Storage Account minimum TLS version#
Security · Storage Account · Rule · 2020_09 · Critical
Storage Accounts should reject TLS versions older than 1.2.
Description#
The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
Recommendation#
Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
Examples#
Configure with Azure template#
To deploy Storage Accounts that pass this rule:
- Set the
properties.minimumTlsVersion
property toTLS1_2
or newer.
For example:
Azure Template snippet
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"properties": {
"allowBlobPublicAccess": false,
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "TLS1_2",
"accessTier": "Hot",
"allowSharedKeyAccess": false,
"networkAcls": {
"defaultAction": "Deny"
}
}
}
Configure with Bicep#
To deploy Storage Accounts that pass this rule:
- Set the
properties.minimumTlsVersion
property toTLS1_2
or newer.
For example:
Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: name
location: location
sku: {
name: 'Standard_GRS'
}
kind: 'StorageV2'
properties: {
allowBlobPublicAccess: false
supportsHttpsTrafficOnly: true
minimumTlsVersion: 'TLS1_2'
accessTier: 'Hot'
allowSharedKeyAccess: false
networkAcls: {
defaultAction: 'Deny'
}
}
}
Configure with Azure Policy#
To address this issue at runtime use the following policies:
- Storage accounts should have the specified minimum TLS version
/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0
Links#
- SE:07 Encryption
- TLS encryption in Azure
- Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
- DP-3: Encrypt sensitive data in transit
- Preparing for TLS 1.2 in Microsoft Azure
- Use Azure Policy to enforce the minimum TLS version
- Azure deployment reference