last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

App Service Environment should be configured with strongest TLS Cipher suites

Name App Service Environment should be configured with strongest TLS Cipher suites
Id 817dcf37-e83d-4999-a472-644eada2ea1e
Version 1.0.0
Category App Service
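Description The two cipher suites that form the minimal, strongest set required for App Service Environment to function correctly are: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Note: going by the policy rule in the JSON on this page, an environment is reported unless at least one clusterSettings entry has a name containing FrontEndSSLCipherSuiteOrder and a value that contains both suites and is shorter than 80 characters; in practice a cipher list with further suites appended exceeds that length and is audited as non-compliant.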
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-06-22 14:29:30 add 817dcf37-e83d-4999-a472-644eada2ea1e
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "App Service Environment should be configured with strongest TLS Cipher suites",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "kind",
            "like": "ASE*"
          },
          {
            "field": "type",
            "equals": "Microsoft.Web/hostingEnvironments"
          },
          {
            "count": {
            "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*]",
              "where": {
                "allOf": [
                  {
                  "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].name",
                    "contains": "FrontEndSSLCipherSuiteOrder"
                  },
                  {
                  "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].value",
                    "contains": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                  },
                  {
                  "field": "Microsoft.Web/HostingEnvironments/clusterSettings[*].value",
                    "contains": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                  },
                  {
                  "value": "[less(length(field('Microsoft.Web/HostingEnvironments/clusterSettings[*].value')), 80)]",
                    "equals": "true"
                  }
                ]
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/817dcf37-e83d-4999-a472-644eada2ea1e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "817dcf37-e83d-4999-a472-644eada2ea1e"
}