Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On'

When incoming client certificates are required, App Service asks every client for a certificate during the TLS handshake and rejects requests that do not present one before they reach the function. Note that App Service only enforces that a certificate is presented: it forwards the certificate to the function in the X-ARR-ClientCert request header, and the function code must still validate the issuer, validity period and thumbprint itself.

Risk Level: High
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.IAM.15
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

FunctionApp should have inner.clientCertEnabled=true

REMEDIATION

From Portal
Note: For Linux apps on the Consumption (Serverless) plan, please skip to 'From Command Line'.

  1. Go to 'App Services' in the Azure portal and choose your Function App.
  2. Under 'Settings', select 'Configuration' on the navigation menu.
  3. Select 'General Settings' (not available for Linux apps on the Consumption (Serverless) hosting option).
  4. Under 'Incoming Client Certificates', set 'Client Certificate mode' to 'Require'.
  5. Click Save.

Note: By default, Client Certificate mode is set to Ignore.

From TF
Set the 'client_cert_mode' argument to 'Required' (the other accepted value, 'Optional', only requests a certificate and does not enforce one):

resource "azurerm_function_app" "example" {
  ..
  client_cert_mode = "Required"
  ..
}

Note: 'azurerm_function_app' is deprecated in azurerm provider 3.x and removed in 4.0. Its replacements, 'azurerm_linux_function_app' and 'azurerm_windows_function_app', express the same setting as 'client_certificate_enabled = true' together with 'client_certificate_mode = "Required"'.

From Command Line
Run:

az functionapp update --resource-group RESOURCEGROUPNAME --name FUNCTIONAPPNAME --set clientCertEnabled=true
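
As an added example that is not part of the CloudGuard page or Check Point's tooling, the following POSIX shell script applies the GSL check above to every Function App in a subscription and also surfaces the case the check cannot distinguish: clientCertEnabled=true with clientCertMode set to Optional or OptionalInteractiveUser, where the platform requests a certificate but still lets certificate-less clients through. The az query and its column order, the sample apps and the addition of clientCertMode=Required to the fix command are assumptions made for this example; the script normalises the boolean spelling in tsv output rather than assuming it.

```sh
#!/bin/sh
# Audit helper for CloudGuard rule D9.AZU.IAM.15. This is an added example, not
# part of the CloudGuard page or Check Point tooling.
#
# Live input (assumed column order, one app per line) comes from:
#   az functionapp list --query "[].[name,resourceGroup,clientCertEnabled,clientCertMode]" -o tsv
# clientCertEnabled and clientCertMode are the ARM Site properties the page's own
# az command sets; how tsv output spells booleans ("True"/"true") is normalised
# below instead of being assumed.

TAB=$(printf '\t')

# classify ENABLED MODE -> prints one of:
#   FAIL  clientCertEnabled is not true: the GSL check fails.
#   WARN  enabled, but clientCertMode is not "Required": the GSL check passes,
#         yet the platform only requests a certificate, so clients without one
#         still reach the function. An empty mode is reported as WARN too, so
#         the operator confirms it instead of trusting a service default.
#   PASS  enabled and mode is Required.
classify() {
  enabled=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  mode=$2
  if [ "$enabled" != "true" ]; then
    echo FAIL
  elif [ "$mode" = "Required" ]; then
    echo PASS
  else
    echo WARN
  fi
}

# remediation_cmd NAME RESOURCE_GROUP -> prints the fix for one app: the page's
# command plus clientCertMode=Required, so the mode is set explicitly.
remediation_cmd() {
  printf 'az functionapp update --resource-group %s --name %s --set clientCertEnabled=true clientCertMode=Required\n' "$2" "$1"
}

# audit < tsv -> prints "STATUS<TAB>name<TAB>resourceGroup" per app and, for each
# non-PASS app, the remediation command. Exit status is the number of FAIL apps
# (capped at 255), so 0 means every app satisfies the GSL check; WARN apps are
# reported but do not count, matching what the rule itself measures.
audit() {
  fails=0
  while IFS=$TAB read -r name rg enabled mode; do
    [ -n "$name" ] || continue
    status=$(classify "$enabled" "$mode")
    printf '%s\t%s\t%s\n' "$status" "$name" "$rg"
    if [ "$status" != "PASS" ]; then
      printf '  fix: '
      remediation_cmd "$name" "$rg"
    fi
    [ "$status" = "FAIL" ] && fails=$((fails + 1))
  done
  [ "$fails" -gt 255 ] && fails=255
  return "$fails"
}

# Constructed sample in the tsv shape described above; these are not real apps.
sample_tsv() {
  printf 'fn-payments\trg-prod\tTrue\tRequired\n'
  printf 'fn-ingest\trg-prod\tTrue\tOptional\n'
  printf 'fn-legacy\trg-dev\tFalse\t\n'
  printf 'fn-webhook\trg-dev\tTrue\tOptionalInteractiveUser\n'
}

case "${1:-}" in
  --live)   az functionapp list --query "[].[name,resourceGroup,clientCertEnabled,clientCertMode]" -o tsv | audit ;;
  --sample) sample_tsv | audit ;;
  *)        echo "usage: $0 --sample | --live" >&2 ;;
esac
```

Run it with '--sample' to see the constructed output (one FAIL, two WARN, one PASS, with a fix line under each non-PASS app) or with '--live' after 'az login'. Review the printed fix lines before executing them, and remember that a PASS only means the platform demands a certificate: the function code still has to validate the certificate forwarded in X-ARR-ClientCert.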

References

  1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
  2. https://learn.microsoft.com/en-us/answers/questions/923617/general-settings-in-consumption-function-app
  3. https://docs.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-update
  4. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#client_cert_mode

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset