Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

By default, Azure Storage sets the minimum TLS version to 1.0. TLS 1.0 is a legacy version with known vulnerabilities. The minimum TLS version can be raised to a later protocol version such as TLS 1.2.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.35
Covered by Spectral: No
Category: Storage


StorageAccount should have minimumTlsVersion='TLS1_2'


From Portal

  1. Log in to the Azure Portal at https://portal.azure.com
  2. Go to Storage Accounts
  3. Click on each Storage Account
  4. Under the Settings section, click Configuration
  5. Set the minimum TLS version to Version 1.2
  6. Click Save.

From Terraform
Set 'min_tls_version' to 'TLS1_2':

resource "azurerm_storage_account" "example" {
  # other required arguments (name, resource_group_name, location, ...) omitted
  min_tls_version = "TLS1_2"
}

From Command Line

az storage account update --name STORAGEACCOUNTNAME --resource-group RESOURCEGROUPNAME --min-tls-version TLS1_2
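To find which accounts need the command above, the following added example (not part of the CloudGuard rule or the Azure CLI) checks the JSON produced by `az storage account list -o json` against the rule and builds the matching remediation commands. The account names and resource groups are constructed, and it assumes accounts that never had the property set report `minimumTlsVersion` as null or omit it.

```python
import json
import shlex

REQUIRED = "TLS1_2"  # value the rule on this page requires

# Constructed sample in the shape of `az storage account list -o json`
# (only the fields used here; all names are made up).
SAMPLE_JSON = """
[
  {"name": "stprodlogs01", "resourceGroup": "rg-prod", "minimumTlsVersion": "TLS1_2"},
  {"name": "stlegacyapp", "resourceGroup": "rg-legacy", "minimumTlsVersion": "TLS1_0"},
  {"name": "stoldbackup", "resourceGroup": "rg-legacy", "minimumTlsVersion": null},
  {"name": "stdevscratch", "resourceGroup": "rg-dev"}
]
"""


def find_noncompliant(accounts):
    """Return (name, resource_group, current_setting) for each failing account."""
    findings = []
    for acct in accounts:
        # Assumption: the key is null or absent when no minimum was ever set.
        current = acct.get("minimumTlsVersion")
        if current != REQUIRED:  # same equality test as the rule expression
            findings.append((acct["name"], acct["resourceGroup"], current or "unset"))
    return findings


def remediation_commands(findings):
    """Build the page's `az storage account update` command for each finding."""
    template = "az storage account update --name {} --resource-group {} --min-tls-version {}"
    return [
        template.format(shlex.quote(name), shlex.quote(group), REQUIRED)
        for name, group, _ in findings
    ]


if __name__ == "__main__":
    results = find_noncompliant(json.loads(SAMPLE_JSON))
    for name, group, current in results:
        print(f"FAIL {group}/{name}: minimumTlsVersion={current}")
    for command in remediation_commands(results):
        print(command)
```

To audit a real subscription, replace `SAMPLE_JSON` with the saved output of `az storage account list -o json`.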


  1. https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
  2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset