lacework-global-536
Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" (Automated)
Profile Applicability
• Level 1
Description
In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. You can configure this minimum TLS version to be later protocols such as TLS 1.2.
Rationale
TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.
Impact
When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.
Audit
From Azure Console
- Login to Azure Portal using https://portal.azure.com
- Go to
Storage Accounts
- Click on each Storage Account
- Under
Setting
section, Click onConfiguration
- Ensure that the
minimum TLS version
is set to be Version 1.2
From Azure CLI
Get a list of all storage accounts and their resource groups
az storage account list | jq '.[] | {name, resourceGroup}'
Then query the minimumTLSVersion field
az storage account show \
--name <storage-account> \
--resource-group <resource-group> \
--query minimumTlsVersion \
--output tsv
From Azure Powershell
To get the minimum TLS version, run the following command:
(Get-AzStorageAccount -Name <STORAGEACCOUNTNAME> -ResourceGroupName <RESOURCEGROUPNAME>).MinimumTlsVersion
Remediation
From Azure Console
- Login to Azure Portal using https://portal.azure.com.
- Go to
Storage Accounts
. - Click each Storage Account.
- Under
Setting
section, clickConfiguration
. - Set the
minimum TLS version
to be Version 1.2.
From Azure CLI
az storage account update \
--name <storage-account> \
--resource-group <resource-group> \
--min-tls-version TLS1_2
From Azure Powershell
To set the minimum TLS version, run the following command:
Set-AzStorageAccount -AccountName <storage_account_name>
-ResourceGroupName <resource_group_name>
-MinimumTlsVersion TLS1_2
References
https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit