lacework-global-552

Set 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server (Automated)

Profile Applicability

• Level 1

Description

Set TLS version on Azure Database for MySQL Flexible Servers to TLSV1.2 or higher.

Rationale

TLS connectivity adds a layer of security by wrapping the connection between the database server and client applications in Transport Layer Security (TLS). Enforcing TLS connections between the database server and client applications encrypts the data stream between the two, which protects against "man in the middle" attacks. Older protocol versions (TLS 1.0 and 1.1) have known weaknesses, so the server should only permit TLS 1.2 or higher.

Audit

From Azure Portal

  1. Log in to the Azure Portal using https://portal.azure.com
  2. Go to Azure Database for MySQL flexible servers
  3. For each database, click on Server parameters under Settings
  4. In the search box, type in tls_version
  5. Ensure tls_version is set to TLSV1.2

From Azure CLI

Ensure the output of the command below contains the key-value pair "value": "TLSv1.2" (or a value listing only TLSv1.2 and/or TLSv1.3, with no TLSv1 or TLSv1.1 entry).

az mysql flexible-server parameter show --name tls_version --resource-group <resourceGroupName> --server-name <serverName>

Example output:

{
  "allowedValues": "TLSv1,TLSv1.1,TLSv1.2",
  "dataType": "Set",
  "defaultValue": "TLSv1.2",
  "description": "Which protocols the server permits for encrypted connections. By default, TLS 1.2 is enforced",
  "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DBforMySQL/flexibleServers/<serverName>/configurations/tls_version",
  "isConfigPendingRestart": "False",
  "isDynamicConfig": "False",
  "isReadOnly": "False",
  "name": "tls_version",
  "resourceGroup": "<resourceGroupName>",
  "source": "system-default",
  "systemData": null,
  "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
  "value": "TLSv1.2"
}

Remediation

From Azure Portal

  1. Log in to the Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for MySQL Flexible Servers.
  3. For each database, click Server parameters under Settings.
  4. In the search box, type in tls_version.
  5. In the tls_version Value dropdown, select TLSv1.2 or greater, and clear any values less than TLSv1.2.

From Azure CLI

Use the command below to set the tls_version parameter of an Azure Database for MySQL Flexible Server to version 1.2 (or higher).

az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSV1.2
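The Audit and Remediation steps above check one server at a time. The script below is an added example (not Lacework's or Microsoft's code) that walks every flexible server visible to the current az login, reads its tls_version with the same `parameter show` command, and reports PASS or FAIL. It assumes the Azure CLI is installed and logged in; the helper `tls_value_compliant` is pure shell so the pass/fail logic can be exercised without Azure access. The comparison is case-insensitive because the portal output shows "TLSv1.2" while the CLI accepts "TLSV1.2", and a comma-separated value such as "TLSv1.2,TLSv1.3" (the form used by MySQL 8.0 servers) is accepted as long as no TLSv1 or TLSv1.1 entry is present.

```shell
#!/bin/sh
# Added example: audit tls_version on all Azure Database for MySQL flexible servers.
# Assumes: az CLI installed and logged in; set AUDIT_RUN=1 to actually query Azure.

# Return 0 when every protocol in a comma-separated tls_version value is
# TLSv1.2 or TLSv1.3 (case-insensitive); return 1 if the value is empty or
# contains any other token (TLSv1, TLSv1.1, or an unrecognised entry).
tls_value_compliant() {
    value=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    [ -n "$value" ] || return 1
    for proto in $(printf '%s' "$value" | tr ',' ' '); do
        case "$proto" in
            tlsv1.2|tlsv1.3) ;;   # acceptable protocol versions
            *) return 1 ;;        # tlsv1, tlsv1.1 or unknown token
        esac
    done
    return 0
}

# Fetch the effective tls_version value of one server
# (wraps the command from the Audit section; requires az).
server_tls_value() {
    az mysql flexible-server parameter show --name tls_version \
        --resource-group "$1" --server-name "$2" --query value -o tsv
}

# Enumerate every flexible server in the subscription and print one
# PASS/FAIL line per server. Returns 1 if any server fails.
audit_all_servers() {
    tmp=$(mktemp) || return 1
    # Rows of "<resourceGroup>\t<name>" (constructed query on az list output).
    az mysql flexible-server list --query '[].[resourceGroup,name]' -o tsv > "$tmp"
    rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r rg name; do
        [ -n "$name" ] || continue
        value=$(server_tls_value "$rg" "$name")
        if tls_value_compliant "$value"; then
            printf 'PASS %s/%s tls_version=%s\n' "$rg" "$name" "$value"
        else
            printf 'FAIL %s/%s tls_version=%s\n' "$rg" "$name" "$value"
            rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Only hit Azure when explicitly asked, so the helpers can be sourced and tested offline.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_all_servers
fi
```

Run it with `AUDIT_RUN=1 sh audit_tls.sh` (file name is an assumption); a non-zero exit status means at least one server still permits a protocol older than TLS 1.2, and the FAIL lines name the resource group and server to remediate with the `parameter set` command above.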

Additional Information

There are two versions of Azure Database for MySQL Flexible Server that you can use, versions 5.7 and 8.0.

Version 8.0 of Azure Database for MySQL Flexible Server uses TLSv1.2 by default but TLSv1.3 is available, and you can use it instead or together with TLSv1.2.

For version 5.7 of Azure Database for MySQL Flexible Server, select only TLSv1.2. Azure deprecated version 5.7 of Azure Database for MySQL Flexible Server in October 2023.

References

https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security
https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default
https://learn.microsoft.com/en-us/azure/mysql/concepts-version-policy#major-version-retirement-policy