last sync: 2025-Jul-07 17:23:16 UTC

Storage accounts should have the specified minimum TLS version

Azure BuiltIn Policy definition

Source Azure Portal
Display name Storage accounts should have the specified minimum TLS version
Id fe83a0eb-a853-422d-aac2-1bffd182c5d0
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Storage
Microsoft Learn
Description Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/minimumTlsVersion Microsoft.Storage storageAccounts properties.minimumTlsVersion True True
Rule resource types IF (1)
Compliance
The following 16 compliance controls are associated with this Policy definition 'Storage accounts should have the specified minimum TLS version' (fe83a0eb-a853-422d-aac2-1bffd182c5d0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ACAT_Security_Policies ACAT_Security_Policies ACAT Security Policies Guidelines for M365 Certification Protecting systems and resources Shared n/a Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. link 16
CIS_Azure_2.0.0 3.15 CIS_Azure_2.0.0_3.15 CIS Microsoft Azure Foundations Benchmark recommendation 3.15 3 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" Shared When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail. In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit. link 4
CIS_Azure_Foundations_v2.1.0 3.15 CIS_Azure_Foundations_v2.1.0_3.15 CIS Azure Foundations v2.1.0 3.15 Storage Accounts Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" Shared n/a In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. 1
CIS_Azure_Foundations_v3.0.0 4.15 CIS_Azure_Foundations_v3.0.0_4.15 CIS Azure Foundations v3.0.0 4.15 4 Ensure the 'Minimum TLS version' for Storage Accounts is set to 'Version 1.2' Shared n/a Verify that the 'Minimum TLS version' for Azure storage accounts is set to 'Version 1.2'. This control is essential for ensuring secure data transmission by enforcing the use of a strong TLS protocol, protecting against vulnerabilities associated with older versions. 1
CIS_Controls_v8.1 3.10 CIS_Controls_v8.1_3.10 404 not found n/a n/a 8
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
K_ISMS_P_2018 2.10.1 K_ISMS_P_2018_2.10.1 K ISMS P 2018 2.10.1 2.10 Establish Procedures for Managing the Security of System Operations Shared n/a Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. 455
K_ISMS_P_2018 2.10.2 K_ISMS_P_2018_2.10.2 K ISMS P 2018 2.10.2 2.10 Establish Protective Measures for Administrator Privileges and Security Configurations Shared n/a Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. 431
K_ISMS_P_2018 2.10.4 K_ISMS_P_2018_2.10.4 K ISMS P 2018 2.10.4 2.10 Establish Protective Measures when Working with Electronic Transactions or Fintech Services Shared n/a Establish and implement protective measures such as authentication and encryption to prevent information leakage, data alteration, or fraud when working with electronic transactions and Fintech services. In the event connections to external systems are required, safety must be checked. 45
K_ISMS_P_2018 2.10.5 K_ISMS_P_2018_2.10.5 K ISMS P 2018 2.10.5 2.10 Establish Secure Data Transmission Procedures with External Organizations Shared n/a Establish secure transmission policies, transmission methods, and technical measures for protecting personal information and important information if transmitting data to external organizations. Agreement on management responsibilities for data transmission must be established. 30
K_ISMS_P_2018 2.7.1b K_ISMS_P_2018_2.7.1b K ISMS P 2018 2.7.1b 2.7 Ensure Data is Encrypted at Rest and In-Transit Shared n/a Ensure data is encrypted when storing and transmitting personal and important information. 70
New_Zealand_ISM 17.4.16.C.01 New_Zealand_ISM_17.4.16.C.01 New_Zealand_ISM_17.4.16.C.01 17. Cryptography 17.4.16.C.01 Using TLS n/a Agencies SHOULD use the current version of TLS (version 1.3). 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20240509 Encryption Deprecated ALZ
[Preview]: Control the use of Storage Accounts in a Virtual Enclave ca122c06-05f6-4423-9018-ccb523168eb2 VirtualEnclaves Preview BuiltIn true
ACAT for Microsoft 365 Certification 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v2.1.0 fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v3.0.0 470a962c-86a0-433b-803a-3c176b5ce79c Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20241211 Encryption GA ALZ
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
K ISMS P 2018 e0782c37-30da-4a78-9f92-50bfe7aa2553 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-04-22 19:50:54 add fe83a0eb-a853-422d-aac2-1bffd182c5d0
JSON compare n/a
JSON
api-version=2021-06-01
EPAC