Skip to content

Storage Account minimum TLS version#

Security · Storage Account · Azure.Storage.MinTLS

Storage Accounts should reject TLS versions older than 1.2.

Description#

The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation#

Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

{
    "comments": "Storage Account",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-06-01",
    "name": "st0000001",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "accessTier": "Hot"
    }
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: 'st0000001'
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    accessTier: 'Hot'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Last update: 2021-09-24