Azure App Service Web App Client Certificate Is Disabled

This policy identifies Azure web apps that do not have incoming client certificates enabled. When client certificates are enabled, the app requests a certificate on each incoming request, and only clients that present a valid certificate can reach the app.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure App Service Web app doesn't require Client Certs.
JSON Query:
$.resource[*].azurerm_app_service exists and ($.resource[*].azurerm_app_service[*].*.*.client_cert_enabled anyNull or $.resource[*].azurerm_app_service[*].*.*.client_cert_enabled anyFalse)
Recommendation:
Recommended solution for making sure the App Service Web app requires client certificates.
It is recommended that the Azure App Service Web app require client certificates. Make sure your template contains "client_cert_enabled" and that it is set to true.
For example:
"azurerm_app_service": [
  {
    "<app_service_name>": [
      {
        "location": "${azurerm_resource_group.example.location}",
        "name": "example-app-service",
        "resource_group_name": "${azurerm_resource_group.example.name}",
        "client_cert_enabled": true
      }
    ]
  }
]
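The build rule above walks $.resource[*].azurerm_app_service[*].*.*.client_cert_enabled and flags a resource when the attribute is absent (anyNull) or false (anyFalse). The following Python script, added here as an illustration and not part of the policy or of any vendor tooling, applies the same logic to a Terraform JSON template; the template and the three resource labels in it are constructed sample data, and the script assumes the list-form JSON layout shown in the example above.

```python
"""Flag azurerm_app_service resources in a Terraform JSON template
that do not require incoming client certificates.

Mirrors the build rule: a resource is a finding when
client_cert_enabled is missing (anyNull) or false (anyFalse).
"""
import json
from typing import List

# Constructed sample template: one compliant app, one explicitly
# disabled, and one that omits the attribute (defaults to disabled).
SAMPLE_TEMPLATE = json.dumps({
    "resource": [{
        "azurerm_app_service": [
            {"compliant_app": [{
                "name": "example-app-service",
                "location": "${azurerm_resource_group.example.location}",
                "resource_group_name": "${azurerm_resource_group.example.name}",
                "client_cert_enabled": True,
            }]},
            {"disabled_app": [{
                "name": "example-app-service-2",
                "client_cert_enabled": False,
            }]},
            {"unset_app": [{
                "name": "example-app-service-3",
            }]},
        ]
    }]
})


def find_apps_without_client_cert(template_json: str) -> List[str]:
    """Return labels of azurerm_app_service blocks whose
    client_cert_enabled attribute is missing or not true."""
    template = json.loads(template_json)
    findings = []
    # Walk $.resource[*].azurerm_app_service[*].<label>[*]
    for resource in template.get("resource", []):
        for app_block in resource.get("azurerm_app_service", []):
            for label, instances in app_block.items():
                for attrs in instances:
                    # anyNull or anyFalse: anything other than true fails
                    if attrs.get("client_cert_enabled") is not True:
                        findings.append(label)
    return findings


if __name__ == "__main__":
    for label in find_apps_without_client_cert(SAMPLE_TEMPLATE):
        print(f"{label}: client_cert_enabled missing or false")
```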

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Navigate to App Services.
  3. Click on the reported App.
  4. Under the Settings section, click 'Configuration'.
  5. Under the 'General Settings' tab, in 'Incoming client certificates', set 'Require incoming certificate' to 'On'.
Remediation CLI Command:
az webapp update --resource-group ${resourceGroup} --name ${resourceName} --set clientCertEnabled=true
CLI Command Description:
This CLI command requires the 'Microsoft.Web/sites/{app_name}/config/*' permission. Successful execution enables client certificates, after which only clients that present a valid certificate can reach the app.

Compliance

There is 1 standard that is applicable to this policy:
  • CIS v1.1 (Azure)
