
Feature Request - replace Deny-Sql-minTLS with built-in

Open vegazbabz opened this issue 2 years ago • 3 comments

Replace the policy "Azure SQL Database should have the minimal TLS version set to the highest version" (Deny-Sql-minTLS) with the built-in policy "Azure SQL Database should be running TLS version 1.2 or newer".

Reasoning: There is no reason to have the minimum TLS version as a parameter. v1.2 (or 1.3) is the only version to use. The rest is insecure and should never be used. Legacy apps running this should be exempted from this policy; however, it should not be the organization's default to have 1.0 or 1.1, which is why it should not be supported in a policy used for an initiative for the LZ MG.

It is currently part of the policy initiative "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" (Enforce-EncryptTransit).

vegazbabz avatar Jan 26 '24 23:01 vegazbabz
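For reference, this is what the non-parameterized deny rule the request describes looks like as an Azure Policy definition: a fixed allow-list of 1.2 and 1.3 for the `Microsoft.Sql/servers/minimalTlsVersion` alias, with no parameter that could be set to 1.0 or 1.1. This is an illustrative definition added here, not the repo's Deny-Sql-minTLS policy or the built-in one; the display name and the assumption that a missing minimalTlsVersion should also be denied are mine, and legacy servers would be handled with a policy exemption rather than a parameter.

```json
{
  "properties": {
    "displayName": "Deny Azure SQL servers with a minimum TLS version below 1.2 (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation or update of an Azure SQL logical server whose minimalTlsVersion is not 1.2 or 1.3. No parameter is exposed, so an assignment cannot weaken the floor; legacy servers get a policy exemption instead.",
    "metadata": {
      "category": "SQL"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "exists": "false"
              },
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "notIn": [ "1.2", "1.3" ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}
```

The `exists: false` branch treats an unset minimum as non-compliant, since an unset value does not enforce any floor; drop that branch if the intent is only to reject explicit 1.0/1.1 settings.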

Thanks @vegazbabz

For the policy enhancement suggestions here, we will triage and come back to you with any further questions or clarity we may have or require and let you know an outcome.

If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.

Thanks - the ALZ Team

jtracey93 avatar Jan 31 '24 19:01 jtracey93

If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.

Thanks - the ALZ Team

Already checked this out and reported one there. However, this seems to be for new policies and not for enhancements of existing ones. If that is not correct, then please update the descriptions :)

vegazbabz avatar Feb 04 '24 16:02 vegazbabz

@springstone, see above comment around form

jtracey93 avatar Feb 05 '24 12:02 jtracey93

Addressed in PR https://github.com/Azure/Enterprise-Scale/pull/1622

Springstone avatar Apr 22 '24 14:04 Springstone