
Azure Policy Sample: Secure Transfer

This sample demonstrates how to create an Azure Policy definition that enforces secure transfer for Azure Storage accounts. This policy helps ensure that data stored in Azure Storage is protected by requiring that all communications with the storage account are performed over HTTPS.

Policy Definition

The following JSON defines the Azure Policy for secure transfer. This definition specifies that if a storage account is created or updated and its secure transfer setting is disabled or not set at all, the policy applies the configured effect (Deny by default).

policyDefinition.json

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                    "anyOf": [
                        {
                            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                            "exists": "false"
                        },
                        {
                            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                            "equals": false
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]"
        }
    },
    "parameters": {
        "effect": {
            "type": "String",
            "metadata": {
                "displayName": "Effect",
                "description": "The effect of the policy on the resource."
            },
            "allowedValues": [
                "Deny",
                "Audit",
                "Disabled"
            ],
            "defaultValue": "Deny"
        }
    }
}

Explanation

The "if" block matches a resource only when both conditions in allOf hold: the resource type is Microsoft.Storage/storageAccounts, and either the supportsHttpsTrafficOnly property is absent from the request (the "exists": "false" branch) or it is present and set to false. Checking for the absent case matters because a request that omits the property would otherwise slip past a rule that only tested for an explicit false. The "then" block takes its effect from the effect parameter rather than a hard-coded value, so the same definition can be assigned in Audit mode first and switched to Deny once non-compliant accounts have been remediated.

Important Considerations

When using the Deny effect, be aware that it will block the creation or modification of storage accounts that do not meet the secure transfer requirement. Ensure this aligns with your organizational security policies.
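To make the matching logic concrete, the following is an added example (not part of this sample or of Azure Policy itself) that evaluates the rule's "if" block above against a few constructed storage-account requests. It implements only the allOf/anyOf/not/equals/exists subset of the condition language and a simplified alias-to-property mapping, both assumptions made for this example.

```python
import json

# Constructed copy of the "if" block of the Secure Transfer policy rule above.
POLICY_IF = json.loads("""{
  "allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [
      {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
      {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": false}
    ]}
  ]
}""")


def field_value(resource, field):
    """Resolve a policy field against a resource dict (simplified alias handling,
    assumed for this example): 'type' is top-level; an alias of the form
    'Microsoft.Storage/storageAccounts/<prop>' maps to properties.<prop>.
    Returns (value, present) where present is False for a missing or null value."""
    if field == "type":
        return resource.get("type"), resource.get("type") is not None
    prop = field.rsplit("/", 1)[-1]
    props = resource.get("properties", {})
    return props.get(prop), props.get(prop) is not None


def evaluate(condition, resource):
    """Evaluate the subset of the Azure Policy condition language used by this
    sample: allOf, anyOf, not, field/equals and field/exists."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value, present = field_value(resource, condition["field"])
    if "exists" in condition:
        # Azure Policy writes the exists operand as the string "true"/"false".
        return present == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:
        # Azure Policy compares case-insensitively; normalise both sides to text.
        return str(value).lower() == str(condition["equals"]).lower()
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(resource, effect="Deny"):
    """Return the effect the request would receive (Deny by default, matching the
    parameter's defaultValue), or None when the rule does not match."""
    return effect if evaluate(POLICY_IF, resource) else None
```

A request that omits supportsHttpsTrafficOnly is denied just like one that sets it to false, which is the point of the anyOf branch; pass effect="Audit" to see what an Audit assignment would report instead.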

How to Deploy

You can deploy this policy using the Azure portal, Azure CLI, or Azure PowerShell.

Using Azure CLI

  1. Save the policy definition to a file named policyDefinition.json. Azure CLI takes the rule and the parameter declarations as separate inputs, so also save the contents of the policyRule block to policyRule.json and the contents of the parameters block to policyParameters.json.

    Run the following command to create the policy definition:

    Azure CLI command

    az policy definition create --name "SecureTransferForStorage" --display-name "Azure Storage Secure Transfer Required" --description "Enforces that all Azure Storage accounts require secure transfer enabled." --mode All --rules policyRule.json --params policyParameters.json
  2. Assign the policy definition to a scope (e.g., subscription or resource group):

    Azure CLI command

    az policy assignment create --name "SecureTransferAssignment" --display-name "Enforce Secure Transfer for Storage" --scope "/subscriptions/YOUR_SUBSCRIPTION_ID" --policy "SecureTransferForStorage" --params '{ "effect": { "value": "Deny" } }'

    Replace YOUR_SUBSCRIPTION_ID with your actual Azure subscription ID.

Using Azure Portal

  1. Navigate to the Azure Policy definitions page.
  2. Click + Add policy definition.
  3. For Definition location, select the desired subscription or management group.
  4. Enter a Name (e.g., Azure Storage Secure Transfer Required) and Description.
  5. In the Policy rule section, paste the JSON definition provided above.
  6. Configure any Parameters as needed (e.g., setting the default Effect to Deny).
  7. Click Save.
  8. Once the definition is created, navigate to Policy assignments.
  9. Click Assign policy.
  10. Select the Scope (subscription or resource group) where you want to apply the policy.
  11. Choose the policy definition you just created.
  12. Configure the Parameters (e.g., select Deny for the Effect).
  13. Review and click Create.
