Risk Level: High
Cloud Entity: My SQL DB Flexible Server
CloudGuard Rule ID: D9.AZU.CRY.33
Covered by Spectral: Yes
Category: Database

GSL LOGIC

MySQLDBFlexibleServer should have parameters with [ name='tls_version' and value='TLSv1.2' ]

REMEDIATION

From Portal

Login to Azure Portal using https://portal.azure.com
Go to Azure Database for MySQL flexible servers
For each database, click on Server parameters under Settings
In the search box, type in tls_version
Click on the VALUE dropdown, and ensure only TLSV1.2 is selected for tls_version

From TF
Set the 'ssl_enforcement_enabled' to 'true':

resource 'azurerm_mysql_server' 'example' {
	..
	ssl_minimal_tls_version_enforced  = "TLS1_2"
	..
}

From Command Line
Run

az mysql flexible-server parameter set --name tls_version --resource-group RESOURCEGROUPNAME --server-name SERVERNAME --value TLSV1.2

References

My SQL DB Flexible Server

Azure Database for MySQL Flexible Server is a fully managed production-ready database service designed for more granular control and flexibility over database management functions and configuration settings. The flexible server architecture allows users to opt for high availability within single availability zone and across multiple availability zones.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset