🛡️ Azure MySQL Flexible Server TLS Version is not set to TLS 1.2🟢

Contextual name: 🛡️ Flexible Server TLS Version is not set to TLS 1.2🟢
ID: /ce/ca/azure/mysql-database/flexible-server-latest-tls-version
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure MySQL Server
- 🔌 Azure MySQL Server - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Configure TLS Version for MySQL Flexible Database Servers
Internal: dec-x-aeac09d6

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-aeac09d6	1

Description

Open File

Description

Ensure tls_version on MySQL flexible servers is set to TLS version 1.2 or higher.

Rationale

TLS connectivity provides an additional layer of security by connecting the database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Audit

From Azure Portal

Log in to Azure Portal using https://portal.azure.com.

Go to Azure Database for MySQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type tls_version.

Ensure tls_version is set to TLSv1.2 (or higher).

From Azure CLI

Ensure the value of the following command contains TLSv1.2 or higher, and does not contain anything lower than TLSv1.2:
az mysql flexible-server parameter show \
    --resource-group {{resource-group-name}} \
    --server-name {{server-name}} \

... [see more](description.md)

Remediation

Open File

Remediation

From Azure Portal

Log in to Azure Portal using https://portal.azure.com.

Go to Azure Database for MySQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type tls_version.

Click on the VALUE dropdown next to tls_version, and check TLSv1.2 (or higher).

Uncheck anything lower than TLSv1.2.

Click Save.

From Azure CLI

Use the following command to update MySQL flexible servers to use TLS version 1.2:
az mysql flexible-server parameter set \
    --resource-group {{resource-group-name}} \
    --server-name {{server-name}} \
    --name tls_version \
    --value TLSv1.2
From PowerShell

Use the following command to update MySQL flexible servers to use TLS version 1.2:
Update-AzMySqlFlexibleServerConfiguration `
    -ResourceGroupName {{resource-group-name}} `
    -ServerName {{server-name}} `
    -Name tls_version `
    -Value TLSv1.2

policy.yaml

Open File

Linked Framework Sections

Section	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).	21	22	no data
💼 CIS Azure v1.4.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)	1	1	no data
💼 CIS Azure v1.5.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)	1	1	no data
💼 CIS Azure v2.0.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)	1	1	no data
💼 CIS Azure v2.1.0 → 💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server - Level 1 (Automated)		1	no data
💼 CIS Azure v3.0.0 → 💼 5.3.2 Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server (Automated)		1	no data
💼 Cloudaware Framework → 💼 Cryptographic Configuration		18	no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)	26	27	no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)		21	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)	8	24	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		24	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)		21	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		24	no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer	8	10	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains	31	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption	12	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection	8	23	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

From Azure Portal​

From Azure CLI​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

From Azure Portal

From Azure CLI

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections