Control: 5.3.2 Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
Description
Ensure tls_version on MySQL flexible servers is set to use TLS version 1.2 or higher.
TLS connectivity helps to provide a new layer of security by connecting the database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and the application.
Remediation
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com.
- Go to Azure Database for MySQL flexible servers.
- For each database, under Settings, click Server parameters.
- In the filter bar, type tls_version.
- Click on the VALUE dropdown next to tls_version, and check TLSv1.2 (or higher).
- Uncheck anything lower than TLSv1.2.
- Click Save.
From Azure CLI
Use the below command to update MySQL flexible servers to use TLS version 1.2:
az mysql flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name tls_version --value TLSv1.2
From PowerShell
Use the below command to update MySQL flexible servers to use TLS version 1.2:
Update-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name tls_version -Value TLSv1.2
Default Value
By default, TLS is set to v1.2 for MySQL Flexible servers.
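To find servers whose tls_version has been changed from that default, the value can be read back with Azure CLI and checked item by item, since the parameter is a comma-separated list and a single TLSv1 or TLSv1.1 entry is enough to fail the control. The script below is an added example, not part of the benchmark or the Powerpipe mod; the function names and the sample server names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit tls_version values; server names below are constructed.

# Return 0 only if every protocol in a comma-separated tls_version value is
# TLSv1.2 or TLSv1.3. Empty values and empty list items count as failures.
tls_value_compliant() {
    local rest proto
    rest=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$rest" ] || return 1
    rest="$rest,"
    while [ -n "$rest" ]; do
        proto=${rest%%,*}
        rest=${rest#*,}
        case "$proto" in
            TLSv1.2|TLSv1.3) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Read "server<TAB>tls_version" lines on stdin and print each server that
# still allows a protocol below TLSv1.2.
noncompliant_servers() {
    local name value tab
    tab=$(printf '\t')
    while IFS="$tab" read -r name value; do
        [ -n "$name" ] || continue
        tls_value_compliant "$value" || printf '%s\n' "$name"
    done
}

# Live collection (needs `az login`); defined here but not called.
collect_tls_versions() {
    az mysql flexible-server list --query '[].[name, resourceGroup]' -o tsv |
    while read -r name rg; do
        value=$(az mysql flexible-server parameter show --resource-group "$rg" \
            --server-name "$name" --name tls_version --query value -o tsv </dev/null)
        printf '%s\t%s\n' "$name" "$value"
    done
}

# Constructed sample listing standing in for collect_tls_versions output.
SAMPLE=$(printf 'db-prod\tTLSv1.2,TLSv1.3\ndb-legacy\tTLSv1,TLSv1.1,TLSv1.2\ndb-test\tTLSv1.2')
printf '%s\n' "$SAMPLE" | noncompliant_servers   # prints: db-legacy
```

Against a live subscription, pipe `collect_tls_versions` into `noncompliant_servers` in place of the sample listing.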
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_5_3_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v300_5_3_2 --share
SQL
This control uses a named query:
mysql_flexible_server_min_tls_1_2