📝 Azure Storage Account Minimum TLS Version is not set to TLS 1.2 or higher 🟢

Contextual name: 📝 Minimum TLS Version is not set to TLS 1.2 or higher 🟢
ID: /ce/ca/azure/storage/minimum-tls-version
Located in: 📁 Azure Storage

Flags

Our Metadata

Policy Type: COMPLIANCE_POLICY
Policy Category:
- SECURITY

Similar Policies

Cloud Conformity
- Configure Minimum TLS Version
Internal
- dec-x-b94bd368

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b94bd368	1

Logic

🧠 prod.logic.yaml 🟢
- 📗 Azure Storage Account
- 🔌 Azure Storage Account - object.extracts.yaml
- 🧪 test-data.json

Description

Open File

Description

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.

Rationale

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Impact

When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.

Audit

This policy flags an Azure Storage Account as INCOMPLIANT if its Minimum TLS Version is not set to TLS1_2.

Default Value

If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.

If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.

References

https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal

... see more

Remediation

Open File

Remediation

From Azure Console

Go to Storage Accounts.

For each storage account, under Settings, click Configuration.

Set the Minimum TLS version to Version 1.2.

Click Save.

From Azure CLI
az storage account update \ 
    --name <storage-account> \ 
    --resource-group <resource-group> \ 
    --min-tls-version TLS1_2
From Azure PowerShell

To set the minimum TLS version, run the following command:
Set-AzStorageAccount -AccountName <STORAGEACCOUNTNAME> ` -ResourceGroupName <RESOURCEGROUPNAME> ` -MinimumTlsVersion TLS1_2

policy.yaml

Open File

Linked Framework Sections

Section	Internal Rules	Policies
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).	21	22
💼 CIS Azure v1.4.0 → 💼 3.12 Ensure the "Minimum TLS version" is set to "Version 1.2" - Level 1 (Automated)	1	1
💼 CIS Azure v1.5.0 → 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated)	1	1
💼 CIS Azure v2.0.0 → 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated)	1	1
💼 CIS Azure v2.1.0 → 💼 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" - Level 1 (Automated)	1	1
💼 CIS Azure v3.0.0 → 💼 4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated)		1
💼 CIS Azure v4.0.0 → 💼 10.3.7 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated)		1
💼 Cloudaware Framework → 💼 Data Encryption		42
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)	25	26
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)		17
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)	8	16
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		16
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)		17
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		16
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer	8	10
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains	30	32
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption	12	17
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection	8	15

Flags​

Our Metadata​

Similar Policies​

Similar Internal Rules​

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Default Value​

References​

Remediation​

Remediation​

From Azure Console​

From Azure CLI​

From Azure PowerShell​

policy.yaml​

Linked Framework Sections​

Flags

Our Metadata

Similar Policies

Similar Internal Rules

Logic

Description

Description

Rationale

Impact

Audit

Default Value

References

Remediation

Remediation

From Azure Console

From Azure CLI

From Azure PowerShell

policy.yaml

Linked Framework Sections