Control: 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

Description

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Remediation

From Azure Console

Login to Azure Portal using https://portal.azure.com
Go to Storage Accounts
Click on each Storage Account
Under Setting section, Click on Configuration
Set the minimum TLS version to be Version 1.2

From Azure CLI

az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --min-tls-version TLS1_2

From Azure Powershell

To set the minimum TLS version, run the following command:

Set-AzStorageAccount -AccountName <STORAGEACCOUNTNAME> `
                     -ResourceGroupName <RESOURCEGROUPNAME> `
                     -MinimumTlsVersion TLS1_2

Default Value

If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.

If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v150_3_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v150_3_15 --share

SQL

This control uses a named query:

storage_account_min_tls_1_2