Control: 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Description
In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.
TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.
Remediation
From Azure Console
- Login to Azure Portal using https://portal.azure.com.
- Go to
Storage Accounts
. - Click on each Storage Account.
- Under
Setting
section, Click onConfiguration
. - Set the
minimum TLS version
to be Version 1.2.
From Azure CLI
az storage account update \--name <storage-account> \--resource-group <resource-group> \--min-tls-version TLS1_2
From Azure Powershell
To set the minimum TLS version, run the following command:
Set-AzStorageAccount -AccountName <STORAGEACCOUNTNAME> `-ResourceGroupName <RESOURCEGROUPNAME> `-MinimumTlsVersion TLS1_2
Default Value
If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.
If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v210_3_15
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v210_3_15 --share
SQL
This control uses a named query:
storage_account_min_tls_1_2