Description
In some cases, Azure Storage sets the minimum TLS version to 1.0 by default. TLS 1.0 is a legacy protocol version with known vulnerabilities. The minimum TLS version can be raised to a later protocol version such as TLS 1.2.
Rationale
TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.
Impact
When set to TLS 1.2, all requests must use this version of the protocol. Applications that still use legacy versions of the protocol will fail to connect.
Audit
From Azure Console
- Go to Storage Accounts.
- For each storage account, under Settings, click Configuration.
- Ensure that the Minimum TLS version is set to Version 1.2.
From Azure CLI
Get a list of all storage accounts and their resource groups:
az storage account list | jq '.[] | {name, resourceGroup}'
Then query the minimumTlsVersion field for each account:
az storage account show \
--name <storage-account> \
--resource-group <resource-group> \
--query minimumTlsVersion \
--output tsv
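The two CLI steps above can be combined into one check over every account at once. The following is an added example, not part of the benchmark text: it takes the JSON that `az storage account list --output json` returns (here replaced by a constructed sample), treats an unset minimumTlsVersion as TLS 1.0 as described under Default Value, and reports accounts below TLS 1.2. The account names and resource groups are made up.

```python
"""Flag Azure storage accounts whose minimum TLS version is below TLS 1.2.

Input is the JSON from the audit command on this page, e.g.
    az storage account list --output json
Each element carries name, resourceGroup and minimumTlsVersion; the last is
absent or null when the account was created via CLI/PowerShell without
setting it, in which case the effective minimum is TLS 1.0.
"""
import json
import re

REQUIRED = (1, 2)  # the benchmark expects TLS1_2 at minimum


def parse_tls_version(value):
    """Turn the ARM enum string (e.g. 'TLS1_2') into a comparable tuple.

    None means the property was never set; per the Default Value section the
    effective minimum is then TLS 1.0.
    """
    if value is None:
        return (1, 0)
    m = re.fullmatch(r"TLS(\d+)_(\d+)", value)
    if not m:
        raise ValueError(f"unrecognised minimumTlsVersion: {value!r}")
    return (int(m.group(1)), int(m.group(2)))


def find_noncompliant(accounts):
    """Return (name, resourceGroup, effective version) for failing accounts."""
    findings = []
    for acct in accounts:
        ver = parse_tls_version(acct.get("minimumTlsVersion"))
        if ver < REQUIRED:
            findings.append((acct["name"], acct["resourceGroup"], "TLS%d_%d" % ver))
    return findings


def audit(raw_json):
    """Parse raw `az storage account list` output and run the check."""
    return find_noncompliant(json.loads(raw_json))


# Constructed sample standing in for real `az storage account list` output.
SAMPLE = json.dumps([
    {"name": "stportal01", "resourceGroup": "rg-app", "minimumTlsVersion": "TLS1_2"},
    {"name": "stcli02", "resourceGroup": "rg-app", "minimumTlsVersion": None},
    {"name": "stlegacy03", "resourceGroup": "rg-data", "minimumTlsVersion": "TLS1_1"},
])

if __name__ == "__main__":
    for name, rg, ver in audit(SAMPLE):
        print(f"FAIL {rg}/{name}: effective minimum {ver}")
```

Against live data, pipe the list command into the script in place of SAMPLE; an empty result means every account meets the TLS 1.2 minimum.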
From Azure PowerShell
To get the minimum TLS version, run the following command:
(Get-AzStorageAccount -Name <STORAGEACCOUNTNAME> -ResourceGroupName <RESOURCEGROUPNAME>).MinimumTlsVersion
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: fe83a0eb-a853-422d-aac2-1bffd182c5d0
- Name: Storage accounts should have the specified minimum TLS version
Default Value
If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.
If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.