Description:

The "Minimum TLS version" setting in Azure Storage Accounts defines the minimum version of the Transport Layer Security (TLS) protocol allowed for secure communication with storage services. By setting the minimum TLS version to 1.2, you ensure that all connections to the storage account are secured with a strong encryption standard. TLS 1.2 is the recommended version for secure communication, as it provides enhanced security features compared to earlier versions.

Rationale:

Enforcing TLS 1.2 for communication with Azure Storage Accounts is crucial to maintaining the confidentiality and integrity of data in transit. Older versions of TLS (such as TLS 1.0 and 1.1) have known security weaknesses and are deprecated. By ensuring that TLS 1.2 is enforced, organizations can reduce the risk of attacks such as man-in-the-middle attacks, data breaches, and unauthorized access. This is essential for meeting compliance standards such as GDPR, HIPAA, and SOC 2, which require strong encryption for data protection.

Impact:

Enforcing TLS 1.2 may break compatibility with older clients or systems that do not support this protocol version. However, it is considered a best practice to discontinue support for older TLS versions to ensure the security of communication channels. Organizations should evaluate their environment to ensure that all clients can support TLS 1.2 or higher.

Default Value:

By default, Azure Storage Accounts allow TLS 1.0, 1.1, and 1.2. It is essential to explicitly configure the minimum TLS version to 1.2 for improved security.

Pre-requisites:

  • Azure account: Ensure you have sufficient permissions to configure Azure Storage Account settings.

  • Azure Storage Account: Ensure the target storage account exists.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.

Remediation:

Audit:

To check if the 'Minimum TLS version' is set to TLS 1.2 for your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check TLS version settings:

    • In the left-hand menu, select Security + networking and click TLS/SSL settings.

    • Verify that the Minimum TLS version is set to 1.2.

Implementation:

You can enforce this setting using Azure Policy to ensure that the minimum TLS version is automatically configured for all storage accounts.

  1. Create a custom Azure Policy to ensure the 'Minimum TLS version' is set to TLS 1.2:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Minimum TLS Version is Set to 1.2 for Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that the 'Minimum TLS Version' for storage accounts is set to TLS 1.2.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "notEquals": "TLS1_2"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

The rule is scoped to the Microsoft.Storage/storageAccounts resource type (the Azure Policy alias for this setting is Microsoft.Storage/storageAccounts/minimumTlsVersion) and also flags accounts that leave the property unset.

  2. Assign the policy:

    • After creating the policy, assign it to the relevant subscriptions or resource groups to ensure that the minimum TLS version is set to 1.2 for all storage accounts.
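As an added example (not part of this benchmark or of Microsoft's tooling), the following Python evaluates the policy condition above offline against a constructed list of storage accounts in the shape returned by `az storage account list`, showing which accounts the rule would flag (including one with no minimum version set) and the `az storage account update --min-tls-version` command that would remediate each. Account names are constructed.

```python
REQUIRED_TLS = "TLS1_2"

# Policy 'if' condition in Azure Policy syntax: a storage account whose
# minimumTlsVersion is unset or is anything other than TLS1_2.
POLICY_RULE = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": REQUIRED_TLS},
        ]},
    ]
}

# Constructed sample (not real accounts) in the flattened shape of `az storage account list`.
SAMPLE = [
    {"name": "stlogsprod", "type": "Microsoft.Storage/storageAccounts", "minimumTlsVersion": "TLS1_2"},
    {"name": "stlegacyapp", "type": "Microsoft.Storage/storageAccounts", "minimumTlsVersion": "TLS1_0"},
    {"name": "stnoversion", "type": "Microsoft.Storage/storageAccounts"},
    {"name": "kv-shared", "type": "Microsoft.KeyVault/vaults"},
]

def field_value(resource, field):
    """Resolve a policy field reference; None when the property is absent (ARM or CLI shape)."""
    if field == "type":
        return resource.get("type")
    # Aliases are <resourceType>/<property>; the last segment is the property name.
    return resource.get("properties", resource).get(field.rsplit("/", 1)[1])

def matches(rule, resource):
    """True when the policy condition holds, i.e. the resource would be flagged."""
    if "allOf" in rule:
        return all(matches(r, resource) for r in rule["allOf"])
    if "anyOf" in rule:
        return any(matches(r, resource) for r in rule["anyOf"])
    value = field_value(resource, rule["field"])
    if "exists" in rule:
        return (value is not None) == (str(rule["exists"]).lower() == "true")
    if "equals" in rule:
        return value == rule["equals"]
    return value != rule["notEquals"]

def noncompliant_accounts(resources):
    """Names of resources the rule flags; other resource types never match the type check."""
    return [r["name"] for r in resources if matches(POLICY_RULE, r)]

def remediation_commands(resources):
    """az CLI commands that would bring each flagged account to TLS 1.2."""
    return [f"az storage account update -n {n} --min-tls-version {REQUIRED_TLS}"
            for n in noncompliant_accounts(resources)]
```

Running `print("\n".join(remediation_commands(SAMPLE)))` lists one update command each for stlegacyapp and stnoversion; the Key Vault resource is ignored by the type check.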

Backout Plan:

If you need to change the minimum TLS version for any reason, follow these steps:

  1. Sign in to the Azure portal with the appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to the TLS/SSL settings:

    • In the left-hand menu, select Security + networking and click TLS/SSL settings.

  4. Adjust the 'Minimum TLS Version':

    • Choose a different TLS version if necessary, such as TLS 1.0 or TLS 1.1.

    • Save the changes.

If the setting was automated through Azure Policy, modify or remove the policy as required.

References: