🛡️ Azure Storage Account Minimum TLS Version is not set to TLS 1.2 or higher🟢

• Contextual name: 🛡️ Minimum TLS Version is not set to TLS 1.2 or higher🟢
• ID: /ce/ca/azure/storage/minimum-tls-version
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Storage Account
  • 🔌 Azure Storage Account - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Configure Minimum TLS Version
• Internal: dec-x-b94bd368

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b94bd368	1

Description

Open File

Description

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.

Rationale

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Impact

When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.

Audit

This policy flags an Azure Storage Account as INCOMPLIANT if its Minimum TLS Version is not set to TLS1_2.

Default Value

If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.

If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.

References

1. https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal

... see more

Remediation

Open File

Remediation

From Azure Console

1. Go to Storage Accounts.
2. For each storage account, under Settings, click Configuration.
3. Set the Minimum TLS version to Version 1.2.
4. Click Save.

From Azure CLI

az storage account update \ 
    --name <storage-account> \ 
    --resource-group <resource-group> \ 
    --min-tls-version TLS1_2

From Azure PowerShell

To set the minimum TLS version, run the following command:

Set-AzStorageAccount -AccountName <STORAGEACCOUNTNAME> ` -ResourceGroupName <RESOURCEGROUPNAME> ` -MinimumTlsVersion TLS1_2

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22		no data
💼 CIS Azure v1.4.0 → 💼 3.12 Ensure the "Minimum TLS version" is set to "Version 1.2" - Level 1 (Automated)		1	1		no data
💼 CIS Azure v1.5.0 → 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated)			1		no data
💼 CIS Azure v4.0.0 → 💼 10.3.7 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			42		no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		25	26		no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	16		no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16		no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	10		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	15		no data