Azure App Service Web App Doesn't Use Latest TLS Version

This policy identifies Azure web apps that are not configured to require the latest TLS version. App Service currently lets a web app set its minimum TLS version to 1.0, 1.1 or 1.2. TLS 1.0 and 1.1 are deprecated protocol versions with known weaknesses, so it is highly recommended to set the minimum to TLS 1.2 so that clients cannot negotiate an older version for connections to the web app.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure App Service Web app doesn't use latest TLS version.
JSON Query:
$.resource.*.azurerm_app_service[*].*[*].site_config[?( @.min_tls_version!='1.2' && @.min_tls_version )] size greater than 0
Recommendation:
Recommended solution for making sure the App Service web app uses the latest TLS version.
It is recommended that the Azure App Service web app uses the latest TLS version. If your template sets "min_tls_version" in the "site_config" block, make sure it is set to "1.2". Note that the query above only flags a "site_config" block in which "min_tls_version" is present and differs from "1.2"; a block that omits the attribute entirely is not reported by this rule, so do not rely on it to catch templates that leave the value unset.
For example:
"azurerm_app_service": [ { "<app_service_name>": [ { "site_config": [ { "dotnet_framework_version": "v4.0", "min_tls_version": "1.2", "scm_type": "LocalGit" } ] } ] } ]
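The following is an added example, not Prisma Cloud's own rule engine or code from the page: it reproduces the semantics of the JSON query above in plain Python, walking the Terraform-JSON shape the query addresses ($.resource.*.azurerm_app_service[*].*[*].site_config) and reporting each app whose "min_tls_version" is set below 1.2. The sample template, the app names in it, and the helper names (iter_site_configs, find_noncompliant, harden) are constructed for this example. Two deliberate deviations from the literal query are flagged in the code: the optional require_explicit switch also reports blocks that omit the attribute (which the page's query skips), and versions are compared numerically so that a value newer than 1.2 is not over-reported the way a literal != '1.2' would.

```python
"""Evaluate the build rule above over Terraform-JSON azurerm_app_service resources.

Added example, not Prisma Cloud's implementation. Mirrors the JSON query:
a site_config block is non-compliant when min_tls_version is present and
below 1.2. Blocks that omit the attribute are skipped unless require_explicit
is set (an assumption: the page's query does not report those).
"""
import copy
import json

REQUIRED_MIN_TLS = "1.2"

# Constructed sample: the Terraform JSON layout the page's query walks.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "resource": [
    {
      "azurerm_app_service": [
        {"legacy-app":   [{"site_config": [{"dotnet_framework_version": "v4.0", "min_tls_version": "1.0", "scm_type": "LocalGit"}]}]},
        {"hardened-app": [{"site_config": [{"dotnet_framework_version": "v4.0", "min_tls_version": "1.2", "scm_type": "LocalGit"}]}]},
        {"default-app":  [{"site_config": [{"dotnet_framework_version": "v4.0", "scm_type": "LocalGit"}]}]}
      ]
    }
  ]
}
''')


def _as_list(value):
    """Terraform JSON may encode a block as a list or a single object."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _version_tuple(version):
    """'1.2' -> (1, 2); anything unparseable is treated as the lowest version."""
    try:
        return tuple(int(part) for part in str(version).split("."))
    except ValueError:
        return (0,)


def iter_site_configs(template):
    """Yield (app_name, site_config_block) along the policy's JSON path."""
    for resource in _as_list(template.get("resource")):
        for app_resource in _as_list(resource.get("azurerm_app_service")):
            for app_name, bodies in app_resource.items():
                for body in _as_list(bodies):
                    for site_config in _as_list(body.get("site_config")):
                        yield app_name, site_config


def find_noncompliant(template, require_explicit=False):
    """Return [(app_name, min_tls_version)] for blocks that violate the rule.

    With require_explicit=False this matches the page's query: unset values
    are not reported. With require_explicit=True a missing attribute is
    reported as (app_name, None), which is stricter than the page's rule.
    """
    findings = []
    for app_name, site_config in iter_site_configs(template):
        value = site_config.get("min_tls_version")
        if value is None:
            if require_explicit:
                findings.append((app_name, None))
            continue
        # Numeric comparison (assumption): a version newer than 1.2 is
        # accepted, where the literal query would flag anything != '1.2'.
        if _version_tuple(value) < _version_tuple(REQUIRED_MIN_TLS):
            findings.append((app_name, value))
    return findings


def harden(template):
    """Return a deep copy with every site_config pinned to min_tls_version 1.2."""
    fixed = copy.deepcopy(template)
    for _app_name, site_config in iter_site_configs(fixed):
        if _version_tuple(site_config.get("min_tls_version")) < _version_tuple(REQUIRED_MIN_TLS):
            site_config["min_tls_version"] = REQUIRED_MIN_TLS
    return fixed


if __name__ == "__main__":
    for app_name, value in find_noncompliant(SAMPLE_TEMPLATE, require_explicit=True):
        print(f"{app_name}: min_tls_version={value!r} (expected {REQUIRED_MIN_TLS})")
```

Running the module against the constructed template reports legacy-app (set to 1.0) and, in the stricter mode, default-app (unset); hardened-app passes. Feeding the output of harden() back into find_noncompliant() returns no findings, which is the check to run before committing a remediated template.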

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Navigate to App Services.
  3. Click on the reported App.
  4. Under the Settings section, click 'TLS/SSL settings'.
  5. Under 'Protocol Settings', set 'Minimum TLS Version' to '1.2'.
Remediation CLI Command:
az webapp config set --resource-group ${resourceGroup} --name ${resourceName} --min-tls-version 1.2
CLI Command Description:
This CLI command requires the 'Microsoft.Web/sites/{app_name}/config/*' permission. Successful execution sets the web app's minimum TLS version to the latest version (i.e. TLS 1.2). To verify the change, run `az webapp config show --resource-group ${resourceGroup} --name ${resourceName} --query minTlsVersion` and confirm it returns "1.2". Note that the setting is per app: if a deployment slot or a separately named app is also reported, it must be remediated on its own.

Compliance

There are 4 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PIPEDA
  • CIS v1.1 (Azure)
  • CCPA 2018
