Forget sophisticated attacks for a moment. How many times have we seen sensitive data exposed because someone forgot the absolute basics? Unencrypted data in transit is a gift to any attacker sniffing traffic.
Your Azure storage accounts are no exception. If you’re allowing HTTP access, you’re broadcasting your data to anyone who cares to listen. This isn’t theoretical; I’ve personally seen organizations burned by this oversight, especially with data being accessed from less secure endpoints.
The fix is simple, mandatory, and frankly, non-negotiable. Enforce HTTPS for all traffic. It encrypts data in transit, protecting against eavesdropping and man-in-the-middle attacks. If you’re not doing this, you’re leaving a gaping hole for your data to walk right out the door.
Here’s how you check and fix it:
Check: az storage account list --query "[].{Name:name, HTTPS:enableHttpsTrafficOnly}" --output table
Fix: az storage account update --name
This is a critical control. Implement it. Now.
The fix
# Check all storage accounts
az storage account list --query "[].{Name:name, HTTPS:enableHttpsTrafficOnly}" --output table
# Enable HTTPS-only on a specific account (replace <account> and <rg> with your values)
az storage account update --name <account> --resource-group <rg> --https-only true
Reference: CIS Azure Foundations Benchmark 3.1
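For more than a handful of accounts you want the check and the fix wired together, so that a compliance job fails on any account that still accepts HTTP and prints the exact remediation. The script below is an added example, not code from the original post; it parses the JSON that `az storage account list --output json` returns (the `name`, `resourceGroup` and `enableHttpsTrafficOnly` fields are the Azure CLI's own), and the sample data embedded in it is constructed. An account whose flag is missing is reported as non-compliant rather than assumed safe.

```python
#!/usr/bin/env python3
"""Audit Azure storage accounts for HTTPS-only enforcement and emit fixes.

Added example (not from the original post). It parses the JSON produced by
`az storage account list --output json` and reports accounts that still
accept HTTP. Field names `name`, `resourceGroup` and `enableHttpsTrafficOnly`
are those used by the Azure CLI; the sample data below is constructed.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample output: two compliant accounts, one that still allows
# HTTP, and one whose flag is absent (treated as non-compliant: fail closed).
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stlogsprod01", "resourceGroup": "rg-prod", "enableHttpsTrafficOnly": True},
    {"name": "stbackupsdev", "resourceGroup": "rg-dev", "enableHttpsTrafficOnly": False},
    {"name": "stlegacy", "resourceGroup": "rg-legacy"},
    {"name": "stmediaprod", "resourceGroup": "rg-prod", "enableHttpsTrafficOnly": True},
])


def find_http_allowed(accounts_json: str) -> List[Dict[str, str]]:
    """Return accounts whose enableHttpsTrafficOnly is not exactly True.

    A missing or null flag is reported too: an auditor should fail closed
    rather than assume an unknown setting is safe.
    """
    accounts = json.loads(accounts_json)
    offenders = []
    for acct in accounts:
        if acct.get("enableHttpsTrafficOnly") is not True:
            offenders.append({"name": acct["name"], "resourceGroup": acct["resourceGroup"]})
    return offenders


def remediation_commands(offenders: List[Dict[str, str]]) -> List[str]:
    """Build one `az storage account update ... --https-only true` command per offender."""
    return [
        f"az storage account update --name {o['name']} "
        f"--resource-group {o['resourceGroup']} --https-only true"
        for o in offenders
    ]


def live_accounts_json() -> str:
    """Fetch real data from the Azure CLI (needs `az login`); only used with --live."""
    return subprocess.run(
        ["az", "storage", "account", "list", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


def main(argv: List[str]) -> int:
    data = live_accounts_json() if "--live" in argv else SAMPLE_ACCOUNTS_JSON
    offenders = find_http_allowed(data)
    if not offenders:
        print("All storage accounts enforce HTTPS-only.")
        return 0
    print(f"{len(offenders)} account(s) still accept HTTP:")
    for cmd in remediation_commands(offenders):
        print("  " + cmd)
    return 1  # non-zero exit so a CI/compliance job fails on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the audit against the constructed sample; run it with `--live` on a machine that is logged in to the Azure CLI to audit a real subscription. The script only prints the `update` commands rather than executing them, so the remediation stays a reviewed step.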