Azure Storage Account without Secure transfer enabled
Description
Azure Storage Accounts provide the capability to store a variety of data types, including blobs, files, queues, tables, and disks. Ensuring the secure transport of this data is crucial to prevent potential eavesdropping and man-in-the-middle attacks.
This policy ensures that the 'supportsHttpsTrafficOnly' property for Azure Storage Accounts is set to 'true'. By setting this property to 'true', only HTTPS traffic is allowed to the storage service. Notably, since the API version 2019-04-01, the default value for 'supportsHttpsTrafficOnly' has been set to 'true'. However, it's important to verify this for Storage Accounts, especially those created before this API version.
HTTPS ensures that the data between the client and server is encrypted, adding a layer of security for data in transit.
Code Example
resource "azurerm_storage_account" "example" {
name = "examplestoracc"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
+ enable_https_traffic_only = true # Ensure only HTTPS traffic is allowed.
}Remediation
Terraform
Resources:
- azurerm_storage_account
Arguments:
- enable_https_traffic_only
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0514 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, |
| Checkov ID | CKV_AZURE_3 |