Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for TLS Protocol Latest Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RedisCache-002

Ensure that all your Microsoft Azure Redis Cache servers are using the latest available version of TLS encryption protocol in order to enhance the security of the SSL/TLS connection between the cache servers and their web applications, and comply with the industry standards.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Transport Layer Security (TLS) protocol is designed to facilitate privacy and data security for communications over different types of networks, including the Internet. TLS versions 1.0 and 1.1 are known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses and attacks such as POODLE and BEAST. These two TLS protocol versions do not support the modern encryption methods and cipher suites recommended by the Payment Card Industry (PCI) compliance standards. To follow cloud security best practices and PCI security compliance standards, Cloud Conformity strongly recommends enabling the latest version of the TLS protocol (i.e. TLS version 1.2) for all Microsoft Azure Redis Cache servers that are using in-transit encryption.

Audit

To determine if your Azure Redis Cache servers are configured to use the latest version of the TLS protocol, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cache for Redis to show the Redis Cache servers deployed in the selected subscription.

05 Click on the name of the Redis Cache server that you want to examine.

06 In the navigation panel, under Settings, select Advanced settings to access the SSL/TLS settings available for the selected server.

07 On the Advanced settings page, check the Minimum TLS Version configuration setting value. If the setting value is set to 1.0 or 1.1, the selected Microsoft Azure Redis Cache server does not use the latest available version of TLS protocol (i.e. TLS version 1.2).

08 Repeat steps no. 5 – 7 for each Redis Cache server available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run redis list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Redis Cache servers created in the current Azure subscription: 

az redis list
	--query '[*].id'

02 The command output should return the requested cache server IDs: 

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-prod-server-cache",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-app-cache-server"
]

03 Run redis show command (Windows/macOS/Linux) using the ID of the Redis Cache server that you want to examine as identifier parameter and custom query filters to describe the Transport Layer Security (TLS) protocol version configured for the selected cache server: 

az redis show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-prod-server-cache"
	--query '{"MinimumTLSVersion":minimumTlsVersion}'

04 The command output should return the requested configuration setting value: 

{
  "MinimumTLSVersion": "1.1"
}

If the "MinimumTLSVersion" attribute value is set to 1.0 or 1.1, as shown in the example above, the selected Microsoft Azure Redis Cache server does not use the latest available version of TLS protocol.

05 Repeat step no. 3 and 4 for each Redis Cache server deployed within the current subscription.

06 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To update the SSL/TLS configuration settings for your Microsoft Azure Redis Cache servers in order to enable the latest version of the TLS protocol (i.e. TLS 1.2), perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cache for Redis to display all Azure Redis Cache servers launched in the selected subscription.

05 Click on the name of the Redis Cache server that you want to reconfigure.

06 In the navigation panel, under Settings, select Advanced settings to access the SSL/TLS configuration settings available for the selected server.

07 On the Advanced settings page, select 1.2 from the Minimum TLS Version dropdown list to enable the latest version of the TLS protocol (TLS version 1.2) for the selected Microsoft Azure Redis Cache server.

08 Repeat steps no. 5 – 7 for each Redis Cache server available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run redis update command (Windows/macOS/Linux) using the ID of the Redis Cache server that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) to enable the latest version of the TLS protocol (i.e. TLS 1.2) for the selected cache server: 

az redis update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-prod-server-cache"
	--set minimumTlsVersion=1.2

02 The command output should return the metadata available for the reconfigured Redis Cache server: 

{
  "accessKeys": null,
  "enableNonSslPort": false,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-prod-server-cache",

  ...

  "minimumTlsVersion": "1.2",

  ...

  "location": "West Europe",
  "name": "cc-prod-server-cache",
  "provisioningState": "Succeeded",
  "redisVersion": "4.0.14",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Cache/Redis"
}

03 Repeat step no. 1 and 2 for each Redis Cache server available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Mar 27, 2020

Related RedisCache rules