Ensure TLS 1.2 or greater is used for IoT Hub

HIGH

Description

Organizations should use the latest version of TLS and modern cipher suites to protect data in transit from man-in-the-middle and similar attacks.

Remediation

The min_tls_version attribute is read-only and cannot be modified after the IoT Hub has been created. Follow the steps below to create a new IoT Hub with the
appropriate TLS configuration.

In Azure Console -

  1. Go to Azure IoT Hub device provisioning service.
  2. Click Create.
  3. Choose the Subscription, Resource group, Region, Tier and the name of the IoT Hub.
  4. In Networking, set Min TLS Version to 1.2.
  5. Click Review and Create.

In Terraform -

  1. In the azurerm_iothub resource, set min_tls_version to 1.2.
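The Terraform form of this remediation, shown as an added example that is not part of the original policy text: a non-compliant azurerm_iothub that omits min_tls_version next to the compliant form that pins it to 1.2. The resource group, hub names and the S1 SKU are constructed sample values.

```hcl
# Added example, not taken from the policy page or the azurerm provider docs.
# Resource group name, hub names and SKU are constructed sample values.

resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "West Europe"
}

# Non-compliant: min_tls_version is omitted, so the hub does not enforce
# TLS 1.2 as the minimum protocol version. This is what AC_AZURE_0095 flags.
resource "azurerm_iothub" "noncompliant" {
  name                = "example-iothub-legacy"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  sku {
    name     = "S1"
    capacity = 1
  }
}

# Compliant: min_tls_version pinned to "1.2". The attribute cannot be changed
# on an existing hub, so setting it on a hub that lacks it forces Terraform
# to destroy and recreate that resource (plan before applying).
resource "azurerm_iothub" "compliant" {
  name                = "example-iothub"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  min_tls_version     = "1.2"

  sku {
    name     = "S1"
    capacity = 1
  }
}
```

Because min_tls_version forces replacement, run `terraform plan` first and expect a "must be replaced" entry for any existing hub gaining the setting; devices bound to that hub will need to be re-registered against the new one. After apply, the Networking blade of the hub in the Azure portal shows the configured minimum TLS version.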

References:
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-create-through-portal#create-an-iot-hub
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/iothub#min_tls_version
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-tls-support?WT.mc_id=IoT-MVP-5004034#tls-12-enforcement-available-in-select-regions

Policy Details

Rule Reference ID: AC_AZURE_0095
CSP: Azure
Remediation Available: Yes
Resource: azurerm_iothub
Resource Category: Virtual Network
Resource Type: IoT Hub

Frameworks