
Enable Secure Transfer in Azure Storage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-001

Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol. A Microsoft Azure Storage account contains data objects such as files, blobs, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP/HTTPS. All data stored within your Azure Storage account is secure, scalable, durable, and highly available.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The "Secure transfer required" feature enhances the security of your storage account by accepting requests only over secure connections. For example, when the REST API is used to access one of your Azure storage accounts, you must connect using HTTPS; otherwise the Azure Storage service rejects requests that use the HTTP protocol. Likewise, when you are using the Azure Storage Files service, requests made without encryption fail, including scenarios that use SMB 2.1, SMB 3.0 without encryption, and some variants of the Linux SMB client.


Audit

To determine if secure data transfer is enabled within Azure Storage accounts configuration, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to examine.

04 In the navigation panel, choose Configuration to access the selected storage account configuration settings.

05 On the Configuration page, check the Secure transfer required setting status. If Secure transfer required is set to Disabled, the data in transit between clients and the resources available in the selected Azure Storage account is not encrypted.

06 Repeat steps no. 3 – 5 for each storage account available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the identifier for each storage account available in the current Azure subscription:

az storage account list \
  --query '[*].name'

02 The command output should return the requested identifiers (i.e. storage account names):

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234",
  "123412341234abcdabcdabcd"
]

03 Run storage account show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter, with custom query filters to retrieve the configuration status of the "Secure transfer required" security feature:

az storage account show \
  --name abcd1234abcd1234abcd1234 \
  --query 'enableHttpsTrafficOnly'

04 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the command output returns false, as shown in the example above, the data in transit between clients and the resources available in the selected Azure Storage account (i.e. files, blobs, queues, tables, and disks) is not encrypted.

05 Repeat steps no. 3 and 4 for each storage account available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable encryption of data-in-transit for all your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to examine.

04 In the navigation panel, choose Configuration to access the selected storage account configuration settings.

05 On the Configuration page, select Enabled next to Secure transfer required setting to enable encryption for data in transit between clients and the selected Azure Storage account.

06 Click Save to apply the configuration changes. If successful, the following message should be displayed: "Successfully updated storage account". Once the changes are saved, only HTTPS requests are allowed to the selected storage account.

07 Repeat steps no. 3 – 6 for each storage account created within the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account update command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to reconfigure as the identifier parameter (see the Audit section, part I, to identify the right account name). Setting the --https-only parameter to true enables encryption of data-in-transit for the selected storage account (the command does not produce an output):

az storage account update \
  --name abcd1234abcd1234abcd1234 \
  --https-only true

02 Repeat step no. 1 for each storage account created within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.
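The Audit and Remediation CLI procedures above are the same three commands repeated per account and per subscription. The script below is an added example, not Conformity's own tooling or part of the original page: it walks every subscription the signed-in identity can see, lists each storage account together with its enableHttpsTrafficOnly value, reports the accounts where secure transfer is disabled, and prints (or, with APPLY=1, runs) the corresponding az storage account update command. It assumes the Azure CLI is installed and az login has been run; the function names (insecure_accounts, remediate, audit_subscription) are this example's own. The parsing functions take their input on stdin, so they can be checked against constructed rows without contacting Azure.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): audit "Secure transfer required"
# across all subscriptions and storage accounts with the Azure CLI, and
# optionally remediate. Assumes `az` is installed and `az login` has been run.

TAB=$(printf '\t')

# Reads rows of "<account name><TAB><True|False>", the shape produced by
#   az storage account list --query '[].[name,enableHttpsTrafficOnly]' -o tsv
# and prints the names of accounts that still accept unencrypted traffic.
# Anything other than true/True is reported, so an empty or unexpected value
# is treated as non-compliant rather than silently skipped.
insecure_accounts() {
  while IFS="$TAB" read -r name https_only; do
    if [ -z "$name" ]; then
      continue
    fi
    case "$https_only" in
      true|True) ;;                       # compliant: HTTPS required
      *) printf '%s\n' "$name" ;;         # False or unexpected: report it
    esac
  done
}

# Reads non-compliant account names on stdin. Prints the remediation command
# from the page for each one; runs it as well only when APPLY=1 is set, so the
# default is a reviewable dry run.
remediate() {
  while read -r name; do
    printf 'az storage account update --name %s --https-only true\n' "$name"
    if [ "${APPLY:-0}" = 1 ]; then
      az storage account update --name "$name" --https-only true >/dev/null
    fi
  done
}

# Lists the non-compliant accounts in the subscription given as $1.
audit_subscription() {
  az account set --subscription "$1" >/dev/null
  az storage account list --query '[].[name,enableHttpsTrafficOnly]' -o tsv \
    | insecure_accounts
}

# Walks every subscription; pass --fix to emit (and with APPLY=1, run) the
# remediation commands instead of only listing account names.
main() {
  for sub in $(az account list --query '[].id' -o tsv); do
    echo "== subscription $sub"
    if [ "${1:-}" = "--fix" ]; then
      audit_subscription "$sub" | remediate
    else
      audit_subscription "$sub"
    fi
  done
}

# Usage:  sh secure_transfer_audit.sh --audit
#         sh secure_transfer_audit.sh --fix            (dry run, prints commands)
#         APPLY=1 sh secure_transfer_audit.sh --fix    (applies the change)
case "${1:-}" in
  --audit) main ;;
  --fix)   main --fix ;;
esac
```

Before applying the change, review the list produced by the dry run: as the Security section notes, once secure transfer is required, any client still using plain HTTP or unencrypted SMB will have its requests rejected, so those clients need to be updated first.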


Publication date May 31, 2019