Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Azure Storage sets the minimum TLS version to version 1.0 by default. TLS 1.0 is a legacy protocol with known vulnerabilities. The minimum TLS version can be raised to a later protocol such as TLS 1.2.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.35
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should have minimumTlsVersion='TLS1_2'
REMEDIATION
From Portal
- Login to Azure Portal using https://portal.azure.com
- Go to Storage Accounts
- Click on each Storage Account
- Under the Settings section, click on Configuration
- Set the minimum TLS version to Version 1.2
- Click on Save
From TF
Set the 'min_tls_version' to 'TLS1_2':
resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct"  # placeholder account name
  resource_group_name      = "example-rg"          # placeholder resource group
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}
From Command Line
Run
az storage account update --name STORAGEACCOUNTNAME --resource-group RESOURCEGROUPNAME --min-tls-version TLS1_2
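The following is an added example, not CloudGuard's or Azure's own code: it evaluates the GSL logic above over storage account records shaped like `az storage account list -o json` output and emits the remediation command from this section for each failing account. The field names `name`, `resourceGroup` and `minimumTlsVersion` are assumed, and the sample records are constructed; an unset value is treated as failing because Azure then applies its TLS 1.0 default.

```python
"""Evaluate rule D9.AZU.CRY.35 (minimumTlsVersion='TLS1_2') over account records."""
import json

REQUIRED_TLS = "TLS1_2"

# Constructed sample records (not real accounts), shaped like the assumed
# `az storage account list -o json` output.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "stcompliant01", "resourceGroup": "rg-prod", "minimumTlsVersion": "TLS1_2"},
    {"name": "stlegacy02", "resourceGroup": "rg-prod", "minimumTlsVersion": "TLS1_0"},
    {"name": "stunset03", "resourceGroup": "rg-dev", "minimumTlsVersion": None},
])


def is_compliant(account):
    """GSL: StorageAccount should have minimumTlsVersion='TLS1_2'.

    A missing or null value fails too: the platform default is TLS 1.0.
    """
    return account.get("minimumTlsVersion") == REQUIRED_TLS


def audit(accounts_json):
    """Return (name, resourceGroup, currentValue) for every failing account."""
    findings = []
    for acct in json.loads(accounts_json):
        if not is_compliant(acct):
            findings.append((acct["name"], acct["resourceGroup"],
                             acct.get("minimumTlsVersion")))
    return findings


def remediation_command(name, resource_group):
    """Build the az CLI command from the Remediation section for one account."""
    return (f"az storage account update --name {name} "
            f"--resource-group {resource_group} --min-tls-version {REQUIRED_TLS}")


if __name__ == "__main__":
    for name, rg, current in audit(SAMPLE_ACCOUNTS):
        print(f"FAIL {rg}/{name}: minimumTlsVersion={current!r}")
        print("  fix:", remediation_command(name, rg))
```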
References
- https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
- https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-update
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago