Minimum TLS version

Security · Event Hub · Rule · 2023_03 · Critical

Event Hub namespaces should reject TLS versions older than 1.2.

Description

The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

When clients connect using an older version of TLS that is disabled, the connection will fail.

Recommendation

Configure the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

Examples

Configure with Azure template

To deploy Event Hub namespaces that pass this rule:

• Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Template snippet

{
  "type": "Microsoft.EventHub/namespaces",
  "apiVersion": "2024-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "minimumTlsVersion": "1.2",
    "publicNetworkAccess": "Disabled",
    "isAutoInflateEnabled": true,
    "maximumThroughputUnits": 10,
    "zoneRedundant": true
  }
}

Configure with Bicep

To deploy Event Hub namespaces that pass this rule:

• Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Bicep snippet

resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Standard'
  }
  properties: {
    disableLocalAuth: true
    minimumTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
    isAutoInflateEnabled: true
    maximumThroughputUnits: 10
    zoneRedundant: true
  }
}

Configure with Azure Verified Modules

A pre-built module is avilable on the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/event-hub/namespace:<version>

Links

• SE:07 Encryption
• DP-3: Encrypt sensitive data in transit
• Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace
• Preparing for TLS 1.2 in Microsoft Azure
• Azure deployment reference

Comments