
Azure App Service Web app doesn't use latest TLS version

Description

The Transport Layer Security (TLS) protocol secures data in transit over the internet using standard encryption technology, and connections should be configured to use the latest TLS version. App Service allows TLS 1.2 by default, which is the level recommended by industry standards such as PCI DSS. App Service currently lets a web app set a minimum TLS version of 1.0, 1.1 or 1.2; a minimum of 1.0 or 1.1 means clients can still negotiate those deprecated protocol versions. For secure web app connections it is highly recommended to allow only the latest version, TLS 1.2.

Code Example

```hcl
resource "azurerm_app_service" "example" {
    ...
    site_config {
-     min_tls_version = <version>
    }
}
```

Remediation

  • Azure Portal

    To change the policy using the Azure Portal, follow these steps:

    1. Log in to the Azure Portal at https://portal.azure.com.
    2. Navigate to App Services.
    3. For each Web App, click the app, then:
       a) Navigate to the Settings section.
       b) Click SSL Settings.
       c) Navigate to the Protocol Settings section.
       d) Set Minimum TLS Version to 1.2.

  • CLI Command

    To set the TLS version for an existing app, use the following command:

    az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --min-tls-version 1.2

Fix - Buildtime

Terraform

  • Resource: azurerm_app_service
  • Arguments: min_tls_version
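The following is an added example, not code from the page, from Checkov or from the azurerm provider. It shows the kind of buildtime check this rule performs: it scans Terraform text for azurerm_app_service resources, reads the min_tls_version argument from the site_config block (where the provider places it), and reports each resource as PASSED or FAILED. The three resources in SAMPLE_HCL are constructed sample input: one pins the deprecated "1.0", one omits the argument and inherits the provider default, one pins "1.2". The require_explicit switch is an assumption of this example, added so a team can choose to fail configurations that rely on the default rather than stating the minimum in code.

```python
import re
from typing import Dict, Optional

# Constructed sample configurations (not from the page or the provider docs):
# "legacy" pins a weak version, "implicit" omits the argument and so relies on
# the provider default, "hardened" pins 1.2 explicitly.
SAMPLE_HCL = '''
resource "azurerm_app_service" "legacy" {
  name                = "example-legacy"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = "example-plan"

  site_config {
    min_tls_version = "1.0"
  }
}

resource "azurerm_app_service" "implicit" {
  name                = "example-implicit"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = "example-plan"
}

resource "azurerm_app_service" "hardened" {
  name                = "example-hardened"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = "example-plan"

  site_config {
    min_tls_version = "1.2"
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"azurerm_app_service"\s+"([^"]+)"\s*\{')
# Accepts both the quoted form min_tls_version = "1.2" and the bare 1.2.
TLS_RE = re.compile(r'min_tls_version\s*=\s*"?([0-9.]+)"?')


def _block_body(text: str, open_brace: int) -> str:
    """Return the text inside the brace at open_brace up to its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def min_tls_versions(hcl: str) -> Dict[str, Optional[str]]:
    """Map each azurerm_app_service resource name to its min_tls_version,
    or None when the argument is not set anywhere in the resource body."""
    found = {}
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the opening brace
        tls = TLS_RE.search(body)
        found[m.group(1)] = tls.group(1) if tls else None
    return found


def evaluate(hcl: str, require_explicit: bool = False) -> Dict[str, str]:
    """Return PASSED or FAILED per resource.

    Only "1.2" passes. An absent value passes by default because the page
    states App Service defaults to TLS 1.2; require_explicit=True (an
    assumption of this example) fails resources that leave it unset.
    """
    results = {}
    for name, version in min_tls_versions(hcl).items():
        if version is None:
            results[name] = "FAILED" if require_explicit else "PASSED"
        else:
            results[name] = "PASSED" if version == "1.2" else "FAILED"
    return results


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_HCL).items():
        print(f"{name}: {status}")
```

Running the module prints one line per resource; "legacy" fails because "1.0" is below the required minimum, "hardened" passes, and "implicit" passes unless require_explicit is set, in which case it fails because nothing in the code pins the version. The brace-matching helper is what keeps the regex from reading a min_tls_version line out of a neighbouring resource.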

Rule Details

Field        Value
ID           IAC-0526
Severity     LOW
IaC Type     arm
Frameworks   ARM
Checkov ID   CKV_AZURE_15
