Insufficient Transport Layer Security in Azure Storage
Microsoft Azure Storage, with its comprehensive approach to security, provides robust support for TLS to ensure data in transit remains confidential and secure.
TLS Version
Azure Storage allows you to set a minimum TLS version, enabling you to ensure that only the most secure and up-to-date versions of TLS are used for communication. Older versions like TLS 1.0 and 1.1 have known vulnerabilities. Ensure you’re using TLS 1.2 or higher.
resource "azurerm_storage_account" "example" {
  name                     = "example"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Reject any client that cannot negotiate TLS 1.2 or newer.
  min_tls_version          = "TLS1_2"
}
HTTPS Only
By default, Azure Storage accounts accept requests over both HTTP and HTTPS. However, for maximum security, accepting requests only over HTTPS is recommended.
resource "azurerm_storage_account" "example" {
  name                     = "example"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Require secure transfer: plain-HTTP requests are refused.
  # Note: azurerm provider 4.x renames this argument to https_traffic_only_enabled.
  enable_https_traffic_only = true
}
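Beyond setting the two arguments above, a defender will want to confirm that every existing account actually enforces them. The following audit is an added example written for this page, not code from the article or from Azure; it reads records in the shape of `az storage account list` output (a constructed sample is embedded) and assumes that a missing or null minimumTlsVersion means no minimum is enforced.

```python
import json

# Ordering of the values Azure accepts for minimumTlsVersion; higher is stronger.
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
REQUIRED_MIN_TLS = "TLS1_2"

# Constructed sample in the shape of `az storage account list` output
# (only the fields this check reads are included).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stgood",   "minimumTlsVersion": "TLS1_2", "enableHttpsTrafficOnly": true},
  {"name": "stoldtls", "minimumTlsVersion": "TLS1_0", "enableHttpsTrafficOnly": true},
  {"name": "sthttp",   "minimumTlsVersion": "TLS1_2", "enableHttpsTrafficOnly": false},
  {"name": "stunset",  "minimumTlsVersion": null,     "enableHttpsTrafficOnly": true}
]
"""


def audit_account(account: dict) -> list:
    """Return the transport-security findings for one storage account record."""
    findings = []
    min_tls = account.get("minimumTlsVersion")
    # Assumption: an absent/null value means no minimum is enforced, so it is
    # reported rather than silently accepted. Unknown strings rank -1 and are flagged too.
    if min_tls is None:
        findings.append("minimum TLS version not set")
    elif TLS_RANK.get(min_tls, -1) < TLS_RANK[REQUIRED_MIN_TLS]:
        findings.append(f"minimum TLS version {min_tls} is below {REQUIRED_MIN_TLS}")
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("secure transfer (HTTPS only) is disabled")
    return findings


def audit_accounts(accounts_json: str) -> dict:
    """Map each non-compliant account name to its findings; compliant accounts are omitted."""
    report = {}
    for account in json.loads(accounts_json):
        findings = audit_account(account)
        if findings:
            report[account["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{name}: {'; '.join(findings)}")
```

Feed it the real CLI output with `az storage account list -o json` to audit a subscription.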
Automatic Certificate Renewal
Configuring Key Vault certificates for auto-renewal automates the certificate management process, reducing the risk of service disruptions (and of clients hitting TLS errors) due to expired certificates.
resource "azurerm_key_vault_certificate" "example" {
  name         = var.example_name
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    # "Self" yields a self-signed certificate; use a Key Vault-integrated CA issuer
    # for endpoints that clients must be able to validate.
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    # Renew automatically 10 days before expiry.
    lifetime_action {
      action {
        action_type = "AutoRenew"
      }
      trigger {
        days_before_expiry = 10
      }
    }

    # Required when Key Vault generates the certificate (omitted from the original
    # snippet); the subject and validity here are placeholders.
    x509_certificate_properties {
      key_usage          = ["digitalSignature", "keyEncipherment"]
      subject            = "CN=example"
      validity_in_months = 12
    }
  }
}