terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy
semgrep
Author
unknown
Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage negotiates TLS 1.2 on its public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still accepted for backward compatibility unless a minimum version is enforced on the account. This check warns when an azurerm_storage_account does not set min_tls_version to the literal "TLS1_2". A resource that omits the attribute is reported as well, because the effective minimum then depends on the provider default rather than on anything visible in the configuration, and a value supplied through a variable or local is also reported because the patterns compare against the literal string.
Definition
rules:
  - id: storage-use-secure-tls-policy
    message: "Azure Storage currently supports three versions of the TLS protocol:
      1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints,
      but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
      This check will warn if the minimum TLS is not set to TLS1_2."
    patterns:
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
                min_tls_version = "$ANYTHING"
                ...
              }
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
              }
      - pattern-not-inside: |
          resource "azurerm_storage_account" "..." {
            ...
            min_tls_version = "TLS1_2"
            ...
          }
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version
        - https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: ERROR
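The decision the rule makes, as an added stand-alone Python re-implementation (this is example code, not Semgrep and not code from the rule or the registry): every azurerm_storage_account block is reported unless it carries min_tls_version set to the literal "TLS1_2", so an omitted attribute, a weaker literal, and a non-literal expression all count as findings. The Terraform embedded in the block is constructed to mirror the registry examples; the variable_example block and its var.min_tls_version reference are an assumption added to show the literal-match caveat, and the regex parser assumes each block's closing brace sits at column 0.

```python
"""Stand-alone re-implementation of the storage-use-secure-tls-policy decision.

Added example, not Semgrep and not the rule's own code: it walks
azurerm_storage_account blocks in a Terraform file with a small regex parser
and flags any account whose min_tls_version is not the literal "TLS1_2",
which is what the rule's pattern-inside / pattern-not-inside pair amounts to.
"""
import re
from typing import List, Tuple

# Constructed sample input mirroring the registry examples (not the page's own .tf file).
# variable_example is an assumption added to show that a non-literal value is reported.
SAMPLE_TF = '''
resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_storage_account" "good_example" {
  name                     = "storageaccountname"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_storage_account" "unset_example" {
  name                     = "storageaccountname"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_account" "tls11_example" {
  name                     = "storageaccountname"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_1"
}

resource "azurerm_storage_account" "variable_example" {
  name                     = "storageaccountname"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = var.min_tls_version
}
'''

# One top-level storage account block. The closing brace is assumed to sit at
# column 0, so indented nested blocks do not terminate the match early.
BLOCK_RE = re.compile(
    r'^resource\s+"azurerm_storage_account"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# The attribute assignment; everything after "=" to end of line is the raw HCL expression.
ATTR_RE = re.compile(r'^\s*min_tls_version\s*=\s*(?P<value>\S.*?)\s*$', re.MULTILINE)

REQUIRED_LITERAL = '"TLS1_2"'


def check_min_tls(hcl: str) -> List[Tuple[str, str]]:
    """Return (resource_name, reason) for every storage account the rule would report."""
    findings: List[Tuple[str, str]] = []
    for block in BLOCK_RE.finditer(hcl):
        name, body = block.group("name"), block.group("body")
        attr = ATTR_RE.search(body)
        if attr is None:
            # The bare-resource pattern-inside matches and pattern-not-inside does not.
            findings.append((name, "min_tls_version is not set"))
            continue
        value = attr.group("value")
        if value != REQUIRED_LITERAL:
            # Covers "TLS1_0", "TLS1_1" and non-literal expressions such as var.x,
            # which the rule cannot resolve and therefore reports.
            findings.append((name, f"min_tls_version is {value}, not {REQUIRED_LITERAL}"))
    return findings


def flagged_names(hcl: str) -> List[str]:
    """Just the resource names, for a quick comparison against the ruleid markers."""
    return [name for name, _ in check_min_tls(hcl)]


if __name__ == "__main__":
    for name, reason in check_min_tls(SAMPLE_TF):
        print(f"{name}: {reason}")
```

Running the block prints three findings (unset_example, tls11_example, variable_example) and nothing for good_example; the variable_example case is the one to remember when a team centralises the value in a variable, since the literal has to appear in the resource for the rule to pass it.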
Examples
storage-use-secure-tls-policy.tf
# account_tier and account_replication_type are required by the azurerm provider;
# they are included so the file validates and do not affect the rule.
# pass
resource "azurerm_storage_account" "good_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# fail: min_tls_version omitted, so the effective minimum is the provider default
# ruleid: storage-use-secure-tls-policy
resource "azurerm_storage_account" "bad_example_unset" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# fail: TLS 1.1 explicitly allowed
# ruleid: storage-use-secure-tls-policy
resource "azurerm_storage_account" "bad_example_tls11" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_1"
}

# fail: TLS 1.0 explicitly allowed
# ruleid: storage-use-secure-tls-policy
resource "azurerm_storage_account" "bad_example_tls10" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_0"
}
Short Link: https://sg.run/KXD7