
     1  package storage
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
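// CheckUseSecureTlsPolicy reports Azure Storage Accounts whose minimum TLS
// version is anything other than TLS1_2. Accounts whose metadata is unmanaged
// (not defined in the scanned input) are skipped rather than reported.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0011",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "use-secure-tls-policy",
		Summary:    "The minimum TLS version for Storage Accounts should be TLS1_2",
		Impact:     "The TLS version being outdated and has known vulnerabilities",
		// The previous resolution text referred to a load balancer, which this
		// rule never inspects; the remediation is on the storage account itself.
		Resolution: "Set the minimum TLS version of the storage account to TLS1_2",
		Explanation: `Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. 

Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

This check will warn if the minimum TLS is not set to TLS1_2.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// The check walks every storage account in the scanned state and records
	// one failed or one passed result per managed account.
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			// Unmanaged accounts carry no attributes this rule can evaluate.
			if account.Metadata.IsUnmanaged() {
				continue
			}
			// Only the exact value "TLS1_2" passes; any other value is reported
			// as insecure. NOTE(review): presumably an unset MinimumTLSVersion
			// also fails this comparison rather than picking up a provider
			// default — confirm against the adapter and the string type.
			if account.MinimumTLSVersion.NotEqualTo("TLS1_2") {
				results.Add(
					"Storage account uses an insecure TLS version.",
					account.MinimumTLSVersion,
				)
				continue
			}
			results.AddPassed(&account)
		}
		return
	},
)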