Skip to content

Storage Account minimum TLS version#

Security · Storage Account · Rule · 2020_09 · Critical

Storage Accounts should reject TLS versions older than 1.2.

Description#

The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation#

Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Configure with Azure Policy#

To address this issue at runtime use the following policies:

Comments