Enforce encrypted Storage connections
March 21, 2025 ยท View on GitHub
SYNOPSIS
Storage accounts should only accept encrypted connections.
DESCRIPTION
Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an un-trusted party. Storage Accounts can be configured to require encrypted connections.
To do this set the Secure transfer required option. When secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.
Storage Accounts that are deployed with a newer API version will have this option enabled by default. However, this does not prevent the option from being disabled.
RECOMMENDATION
Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.
EXAMPLES
Configure with Azure template
To deploy Storage Accounts that pass this rule:
- For API versions older then 2019-04-01, set the
properties.supportsHttpsTrafficOnlyproperty totrue. - For API versions 2019-04-01 and newer:
- Omit the
properties.supportsHttpsTrafficOnlyproperty OR - Explicitly set the
properties.supportsHttpsTrafficOnlyproperty totrue.
- Omit the
For example:
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"properties": {
"allowBlobPublicAccess": false,
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "TLS1_2",
"accessTier": "Hot",
"allowSharedKeyAccess": false,
"networkAcls": {
"defaultAction": "Deny"
}
}
}
Configure with Bicep
To deploy Storage Accounts that pass this rule:
- For API versions older then 2019-04-01, set the
properties.supportsHttpsTrafficOnlyproperty totrue. - For API versions 2019-04-01 and newer:
- Omit the
properties.supportsHttpsTrafficOnlyproperty OR - Explicitly set the
properties.supportsHttpsTrafficOnlyproperty totrue.
- Omit the
For example:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: name
location: location
sku: {
name: 'Standard_GRS'
}
kind: 'StorageV2'
properties: {
allowBlobPublicAccess: false
supportsHttpsTrafficOnly: true
minimumTlsVersion: 'TLS1_2'
accessTier: 'Hot'
allowSharedKeyAccess: false
networkAcls: {
defaultAction: 'Deny'
}
}
}
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Secure transfer to storage accounts should be enabled
/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9 - Configure secure transfer of data on a storage account
/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb