Description:
The 'Secure Transfer Required' setting in Azure Storage Accounts ensures that all connections to the storage account use secure protocols, specifically HTTPS, rather than HTTP. When enabled, this setting enforces that all data transfers (both for reading and writing data) to the storage account are secured using Transport Layer Security (TLS), preventing potential eavesdropping and tampering with the data during transfer.
Rationale:
Enabling 'Secure Transfer Required' is a critical security measure for ensuring that data in transit is protected. Unsecured connections over HTTP can expose sensitive data to risks such as man-in-the-middle attacks or data leaks. By enforcing HTTPS, the storage account ensures compliance with security standards such as SOC 2, HIPAA, and GDPR, which require encrypted communications for data protection.
Impact:
Enabling this setting ensures that all data exchanges with the storage account are encrypted, protecting the confidentiality and integrity of the data. However, this may prevent legacy systems or non-compliant clients that do not support HTTPS from accessing the storage account. Ensure that all clients interacting with the storage account can support HTTPS.
Default Value:
By default, Azure Storage Accounts have the 'Secure transfer required' setting disabled, meaning that HTTP access is allowed. This setting must be explicitly enabled to enforce secure transfer.
Pre-requisites:
Azure account: Ensure you have sufficient permissions to configure Azure Storage Account settings.
Azure Storage Account: Ensure the storage account exists.
Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.
Remediation:
Audit:
To check if 'Secure Transfer Required' is enabled for your Azure Storage Accounts:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the Azure Storage Account.
Check 'Secure transfer required' setting:
In the left-hand menu, under Settings, click on Configuration.
Verify that the 'Secure transfer required' setting is Enabled.
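The portal check above covers one account at a time. As an added example (not part of the original page), the following Python helper wraps the Azure CLI to audit every storage account in the signed-in subscription: it reads the JSON that `az storage account list -o json` prints (the `name`, `resourceGroup` and `enableHttpsTrafficOnly` fields), lists the accounts that still accept HTTP, and builds the `az storage account update ... --https-only true` command for each so the Remediation step can be applied after review. When `az` is not installed or not signed in, it falls back to a constructed sample list whose account names and resource groups are placeholders.

```python
"""Audit helper for the 'Secure transfer required' setting on Azure Storage.

Added example, not the page's or Microsoft's own code. It consumes the output
shape of `az storage account list -o json`; the sample below is constructed.
"""
import json
import shutil
import subprocess
from typing import Dict, List

# Constructed sample: a trimmed `az storage account list -o json` result.
# Account names and resource groups are placeholders, not real resources.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stlogsprod01", "resourceGroup": "rg-logging",
   "enableHttpsTrafficOnly": true,  "minimumTlsVersion": "TLS1_2"},
  {"name": "stlegacyapp",  "resourceGroup": "rg-legacy",
   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"},
  {"name": "stbackups",    "resourceGroup": "rg-backup",
   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_2"}
]
"""


def load_sample_accounts() -> List[Dict]:
    """Parse the constructed sample into the same list shape the CLI returns."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


def find_noncompliant(accounts: List[Dict]) -> List[Dict]:
    """Return accounts whose 'Secure transfer required' setting is not enabled.

    A missing or non-boolean field is treated as non-compliant so that an
    unexpected output shape surfaces as a finding instead of being skipped.
    """
    return [a for a in accounts if a.get("enableHttpsTrafficOnly") is not True]


def remediation_commands(accounts: List[Dict]) -> List[str]:
    """Build one `az storage account update --https-only true` command per
    non-compliant account. Commands are returned, not executed, so the
    operator can review them (and the backout plan) before applying."""
    return [
        "az storage account update --name {name} --resource-group {rg} "
        "--https-only true".format(name=a["name"], rg=a["resourceGroup"])
        for a in find_noncompliant(accounts)
    ]


def load_accounts_from_cli() -> List[Dict]:
    """Fetch the live account list with the Azure CLI when it is installed
    and signed in; otherwise fall back to the constructed sample."""
    if shutil.which("az") is None:
        return load_sample_accounts()
    result = subprocess.run(
        ["az", "storage", "account", "list", "-o", "json"],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        return load_sample_accounts()
    return json.loads(result.stdout)


if __name__ == "__main__":
    accounts = load_accounts_from_cli()
    findings = find_noncompliant(accounts)
    print(f"{len(findings)} of {len(accounts)} storage accounts still allow HTTP")
    for cmd in remediation_commands(accounts):
        print(cmd)
```

Run it from a shell where `az login` has already been completed; against the sample it reports two of three accounts as non-compliant. The `minimumTlsVersion` field is carried along because the same review usually checks it next, but this helper only evaluates the secure-transfer setting.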
Implementation:
To enforce 'Secure Transfer Required' automatically across all Azure Storage Accounts, you can use Azure Policy.
Create a custom Azure Policy to ensure the setting is enabled:
Go to the Azure portal.
Navigate to Policy and click on Definitions.
Create a new Custom Policy with the following content. The rule evaluates the supportsHttpsTrafficOnly property, which is the ARM property behind the 'Secure transfer required' setting, and denies the creation or update of any storage account that has it set to false; the type condition limits evaluation to storage accounts so that other resource types are not affected:
{
  "properties": {
    "displayName": "Ensure Secure Transfer is Required for Azure Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that 'Secure transfer required' is enabled for all Azure storage accounts to enforce encrypted communications.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Assign the policy:
After creating the policy, assign it to the relevant subscriptions or resource groups to ensure that the 'Secure Transfer Required' setting is enforced across all storage accounts.
Backout Plan:
If you need to disable 'Secure Transfer Required':
Sign in to the Azure portal with appropriate permissions.
Navigate to the Azure Storage Account.
Go to Configuration settings:
In the left-hand menu, under Settings, click on Configuration.
Disable the 'Secure transfer required' setting:
Change 'Secure transfer required' to Disabled and save the changes.
If the setting was automated through Azure Policy, modify or remove the policy to allow non-secure connections.