Ensure that all your Microsoft Azure Storage accounts are using the latest available version of the TLS protocol in order to enhance the security of the connection between your storage accounts and their clients/applications, and comply with the industry standards.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
The Transport Layer Security (TLS) protocol is designed to provide privacy and data integrity for communications over different types of networks, including the Internet. TLS versions 1.0 and 1.1 are known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses and attacks such as POODLE and BEAST. These two TLS protocol versions do not support the modern encryption methods and cipher suites recommended by the Payment Card Industry (PCI) compliance standards. To follow cloud security best practices and PCI security compliance standards, enforce the use of the latest version of the TLS protocol (i.e. TLS version 1.2) for all requests made to your Azure Storage accounts. By default, the minimum TLS version set for storage accounts is TLS version 1.0.
Audit
To determine if your Azure Storage accounts are configured to use TLS version 1.2, perform the following actions:
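As an added example that is not part of the original rule page, the following Python script audits the JSON printed by `az storage account list` for accounts whose enforced minimum TLS version is below TLS1_2 (treating an unset property as the TLS1_0 default) and prints the `az storage account update` command that would remediate each one. The account names and resource groups in the sample output are constructed.

```python
"""Audit Azure Storage accounts for a minimum TLS version of at least TLS1_2.

Input is the JSON that `az storage account list` prints (here a constructed
sample). The relevant property is `minimumTlsVersion`; an account on which it
was never set reports null, which Azure treats as the TLS1_0 default.
"""
import json

# Rank of each minimumTlsVersion value; higher is stricter.
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
REQUIRED = "TLS1_2"

# Constructed sample of `az storage account list -o json` output, trimmed to
# the fields this check needs. Account names and resource groups are hypothetical.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stlegacyapp01", "resourceGroup": "rg-app", "minimumTlsVersion": "TLS1_0"},
    {"name": "stlogs02", "resourceGroup": "rg-ops", "minimumTlsVersion": "TLS1_2"},
    {"name": "stoldbackup03", "resourceGroup": "rg-backup", "minimumTlsVersion": None},
    {"name": "stpci04", "resourceGroup": "rg-pci", "minimumTlsVersion": "TLS1_1"},
])


def effective_min_tls(account: dict) -> str:
    """Return the minimum TLS version actually enforced for an account.

    A missing or null value means the property was never set, so the
    Azure default (TLS1_0) applies.
    """
    return account.get("minimumTlsVersion") or "TLS1_0"


def non_compliant_accounts(az_json: str, required: str = REQUIRED) -> list:
    """Return (name, resourceGroup, enforced version) for every account whose
    enforced minimum is weaker than `required`. Unknown values are flagged."""
    findings = []
    for acct in json.loads(az_json):
        version = effective_min_tls(acct)
        if TLS_RANK.get(version, -1) < TLS_RANK[required]:
            findings.append((acct["name"], acct["resourceGroup"], version))
    return findings


def remediation_commands(findings: list, required: str = REQUIRED) -> list:
    """Build the `az storage account update` command for each finding."""
    return [
        f"az storage account update --name {name} --resource-group {rg} "
        f"--min-tls-version {required}"
        for name, rg, _ in findings
    ]


if __name__ == "__main__":
    findings = non_compliant_accounts(SAMPLE_AZ_OUTPUT)
    for name, rg, version in findings:
        print(f"{rg}/{name}: enforced minimum is {version}, requires {REQUIRED}")
    print("\n".join(remediation_commands(findings)))
```

Review the printed commands before running them: per the note in the Remediation section, raising the minimum version will break clients that still negotiate TLS 1.0 or 1.1.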
Remediation / Resolution
To update the configuration settings for your Microsoft Azure Storage accounts in order to enable the latest version of the TLS protocol (i.e. TLS 1.2), perform the following actions:
Note: Raising the minimum TLS version will prevent clients that negotiate a lower TLS version from connecting to your Azure Storage account, so applications that rely on legacy versions of the TLS protocol will fail.
References
- Azure Official Documentation
- Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
- Azure Command Line Interface (CLI) Documentation
- az
- az storage account list
- az storage account show
- az storage account update