Ensure that your Microsoft Azure Storage SAS tokens are configured to allow access requests over the HTTPS protocol only. A Shared Access Signature (SAS) is a URI that grants restricted access rights to your Azure Storage resources. A SAS token is the query string that includes all of the information required to authenticate the Shared Access Signature, as well as to specify the Azure Storage service and resource, the permissions required for access, and the time-frame for which the signature is valid.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
To adhere to cloud security best practices, always use the HTTPS protocol when creating or providing a Shared Access Signature (SAS) to your clients. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack would be able to read the SAS token and use it to compromise sensitive data or to corrupt data.
To determine if your storage account SAS tokens are allowed over the HTTPS protocol only, perform the following actions:

Note: Currently, the SAS token configuration cannot be audited using the Azure Management Console and/or the Azure CLI. Until Microsoft Azure makes the SAS transfer protocol a setting rather than a parameter provided at token creation, the audit process requires manual verification.
Remediation / Resolution
To re-create your Shared Access Signature (SAS) tokens for compliance, use the SignedProtocol (spr) parameter to configure the tokens to allow access requests over HTTPS only. To create and configure compliant SAS tokens, perform the following actions:
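As an added illustration (not part of this rule page and not Cloud Conformity's own tooling), the stdlib Python below performs the manual check described in the audit section: it parses the query string of a SAS token or SAS URL, reads the SignedProtocol (spr) field the remediation refers to, and reports which tokens still permit HTTP. The sample tokens, account name and signatures are constructed placeholders.

```python
"""Audit Azure Storage SAS tokens for the SignedProtocol (spr) field; stdlib only."""
from urllib.parse import parse_qs, urlsplit

def _sas_fields(sas: str) -> dict:
    """Split a SAS token (bare query string or full SAS URL) into its fields."""
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    # keep_blank_values so a bare 'spr=' is distinguishable from an absent field
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def allowed_protocols(sas: str) -> set:
    """Protocols the SAS accepts: spr=https limits access to HTTPS; spr=https,http
    allows both; an absent or blank spr also allows both."""
    spr = _sas_fields(sas).get("spr")
    if not spr:
        return {"https", "http"}
    return {p.strip().lower() for p in spr.split(",")}

def is_https_only(sas: str) -> bool:
    return allowed_protocols(sas) == {"https"}

def audit(tokens: dict) -> dict:
    """Map each label to 'COMPLIANT' or a finding string; also flag SAS URLs
    that are themselves handed out over plain http://."""
    results = {}
    for label, sas in tokens.items():
        findings = []
        if not is_https_only(sas):
            findings.append("spr missing or permits http; regenerate with spr=https")
        if sas.lower().startswith("http://"):
            findings.append("SAS URL itself uses http://")
        results[label] = "COMPLIANT" if not findings else "; ".join(findings)
    return results

# Constructed sample tokens: account name and signatures are placeholders, not real credentials.
SAMPLE_TOKENS = {
    "account-sas-ok": "sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER",
    "container-sas-both": "https://contoso.blob.core.windows.net/logs?sv=2022-11-02&sr=c&sp=r"
                          "&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER",
    "blob-sas-no-spr": "sv=2022-11-02&sr=b&sp=r&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER",
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_TOKENS).items():
        print(f"{label}: {verdict}")
```

Run it over SAS tokens collected from application configuration or secret stores; any token reported without `spr=https` should be regenerated. When issuing new tokens, `az storage account generate-sas --https-only` (or `protocol="https"` in the Python SDK's `generate_account_sas`) emits `spr=https`.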
Rule: Allow Shared Access Signature Tokens Over HTTPS Only
Risk level: Medium