rules/findings/azure/appservices/azure-app-service-client-certificate-disabled.json
|
{
"args": [], "provider": "Azure", "serviceType": "_ARG_0_", "serviceName": "Hosted Services", "displayName": "Ensure incoming client certificates are enabled and required", "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.", "rationale": "The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client with valid certificates can access the app.", "impact": "Utilizing and maintaining client certificates will require additional work to obtain and manage replacement and key rotation.<br/><br/>NOTE: This recommendation cannot be implemented if following the recommendation titled \"Ensure 'HTTP Version' is set to '2.0' (if in use).\" This recommendation should only be considered for scenarios where HTTP versions prior to 2.0 are required for an app, and mutual certificate authentication is desired for validating clients.", "remediation": { "text": " #### Remediate from Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under the Settings section, Click on Configuration, then General settings 5. Set the option Client certificate mode located under Incoming client certificates ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-authenticate-server-and-services", "https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth", "https://learn.microsoft.com/en-us/cli/azure/webapp", "https://learn.microsoft.com/en-us/powershell/module/az.websites/get-azwebapp" ], "compliance": [ { "name": "_ARG_1_", "version": "_ARG_2_", "reference": "_ARG_3_", "profile": [ "Level 1" ] } ], "level": "low", "tags": [], "rule": { "path": "az_app_services", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "properties.clientCertEnabled", "ne", "true" ], [ "properties.clientCertMode", "ne", "Required" ] ], "operator":"or" } ] }, { "connectOperator": "and", "filter": [ { "include": "_ARG_4_" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "properties.clientCertEnabled":"Client Certificate Enabled", "properties.clientCertMode":"Client Certificate Mode" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "name", "location", "resourceGroupName", "properties" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "properties.clientCertEnabled":"Client Certificate Enabled", "properties.clientCertMode":"Client Certificate Mode" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure incoming client certificates are enabled and required for {name}", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "azure__ARG_0__client_certificate_disabled", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_app_service__ARG_5_" } |