Azure Application Gateway is configured with SSL policy having TLS version 1.1 or lower
Description
This policy verifies that the Application Gateway in Azure is set to use secure protocols for communication while data is in transit. In short, it ensures that encrypted channels are used when data moves across the network. This is essential for the security of data, as outdated protocols can expose it to risks such as unauthorized access, data leaks, or privacy breaches. Data sent over a weak or unencrypted channel could be intercepted in transit and viewed or stolen by malicious actors, creating a significant security vulnerability. Therefore, only secure protocols should be used for in-transit communication to protect the data and maintain its confidentiality and integrity.
Code Example
resource "azurerm_application_gateway" "example" {
  name                = "example-appgateway"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ssl_policy {
    # AppGwSslPolicy20170401S enforces a minimum of TLSv1_2; the older
    # AppGwSslPolicy20170401 still permits TLSv1_1 and would fail this check.
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"

    # Alternative form: list the protocols to reject explicitly. The azurerm
    # provider does not allow disabled_protocols together with policy_type or
    # policy_name, so use one form or the other, never both.
    # disabled_protocols = [
    #   "TLSv1_0",
    #   "TLSv1_1",
    # ]
  }
  ...
}
Remediation
Terraform
- Resource: azurerm_application_gateway
- Arguments: ssl_policy.policy_type
To fix this issue, ensure that the Application Gateway resource is configured to use secure protocols for in-transit communication, such as HTTPS with TLS 1.2 or newer. Your Terraform code needs an `ssl_policy` block inside the `azurerm_application_gateway` resource that enforces a minimum protocol version of `TLSv1_2`, either by selecting a predefined policy whose minimum is TLS 1.2 or by setting the minimum version explicitly.
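The following is an added example that evaluates the rule described above over configurations in dictionary form; it is not Checkov's implementation of CKV_AZURE_218 and is not code from this page. It assumes the Azure predefined policy names and their minimum versions as listed in the `PREDEFINED_MIN_VERSION` table, treats a resource with no `ssl_policy` block as failing (an assumption of this check, not something the page states), and the sample resources at the bottom are constructed for illustration.

```python
"""Evaluate azurerm_application_gateway ssl_policy blocks for a minimum TLS
version below 1.2. Illustrative check logic; not Checkov's own code."""

# Ordering of the protocol names accepted by the azurerm provider.
TLS_ORDER = {"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}

# Minimum protocol version enforced by each Azure predefined SSL policy.
PREDEFINED_MIN_VERSION = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}

REQUIRED_MIN = "TLSv1_2"


def effective_min_version(ssl_policy):
    """Return the weakest protocol the ssl_policy block still allows, or None
    when it cannot be determined (unknown predefined policy, malformed custom
    policy, every protocol disabled)."""
    if not ssl_policy:
        # Assumption of this check: no ssl_policy block is treated as allowing
        # TLS 1.0, so the resource fails closed rather than silently passing.
        return "TLSv1_0"
    policy_type = ssl_policy.get("policy_type")
    if policy_type == "Predefined":
        return PREDEFINED_MIN_VERSION.get(ssl_policy.get("policy_name"))
    if policy_type in ("Custom", "CustomV2"):
        version = ssl_policy.get("min_protocol_version")
        return version if version in TLS_ORDER else None
    # No policy_type: only disabled_protocols applies, and the weakest
    # protocol not listed there is the effective minimum.
    disabled = set(ssl_policy.get("disabled_protocols", []))
    for version in sorted(TLS_ORDER, key=TLS_ORDER.__getitem__):
        if version not in disabled:
            return version
    return None


def check_application_gateway(conf):
    """Return ("PASSED" | "FAILED" | "UNKNOWN", explanation) for one resource."""
    version = effective_min_version(conf.get("ssl_policy"))
    if version is None:
        return "UNKNOWN", "ssl_policy could not be evaluated"
    if TLS_ORDER[version] >= TLS_ORDER[REQUIRED_MIN]:
        return "PASSED", f"minimum protocol version is {version}"
    return "FAILED", f"minimum protocol version is {version}; require {REQUIRED_MIN}"


# Constructed sample resources (dictionary form of the Terraform arguments).
SAMPLE_RESOURCES = {
    "no_ssl_policy": {"name": "gw-default"},
    "predefined_weak": {
        "name": "gw-weak",
        "ssl_policy": {"policy_type": "Predefined",
                       "policy_name": "AppGwSslPolicy20170401"},
    },
    "predefined_strong": {
        "name": "gw-strong",
        "ssl_policy": {"policy_type": "Predefined",
                       "policy_name": "AppGwSslPolicy20170401S"},
    },
    "custom_tls12": {
        "name": "gw-custom",
        "ssl_policy": {"policy_type": "Custom",
                       "min_protocol_version": "TLSv1_2",
                       "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    },
    "disabled_only": {
        "name": "gw-disabled",
        "ssl_policy": {"disabled_protocols": ["TLSv1_0", "TLSv1_1"]},
    },
    "disabled_only_partial": {
        "name": "gw-partial",
        "ssl_policy": {"disabled_protocols": ["TLSv1_0"]},
    },
}


def run_all(resources=SAMPLE_RESOURCES):
    """Map each sample resource name to its check status."""
    return {name: check_application_gateway(conf)[0]
            for name, conf in resources.items()}


if __name__ == "__main__":
    for name, conf in SAMPLE_RESOURCES.items():
        status, reason = check_application_gateway(conf)
        print(f"{status:7} {name}: {reason}")
```

The three branches mirror the three ways the provider lets you express the policy: a predefined name, a custom policy with `min_protocol_version`, or a bare `disabled_protocols` list. Only a configuration whose effective minimum is `TLSv1_2` or higher passes; a predefined name the table does not know is reported as UNKNOWN rather than silently passed.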
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0725 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_218 |