Description:

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.


Rationale:

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.


Impact:

When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.


Audit:

From Azure Console

1. Login to Azure Portal using https://portal.azure.com

2. Go to Storage Accounts

3. Click on each Storage Account

4. Under Setting section, Click on Configuration

5. Ensure that the minimum TLS version is set to be Version 1.2


From Azure CLI

Get a list of all storage accounts and their resource groups

az storage account list | jq '.[] | {name, resourceGroup}'
Then query the minimumTLSVersion field
az storage account show \
 --name <storage-account> \
 --resource-group <resource-group> \
 --query minimumTlsVersion \
 --output tsv

From Azure PowerShell

To get the minimum TLS version, run the following command:

(Get-AzStorageAccount -Name <STORAGEACCOUNTNAME> -ResourceGroupName
<RESOURCEGROUPNAME>).MinimumTlsVersion

Remediation:

From Azure Console

1. Login to Azure Portal using https://portal.azure.com

2. Go to Storage Accounts

3. Click on each Storage Account

4. Under Setting section, Click on Configuration

5. Set the minimum TLS version to be Version 1.2


From Azure CLI

az storage account update \
 --name <storage-account> \
 --resource-group <resource-group> \
 --min-tls-version TLS1_2

From Azure PowerShell

To set the minimum TLS version, run the following command:

Set-AzStorageAccount -AccountName <STORAGEACCOUNTNAME> `
 -ResourceGroupName <RESOURCEGROUPNAME> `
-MinimumTlsVersion TLS1_2

Default Value:

If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2. If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.

References:

1. https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-securityconfigure-minimum-version?tabs=portal

2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- data-protection#dp-3-encrypt-sensitive-data-in-transit