Governance Anti Patterns Encryption

Joshua Davis edited this page Apr 5, 2026 · 6 revisions

Encryption

TLS enforcement, encryption at rest, and transport security detection

Domain: encryption


Checks (3)

Check Description
ANTI-ENC-001 TLS version below 1.2 detected — set minimum TLS version to 1.2.
ANTI-ENC-002 HTTPS not enforced — set https_only = true.
ANTI-ENC-003 SSL enforcement disabled — enable SSL and set minimum TLS 1.2.

ANTI-ENC-001

TLS version below 1.2 detected — set minimum TLS version to 1.2.

Rationale: TLS 1.0 and 1.1 have known vulnerabilities (BEAST, POODLE) and are deprecated by compliance frameworks.
Agents: terraform-agent, bicep-agent

Targets

Services
  • Microsoft.Storage/storageAccounts
  • Microsoft.Sql/servers
  • Microsoft.Cache/redis
  • Microsoft.Web/sites
  • Microsoft.KeyVault/vaults
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.DocumentDB/databaseAccounts

Triggers On
  • 'min_tls_version = "1.0"'
  • 'min_tls_version = "1.1"'
  • 'minimum_tls_version = "1.0"'
  • 'minimum_tls_version = "1.1"'
  • 'tls1_0'
  • 'tls1_1'

Correct Patterns
  • 'min_tls_version = "1.2"'
  • 'minimum_tls_version = "1.2"'
  • 'minimalTlsVersion = "1.2"'
  • 'minimumTlsVersion = "TLS1_2"'

ANTI-ENC-002

HTTPS not enforced — set https_only = true.

Rationale: HTTP transmits data in plaintext, exposing credentials and data to network interception.
Agents: terraform-agent, bicep-agent

Targets

Services
  • Microsoft.Web/sites

Triggers On
  • 'https_only = false'
  • 'https_required = false'

Correct Patterns
  • 'https_only = true'
  • 'httpsOnly = true'

ANTI-ENC-003

SSL enforcement disabled — enable SSL and set minimum TLS 1.2.

Rationale: Disabled SSL allows unencrypted database connections, exposing query data and credentials in transit.
Agents: terraform-agent, bicep-agent

Targets

Services
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.DBforPostgreSQL/flexibleServers

Triggers On
  • 'ssl_enforcement_enabled = false'
  • 'ssl_minimal_tls_version_enforced = "tldisabled"'

Correct Patterns
  • 'ssl_enforcement_enabled = true'
  • 'sslEnforcement = "Enabled"'
  • 'ssl_minimal_tls_version_enforced = "TLS1_2"'
  • 'minimalTlsVersion = "TLS1_2"'
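
The following added example (not this project's own code) shows how the trigger strings for the three checks above can be applied to Terraform text. The matching rules are assumptions: case-insensitive substring matching, spacing around `=` normalized, and trailing `#` or `//` comments ignored. The names `TRIGGERS`, `normalize`, `scan` and `SAMPLE_TF` are hypothetical.

```python
import re

# Trigger strings copied from the page; how they are matched is an assumption.
TRIGGERS = {
    "ANTI-ENC-001": ['min_tls_version = "1.0"', 'min_tls_version = "1.1"',
                     'minimum_tls_version = "1.0"', 'minimum_tls_version = "1.1"',
                     "tls1_0", "tls1_1"],
    "ANTI-ENC-002": ["https_only = false", "https_required = false"],
    "ANTI-ENC-003": ["ssl_enforcement_enabled = false",
                     'ssl_minimal_tls_version_enforced = "tldisabled"'],
}

# Constructed sample input, not taken from any real deployment.
SAMPLE_TF = '''\
resource "azurerm_storage_account" "logs" {
  min_tls_version = "TLS1_0"
}
resource "azurerm_redis_cache" "cache" {
  minimum_tls_version="1.1"
}
resource "azurerm_linux_web_app" "api" {
  https_only = true  # previously tls1_1 and https_only = false
}
resource "azurerm_postgresql_server" "db" {
  ssl_enforcement_enabled   = false
}
'''

def normalize(line):
    """Drop a trailing comment, lowercase, and put single spaces around '='."""
    code = re.split(r"\s(?:#|//)", " " + line, maxsplit=1)[0]
    return re.sub(r"\s*=\s*", " = ", code.strip().lower())

def scan(text):
    """Return (line_number, check_id, pattern) for each trigger hit."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        code = normalize(line)
        for check_id, patterns in TRIGGERS.items():
            for pattern in patterns:
                if pattern in code:
                    findings.append((number, check_id, pattern))
                    break  # one finding per check per line
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_TF):
        print(finding)
```

A line-based match like this cannot tell which resource a setting belongs to, and it does not flag a resource that omits the setting entirely.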
