More Info:

Ensure TLS version on MySQL flexible servers is set to the default value.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure TLS Version Is Set To TLSV1.2 For MySQL Flexible Database Server” for Azure using Azure console, please follow the below steps:
  1. Login to Azure portal (https://portal.azure.com/).
  2. Navigate to “Azure Database for MySQL Flexible Server” service.
  3. Select the “Flexible server” for which you want to remediate the misconfiguration.
  4. Under the “Settings” section, click on “Connection security”.
  5. Under the “Connection security” tab, select “TLS 1.2” from the “TLS version” drop-down list.
  6. Click on the “Save” button to save the changes.
Once you have completed these steps, your Azure MySQL Flexible Server will be configured to use TLS version 1.2 for connection security.

To remediate the misconfiguration “Ensure TLS Version Is Set To TLSV1.2 For MySQL Flexible Database Server” for AZURE using AZURE CLI, you can follow the below steps:Step 1: Open the AZURE CLI and login to your account using the following command:
az login
Step 2: Once you are logged in, set the subscription where your MySQL Flexible Database Server is located using the following command:
az account set --subscription <subscription_id>
Step 3: Next, retrieve the resource ID of your MySQL Flexible Database Server using the following command:
az mysql flexible-server list --query "[?name=='<server_name>'].id" -o tsv
Replace <server_name> with the name of your MySQL Flexible Database Server.Step 4: Now, update the TLS version to TLSv1.2 for your MySQL Flexible Database Server using the following command:
az mysql flexible-server update --name <server_name> --resource-group <resource_group_name> --tls-version "TLSv1.2"
Replace <server_name> with the name of your MySQL Flexible Database Server and <resource_group_name> with the name of the resource group where your MySQL Flexible Database Server is located.Step 5: Verify that the TLS version has been updated to TLSv1.2 for your MySQL Flexible Database Server using the following command:
az mysql flexible-server show --name <server_name> --resource-group <resource_group_name> --query "tlsVersion"
Replace <server_name> with the name of your MySQL Flexible Database Server and <resource_group_name> with the name of the resource group where your MySQL Flexible Database Server is located.Once you have completed these steps, the misconfiguration “Ensure TLS Version Is Set To TLSV1.2 For MySQL Flexible Database Server” will be remediated for your AZURE MySQL Flexible Database Server.
To remediate the misconfiguration “Ensure TLS Version Is Set To TLSV1.2 For MySQL Flexible Database Server” in AZURE using Python, you can use the Azure SDK for Python. Here are the steps to remediate the misconfiguration:
  1. Import the required libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.rdbms import MySQLManagementClient
from azure.mgmt.rdbms.models import ServerUpdateParameters
  1. Set the Azure credentials:
credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
resource_group_name = 'your_resource_group_name'
server_name = 'your_server_name'
  1. Instantiate the MySQLManagementClient:
client = MySQLManagementClient(credential, subscription_id)
  1. Get the current server configuration:
server = client.servers.get(resource_group_name, server_name)
  1. Update the server configuration to set TLS version to TLSv1.2:
server_update_params = ServerUpdateParameters(tls_version="TLSv1.2")
client.servers.update(resource_group_name, server_name, server_update_params)
  1. Verify the updated configuration:
server = client.servers.get(resource_group_name, server_name)
print(server.tls_version)
Note: Make sure to replace the placeholders “your_subscription_id”, “your_resource_group_name”, and “your_server_name” with your actual values. Also, make sure to authenticate the Azure credentials before running the code.

Additional Reading: