Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

Azure Storage sets the minimum TLS version to 1.0 by default. TLS 1.0 is a legacy protocol with known vulnerabilities. The minimum TLS version can be raised to a later protocol such as TLS 1.2, so that clients negotiating older versions are rejected.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.35
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount should have minimumTlsVersion='TLS1_2'

REMEDIATION

From Portal

  1. Log in to the Azure Portal at https://portal.azure.com
  2. Go to Storage Accounts
  3. Click on each Storage Account
  4. Under the Settings section, click Configuration
  5. Set the minimum TLS version to Version 1.2
  6. Click Save.

From TF
Set the 'min_tls_version' to 'TLS1_2':

resource "azurerm_storage_account" "example" {
	..
	min_tls_version   = "TLS1_2"
	..
}

From Command Line
Run

az storage account update --name STORAGEACCOUNTNAME --resource-group RESOURCEGROUPNAME --min-tls-version TLS1_2
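To verify the GSL rule above across a whole subscription, the JSON output of `az storage account list` can be evaluated offline. The following is an added Python example, not part of the CloudGuard page or of the Azure CLI: it flags every account whose `minimumTlsVersion` is not `TLS1_2` (treating a missing or null value as non-compliant, which is an assumption based on the TLS 1.0 default described above) and prints the matching `az storage account update` command from the page. The sample accounts are constructed.

```python
import json

COMPLIANT_TLS = "TLS1_2"

# Constructed sample, shaped like `az storage account list -o json`
# (only the fields the check needs are included).
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stprodlogs", "resourceGroup": "rg-prod", "minimumTlsVersion": "TLS1_2"},
    {"name": "stlegacyweb", "resourceGroup": "rg-legacy", "minimumTlsVersion": "TLS1_0"},
    {"name": "stdatalake", "resourceGroup": "rg-data", "minimumTlsVersion": "TLS1_1"},
    {"name": "stoldbackup", "resourceGroup": "rg-legacy"},  # property never set
])


def find_noncompliant(accounts_json: str) -> list[dict]:
    """Return accounts that fail 'minimumTlsVersion should be TLS1_2'.

    A missing or null minimumTlsVersion is treated as non-compliant
    (assumption): the property is then not TLS1_2, and such accounts
    fall back to the TLS 1.0 default.
    """
    failures = []
    for acct in json.loads(accounts_json):
        observed = acct.get("minimumTlsVersion")
        if observed != COMPLIANT_TLS:
            failures.append({
                "name": acct["name"],
                "resourceGroup": acct["resourceGroup"],
                "minimumTlsVersion": observed or "unset",
            })
    return failures


def remediation_commands(failures: list[dict]) -> list[str]:
    """Build the `az storage account update` command from the page for each failure."""
    return [
        "az storage account update --name {name} --resource-group {rg} "
        "--min-tls-version TLS1_2".format(name=f["name"], rg=f["resourceGroup"])
        for f in failures
    ]


if __name__ == "__main__":
    bad = find_noncompliant(SAMPLE_ACCOUNTS_JSON)
    for f in bad:
        print(f"NON-COMPLIANT {f['resourceGroup']}/{f['name']}: {f['minimumTlsVersion']}")
    for cmd in remediation_commands(bad):
        print(cmd)
```

Against a real subscription, feed the output of `az storage account list -o json` to `find_noncompliant` in place of the constructed sample.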

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
  2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset