' under 'Settings' in the navigation menu
- Set 'Secure transfer required' to 'Enabled'
- Save
From TF
Set the 'enable_https_traffic_only' argument to 'true':
resource "azurerm_storage_account" "example" {
  # ...
  enable_https_traffic_only = true
  # ...
}
From Command Line
Run:
az storage account update --name <STORAGE_ACCOUNT> --resource-group <RESOURCE_GROUP> --https-only true
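An added example, not part of the CloudGuard rule or its documentation: a Python check that evaluates the same condition over JSON in the shape of `az storage account list` output and builds the command-line remediation above for each failing account. The field names `enableHttpsTrafficOnly` and `customDomain` are those the Azure CLI emits; the account data and the function names `audit` and `remediation` are constructed for illustration.

```python
import json
import shlex

# Constructed sample in the shape of `az storage account list -o json`.
SAMPLE = json.loads("""
[
 {"name": "prodlogs01", "resourceGroup": "rg-prod",
  "enableHttpsTrafficOnly": true, "customDomain": null},
 {"name": "legacyfiles", "resourceGroup": "rg-legacy",
  "enableHttpsTrafficOnly": false, "customDomain": null},
 {"name": "oldimport", "resourceGroup": "rg-legacy", "customDomain": null},
 {"name": "webassets", "resourceGroup": "rg-web",
  "enableHttpsTrafficOnly": true,
  "customDomain": {"name": "assets.example.com"}}
]
""")


def remediation(name, group):
    """Build the page's CLI fix, shell-quoting the two values."""
    return ("az storage account update --name {} --resource-group {} "
            "--https-only true").format(shlex.quote(name), shlex.quote(group))


def audit(accounts):
    """Return one finding per account that fails or needs review."""
    findings = []
    for acct in accounts:
        name, group = acct["name"], acct["resourceGroup"]
        # A missing or null flag is treated as a failure, not a pass.
        if acct.get("enableHttpsTrafficOnly") is not True:
            findings.append({"account": name, "status": "FAIL",
                             "fix": remediation(name, group)})
            continue
        # Per the rule text, the option is not applied on custom domains.
        domain = (acct.get("customDomain") or {}).get("name")
        if domain:
            findings.append({"account": name, "status": "REVIEW",
                             "custom_domain": domain})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To run it against a real subscription, replace `SAMPLE` with the parsed output of `az storage account list -o json`.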
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
- https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.0.0
- Azure CIS Foundations v. 1.1.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.3.0.1
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure CloudGuard SOC2 based on AICPA TSC 2017
- Azure Dashboard System Ruleset
- Azure GDPR Readiness
- Azure HIPAA
- Azure HITRUST v9.5.0
- Azure ISO 27001:2013
- Azure ITSG-33
- Azure LGPD regulation
- Azure NIST 800-171
- Azure NIST 800-53 Rev 4
- Azure NIST 800-53 Rev 5
- Azure NIST CSF v1.1
- Azure New Zealand Information Security Manual (NZISM) v.3.4
- Azure PCI-DSS 3.2
- CloudGuard Azure All Rules Ruleset
- Microsoft Cloud Security Benchmark
Updated about 1 year ago