Skip to main content

lacework-global-536

Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" (Automated)

Profile Applicability

• Level 1

Description

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. You can configure this minimum TLS version to be later protocols such as TLS 1.2.

Rationale

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Impact

When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.

Audit

From Azure Console

  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Storage Accounts
  3. Click on each Storage Account
  4. Under Setting section, Click on Configuration
  5. Ensure that the minimum TLS version is set to be Version 1.2

From Azure CLI

Get a list of all storage accounts and their resource groups

az storage account list | jq '.[] | {name, resourceGroup}'

Then query the minimumTLSVersion field

az storage account show \
--name <storage-account> \
--resource-group <resource-group> \
--query minimumTlsVersion \
--output tsv

From Azure Powershell

To get the minimum TLS version, run the following command:

(Get-AzStorageAccount -Name <STORAGEACCOUNTNAME> -ResourceGroupName <RESOURCEGROUPNAME>).MinimumTlsVersion

Remediation

From Azure Console

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to Storage Accounts.
  3. Click each Storage Account.
  4. Under Setting section, click Configuration.
  5. Set the minimum TLS version to be Version 1.2.

From Azure CLI

az storage account update \
--name <storage-account> \
--resource-group <resource-group> \
--min-tls-version TLS1_2

From Azure Powershell

To set the minimum TLS version, run the following command:

Set-AzStorageAccount -AccountName <storage_account_name>
-ResourceGroupName <resource_group_name>
-MinimumTlsVersion TLS1_2

References

https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit