Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 7.12 Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway

Description

The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Application gateways use TLS 1.2 for the Min protocol version by default and allow for the use of TLS versions 1.0, 1.1, and 1.3. NIST strongly suggests the use of TLS 1.2 and recommends the adoption of TLS 1.3.

TLS 1.0 and 1.1 are outdated and vulnerable to security risks. Since TLS 1.2 and TLS 1.3 provide enhanced security and improved performance, it is highly recommended to use TLS 1.2 or higher whenever possible.

Remediation

Remediate from Azure Portal

  1. Go to Application gateways.
  2. Click the name of an application gateway.
  3. Under Settings, click Listeners.
  4. Under SSL Policy, next to the Selected SSL Policy name, click change.
  5. Select an appropriate SSL policy with a Min protocol version of TLSv1_2 or higher.
  6. Click Save.
  7. Repeat steps 1-6 for each application gateway requiring remediation.

Remediate from Azure CLI

Run the following command to list available SSL policy options:

az network application-gateway ssl-policy list-options

Run the following command to list available predefined SSL policies:

az network application-gateway ssl-policy predefined list

For each application gateway requiring remediation, run the following command to set a predefined SSL policy:

az network application-gateway ssl-policy set --resource-group <resourcegroup> --gateway-name <application-gateway> --name <ssl-policy> --policy-type Predefined

Alternatively, run the following command to set a custom SSL policy:

az network application-gateway ssl-policy set --resource-group <resourcegroup> --gateway-name <application-gateway> --policy-type Custom --minprotocol-version <min-protocol-version> --cipher-suites <cipher-suites>

Default Value

Min protocol version is set to TLSv1_2 by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_7_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_7_12 --share

SQL

This control uses a named query:

select
  ag.id as resource,
  case
    when ssl_policy is null or ((ssl_policy ->> 'minProtocolVersion') in ('TLSv1_2' , 'TLSv1_3')) then 'ok'
    else 'alarm'
  end as status,
  case
    when ssl_policy is null then ag.name || ' minimum TLS version set to TLSv1_2.'
    else ag.name || ' minimum TLS version set to ' || (ssl_policy ->> 'minProtocolVersion') || '.'
  end as reason
  
  , ag.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_application_gateway ag
  left join azure_subscription sub on sub.subscription_id = ag.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 7.12
cis_level = 1
cis_section_id = 7
cis_type = automated
cis_version = v5.0.0
plugin = azure
service = Azure/Network