Ensure Function App is using the latest version of TLS encryption

App Service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to set the minimum TLS version to 1.2, the latest of these, for secure connections to the function app.

Risk Level: High
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.CRY.25
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

FunctionApp should have config.minTlsVersions.value='1.2'

REMEDIATION

From Portal

  1. Sign in to the Azure portal and navigate to 'Function App'
  2. Click on the name of the Function App you want to examine
  3. In the navigation panel, under Settings, select 'TLS/SSL settings'
  4. In the 'Minimum TLS Version' toggle, select 1.2

From TF
Set the 'min_tls_version' argument in the 'site_config' block to '1.2':

resource "azurerm_function_app" "example" {
	# ...
	site_config {
		# Reject TLS 1.0 and 1.1 connections
		min_tls_version = "1.2"
	}
	# ...
}

Note: By default, min_tls_version is set to 1.2 for new function apps.

From Command Line
Run

az functionapp config set --resource-group RESOURCEGROUPNAME --name FUNCTIONAPPNAME --min-tls-version 1.2
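
The rule check and the command-line remediation above, combined into a script that audits every Function App in the current subscription. This is an added example, not CloudGuard or Microsoft code; it assumes a logged-in Azure CLI, and the function names tls_compliant and audit_function_apps are hypothetical.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) the minimum TLS version of every
# Function App in the current subscription. Assumes `az login` has been run.

TAB=$(printf '\t')

# Mirrors the rule as written: only the exact value 1.2 passes. An empty
# value (the config could not be read) counts as a finding, failing closed.
tls_compliant() {
  [ "$1" = "1.2" ]
}

# Usage: audit_function_apps [--fix]
# Prints STATUS<TAB>resource-group<TAB>name<TAB>minTlsVersion for each app and
# returns non-zero if any app was non-compliant at the time it was checked.
audit_function_apps() (
  fix=${1:-}
  failures=0
  apps=$(az functionapp list --query '[].[name, resourceGroup]' --output tsv) || exit 2
  while IFS=$TAB read -r name rg; do
    [ -n "$name" ] || continue
    # </dev/null keeps az from consuming the app list the loop is reading.
    tls=$(az functionapp config show --name "$name" --resource-group "$rg" \
            --query minTlsVersion --output tsv 2>/dev/null </dev/null) || tls=
    if tls_compliant "$tls"; then
      printf 'PASS\t%s\t%s\t%s\n' "$rg" "$name" "$tls"
      continue
    fi
    printf 'FAIL\t%s\t%s\t%s\n' "$rg" "$name" "${tls:-unknown}"
    failures=$((failures + 1))
    if [ "$fix" = "--fix" ]; then
      # Same command as the command-line remediation step.
      az functionapp config set --resource-group "$rg" --name "$name" \
        --min-tls-version 1.2 >/dev/null </dev/null && printf 'FIXED\t%s\t%s\n' "$rg" "$name"
    fi
  done <<EOF
$apps
EOF
  [ "$failures" -eq 0 ]
)
```

Run audit_function_apps first without arguments and review the FAIL lines before using --fix, since clients that only speak TLS 1.0 or 1.1 will no longer be able to connect.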

References

  1. https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts
  2. https://docs.microsoft.com/en-us/cli/azure/functionapp/config?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark