v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
13Dashboards
1311Controls
430Queries
2Variables
GitHub

Control: 4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

Description

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account, under Settings, click Configuration.
  3. Set the Minimum TLS version to Version 1.2.
  4. Click Save.

From Azure CLI

az storage account update \
 --name <storage-account> \
 --resource-group <resource-group> \
 --min-tls-version TLS1_2

From PowerShell

To set the minimum TLS version, run the following command:

Set-AzStorageAccount -AccountName <STORAGEACCOUNTNAME> `
 -ResourceGroupName <RESOURCEGROUPNAME> `
 -MinimumTlsVersion TLS1_2

Default Value

If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.

If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_4_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_4_15 --share

SQL

This control uses a named query:

storage_account_min_tls_1_2

Tags

category = Compliance
cis = true
cis_item_id = 4.15
cis_level = 1
cis_section_id = 4
cis_type = automated
cis_version = v3.0.0
plugin = azure
service = Azure/Storage