Secure transfer required is not enabled

ID: storage_accounts_transport_encryption

Severity: high

Vendor: Azure

Resource: SQL server

Tags: reachable

Description

Secure transport should be enabled for Storage Accounts.

Microsoft recommends that you always require secure transfer for all of your storage accounts. When secure transfer is required, a call to an Azure Storage REST API operation must be made over HTTPS. A request made over HTTP is rejected.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "bad",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "location": "remote",
      "properties": {
        "supportsHttpsTrafficOnly": false
      }
    }
  ]
}
The storage account does not have secure transport enabled: supportsHttpsTrafficOnly is false.

Terraform

resource "azurerm_storage_account" "disabled" {
  name                     = "storageaccountname"
  resource_group_name      = "azurerm_resource_group.example.name"
  location                 = "azurerm_resource_group.example.location"
  account_tier             = "Standard"
  account_replication_type = "GRS"

  enable_https_traffic_only = false # Unsafe HTTP traffic allowed.
}

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "good",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "location": "remote",
      "properties": {
        "supportsHttpsTrafficOnly": true
      }
    }
  ]
}
The storage account has secure transport enabled: supportsHttpsTrafficOnly is true.

Terraform

resource "azurerm_storage_account" "disabled" {
  name                     = "storageaccountname"
  resource_group_name      = "azurerm_resource_group.example.name"
  location                 = "azurerm_resource_group.example.location"
  account_tier             = "Standard"
  account_replication_type = "GRS"

  enable_https_traffic_only = true # FIXED
}
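
A build-time check for the ARM case above, as an added example (not code from the original page or from any scanner): it flags storage accounts that set supportsHttpsTrafficOnly to false, leave it unset on an API version older than 2019-04-01 (the property defaults to true only from that version on), or set it through a template expression. The function name, the sample template and the account names "legacy" and "param" are constructed for illustration.

```python
import json

# Constructed sample template (not from the page): account names are illustrative.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"name": "bad", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2019-06-01",
     "properties": {"supportsHttpsTrafficOnly": false}},
    {"name": "legacy", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2018-07-01", "properties": {}},
    {"name": "param", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2019-06-01",
     "properties": {"supportsHttpsTrafficOnly": "[parameters('httpsOnly')]"}},
    {"name": "good", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2019-06-01",
     "properties": {"supportsHttpsTrafficOnly": true}}
  ]
}
""")

# supportsHttpsTrafficOnly defaults to true only from this API version onward.
DEFAULT_TRUE_SINCE = "2019-04-01"


def insecure_storage_accounts(template):
    """Return (name, reason) for each storage account that may accept HTTP."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        name = res.get("name", "<unnamed>")
        value = (res.get("properties") or {}).get("supportsHttpsTrafficOnly")
        if value is False:
            findings.append((name, "explicitly disabled"))
        elif value is None:
            # API versions are ISO dates, so string comparison orders them.
            if res.get("apiVersion", "") < DEFAULT_TRUE_SINCE:
                findings.append((name, "unset on an API version older than 2019-04-01"))
        elif value is not True:
            # e.g. "[parameters('x')]": cannot be decided without parameter values.
            findings.append((name, "not a literal true; review the expression"))
    return findings


if __name__ == "__main__":
    for name, reason in insecure_storage_accounts(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```

Only top-level resources are inspected; storage accounts declared inside nested deployments need the same check applied to the inner template.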

Runtime

Azure Portal

To change the policy, log in to the Azure Portal and then:

  • Navigate to your storage account.

  • Select Configuration.

  • Select Enabled for Secure transfer required.

  • Save.

CLI Command

To enable secure transport, use the following command:

$ az storage account update -g <resource group name> -n <storage account name> --https-only true