terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.

Run Locally

Run in CI

Defintion

rules:
  - id: storage-use-secure-tls-policy
    message: "Azure Storage currently supports three versions of the TLS protocol:
      1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints,
      but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
      This check will warn if the minimum TLS is not set to TLS1_2."
    patterns:
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
                min_tls_version = "$ANYTHING"
                ...
              }
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
              }
      - pattern-not-inside: |
          resource "azurerm_storage_account" "..." {
            ...
            min_tls_version = "TLS1_2"
            ...
          }
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version
        - https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: ERROR

Examples

storage-use-secure-tls-policy.tf

# pass

resource "azurerm_storage_account" "good_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  min_tls_version          = "TLS1_2"
}

# fail
# ruleid: storage-use-secure-tls-policy
resource "azurerm_storage_account" "bad_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
}

# ruleid: storage-use-secure-tls-policy
resource "azurerm_storage_account" "bad_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  min_tls_version          = "TLS1_1"
}

# ruleid: storage-use-secure-tls-policy
resource "azurerm_storage_account" "bad_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  min_tls_version          = "TLS1_0"
}