Use secure protocols for Storage Accounts

Security · Storage Account · Rule · 2020_09 · Critical

Storage Accounts should not accept weak or deprecated transport protocols for client-server communication.

Description

The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

When clients connect using an older version of TLS that is disabled, the connection will fail.

Recommendation

Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

Examples

Configure with Azure template

To deploy Storage Accounts that pass this rule:

• Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

Azure Template snippet

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep

To deploy Storage Accounts that pass this rule:

• Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

Azure Bicep snippet

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/storage/storage-account:<version>

To use the latest version:

br/public:avm/res/storage/storage-account:0.9.1

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure Policy

To address this issue at runtime use the following policies:

• Storage accounts should have the specified minimum TLS version /providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0

Links

• SE:07 Encryption
• Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
• DP-3: Encrypt sensitive data in transit
• TLS encryption in Azure
• Preparing for TLS 1.2 in Microsoft Azure
• Use Azure Policy to enforce the minimum TLS version
• Azure deployment reference

Comments