Ensure HTTPS is allowed for Azure CDN Endpoint

MEDIUM

Description

Keeping HTTPS disabled on an endpoint (or leaving plain HTTP enabled alongside it) may leave the application vulnerable to man-in-the-middle (MiTM) and other on-path attacks, since traffic between clients and the CDN edge is then neither encrypted nor authenticated.

Remediation

Certain endpoint settings cannot be updated in the Azure Console, so to disable HTTP, a new endpoint will need to be created. Be sure to stop and/or delete the existing endpoint.

In Azure Console -

  1. Open the Azure Portal and go to Front Door and CDN profiles.
  2. Select the CDN you wish to edit.
  3. Under Overview, create a new Endpoint.
  4. Uncheck the box for HTTP Port and make sure the box for HTTPS Port is checked.
  5. Configure the rest as needed.

In Terraform -

  1. In the azurerm_cdn_endpoint resource, set is_http_allowed to false.
  2. Set is_https_allowed to true.
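
The following Terraform configuration is an added example, not part of the original policy text, showing a non-compliant azurerm_cdn_endpoint next to the corrected one. The resource names, profile name, resource group, location and origin host are assumed placeholder values; the attribute names (is_http_allowed, is_https_allowed, origin) are the real ones from the azurerm provider.

```hcl
# Example only (not from the policy page). Placeholder names and origin are assumed.

resource "azurerm_resource_group" "example" {
  name     = "rg-cdn-example"   # assumed name
  location = "West Europe"      # assumed location
}

resource "azurerm_cdn_profile" "example" {
  name                = "cdnprofile-example"  # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard_Microsoft"
}

# NON-COMPLIANT (fails AC_AZURE_0199): HTTPS is explicitly disabled and plain
# HTTP is the only transport, so client-to-edge traffic is unencrypted.
resource "azurerm_cdn_endpoint" "insecure" {
  name                = "cdn-endpoint-insecure"  # assumed name
  profile_name        = azurerm_cdn_profile.example.name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  is_http_allowed  = true
  is_https_allowed = false

  origin {
    name      = "origin-storage"                       # assumed name
    host_name = "examplestorage.blob.core.windows.net"  # assumed origin host
  }
}

# COMPLIANT: HTTPS is allowed and HTTP is disabled, as the remediation steps
# describe. Set both flags explicitly rather than relying on provider defaults,
# so a later default change cannot silently reopen HTTP.
resource "azurerm_cdn_endpoint" "secure" {
  name                = "cdn-endpoint-secure"  # assumed name
  profile_name        = azurerm_cdn_profile.example.name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  is_http_allowed  = false
  is_https_allowed = true

  origin {
    name      = "origin-storage"                       # assumed name
    host_name = "examplestorage.blob.core.windows.net"  # assumed origin host
  }
}
```

In practice only the "secure" resource would remain in the configuration; the "insecure" block is shown side by side so the difference the policy checks for is visible in one place. Because these flags cannot be changed on an existing endpoint in the Portal, a Terraform change from the first form to the second may also force replacement of the endpoint, which matches the note above about creating a new endpoint and retiring the old one.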

References:
https://learn.microsoft.com/en-us/azure/cdn/cdn-create-a-storage-account-with-cdn
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint

Policy Details

Rule Reference ID: AC_AZURE_0199
CSP: Azure
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CDN Endpoint

Frameworks