Enable Secure Transfer for Azure Storage Accounts

Exported on 07-Oct-2021 22:09:51

Using Attune to enable HTTPS traffic on all Azure Storage Accounts

This Blueprint is used to enable only HTTPS traffic on all Azure Storage Accounts.

An Azure storage account is a container that holds a set of Azure storage services together.

It holds Storage data objects like blobs, file shares, queues, tables, and disks.

The data is accessible from anywhere in the world over HTTP or HTTPS.

Information security audits require storage accounts to accept requests only over secure connections (HTTPS).

The use of HTTPS protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.

Pre-Blueprint Attune setup
  1. On the Inputs tab, create a Windows Node for the host on which you wish to run this Blueprint.
  2. On the Inputs tab, create Windows Credentials to connect to the host on which you wish to run this Blueprint.
  3. On the Inputs tab, create Text values to store the values below:
    • AzureUserName: This is the Username of the Azure Administrator (DataType: String).
    • AzurePassword: This is the Password of the Azure Administrator (DataType: String).

Blueprint Steps
  1. Check and Install the Azure AzPowerShell Module
  2. Enable HTTPS traffic on all Azure Storage Accounts

Parameters

  • Attune Node (Type: Windows Server; Script Reference: attuneNode): This is an Attune Node.
  • Attune Node Credential (Type: Windows OS Credential; Script Reference: attuneNodeCredential): This is an Attune Node Credential.
  • AzurePassword (Type: Text; Script Reference: azurepassword; Default Value: PassW0rd@101): This is the Azure Administrator's Password.
  • AzureUserName (Type: Text; Script Reference: azureusername; Default Value: admin@contoso.com): This is the Azure Administrator's Username.

1 - Install Azure Az PowerShell Module

This step installs the Azure Az PowerShell Module.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks whether the Execution Policy is set to Unrestricted.

If it's not, it sets the Execution Policy to Unrestricted for the current session.

Next, it checks whether the Az PowerShell module is installed.

If it's not installed, it installs the module.

The connection details have changed from the last step.

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.

#Region for ExecutionPolicy
# Get the Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

# Get the numeric value of the Execution Policy (Unrestricted = 0) and save it in a variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is already set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"

} else {

    # Set the Execution Policy of the process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Check that the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy


#Region Check if Az Module is installed
#Region If the module is installed, update it if the version is below 6.3.0
if ($null -ne (Get-InstalledModule -Name Az -ErrorVariable +ErrorAzV -ErrorAction SilentlyContinue)) {

    # Get the installed Az module and save it in a variable
    $Script:GetAzModule = Get-InstalledModule -Name Az -ErrorVariable +ErrorAzV -ErrorAction SilentlyContinue

    # Write a message to the screen
    Write-Output "Az PowerShell Module exists ... checking ..."

    # Get the version of the installed Az module as a [version] so it compares numerically
    $Script:AzModuleBuild = [version]($Script:GetAzModule).Version

    # Check that the installed version meets the minimum requirement
    if ($Script:AzModuleBuild -ge [version]"6.3.0") {

        # Convert the module version to a string for the message
        $Script:OutVersion = $Script:AzModuleBuild.ToString()

        # Write a message to the screen
        Write-Output "Az Module Version $Script:OutVersion meets the minimum requirement."

    } else {

        # Write a message to the screen
        Write-Output "Updating the Az PowerShell Module..."

        # Update the Az PowerShell module to the latest version
        Update-Module -Name Az -Confirm:$false -Force

        # Write a message to the screen
        Write-Output "Az PowerShell Module is updated :)"
    }
#EndRegion If the module is installed, update it if the version is below 6.3.0
#Region If the module is not installed, install it
} else {

    # Write a message to the screen
    Write-Output "Az PowerShell Module is not installed"

    # Write a message to the screen
    Write-Output "Az PowerShell Module is installing..."

    # Install the Az PowerShell module for the current user
    Install-Module -Name Az -MaximumVersion "6.3.0" -Scope "CurrentUser" -AllowClobber:$true -Confirm:$false -Force

    # Write a message to the screen
    Write-Output "Az PowerShell Module is installed :)"
}
#EndRegion If the module is not installed, install it
#EndRegion Check if Az Module is installed

2 - Enable Secure Transfer

This step enables HTTPS-only traffic on Azure Storage Accounts.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks whether the Execution Policy is set to Unrestricted.

If it's not, it sets the Execution Policy to Unrestricted for the current session.

Next, the Az PowerShell module is imported into the current session.

Then the values below are set:

  1. UserName: This is the Username of the Azure Administrator, corresponding to the AzureUserName set in the Inputs tab.
  2. PasswordString: This is the Password of the Azure Administrator, corresponding to the AzurePassword set in the Inputs tab.

Next, a connection to Azure is made.

Then it loops through all resource groups and checks each one for storage accounts.

Next, it enables HTTPS-only traffic on those storage accounts.

Finally, the Azure PowerShell session is disconnected.

This step has the following parameters

  • AzureUserName (Script Reference: {azureusername.value}; Default Value: admin@contoso.com)
  • AzurePassword (Script Reference: {azurepassword.value}; Default Value: PassW0rd@101)

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.

#Region for ExecutionPolicy
# Get the Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

# Get the numeric value of the Execution Policy (Unrestricted = 0) and save it in a variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is already set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"

} else {

    # Set the Execution Policy of the process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Check that the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy


#Region Enable Https for StorageAccounts
# Import the Az PowerShell module
Import-Module -Name Az


#Region assign variables
# Save the Azure Administrator's username (the AzureUserName input) to this variable
$Script:UserName = "{azureusername.value}"

# Save the Azure Administrator's password (the AzurePassword input) to this variable
$Script:PasswordString = "{azurepassword.value}"
#EndRegion assign variables


#Region for Connection to Azure
# Convert the plain-text password to a SecureString
$Script:Password = ConvertTo-SecureString $Script:PasswordString -AsPlainText -Force

# Build the credential object from the username and SecureString password
$Script:UserCredential = New-Object System.Management.Automation.PSCredential ($Script:UserName, $Script:Password)

# Connect to Azure with the credential
Connect-AzAccount -Credential $Script:UserCredential
#EndRegion for Connection to Azure


# Get all resource groups and save them in the variable AllRGS
$Script:AllRGS = Get-AzResourceGroup

# Loop through all resource groups
foreach ($AllRG in $Script:AllRGS) {

    # Name of the resource group being checked
    $Script:RGNameNS = ($AllRG).ResourceGroupName

    # Write a message to the screen
    Write-Output "Checking if Resource Group $Script:RGNameNS has Storage Accounts...... `n"

    # Get all resources of type 'Microsoft.Storage/storageAccounts' in the resource group and save them in a variable
    $Script:StorageAccounts = Get-AzResource -ResourceGroupName $Script:RGNameNS | Where-Object { $_.ResourceType -like "Microsoft.Storage/storageAccounts" }

    # Check if the resource group has no storage accounts
    if (!($Script:StorageAccounts)) {

        # Write a message to the screen
        Write-Output "Resource Group $Script:RGNameNS has no Storage Account `n"

    } else {

        # Write a message to the screen
        Write-Output "Resource Group $Script:RGNameNS has Storage Account(s) `n"

        # Loop through all storage accounts in the resource group
        foreach ($StorageAccount in $Script:StorageAccounts) {

            # Storage account name
            $Script:StorageName = ($StorageAccount).Name

            # Resource group of the storage account
            $Script:RGNameSub = ($StorageAccount).ResourceGroupName

            # Write a message to the screen
            Write-Output "Setting EnableHttpsTrafficOnly property of Storage Account with Name '$Script:StorageName' - to True..... `n"

            # Pause the script for 1 millisecond in case Microsoft has any throttling policy on the cmdlet "Set-AzStorageAccount"
            Start-Sleep -Milliseconds 1

            # Set the storage account's EnableHttpsTrafficOnly property to $true
            Set-AzStorageAccount -ResourceGroupName $Script:RGNameSub -Name $Script:StorageName -EnableHttpsTrafficOnly $true -Force

            # Write a message to the screen
            Write-Output "`n Done `n"

        }
    }
}
#EndRegion Enable Https for StorageAccounts


#Region Disconnect the Azure session
Disconnect-AzAccount
#EndRegion Disconnect the Azure session
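The Blueprint above sets EnableHttpsTrafficOnly on every storage account it finds; the audit function below is an added example (not part of the Blueprint or of Attune) that reports which storage accounts in the subscriptions visible to the current session still accept HTTP, so the remediation can be verified after it runs or scheduled as a compliance check. It assumes an existing Connect-AzAccount session and the Az.Accounts and Az.Storage modules, and relies on Get-AzStorageAccount listing every account in a subscription when called without a resource group, so no per-resource-group loop is needed.

```powershell
# Added audit example, not part of the Attune Blueprint. Assumes Connect-AzAccount
# has already been run and the Az.Accounts / Az.Storage modules are available.
function Get-HttpOnlyStorageAccount {
    # Reports storage accounts whose EnableHttpsTrafficOnly property is still $false.
    [CmdletBinding()]
    param(
        # Optional subscription filter; when empty, every subscription in the context is audited.
        [string[]]$SubscriptionId
    )

    $subscriptions = Get-AzSubscription
    if ($SubscriptionId) {
        $subscriptions = $subscriptions | Where-Object { $_.Id -in $SubscriptionId }
    }

    foreach ($sub in $subscriptions) {
        # Switch the context; Out-Null keeps the context object out of the function's output
        Set-AzContext -Subscription $sub.Id | Out-Null

        # Get-AzStorageAccount with no parameters lists all accounts in the subscription
        Get-AzStorageAccount |
            Where-Object { -not $_.EnableHttpsTrafficOnly } |
            ForEach-Object {
                [pscustomobject]@{
                    Subscription   = $sub.Name
                    ResourceGroup  = $_.ResourceGroupName
                    StorageAccount = $_.StorageAccountName
                    HttpsOnly      = $_.EnableHttpsTrafficOnly
                }
            }
    }
}

# Run the audit and show the findings; an empty table means every account is HTTPS-only.
$findings = Get-HttpOnlyStorageAccount
$findings | Format-Table -AutoSize

# Exit non-zero when anything still accepts HTTP, so a scheduler or pipeline can alert on it
if ($findings) {
    Write-Warning ("{0} storage account(s) still accept HTTP" -f @($findings).Count)
    exit 1
}
```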