
Cosmos DB account minimum TLS version#

Security · Cosmos DB · Rule · 2024_06 · Critical

Cosmos DB accounts should reject TLS versions older than 1.2.

Description#

The minimum version of TLS that Azure Cosmos DB accepts for client connections is configurable per account. Older TLS versions (1.0 and 1.1) are no longer considered secure by industry standards, such as PCI DSS.

Azure Cosmos DB lets you disable these outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted, so an account that does not set a minimum version continues to accept connections over TLS 1.0 and 1.1.

Recommendation#

Configure the minimum supported TLS version to 1.2 on each Cosmos DB account. Also consider enforcing this setting across subscriptions using Azure Policy, so that new accounts cannot be deployed with a weaker minimum.

Examples#

Configure with Azure template#

To deploy database accounts that pass this rule:

  • Set the properties.minimalTlsVersion property to Tls12.

For example:

Azure Template snippet
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-11-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "enableFreeTier": false,
    "consistencyPolicy": {
      "defaultConsistencyLevel": "Session"
    },
    "databaseAccountOfferType": "Standard",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ],
    "disableKeyBasedMetadataWriteAccess": true,
    "minimalTlsVersion": "Tls12"
  }
}

Configure with Bicep#

To deploy database accounts that pass this rule:

  • Set the properties.minimalTlsVersion property to Tls12.

For example:

Azure Bicep snippet
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
  name: name
  location: location
  properties: {
    enableFreeTier: false
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
    disableKeyBasedMetadataWriteAccess: true
    minimalTlsVersion: 'Tls12'
  }
}
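The template and Bicep snippets above show the passing configuration; the following is an added example (not code from the PSRule for Azure project) that evaluates ARM resource objects against this rule offline, the way an in-pipeline check would. It treats a missing `properties.minimalTlsVersion` as a failure, because the service default accepts TLS 1.0 and 1.1, and it reports an error rather than a pass for a value outside the property's allowed set (`Tls`, `Tls11`, `Tls12`). The resource names and the sample template are constructed for the example.

```python
"""Added example (not part of the PSRule for Azure project): evaluate ARM
template resources against 'Cosmos DB accounts should reject TLS versions
older than 1.2'. The sample template below is constructed inline, so the
check runs with no Azure access."""
import json

RESOURCE_TYPE = "Microsoft.DocumentDB/databaseAccounts"
REQUIRED_MIN_TLS = "Tls12"
# Values the minimalTlsVersion property accepts in the ARM schema.
# Anything else is a template error, not a pass.
KNOWN_VALUES = {"tls", "tls11", "tls12"}


def evaluate(resource: dict) -> tuple[str, str]:
    """Return (outcome, reason) for one ARM resource object.

    outcome is one of 'Pass', 'Fail', 'Error' or 'Skip'. A missing property
    fails: the service default accepts TLS 1.0 and TLS 1.1.
    """
    if resource.get("type", "").lower() != RESOURCE_TYPE.lower():
        return ("Skip", "not a Cosmos DB account")
    value = resource.get("properties", {}).get("minimalTlsVersion")
    if value is None:
        return ("Fail", "properties.minimalTlsVersion not set; "
                        "default accepts TLS 1.0 and TLS 1.1")
    # Enum values are compared case-insensitively; the canonical spelling is Tls12.
    normalised = str(value).lower()
    if normalised not in KNOWN_VALUES:
        return ("Error", f"unknown minimalTlsVersion {value!r}; "
                         f"expected Tls, Tls11 or Tls12")
    if normalised != REQUIRED_MIN_TLS.lower():
        return ("Fail", f"minimalTlsVersion is {value}; must be {REQUIRED_MIN_TLS}")
    return ("Pass", f"minimalTlsVersion is {REQUIRED_MIN_TLS}")


def evaluate_template(template: dict) -> dict[str, tuple[str, str]]:
    """Evaluate every resource in a deployment template, keyed by resource name."""
    return {r.get("name", "<unnamed>"): evaluate(r)
            for r in template.get("resources", [])}


# Constructed sample template: one compliant account, one relying on the
# default, one pinned to TLS 1.1, and an unrelated resource the rule skips.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-ok",
     "properties": {"databaseAccountOfferType": "Standard", "minimalTlsVersion": "Tls12"}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-default",
     "properties": {"databaseAccountOfferType": "Standard"}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-tls11",
     "properties": {"databaseAccountOfferType": "Standard", "minimalTlsVersion": "Tls11"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "storage",
     "properties": {"minimumTlsVersion": "TLS1_2"}}
  ]
}
""")


if __name__ == "__main__":
    for name, (outcome, reason) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{outcome:5} {name}: {reason}")
```

Feed it the `resources` array of a real template, or the JSON returned for an account, and treat anything other than `Pass` as a deployment blocker. Note that the storage account is skipped only because this rule is scoped to Cosmos DB; its own `minimumTlsVersion` property is covered by a separate rule.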
