📝 Azure MySQL Flexible Server TLS Version is not set to TLS 1.2 🟢

Contextual name: 📝 Flexible Server TLS Version is not set to TLS 1.2 🟢
ID: /ce/ca/azure/mysql-database/flexible-server-latest-tls-version
Located in: 📁 Azure MySQL Database

Flags

Our Metadata

Policy Type: COMPLIANCE_POLICY
Policy Category:
- SECURITY

Similar Policies

Cloud Conformity
- Configure TLS Version for MySQL Flexible Database Servers
Internal
- dec-x-aeac09d6

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-aeac09d6	1

Logic

🧠 prod.logic.yaml 🟢
- 📕 Azure MySQL Server
- 🔌 Azure MySQL Server - object.extracts.yaml
- 🧪 test-data.json

Description

Open File

Description

Ensure tls_version on MySQL flexible servers is set to use TLS version 1.2 or higher.

Rationale

TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Audit

From Azure Portal

Login to Azure Portal using https://portal.azure.com.

Go to Azure Database for MySQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type tls_version.

Ensure tls_version is set to TLSv1.2 (or higher).

From Azure CLI

Ensure the Value of the below command contains TLSv1.2 or higher, and does not contain anything lower than TLSv1.2:
az mysql flexible-server parameter show --resource-group <resourceGroup> --server-name <serverName> --name tls_version
Example output:

... see more

Remediation

Open File

Remediation

From Azure Portal

Login to Azure Portal using https://portal.azure.com.

Go to Azure Database for MySQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type tls_version.

Click on the VALUE dropdown next to tls_version, and check TLSv1.2 (or higher).

Uncheck anything lower than TLSv1.2.

Click Save.

From Azure CLI

Use the below command to update MySQL flexible servers to use TLS version 1.2:
az mysql flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name tls_version --value TLSv1.2
From PowerShell

Use the below command to update MySQL flexible servers to use TLS version 1.2:
Update-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name tls_version -Value TLSv1.2

policy.yaml

Open File

Linked Framework Sections

Section	Internal Rules	Policies
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).	17	18
💼 CIS Azure v1.4.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)	1	1
💼 CIS Azure v1.5.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)	1	1
💼 CIS Azure v2.0.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)	1	1
💼 CIS Azure v3.0.0 → 💼 5.3.2 Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server (Automated)		1
💼 Cloudaware Framework → 💼 Data Encryption		31
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)	20	21
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)		13
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)	6	10
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		10
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)		13
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		10
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer	8	9
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains	25	27
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption	11	13
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection	8	10

Flags​

Our Metadata​

Similar Policies​

Similar Internal Rules​

Logic​

Description​

Description​

Rationale​

Audit​

From Azure Portal​

From Azure CLI​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Flags

Our Metadata

Similar Policies

Similar Internal Rules

Logic

Description

Description

Rationale

Audit

From Azure Portal

From Azure CLI

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections