Skip to content

Enforce encrypted Storage connections#

Security · Storage Account · Azure.Storage.SecureTransfer

Storage accounts should only accept encrypted connections.

Description#

Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an un-trusted party. Storage Accounts can be configured to require encrypted connections.

To do this set the Secure transfer required option. When secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.

Recommendation#

Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the properties.supportsHttpsTrafficOnly property to true.

For example:

{
    "comments": "Storage Account",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-06-01",
    "name": "st0000001",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "accessTier": "Hot"
    }
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the properties.supportsHttpsTrafficOnly property to true.

For example:

resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: 'st0000001'
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    accessTier: 'Hot'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

Last update: 2021-09-24