terraform.azure.security.storage.storage-enforce-https.storage-enforce-https

Author: unknown (published under the semgrep registry profile)
Detected an Azure Storage Account that does not require secure transfer, so clients can read and write blobs, queues, tables and files over cleartext HTTP. Add enable_https_traffic_only = true in your resource block.

Definition

rules:
  - id: storage-enforce-https
    message: Detected an Azure Storage Account that does not require secure transfer,
      so clients can reach it over cleartext HTTP.
      Add `enable_https_traffic_only = true` in your resource block.
    patterns:
      - pattern-not-inside: |
          resource "azurerm_storage_account" "..." {
          ...
            enable_https_traffic_only = true
          ...
          }
      - pattern-inside: |
          resource "azurerm_storage_account" "..." {
          ...
            enable_https_traffic_only = false
          ...
          }
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only
        - https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - hcl
    severity: WARNING
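The two patterns above only fire on a block that literally sets `enable_https_traffic_only = false`; a block that omits the attribute, or sets it from a variable, is not flagged. The following added example (not Semgrep's code and not part of this rule) re-implements the check over constructed Terraform text so the gap is visible: it classifies each `azurerm_storage_account` block as `true`, `false`, `missing`, or the raw expression it was set from, and `findings()` reproduces what the rule reports, with an opt-in to also flag blocks that leave the attribute unset. The sample input, resource names and helper names are all assumptions made for the example.

```python
"""Added example: a minimal stand-in for storage-enforce-https.

Not Semgrep's code. It scans Terraform HCL text for azurerm_storage_account
resources and classifies how enable_https_traffic_only is set, so the case
the Semgrep rule misses (attribute omitted or set from an expression) shows up.
"""
import re

# Opening line of a storage-account resource; the trailing "{" is captured
# by position so the matching "}" can be found below.
RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_storage_account"\s+"(?P<name>[^"]+)"\s*\{',
    re.MULTILINE,
)
# The attribute as a whole line; the value may be a literal or an expression.
ATTR_RE = re.compile(
    r'^\s*enable_https_traffic_only\s*=\s*(?P<val>[^\s#]+)',
    re.MULTILINE,
)

# Constructed sample input for this example (hypothetical resource names).
SAMPLE_TF = '''\
resource "azurerm_storage_account" "good" {
  name                      = "goodacct"
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = true
}

resource "azurerm_storage_account" "bad" {
  name                      = "badacct"
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = false
}

resource "azurerm_storage_account" "unset" {
  name                     = "unsetacct"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_account" "dynamic" {
  name                      = "dynacct"
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = var.https_only
}
'''


def _block_body(text, start):
    """Return the text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in resource block")


def scan(hcl):
    """Map each azurerm_storage_account name to 'true', 'false', 'missing',
    or the raw expression the attribute was assigned from."""
    results = {}
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)
        attr = ATTR_RE.search(body)
        results[m.group("name")] = "missing" if attr is None else attr.group("val")
    return results


def findings(hcl, flag_missing=False):
    """Names the Semgrep rule would report (attribute explicitly false).

    With flag_missing=True, blocks that omit the attribute are reported too;
    the Semgrep rule above does not do this.
    """
    results = scan(hcl)
    flagged = [n for n, v in results.items() if v == "false"]
    if flag_missing:
        flagged += [n for n, v in results.items() if v == "missing"]
    return sorted(flagged)


if __name__ == "__main__":
    for name, value in scan(SAMPLE_TF).items():
        print(f"{name}: enable_https_traffic_only = {value}")
    print("rule would flag:", findings(SAMPLE_TF))
    print("with missing too:", findings(SAMPLE_TF, flag_missing=True))
```

Run against the sample, only `bad` matches the rule's own logic, while `unset` and `dynamic` pass silently. Whether a silent pass is acceptable depends on the provider: recent azurerm releases default `enable_https_traffic_only` to `true`, but a pinned older provider, or a value driven from a variable, needs a plan-time or post-deploy check rather than this static pattern. Note also that azurerm provider 4.x renamed the argument to `https_traffic_only_enabled`; the rule as written does not match that name.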

Examples

storage-enforce-https.tf

# pass
resource "azurerm_storage_account" "good_example" {
  name                      = "storageaccountname"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = true
}

# fail
# ruleid: storage-enforce-https
resource "azurerm_storage_account" "bad_example" {
  name                      = "storageaccountname"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = false
}