enforce-https
Default Severity: high
Explanation
You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account.
When you require secure transfer, any requests originating from an insecure connection are rejected.
Microsoft recommends that you always require secure transfer for all of your storage accounts.
Possible Impact
Insecure transfer of data into secure accounts could be read if intercepted
Suggested Resolution
Only allow secure connection for transferring data into storage accounts
Insecure Example
The following example will fail the azure-storage-enforce-https check.
resource "azurerm_storage_account" "bad_example" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
enable_https_traffic_only = false
}
Secure Example
The following example will pass the azure-storage-enforce-https check.
resource "azurerm_storage_account" "good_example" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
enable_https_traffic_only = true
}