Ensure Azure MariaDB server is using latest TLS (1.2)

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Ensure Azure MariaDB server is using latest TLS (1.2)

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 8f0e6b2d-3c9a-4f1e-8d2a-7b6c5d4e3f21

Cloud Provider: Azure

Platform: Terraform

Severity: High

Category: Encryption

Learn More

Provider Reference

Description

Using outdated TLS versions in Azure MariaDB servers exposes your database to known vulnerabilities and encryption weaknesses, potentially allowing attackers to intercept and decrypt sensitive data. Without proper SSL enforcement and TLS 1.2 (or higher) configuration, your database communications remain susceptible to man-in-the-middle attacks and other security exploits that have been addressed in newer TLS versions.

To secure your Azure MariaDB server, you must set both the ssl_enforcement_enabled flag to true and ssl_minimal_tls_version_enforced to TLS1_2, as shown in the following example:

resource "azurerm_mariadb_server" "good_example" {
  name                = "good-mariadb-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["true"]
  ssl_minimal_tls_version_enforced = ["TLS1_2"]
}

Compliant Code Examples

# Passing example: ssl_minimal_tls_version_enforced not defined (defaults to TLS1_2)
resource "azurerm_mariadb_server" "good_example_default" {
  name                = "good-mariadb-server-default"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled = ["true"]
  # ssl_minimal_tls_version_enforced not specified → defaults to TLS1_2
}

# Passing example: Correct enforcement and TLS settings
resource "azurerm_mariadb_server" "good_example" {
  name                = "good-mariadb-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["true"]
  ssl_minimal_tls_version_enforced = ["TLS1_2"] # Correct setting
}

Non-Compliant Code Examples

# Failing example: ssl_enforcement_enabled is not "true"
resource "azurerm_mariadb_server" "bad_example" {
  name                = "bad-mariadb-server"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["false"]  # ❌ Incorrect value
  ssl_minimal_tls_version_enforced = ["TLS1_2"] # Even if TLS is correct, enforcement flag is wrong
}

# Failing example: ssl_enforcement_enabled is "true" but minimal TLS is set incorrectly
resource "azurerm_mariadb_server" "bad_example2" {
  name                = "bad-mariadb-server-2"
  location            = "East US"
  resource_group_name = "example-rg"

  ssl_enforcement_enabled          = ["true"]
  ssl_minimal_tls_version_enforced = ["TLS1_0"] # ❌ Incorrect TLS version
}