Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Configure Minimum TLS Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-021

Ensure that all your Microsoft Azure Storage accounts are using the latest available version of the TLS protocol in order to enhance the security of the connection between your storage accounts and their clients/applications, and comply with the industry standards.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Reliability
Operational excellence

The Transport Layer Security (TLS) protocol provides confidentiality and integrity for communications over untrusted networks such as the Internet. TLS 1.0 and 1.1 are formally deprecated (IETF RFC 8996): TLS 1.0 is exposed to chosen-plaintext attacks against CBC mode such as BEAST, implementations of both versions that do not validate CBC padding are exposed to POODLE-style padding-oracle attacks (POODLE was originally an SSL 3.0 attack), and neither version supports the authenticated-encryption (AEAD) cipher suites such as AES-GCM that were introduced with TLS 1.2. The Payment Card Industry Data Security Standard (PCI DSS) treats SSL and "early TLS" (TLS 1.0) as insecure and expects TLS 1.2 for new deployments. To follow cloud security best practices and PCI DSS requirements, require the latest version offered by the service (TLS 1.2) as the minimum for all requests made to your Azure Storage accounts. Storage accounts created without an explicit minimum TLS version (for example through the CLI, SDKs or ARM templates rather than the portal) may default to TLS 1.0, so the setting must be verified rather than assumed.


Audit

To determine if your Azure Storage accounts are configured to use TLS version 1.2, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the navigation panel, under Settings, choose Configuration to access the selected storage account configuration settings.

06 On the Configuration page, check the TLS version selected from the Minimum TLS Version dropdown list. If the TLS version selected is different than Version 1.2, the selected Azure Storage account does not use the latest available version of TLS protocol (i.e. TLS version 1.2).

07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) with a custom query filter to list the name of each storage account available in the current Azure subscription:

az storage account list \
  --query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234"
]

03 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to examine as the identifier parameter and a custom query filter to return the minimum Transport Layer Security (TLS) protocol version accepted by the selected storage account:

az storage account show \
  --name abcd1234abcd1234abcd1234 \
  --query 'minimumTlsVersion'

04 The command output should return the minimum TLS version accepted by the selected storage account:

"TLS1_0"

If the value returned by the storage account show command is different than "TLS1_2", as shown in the output example above, the selected Azure Storage account still accepts connections over older versions of the TLS protocol (TLS 1.0 or 1.1) instead of requiring the latest available version (TLS 1.2). A null value means the property was never set and the platform default applies, which should be treated as a finding rather than as an unknown.

05 Repeat steps no. 3 and 4 for each storage account available in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To update the configuration settings for your Microsoft Azure Storage accounts so that TLS 1.2 is the minimum protocol version they accept, perform the following actions:

Note: Raising the minimum TLS version rejects every connection that negotiates a lower version, so clients still relying on TLS 1.0 or 1.1 (older .NET Framework runtimes, legacy SDKs and operating systems) will fail at the TLS handshake rather than with a clear authorization error. Before you change the setting, identify such clients from the TlsVersion field of the storage account's resource logs in Azure Monitor and upgrade them first.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name (link) of the Azure Storage account that you want to reconfigure.

05 In the navigation panel, under Settings, choose Configuration to access the selected storage account configuration settings.

06 On the Configuration page, under Minimum TLS Version, select Version 1.2 to require the latest version of the TLS protocol (TLS version 1.2) for all connections to the selected Microsoft Azure Storage account. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 for each storage account available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account update command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to reconfigure as the identifier parameter, to set TLS 1.2 as the minimum protocol version accepted by the selected storage account. The command returns the updated account configuration; confirm that "minimumTlsVersion" reads "TLS1_2" in that output, or re-run the storage account show command from the Audit section:

az storage account update \
  --name abcd1234abcd1234abcd1234 \
  --min-tls-version TLS1_2

02 Repeat step no. 1 for each storage account available within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
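The Audit and Remediation CLI steps above repeat one storage account and one subscription at a time. The following script is an added example, not part of Conformity or of the Azure CLI: it performs the same sweep across every enabled subscription, flags each account whose minimumTlsVersion is not TLS1_2 (treating an unset value as a finding, since the platform default may be TLS 1.0), prints the exact remediation command for each finding, and applies it when invoked as "sweep apply". It assumes an authenticated Azure CLI session (az login) with read access to the subscriptions and, for apply mode, rights to update the storage accounts; the subscription and account names in the usage comments are placeholders.

```shell
#!/bin/sh
# Fleet-wide sweep for StorageAccounts-021 (minimum TLS version on Azure
# Storage accounts). Added example; not Conformity's or Microsoft's tooling.
# "sweep" mode assumes an authenticated Azure CLI ("az login"); the helper
# functions below need no network and can be sourced or tested on their own.
set -eu

REQUIRED_TLS="TLS1_2"
TAB="$(printf '\t')"

# needs_fix VERSION: exit 0 when the account must be reconfigured.
# Anything other than TLS1_2 fails, including an empty value or the literal
# "None" that "--output tsv" may print for null: an unset minimumTlsVersion
# means the platform default applies, which may be TLS 1.0 for accounts
# created outside the portal, so "unset" is a finding rather than "unknown".
needs_fix() {
  case "${1:-}" in
    "$REQUIRED_TLS") return 1 ;;
    *) return 0 ;;
  esac
}

# remediation_cmd NAME RESOURCE_GROUP SUBSCRIPTION: print the exact
# "az storage account update" call that raises the minimum to TLS 1.2.
# The trailing --query makes the command echo just the new value ("TLS1_2")
# instead of the full account JSON that the update normally returns.
remediation_cmd() {
  printf 'az storage account update --subscription %s --resource-group %s --name %s --min-tls-version %s --query minimumTlsVersion --output tsv\n' \
    "$3" "$2" "$1" "$REQUIRED_TLS"
}

# audit_tsv SUBSCRIPTION [report|apply]: read "name<TAB>resourceGroup<TAB>tls"
# lines on stdin (the shape produced by the "az storage account list" call in
# sweep), print one finding per non-compliant account together with its
# remediation command, and run that command when the mode is "apply".
# Exit status is 1 if any account failed, so the script can gate a pipeline.
audit_tsv() {
  sub="$1"; mode="${2:-report}"; failed=0
  while IFS="$TAB" read -r name rg tls; do
    [ -n "$name" ] || continue
    needs_fix "$tls" || continue
    failed=1
    printf 'FAIL %s/%s/%s minimumTlsVersion=%s\n' "$sub" "$rg" "$name" "${tls:-<unset>}"
    printf '  fix: '
    remediation_cmd "$name" "$rg" "$sub"
    if [ "$mode" = "apply" ]; then
      # Quoted arguments, no eval: resource group names may contain shell
      # metacharacters such as parentheses.
      az storage account update --subscription "$sub" --resource-group "$rg" \
        --name "$name" --min-tls-version "$REQUIRED_TLS" \
        --query minimumTlsVersion --output tsv
    fi
  done
  return "$failed"
}

# sweep [report|apply]: enumerate every enabled subscription visible to the
# signed-in identity and audit each one. Exit status 1 if any finding remains.
sweep() {
  mode="${1:-report}"; any_failed=0
  for sub in $(az account list --query "[?state=='Enabled'].id" --output tsv); do
    accounts="$(az storage account list --subscription "$sub" \
      --query "[].[name, resourceGroup, minimumTlsVersion]" --output tsv)" \
      || { printf 'cannot list storage accounts in %s\n' "$sub" >&2; return 2; }
    printf '%s\n' "$accounts" | audit_tsv "$sub" "$mode" || any_failed=1
  done
  return "$any_failed"
}

# Usage: sh audit_min_tls.sh sweep          (report only)
#        sh audit_min_tls.sh sweep apply    (report and remediate)
# With no argument the file only defines the functions.
case "${1:-}" in
  sweep) sweep "${2:-report}" ;;
esac
```

The listing is fetched once per subscription and checked locally, so the sweep costs one list call per subscription instead of one show call per account. Run it in report mode first and review the findings; apply mode performs exactly the update printed on each "fix:" line, with arguments passed quoted rather than through eval so that resource group names containing shell metacharacters are safe.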


Publication date Aug 2, 2022