Ensure Web App uses the latest version of TLS encryption
Error: Web App does not use the latest version of TLS encryption
Bridgecrew Policy ID: BC_AZR_NETWORKING_6
Checkov Check ID: CKV_AZURE_15
Severity: MEDIUM
Description
The Transport Layer Security (TLS) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, for example, PCI DSS.
App Service currently lets a web app accept TLS versions 1.0, 1.1 and 1.2. For secure web app connections it is highly recommended to accept only the latest version, TLS 1.2, by setting the minimum TLS version to 1.2.
Fix - Runtime
Azure Portal
To change the policy using the Azure Portal, follow these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to App Services.
- For each Web App, click the app to open it, then:
a) Navigate to Setting section.
b) Click SSL Settings.
c) Navigate to Protocol Settings section.
d) Set Minimum TLS Version to 1.2.
CLI Command
To set the minimum TLS version for an existing app, use the following command:
az webapp config set \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --min-tls-version 1.2
Fix - Buildtime
Terraform
- Resource: azurerm_app_service
- Argument: min_tls_version (inside the site_config block)
resource "azurerm_app_service" "example" {
  ...
  site_config {
    # Reject TLS 1.0 and 1.1 handshakes; only TLS 1.2 is accepted.
    min_tls_version = "1.2"
  }
}
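The following added example (not Checkov's own implementation of CKV_AZURE_15, and not from the original page) shows how a buildtime check for this policy evaluates parsed Terraform configuration: it reads `site_config.min_tls_version` from each `azurerm_app_service` resource, passes on "1.2", and fails on an explicitly configured older protocol version. The sample resources are constructed; the treatment of an absent argument as a pass (because the page states that App Service defaults to TLS 1.2) is an assumption of this example, and the reason string makes that implied value visible to reviewers.

```python
"""Buildtime check: azurerm_app_service must set min_tls_version to 1.2.

Evaluates Terraform resources already parsed into Python dicts, in the
style of a Checkov resource check. Not Checkov's own code; an added example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

CHECK_ID = "CKV_AZURE_15"
EXPECTED_TLS_VERSION = "1.2"


@dataclass(frozen=True)
class CheckResult:
    check_id: str
    resource: str
    status: str  # "PASSED" or "FAILED"
    reason: str


def _parse_version(value) -> tuple:
    """Turn "1.2" into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in str(value).split("."))


def check_min_tls_version(resource_name: str, config: dict) -> CheckResult:
    """Evaluate one azurerm_app_service resource block given as a dict."""
    site_config = config.get("site_config")
    # Terraform's JSON representation renders nested blocks as a list of objects;
    # accept either a list or a plain dict so both forms can be checked.
    if isinstance(site_config, list):
        site_config = site_config[0] if site_config else {}
    site_config = site_config or {}

    version = site_config.get("min_tls_version")
    if version is None:
        # Assumption of this example: an unset argument inherits the platform
        # default (TLS 1.2), so it passes but the reason says the value is implied.
        return CheckResult(CHECK_ID, resource_name, "PASSED",
                           "min_tls_version not set; relying on platform default 1.2")
    if _parse_version(version) >= _parse_version(EXPECTED_TLS_VERSION):
        return CheckResult(CHECK_ID, resource_name, "PASSED",
                           f"min_tls_version = {version}")
    return CheckResult(CHECK_ID, resource_name, "FAILED",
                       f"min_tls_version = {version} permits protocols older than "
                       f"TLS {EXPECTED_TLS_VERSION}")


def scan(resources: dict) -> List[CheckResult]:
    """Run the check over every azurerm_app_service resource in a parsed config."""
    results = []
    for name, config in resources.get("azurerm_app_service", {}).items():
        results.append(check_min_tls_version(name, config))
    return results


# Constructed sample input: three web apps in the shape an HCL-to-JSON
# parser produces (nested blocks as lists of dicts).
SAMPLE_RESOURCES = {
    "azurerm_app_service": {
        "legacy": {"site_config": [{"min_tls_version": "1.0"}]},
        "hardened": {"site_config": [{"min_tls_version": "1.2"}]},
        "implicit": {"site_config": [{}]},
    }
}

if __name__ == "__main__":
    for result in scan(SAMPLE_RESOURCES):
        print(f"{result.check_id} {result.status:6} "
              f"azurerm_app_service.{result.resource}: {result.reason}")
```

Running the block reports `legacy` as FAILED and the other two as PASSED; the version comparison is numeric so a future "1.3" value would also pass rather than being rejected as an unexpected string.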