Ensure that all data transferred between clients and your Azure Storage account is encrypted in transit by requiring HTTPS ("Secure transfer required"). A Microsoft Azure Storage account contains data objects such as files, blobs, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is reachable from anywhere in the world over HTTP or HTTPS. Azure Storage is built to be scalable, durable, and highly available, but the confidentiality of that data on the wire depends on this setting: while plain HTTP is accepted, the request payloads and the credentials that authorize them (shared-key signatures, SAS tokens in query strings) can be read or replayed by anyone positioned on the network path.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
The "Secure transfer required" feature enhances the security of your storage account by accepting requests only over secure connections. For example, when the REST API is used to access one of your Azure storage accounts, clients must connect using HTTPS; the Azure Storage service rejects requests that use the HTTP protocol. Likewise, when you are using Azure Files, requests made without encryption fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some variants of the Linux SMB client. Two caveats for practitioners: the setting is not applied to requests that reach the account through a custom domain name, because Azure Storage does not terminate HTTPS for custom domains; and although the setting is enabled by default for new accounts created in the Azure portal, accounts created earlier or by tooling that sets the property explicitly may still allow HTTP, so existing accounts should be audited rather than assumed compliant.
Audit
To determine if secure data transfer is enabled within Azure Storage accounts configuration, perform the following actions:
Remediation / Resolution
To enable encryption of data-in-transit for all your Microsoft Azure Storage accounts, perform the following actions:
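The following script is an added example that is not part of the Conformity page; it shows how the audit and remediation steps above look when driven from the Azure CLI. It assumes the `az` CLI is installed and you have already run `az login` against the subscription you want to check. The storage account property behind "Secure transfer required" is `enableHttpsTrafficOnly`, which `az storage account list`/`show` expose and `az storage account update --https-only true` sets. The account names and resource groups used in the usage note are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not the Conformity page's own procedure): audit every storage account in
# the current subscription for "Secure transfer required" and print or apply the fix.
# Assumes: az CLI installed and `az login` already done.
set -euo pipefail

# Audit: list non-compliant accounts as TSV lines "name<TAB>resourceGroup".
# enableHttpsTrafficOnly==false means plain HTTP is still accepted.
list_noncompliant() {
  az storage account list \
    --query "[?enableHttpsTrafficOnly==\`false\`].[name,resourceGroup]" \
    -o tsv
}

# Normalise the TSV rendering of the boolean (az prints "True"/"False" in tsv output,
# JSON tooling may hand us "true"/"false"); returns 0 when the value means compliant.
is_compliant_value() {
  case "$1" in
    true|True|TRUE) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit a single account by name and resource group; returns 0 if compliant.
check_account() {
  local value
  value=$(az storage account show --name "$1" --resource-group "$2" \
            --query enableHttpsTrafficOnly -o tsv)
  is_compliant_value "$value"
}

# Remediation: build the az command that turns "Secure transfer required" on.
remediation_cmd() {
  local name="$1" rg="$2"
  printf 'az storage account update --name %s --resource-group %s --https-only true\n' \
    "$name" "$rg"
}

# Read TSV lines from stdin and either print (dry run, default) or run the fix.
# Returns the number of accounts processed via stdout of the caller's choosing.
remediate_all() {
  local apply="${1:-0}" name rg cmd
  while IFS=$'\t' read -r name rg; do
    [ -n "$name" ] || continue
    cmd=$(remediation_cmd "$name" "$rg")
    if [ "$apply" = 1 ]; then
      eval "$cmd"
    else
      echo "$cmd"
    fi
  done
}

main() {
  # APPLY=1 actually changes accounts; anything else is a dry run that prints commands.
  list_noncompliant | remediate_all "${APPLY:-0}"
}

# Gate execution behind an environment variable so the functions can be sourced
# (or tested) without contacting Azure.
if [ "${AZ_SECURE_TRANSFER_RUN:-0}" = 1 ]; then
  main
fi
```

Run `AZ_SECURE_TRANSFER_RUN=1 bash secure-transfer.sh` for a dry run that prints one `az storage account update ... --https-only true` line per non-compliant account, and add `APPLY=1` to execute them. Because `--query` filters server-side output with JMESPath, the script lists only accounts where the property is exactly `false`; accounts in other subscriptions need `az account set` first. After remediation, re-run the audit (or `check_account <name> <rg>`) to confirm the property reads `true`.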
References
- Azure Official Documentation
- Create a storage account
- Encryption in Transit
- Require secure transfer in Azure Storage
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- az
- az storage account list
- az storage account show
- az storage account update