Storage Account minimum TLS version#
Security · Storage Account · 2020_09
Storage Accounts should reject TLS versions older than 1.2.
Description#
The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
Recommendation#
Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
Examples#
Configure with Azure template#
To deploy Storage Accounts that pass this rule:
- Set the
properties.minimumTlsVersion
property toTLS1_2
or newer.
For example:
Azure Template snippet
{
"comments": "Storage Account",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "st0000001",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "TLS1_2",
"allowBlobPublicAccess": false,
"accessTier": "Hot"
}
}
Configure with Bicep#
To deploy Storage Accounts that pass this rule:
- Set the
properties.minimumTlsVersion
property toTLS1_2
or newer.
For example:
Azure Bicep snippet
resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = {
name: 'st0000001'
location: location
sku: {
name: 'Standard_GRS'
}
kind: 'StorageV2'
properties: {
supportsHttpsTrafficOnly: true
accessTier: 'Hot'
allowBlobPublicAccess: false
minimumTlsVersion: 'TLS1_2'
networkAcls: {
defaultAction: 'Deny'
}
}
}
Links#
- Data encryption in Azure
- TLS encryption in Azure
- Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
- Preparing for TLS 1.2 in Microsoft Azure
- Use Azure Policy to enforce the minimum TLS version
- Azure deployment reference
Last update:
2022-10-17