Ensure Storage Accounts use HTTPS-only transport
Description
All storage account traffic must use HTTPS encryption.
⚠️ Risk Impact
HTTP traffic can be intercepted and data can be read or modified in transit.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Enable HTTPS-only: az storage account update --name ACCOUNT --https-only true
💀 Real-World Attack Scenario
An application was configured to access Azure Blob Storage over HTTP within a shared VNet. An attacker who compromised another VM in the VNet used ARP spoofing to intercept the unencrypted storage traffic, capturing customer PII including names, addresses, and payment information.
💰 Cost of Non-Compliance
PCI DSS Requirement 4.1: Strong cryptography for cardholder data in transit. Non-compliance: $5K-$100K/month. HIPAA §164.312(e)(1) requires transmission security for ePHI.
📋 Audit Questions
1. Which storage accounts allow HTTP access?
2. Is the minimum TLS version set to 1.2?
3. Are shared access signatures (SAS) configured to require HTTPS?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Setting HTTPS-only but not enforcing minimum TLS 1.2
- ⛔ SAS tokens generated without HTTPS-only constraint
- ⛔ Legacy applications that don't support HTTPS for storage connections
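The audit questions and pitfalls above can be checked with a small script. The following is an added example, not EchelonGraph's scanner code: it assumes the JSON shape produced by `az storage account list -o json` (fields `enableHttpsTrafficOnly` and `minimumTlsVersion`), emits the `az storage account update` command that fixes each failing account, and inspects a SAS URL's `spr` (signed protocol) parameter to tell whether the token is restricted to HTTPS. The account list embedded in the script is constructed sample data.

```python
"""Audit Azure storage accounts for HTTPS-only transport, minimum TLS 1.2,
and SAS tokens that permit plaintext HTTP.

Input shape follows `az storage account list -o json`; the sample below is
constructed for the example and is not real subscription output.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample mimicking a subset of `az storage account list -o json`.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stlegacyapp", "resourceGroup": "rg-app",
     "enableHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"},
    {"name": "sthttpsonly", "resourceGroup": "rg-app",
     "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_0"},
    {"name": "sthardened", "resourceGroup": "rg-data",
     "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"},
])

REQUIRED_MIN_TLS = "TLS1_2"
# Ordering used to compare the minimumTlsVersion values Azure accepts.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def audit_accounts(accounts_json: str) -> list[dict]:
    """Return one finding per non-compliant account.

    Each finding lists the problems found and the az CLI command that
    remediates both HTTPS-only and minimum TLS in one update.
    """
    findings = []
    for acct in json.loads(accounts_json):
        problems = []
        # Audit question 1: does the account still accept HTTP?
        if not acct.get("enableHttpsTrafficOnly", False):
            problems.append("allows HTTP")
        # Audit question 2 / pitfall: HTTPS-only set but old TLS still allowed.
        min_tls = acct.get("minimumTlsVersion", "TLS1_0")
        if TLS_ORDER.get(min_tls, 0) < TLS_ORDER[REQUIRED_MIN_TLS]:
            problems.append(f"minimum TLS is {min_tls}")
        if problems:
            fix = (f"az storage account update --name {acct['name']} "
                   f"--resource-group {acct['resourceGroup']} "
                   f"--https-only true --min-tls-version {REQUIRED_MIN_TLS}")
            findings.append({"account": acct["name"],
                             "problems": problems,
                             "remediation": fix})
    return findings


def sas_requires_https(sas_url: str) -> bool:
    """Audit question 3: a SAS is restricted to HTTPS only when its 'spr'
    (signed protocol) parameter is exactly 'https'. A value of 'https,http'
    or a missing 'spr' lets the token be used over plaintext HTTP."""
    params = parse_qs(urlsplit(sas_url).query)
    return params.get("spr") == ["https"]


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS_JSON):
        print(finding["account"], "->", ", ".join(finding["problems"]))
        print("   fix:", finding["remediation"])
    # Constructed SAS URLs; the signature values are placeholders.
    print(sas_requires_https(
        "https://stlegacyapp.blob.core.windows.net/c?sv=2022-11-02&spr=https&sig=PLACEHOLDER"))
```

Run it against live data by replacing `SAMPLE_ACCOUNTS_JSON` with the output of `az storage account list -o json`; the generated remediation command sets both `--https-only` and `--min-tls-version` so the first pitfall in the list is closed in the same step.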
📈 Business Value
HTTPS-only enforcement prevents data interception even within compromised networks. It's a zero-cost security control required by every compliance framework.
⏱️ Effort Estimate
30 minutes to update all storage accounts
EchelonGraph monitors HTTPS enforcement across all storage accounts
🔗 Cross-Framework References
Automate CIS Azure 3.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.