Ensure latest TLS/SSL version is in use for Azure API Management

MEDIUM

Description

Using the latest version of TLS can help keep data in-transit protected from man-in-the-middle and similar attacks.

Remediation

In Azure Console -

Open the Azure Portal and go to API Management.
Choose the API you wish to edit.
Under Security, select Protocols + ciphers.
Under Client protocol, check the box for each insecure version (SSLv3, TLS 1.1, and TLS 1.0), then select Disable.
Repeat for Backend protocol.
Select Save.

In Terraform -

In the azurerm_api_management, set security.enable_backend_ssl30 to false, or remove completely (the default is false).
In the azurerm_api_management, set security.enable_frontend_ssl30 to false, or remove completely (the default is false).
Repeat for insecure TLS versions (TLS 1.1 and TLS 1.0).

References:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-manage-protocols-ciphers
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management#security

Policy Details

Rule Reference ID: AC_AZURE_0224

CSP: Azure

Remediation Available: Yes

Domain: Infrastructure Security

Resource: azurerm_api_management

Resource Category: Virtual Network

Resource Type: API Management

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0