AZU014 - Storage accounts should be configured to only accept transfers that are over secure connections

Written by tfsec

Explanation

You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account.

When you require secure transfer, any requests originating from an insecure connection are rejected.

Microsoft recommends that you always require secure transfer for all of your storage accounts.

Insecure Example

The following example will fail the AZU014 check.

resource "azurerm_storage_account" "bad_example" {
  name                      = "storageaccountname"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = false
}

Secure Example

The following example will pass the AZU014 check.

resource "azurerm_storage_account" "good_example" {
  name                      = "storageaccountname"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = true
}

Related Links

• https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only

• https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer

---