Ensure Web App is using the latest version of TLS encryption

App Service currently allows a Web App to be set to TLS version 1.0, 1.1 or 1.2. It is highly recommended to use TLS 1.2, the latest of these versions, for secure connections to the Web App.

Risk Level: High
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.19
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

WebApp should have config.minTlsVersions.value='1.2'

REMEDIATION

From Portal

  1. Go to 'App Services' and choose your App Service.
  2. Select 'TLS/SSL settings' under 'Settings' on the navigation menu.
  3. Under 'Bindings' set 'Minimum TLS Version' to '1.2'.

From TF
Set the 'min_tls_version' argument to '1.2':

resource "azurerm_app_service" "web_app" {
	# ...
	site_config {
		# ...
		min_tls_version = "1.2"
		# ...
	}
	# ...
}

From Command Line
Run the following, replacing the placeholders with your resource group and Web App name:

az webapp config set --resource-group <RESOURCE_GROUP> --name <WEB_APP_NAME> --min-tls-version 1.2
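
To find which apps need the command above, the following added example (not CloudGuard's or Microsoft's code) checks saved `az webapp config show` results and prints a quoted remediation command for each failing app. The sample records and app names are constructed, and treating a missing or unparseable `minTlsVersion` as a failure is an assumption of this example.

```python
import json
import shlex

REQUIRED = (1, 2)  # minimum TLS version demanded by the rule on this page

# Constructed sample: `az webapp config show` results trimmed to the fields
# used here. App and resource-group names are made up.
SAMPLE = json.loads("""
[
  {"name": "shop-frontend", "resourceGroup": "rg-prod",     "minTlsVersion": "1.2"},
  {"name": "legacy-api",    "resourceGroup": "rg-prod",     "minTlsVersion": "1.0"},
  {"name": "intranet",      "resourceGroup": "rg-corp(eu)", "minTlsVersion": "1.1"},
  {"name": "batch-worker",  "resourceGroup": "rg-dev",      "minTlsVersion": null}
]
""")


def parse_version(value):
    """Turn '1.2' into (1, 2); return None for missing or malformed values."""
    try:
        major, minor = str(value).split(".")
        return int(major), int(minor)
    except ValueError:
        return None


def audit(configs):
    """Return one finding per app whose minimum TLS version is below 1.2.

    A missing or unparseable value is reported too (assumption of this
    example), because the rule cannot be shown to hold for it.
    """
    findings = []
    for cfg in configs:
        current = cfg.get("minTlsVersion")
        version = parse_version(current)
        if version is not None and version >= REQUIRED:
            continue
        # Quote names so characters such as parentheses survive the shell.
        fix = "az webapp config set --resource-group {} --name {} --min-tls-version 1.2".format(
            shlex.quote(cfg["resourceGroup"]), shlex.quote(cfg["name"]))
        findings.append({"app": cfg["name"], "current": current, "fix": fix})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"FAIL {finding['app']}: minTlsVersion={finding['current']}")
        print(f"  {finding['fix']}")
```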

References

  1. https://docs.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset