Profile Applicability:

  • Level 1

Description:
 The 'Secure transfer required' setting enforces that all requests to an Azure Storage Account use secure protocols such as HTTPS or SMB over TLS. Enabling this setting ensures data is transmitted securely, protecting it from interception or tampering in transit.

Rationale:
 Enforcing secure transfer mitigates risks related to data exposure and man-in-the-middle attacks by requiring encrypted communication channels. This aligns with best practices for protecting sensitive data and helps meet compliance requirements.

Impact:

Pros:

  • Ensures data confidentiality and integrity during transfer.

  • Enhances security posture and compliance adherence.

Cons:

  • May require updates to legacy applications that do not support secure protocols.

  • Could cause temporary service disruptions if clients attempt insecure connections.

Default Value:
 Secure transfer is enabled by default on most Azure Storage Accounts but should be verified.

Pre-requisites:

  • Permissions to modify storage account settings.

  • Awareness of application compatibility with HTTPS/SMB over TLS.

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to https://portal.azure.com.

  2. Navigate to Storage Accounts and select the target account.

  3. Under Configuration, check that Secure transfer required is enabled.

Using Azure CLI:

  1. Check secure transfer status:
    az storage account show --name <storage-account-name> --resource-group <resource-group> --query enableHttpsTrafficOnly

  2. Confirm the value is true.

Implementation Plan:

Using Azure Portal:

  1. In the storage account Configuration settings, enable Secure transfer required.

  2. Save the changes.

  3. Verify client applications use secure protocols.

Using Azure CLI:

  1. Enable secure transfer:

    az storage account update --name <storage-account-name> --resource-group <resource-group> --https-only true

  2. Confirm the update.
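The Test Plan and Implementation Plan above check and fix one account at a time. The following script is an added example, not part of this benchmark, that applies the same check across every account returned by `az storage account list`: it reads the enableHttpsTrafficOnly property the Test Plan queries and, for each account where it is not explicitly true, prints the `az storage account update --https-only true` command from the Implementation Plan. By default it runs against a constructed sample of az output embedded in the file; the `--live` flag and the `list_accounts_live` helper (which shells out to az and assumes an existing `az login` session) are the only parts that touch a real subscription.

```python
"""Audit Azure Storage Accounts for the 'Secure transfer required' setting.

Hypothetical helper, not part of the benchmark. It evaluates the JSON that
`az storage account list` returns (the enableHttpsTrafficOnly property the
Test Plan queries) and emits the `az storage account update --https-only true`
command from the Implementation Plan for each non-compliant account.
"""
import json
import shlex
import subprocess
import sys
from typing import Any

# Constructed sample of `az storage account list` output, trimmed to the
# fields this check needs. These are not real account names.
SAMPLE_AZ_OUTPUT = """
[
  {"name": "stlogsprod01", "resourceGroup": "rg-prod", "enableHttpsTrafficOnly": true},
  {"name": "stlegacyapp", "resourceGroup": "rg-legacy", "enableHttpsTrafficOnly": false},
  {"name": "stunknown", "resourceGroup": "rg-test"}
]
"""


def is_secure_transfer_enforced(account: dict[str, Any]) -> bool:
    """True only when enableHttpsTrafficOnly is explicitly the boolean true.

    A missing or non-boolean value is treated as non-compliant: the benchmark
    says the default 'should be verified', so an absent value is not assumed safe.
    """
    return account.get("enableHttpsTrafficOnly") is True


def find_noncompliant(accounts: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the accounts that do not enforce secure transfer."""
    return [a for a in accounts if not is_secure_transfer_enforced(a)]


def remediation_command(account: dict[str, Any]) -> str:
    """Build the Implementation Plan's az command for one account.

    shlex.quote protects against names that would need shell quoting.
    """
    return (
        "az storage account update "
        f"--name {shlex.quote(account['name'])} "
        f"--resource-group {shlex.quote(account['resourceGroup'])} "
        "--https-only true"
    )


def audit(az_json: str) -> list[str]:
    """Parse az output and return one remediation command per finding."""
    accounts = json.loads(az_json)
    return [remediation_command(a) for a in find_noncompliant(accounts)]


def list_accounts_live() -> str:
    """Query the real subscription (assumes `az login` was done). Off by default."""
    query = ("[].{name:name,resourceGroup:resourceGroup,"
             "enableHttpsTrafficOnly:enableHttpsTrafficOnly}")
    cmd = ["az", "storage", "account", "list", "--query", query, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    source = list_accounts_live() if "--live" in sys.argv else SAMPLE_AZ_OUTPUT
    findings = audit(source)
    if not findings:
        print("All storage accounts enforce secure transfer.")
    for cmd in findings:
        print(cmd)
```

Run it without arguments to see the two findings from the sample (the account with the setting explicitly false and the one where the property is absent). Printing the commands rather than executing them keeps the audit read-only; the Cons section above is the reason to review each finding against legacy clients before applying the update.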

Backout Plan:

Using Azure Portal:

  1. Disable Secure transfer required if necessary.

  2. Inform affected users and monitor.

Using Azure CLI:

  1. Disable secure transfer:

    az storage account update --name <storage-account-name> --resource-group <resource-group> --https-only false

References: