lacework-global-552
4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server (Automated)
Profile Applicability
• Level 1
Description
Ensure TLS version on MySQL flexible servers is set to the default value.
Rationale
TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
Audit
From Azure Portal
- Login to Azure Portal using https://portal.azure.com
- Go to Azure Database for MySQL flexible servers
- For each database, click on Server parameters under Settings
- In the search box, type in tls_version
- Ensure tls_version is set to TLSV1.2
From Azure CLI
Ensure the output of the below command contains the key value pair "value": "TLSv1.2".
az mysql flexible-server parameter show --name tls_version --resource-group <resourceGroupName> --server-name <serverName>
Example output:
{
"allowedValues": "TLSv1,TLSv1.1,TLSv1.2",
"dataType": "Set",
"defaultValue": "TLSv1.2",
"description": "Which protocols the server permits for encrypted connections. By default, TLS 1.2 is enforced",
"id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DBforMySQL/flexibleServers/<serverName>/configurations/tls_version",
"isConfigPendingRestart": "False",
"isDynamicConfig": "False",
"isReadOnly": "False",
"name": "tls_version",
"resourceGroup": "<resourceGroupName>",
"source": "system-default",
"systemData": null,
"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
"value": "TLSv1.2"
}
Remediation
From Azure Portal
- Login to Azure Portal using https://portal.azure.com
- Go to Azure Database for MySQL flexible servers
- For each database, click on Server parameters under Settings
- In the search box, type in tls_version
- Click on the VALUE dropdown, and ensure only TLSV1.2 is selected for tls_version
From Azure CLI
Use the below command to set the tls_version parameter of a MySQL flexible server to TLS version 1.2.
az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSV1.2
Additional Information
There are two versions of Azure Database for MySQL Flexible Server that can be used, versions 5.7 and 8.0.
For version 8.0 of Azure Database for MySQL Flexible Server, TLSV1.2 is selected by default, but TLSV1.3 is available and can be used instead of or together with TLSV1.2.
For version 5.7 of Azure Database for MySQL Flexible Server only TLSV1.2 should be selected. Version 5.7 of Azure Database for MySQL Flexible Server will be deprecated in October 2023.
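The Azure CLI audit and remediation commands above print and set the tls_version parameter as JSON. The POSIX shell script below is an added example, not part of the CIS benchmark and not Microsoft tooling: it extracts the "value" field from the output of `az mysql flexible-server parameter show` without depending on jq, and treats a value consisting only of TLSv1.2 (or TLSv1.2 together with TLSv1.3, which the Additional Information above permits on MySQL 8.0) as compliant, so a value that still lists TLSv1 or TLSv1.1 fails. The `audit_tls_version` and `remediate_tls_version` wrapper functions, their resource-group and server-name arguments, and the embedded sample JSON are assumptions constructed for this example; only the offline check against the sample runs when the script is executed.

```shell
#!/bin/sh
# Added example, not the benchmark's or Microsoft's code: checks the tls_version
# parameter of an Azure Database for MySQL flexible server for compliance.

# Constructed sample of what `az mysql flexible-server parameter show` prints,
# trimmed to the fields the check needs (placeholders, not a real server).
sample_parameter_json() {
    cat <<'EOF'
{
  "allowedValues": "TLSv1,TLSv1.1,TLSv1.2",
  "defaultValue": "TLSv1.2",
  "name": "tls_version",
  "value": "TLSv1.2"
}
EOF
}

# Print the "value" field of the parameter JSON read on stdin. sed is used so
# the check works where jq is not installed; the pattern anchors on the quoted
# lowercase key, so "allowedValues" and "defaultValue" are not matched.
tls_value_from_json() {
    sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when every protocol in the comma-separated value is TLSv1.2 or
# TLSv1.3, 1 when the value is empty or lists any older protocol. The
# comparison is case-insensitive because the benchmark writes TLSV1.2 while
# the CLI prints TLSv1.2.
tls_value_is_compliant() {
    value=$1
    [ -n "$value" ] || return 1
    old_ifs=$IFS
    IFS=,
    for proto in $value; do
        proto=$(printf '%s' "$proto" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
        case "$proto" in
            tlsv1.2|tlsv1.3) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Live audit (assumed wrapper): fetch the parameter from Azure, which requires
# a prior `az login`, and report. Arguments: resource group name, server name.
audit_tls_version() {
    value=$(az mysql flexible-server parameter show --name tls_version \
        --resource-group "$1" --server-name "$2" --output json | tls_value_from_json)
    if tls_value_is_compliant "$value"; then
        echo "PASS $2: tls_version=$value"
    else
        echo "FAIL $2: tls_version='$value' (expected TLSv1.2)"
        return 1
    fi
}

# The benchmark's remediation command, wrapped so it is only run after a FAIL.
remediate_tls_version() {
    az mysql flexible-server parameter set --name tls_version \
        --resource-group "$1" --server-name "$2" --value TLSV1.2
}

# Offline demonstration against the constructed sample; no Azure call is made.
sample_value=$(sample_parameter_json | tls_value_from_json)
if tls_value_is_compliant "$sample_value"; then
    echo "sample: PASS (tls_version=$sample_value)"
else
    echo "sample: FAIL (tls_version=$sample_value)"
fi
```

To audit a real server, source the script and call `audit_tls_version <resourceGroupName> <serverName>`; pipe the output of `az mysql flexible-server list` through the same pair of functions to cover every server in a subscription. Because the benchmark's portal step says to ensure that only TLSV1.2 is selected, the compliance function rejects any value in which an older protocol appears alongside TLSv1.2, rather than merely checking that TLSv1.2 is present.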
References
https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security
https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default
https://learn.microsoft.com/en-us/azure/mysql/concepts-version-policy#major-version-retirement-policy