| reviewed | severity | pillar | category | resource | online version |
|---|---|---|---|---|---|
| 2024-04-09 | Critical | Security | SE:07 Encryption | Cosmos DB | |
Cosmos DB accounts should reject TLS versions older than 1.2.
The minimum version of TLS that Azure Cosmos DB accepts for client communication is configurable. Older TLS versions (1.0 and 1.1) are no longer considered secure by industry standards such as PCI DSS.

Azure Cosmos DB lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted, so an account that does not set a minimum version still negotiates the weaker protocols.

Consider configuring the minimum supported TLS version to 1.2. Also consider enforcing this setting with Azure Policy so that new accounts cannot be deployed without it.
To deploy database accounts that pass this rule using an Azure Resource Manager template:

- Set the `properties.minimalTlsVersion` property to `Tls12`.

For example:

```json
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-11-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "enableFreeTier": false,
    "consistencyPolicy": {
      "defaultConsistencyLevel": "Session"
    },
    "databaseAccountOfferType": "Standard",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ],
    "disableKeyBasedMetadataWriteAccess": true,
    "minimalTlsVersion": "Tls12"
  }
}
```
To deploy database accounts that pass this rule using Bicep:

- Set the `properties.minimalTlsVersion` property to `Tls12`.

For example:

```bicep
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
  name: name
  location: location
  properties: {
    enableFreeTier: false
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
    disableKeyBasedMetadataWriteAccess: true
    minimalTlsVersion: 'Tls12'
  }
}
```
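The rule above can be checked offline before deployment by walking the `resources` array of an ARM template and evaluating `properties.minimalTlsVersion` on every `Microsoft.DocumentDB/databaseAccounts` resource. The following is an added example written for this page, not PSRule's own implementation of the rule. It assumes the three values Resource Manager accepts for the property (`Tls`, `Tls11`, `Tls12`), treats an omitted property as a failure because the account then keeps the permissive default, and runs against a constructed sample template (`SAMPLE_TEMPLATE`) that is not from the page.

```python
import json

# Values Resource Manager accepts for properties.minimalTlsVersion on a
# Microsoft.DocumentDB/databaseAccounts resource, ordered weakest to strongest
# (assumed set of allowed values for this example).
TLS_RANK = {"Tls": 0, "Tls11": 1, "Tls12": 2}
REQUIRED_MIN = "Tls12"
COSMOS_TYPE = "microsoft.documentdb/databaseaccounts"

# Constructed sample template (not from the page): one account with the
# property omitted, one pinned to TLS 1.1, one that passes, and one
# unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "apiVersion": "2023-11-15",
      "name": "cosmos-legacy",
      "properties": {"databaseAccountOfferType": "Standard"}
    },
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "apiVersion": "2023-11-15",
      "name": "cosmos-tls11",
      "properties": {"databaseAccountOfferType": "Standard",
                     "minimalTlsVersion": "Tls11"}
    },
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "apiVersion": "2023-11-15",
      "name": "cosmos-hardened",
      "properties": {"databaseAccountOfferType": "Standard",
                     "minimalTlsVersion": "Tls12"}
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "unrelated"
    }
  ]
}
""")


def evaluate_account(resource: dict) -> tuple[bool, str]:
    """Evaluate one Cosmos DB account resource against the rule.

    Returns (passed, reason). An omitted property fails: the account then
    keeps the service default, which still accepts TLS 1.0 and TLS 1.1.
    """
    value = resource.get("properties", {}).get("minimalTlsVersion")
    if value is None:
        return False, "minimalTlsVersion not set; default accepts TLS 1.0 and 1.1"
    if value not in TLS_RANK:
        # Surface unknown values instead of guessing whether they are strong
        # enough; Resource Manager validation would reject them anyway.
        return False, f"unrecognised minimalTlsVersion value {value!r}"
    if TLS_RANK[value] < TLS_RANK[REQUIRED_MIN]:
        return False, f"minimalTlsVersion is {value}; must be {REQUIRED_MIN}"
    return True, f"minimalTlsVersion is {value}"


def check_template(template: dict) -> dict[str, tuple[bool, str]]:
    """Map each Cosmos DB account name in the template to its result."""
    results = {}
    for res in template.get("resources", []):
        # Resource type comparison is case-insensitive, as in Resource Manager.
        if res.get("type", "").lower() != COSMOS_TYPE:
            continue
        results[res.get("name", "<unnamed>")] = evaluate_account(res)
    return results


def failing_accounts(template: dict) -> list[str]:
    """Names of accounts that would fail the rule, sorted for stable output."""
    return sorted(name for name, (ok, _) in check_template(template).items() if not ok)


if __name__ == "__main__":
    for name, (ok, reason) in check_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

The account with no `minimalTlsVersion` is reported as failing alongside the one pinned to `Tls11`, which is the behaviour you want from a pre-deployment gate: silence on a missing property would let the permissive default through.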