# Enforce encrypted Storage connections
Security · Storage Account · Rule · 2020_06 · Important
Storage accounts should only accept encrypted connections.
## Description

Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an untrusted party. Storage Accounts can instead be configured to require encrypted connections.

To do this, set the Secure transfer required option. When Secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.

Storage Accounts that are deployed with a newer API version have this option enabled by default. However, this does not prevent the option from being disabled afterwards.
## Recommendation
Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.
## Examples

### Configure with Azure template
To deploy Storage Accounts that pass this rule:
- For API versions older than 2019-04-01, set the `properties.supportsHttpsTrafficOnly` property to `true`.
- For API versions 2019-04-01 and newer:
  - Omit the `properties.supportsHttpsTrafficOnly` property, OR
  - Explicitly set the `properties.supportsHttpsTrafficOnly` property to `true`.
For example:

```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
```
### Configure with Bicep
To deploy Storage Accounts that pass this rule:
- For API versions older than 2019-04-01, set the `properties.supportsHttpsTrafficOnly` property to `true`.
- For API versions 2019-04-01 and newer:
  - Omit the `properties.supportsHttpsTrafficOnly` property, OR
  - Explicitly set the `properties.supportsHttpsTrafficOnly` property to `true`.
For example:

```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
```
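The API-version rule stated in both the template and Bicep sections above (explicit `true` required before 2019-04-01; omitted or `true` acceptable from 2019-04-01 onwards) can be checked offline against the ARM JSON that a template contains or that Bicep compiles to. The script below is an added example, not PSRule for Azure's own implementation; the function names, the `SAMPLE_TEMPLATE` resources and the fail-closed handling of unresolved `[parameters()]` expressions are assumptions made for this example.

```python
"""Offline check of the 'Secure transfer required' rule on ARM template resources.

Added example (not part of PSRule for Azure). Reproduces the rule from the page:
  - apiVersion older than 2019-04-01: supportsHttpsTrafficOnly must be explicitly true.
  - apiVersion 2019-04-01 or newer: property may be omitted (default true) or set to true.
"""
from datetime import date

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"
DEFAULT_TRUE_FROM = date(2019, 4, 1)  # first apiVersion whose default is true


def parse_api_version(api_version: str) -> date:
    """ARM API versions are YYYY-MM-DD, optionally suffixed with '-preview'."""
    year, month, day = api_version.split("-")[:3]
    return date(int(year), int(month), int(day))


def evaluate_storage_account(resource: dict) -> tuple[bool, str]:
    """Return (passes, reason) for one Microsoft.Storage/storageAccounts resource."""
    props = resource.get("properties") or {}
    value = props.get("supportsHttpsTrafficOnly")
    api_version = parse_api_version(resource["apiVersion"])

    if value is True:
        return True, "supportsHttpsTrafficOnly is explicitly true"
    if value is None:
        if api_version >= DEFAULT_TRUE_FROM:
            return True, "property omitted; default is true for this apiVersion"
        return False, "property omitted; default is false before apiVersion 2019-04-01"
    if isinstance(value, str) and value.startswith("["):
        # Assumption for this example: an unresolved template expression cannot be
        # evaluated offline, so it is treated as a failure until parameters are known.
        return False, f"value is an unresolved expression: {value}"
    return False, "supportsHttpsTrafficOnly is explicitly false"


def evaluate_template(template: dict) -> list[dict]:
    """Evaluate every storage account resource in a template; other types are skipped."""
    results = []
    for res in template.get("resources", []):
        if res.get("type") != STORAGE_TYPE:
            continue
        passed, reason = evaluate_storage_account(res)
        results.append(
            {
                "name": res.get("name"),
                "apiVersion": res["apiVersion"],
                "pass": passed,
                "reason": reason,
            }
        )
    return results


# Constructed sample template (not taken from the page) covering each case.
SAMPLE_TEMPLATE = {
    "resources": [
        {   # newer apiVersion, property omitted -> pass (default true)
            "type": STORAGE_TYPE, "apiVersion": "2023-01-01", "name": "stnewdefault",
            "properties": {"minimumTlsVersion": "TLS1_2"},
        },
        {   # older apiVersion, explicitly true -> pass
            "type": STORAGE_TYPE, "apiVersion": "2018-07-01", "name": "stoldexplicit",
            "properties": {"supportsHttpsTrafficOnly": True},
        },
        {   # older apiVersion, property omitted -> fail (default false)
            "type": STORAGE_TYPE, "apiVersion": "2018-07-01", "name": "stoldomitted",
            "properties": {},
        },
        {   # newer apiVersion but explicitly disabled -> fail
            "type": STORAGE_TYPE, "apiVersion": "2023-01-01", "name": "stnewdisabled",
            "properties": {"supportsHttpsTrafficOnly": False},
        },
        {   # unrelated resource type is ignored
            "type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-02-01", "name": "kv",
        },
    ]
}

if __name__ == "__main__":
    for result in evaluate_template(SAMPLE_TEMPLATE):
        status = "PASS" if result["pass"] else "FAIL"
        print(f"{status} {result['name']} ({result['apiVersion']}): {result['reason']}")
```

The version comparison is the part worth keeping in mind when reviewing templates: a resource that omits the property is only safe because of its `apiVersion`, so bumping a template down to an older API version silently changes the effective default.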
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
### Configure with Azure Policy

To address this issue at runtime use the following policies:

- Secure transfer to storage accounts should be enabled
  `/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9`
- Configure secure transfer of data on a storage account
  `/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb`
## Links
- SE:07 Encryption
- Require secure transfer in Azure Storage
- DP-3: Encrypt sensitive data in transit
- Sample policy for ensuring https traffic
- Azure deployment reference