Storage account does not use the latest version of TLS encryption
ID | storage_accounts_minimum_tls_version |
Severity | high |
Vendor | Azure |
Resource | Storage account |
Tags | reachable |
Description
Storage account should use the latest version of TLS encryption.
Communication between a client application and an Azure Storage account is encrypted with Transport Layer Security (TLS). TLS provides confidentiality and integrity for data exchanged between clients and services over the Internet, but only the newer protocol versions do so with acceptable strength: TLS 1.0 and TLS 1.1 have been formally deprecated (RFC 8996) and should no longer be negotiated.
At the time of writing Azure Storage supports three versions of the protocol: 1.0, 1.1 and 1.2. The public HTTPS endpoints negotiate TLS 1.2 with clients that support it, but TLS 1.0 and 1.1 remain enabled for backward compatibility unless the account's minimum TLS version (minimumTlsVersion in ARM, min_tls_version in Terraform) is raised. Setting the minimum to TLS 1.2 makes the service reject any connection that attempts to negotiate an older version, so a legacy or downgraded client fails closed instead of silently using weak cryptography.
Microsoft recommends configuring TLS 1.2 as the minimum version on every storage account. PCI DSS required that SSL and early TLS (TLS 1.0) be retired by June 30, 2018, so an account that still accepts TLS 1.0 is also a compliance finding for environments that handle cardholder data.
Examples
ARM
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "bad",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"location": "remote",
"properties": {
"minimumTlsVersion": "TLS1_0", (1)
"supportsHttpsTrafficOnly": true,
"allowBlobPublicAccess": true,
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": []
}
},
"dependsOn": [],
"sku": {
"name": "Standard_LRS"
},
"kind": "BlobStorage",
"tags": {}
}
]
}
1 | Insecure TLS version. |
Terraform
resource "azurerm_storage_account" "storage" {
name = "example"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
min_tls_version = "TLS1_0" (1)
network_rules {
default_action = "Allow"
ip_rules = ["100.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
}
1 | Insecure TLS version. |
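The check behind this policy can be reproduced offline for the ARM case. The script below is an added example and is not the page's own check: it walks the resources of an ARM template (including nested child resources), selects Microsoft.Storage/storageAccounts, and reports any account whose minimumTlsVersion is absent or below TLS1_2. The resource type and property name are the real ARM ones; the sample template embedded in the script is constructed for this example, and treating a missing property as a failure is a design choice explained in the comments.

```python
"""Added example, not Bridgecrew/Checkov code: flag storage accounts in an
ARM template whose minimumTlsVersion is missing or below TLS1_2.
"""
import json
import sys

# Ordering used for the comparison. TLS1_3 is listed so that a stricter
# future setting is not mistaken for a regression.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
REQUIRED = "TLS1_2"
STORAGE_TYPE = "microsoft.storage/storageaccounts"  # compared case-insensitively


def _walk_resources(resources):
    """Yield every resource in the template, descending into nested children."""
    for res in resources or []:
        yield res
        yield from _walk_resources(res.get("resources"))


def check_storage_min_tls(template, required=REQUIRED):
    """Return a list of (resource name, finding) for non-compliant accounts.

    A missing minimumTlsVersion is reported as well: when the property is
    omitted the platform default applies, and that default has historically
    been TLS1_0, so only an explicit value proves the template is compliant.
    """
    findings = []
    for res in _walk_resources(template.get("resources")):
        if res.get("type", "").lower() != STORAGE_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        version = (res.get("properties") or {}).get("minimumTlsVersion")
        if version is None:
            findings.append((name, "minimumTlsVersion not set; the platform default applies"))
        elif version not in TLS_ORDER:
            findings.append((name, f"unrecognised minimumTlsVersion {version!r}"))
        elif TLS_ORDER[version] < TLS_ORDER[required]:
            findings.append((name, f"minimumTlsVersion {version} is below {required}"))
    return findings


# Constructed sample template: one storage account per case plus an
# unrelated resource type that the check must ignore.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"name": "bad", "type": "Microsoft.Storage/storageAccounts",
         "apiVersion": "2019-06-01", "location": "westeurope",
         "properties": {"minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": True}},
        {"name": "unset", "type": "Microsoft.Storage/storageAccounts",
         "apiVersion": "2019-06-01", "location": "westeurope",
         "properties": {"supportsHttpsTrafficOnly": True}},
        {"name": "good", "type": "Microsoft.Storage/storageAccounts",
         "apiVersion": "2019-06-01", "location": "westeurope",
         "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True}},
        {"name": "unrelated", "type": "Microsoft.Network/virtualNetworks",
         "apiVersion": "2020-06-01", "location": "westeurope", "properties": {}},
    ],
}


if __name__ == "__main__":
    # Usage: python3 check_min_tls.py template.json   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    for name, finding in check_storage_min_tls(template):
        print(f"FAIL {name}: {finding}")
```

Run against the "bad" template from the Examples section above and it reports the TLS1_0 account; run against the fixed template under Mitigation / Fix and it returns nothing. The Terraform example is not covered by this script, because HCL needs a real parser rather than json.load.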
Mitigation / Fix
Buildtime
ARM
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "good",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"location": "remote",
"properties": {
"minimumTlsVersion": "TLS1_2", (1)
"supportsHttpsTrafficOnly": true,
"allowBlobPublicAccess": true,
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": []
}
},
"dependsOn": [],
"sku": {
"name": "Standard_LRS"
},
"kind": "BlobStorage",
"tags": {}
}
]
}
1 | Storage account has a proper TLS version. |
Terraform
resource "azurerm_storage_account" "storage" {
name = "example"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
min_tls_version = "TLS1_2" # FIXED
network_rules {
default_action = "Allow"
ip_rules = ["100.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
}
Runtime
Azure Portal
To change the policy, log in to the Azure Portal and then:
- Navigate to your storage account.
- Select Configuration.
- Under Minimum TLS version, use the drop-down to select the minimum version of TLS required to access data in this storage account, as shown in the following image.
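For more than a handful of accounts the portal is slow; the same fix can be driven from the Azure CLI. The script below is an added example, not part of the original page: it reads the JSON that `az storage account list -o json` prints, lists every account whose minimum TLS version is below TLS1_2 (an account with no value reported is treated as failing, because it falls back to the platform default), and builds the `az storage account update --min-tls-version` command that remediates each one. The JSON field names (name, resourceGroup, minimumTlsVersion) and the CLI flags are the real ones; the inventory embedded in the script is constructed.

```python
"""Added example, not from the original page: triage `az storage account list`
output for accounts below TLS1_2 and emit the remediation commands.
"""
import json
import shlex
import sys

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def noncompliant_accounts(inventory, required="TLS1_2"):
    """Return [(name, resourceGroup, minimumTlsVersion)] for every account that
    still accepts a TLS version older than `required`.

    A null or missing minimumTlsVersion is reported too: such accounts use the
    platform default (TLS1_0 when this check was written), so "unset" is the
    unsafe reading and must not pass.
    """
    threshold = TLS_ORDER[required]
    failing = []
    for acct in inventory:
        current = acct.get("minimumTlsVersion")
        if TLS_ORDER.get(current, -1) < threshold:
            failing.append((acct["name"], acct["resourceGroup"], current))
    return failing


def remediation_commands(inventory, required="TLS1_2"):
    """One `az storage account update` per failing account. Resource group
    names may contain spaces or other shell metacharacters, so quote them."""
    return [
        "az storage account update --name {} --resource-group {} --min-tls-version {}".format(
            shlex.quote(name), shlex.quote(rg), required)
        for name, rg, _ in noncompliant_accounts(inventory, required)
    ]


# Constructed inventory in the shape of `az storage account list -o json`
# (only the fields this script reads are included).
SAMPLE_INVENTORY = [
    {"name": "legacyblob01", "resourceGroup": "rg-apps",
     "minimumTlsVersion": "TLS1_0", "enableHttpsTrafficOnly": True},
    {"name": "archive02", "resourceGroup": "rg-data lake",
     "minimumTlsVersion": "TLS1_1", "enableHttpsTrafficOnly": True},
    {"name": "hardened03", "resourceGroup": "rg-apps",
     "minimumTlsVersion": "TLS1_2", "enableHttpsTrafficOnly": True},
    {"name": "ancient04", "resourceGroup": "rg-apps",
     "minimumTlsVersion": None, "enableHttpsTrafficOnly": True},
]


if __name__ == "__main__":
    # Usage: az storage account list -o json | python3 tls_triage.py
    # With no piped input the constructed sample is used instead.
    inventory = SAMPLE_INVENTORY if sys.stdin.isatty() else json.load(sys.stdin)
    for name, rg, current in noncompliant_accounts(inventory):
        print(f"FAIL {rg}/{name}: minimumTlsVersion={current or 'unset'}")
    print("\n".join(remediation_commands(inventory)))
```

Before running the generated commands, confirm that no production client still depends on TLS 1.0 or 1.1; raising the floor is a hard reject at the handshake, so such clients stop working immediately rather than degrading. After the update, `az storage account show --name <name> --resource-group <rg> --query minimumTlsVersion -o tsv` should print TLS1_2 for each account.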