Secure transfer required is not enabled

ID

storage_accounts_transport_encryption

Severity

high

Vendor

Azure

Resource

SQL server

Tags

asvs50-v11.3.1, asvs50-v14.2.2, reachable

Description

Secure transport should be enabled for Storage Accounts.

Microsoft recommends that you always require secure transfer for all of your storage accounts. When secure transfer is required, every call to an Azure Storage REST API operation must be made over HTTPS; a request made over HTTP is rejected.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "bad", (1)
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "location": "remote",
      "properties": {
        "supportsHttpsTrafficOnly": false
      }
    }
  ]
}
1 Storage account does not have secure transport enabled.

Terraform

resource "azurerm_storage_account" "disabled" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  enable_https_traffic_only = false (1)
}
1 Unsafe HTTP traffic allowed.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "good", (1)
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "location": "remote",
      "properties": {
        "supportsHttpsTrafficOnly": true
      }
    }
  ]
}
1 Storage account has secure transport enabled.

Terraform

resource "azurerm_storage_account" "disabled" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  enable_https_traffic_only = true # FIXED
}
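An added buildtime check, not part of this rule page or of any scanner: a small Python script that flags storage accounts permitting HTTP in both the ARM and Terraform shapes shown above. It assumes two facts about the platforms rather than the page: supportsHttpsTrafficOnly defaults to true only from ARM API version 2019-04-01 onward (so an omitted property on an older apiVersion is a finding), and the azurerm provider attribute defaults to true and was renamed https_traffic_only_enabled in v4 (so only an explicit false is a finding). The sample template and HCL are constructed.

```python
import json
import re

# supportsHttpsTrafficOnly defaults to true only from API version 2019-04-01 on;
# for older API versions an omitted property means HTTP is still accepted (assumption).
DEFAULT_HTTPS_ONLY_SINCE = "2019-04-01"


def arm_findings(template_json: str) -> list[str]:
    """Names of storageAccounts resources in an ARM template that accept plain HTTP."""
    findings = []
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        https_only = res.get("properties", {}).get("supportsHttpsTrafficOnly")
        if https_only is None:  # omitted: apply the API-version default (ISO dates sort lexically)
            https_only = res.get("apiVersion", "") >= DEFAULT_HTTPS_ONLY_SINCE
        if https_only is not True:
            findings.append(res.get("name", "<unnamed>"))
    return findings


# One azurerm_storage_account block: its label, then the body up to the first '}' in column 0.
TF_BLOCK = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
# Provider attribute (renamed https_traffic_only_enabled in azurerm v4); it defaults to true.
TF_FLAG = re.compile(r"^\s*(?:enable_https_traffic_only|https_traffic_only_enabled)\s*=\s*(true|false)", re.M)


def terraform_findings(hcl: str) -> list[str]:
    """Labels of azurerm_storage_account blocks that explicitly set the flag to false."""
    return [label for label, body in TF_BLOCK.findall(hcl)
            if (m := TF_FLAG.search(body)) and m.group(1) == "false"]


# Constructed sample inputs, not taken from the rule page.
SAMPLE_ARM = json.dumps({"resources": [
    {"name": "legacyhttp", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2018-07-01", "properties": {}},
    {"name": "modern", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2019-06-01", "properties": {}},
    {"name": "explicitoff", "type": "Microsoft.Storage/storageAccounts",
     "apiVersion": "2019-06-01", "properties": {"supportsHttpsTrafficOnly": False}},
]})
SAMPLE_TF = """resource "azurerm_storage_account" "disabled" {
  name                      = "storageaccountname"
  enable_https_traffic_only = false
}
resource "azurerm_storage_account" "fixed" {
  name                       = "storageaccountname2"
  https_traffic_only_enabled = true
}
"""
```

Running arm_findings(SAMPLE_ARM) reports legacyhttp and explicitoff but not modern; terraform_findings(SAMPLE_TF) reports only disabled.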

Runtime

Azure Portal

To change the setting, log in to the Azure Portal and then:

  • Navigate to your storage account.

  • Select Configuration.

  • Select Enabled for Secure transfer required.

  • Save.

CLI Command

To enable secure transport, use the following command:

$ az storage account update -g <resource group name> -n <storage account name> --https-only true