Disabling certificate-based authentication can reduce an organization's ability to react against attacks on its critical functions and data if any. Azure offers various authentication options to access resources: Anonymous connections, Basic authentication, password-based authentication, and certificate-based authentication. Choosing certificate-based authentication helps bring client/host trust by allowing the host to verify the client and vice versa. In case of a security incident, certificates help bring investigators traceability and allow security operations teams to react faster (by massively revoking certificates, for example). == Ask Yourself Whether * This Azure resource is essential for the information system infrastructure. * This Azure resource is essential for mission-critical functions. * Compliance policies require access to this resource to be authenticated with certificates. There is a risk if you answered yes to any of those questions. == Recommended Secure Coding Practices Enable certificate-based authentication. == Sensitive Code Example For https://azure.microsoft.com/en-us/services/app-service/[App Service]: ---- resource "azurerm_app_service" "example" { client_cert_enabled = false # Sensitive } ---- For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]: ---- resource "azurerm_function_app" "example" { client_cert_mode = "Optional" # Sensitive } ---- For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]: ---- resource "azurerm_data_factory_linked_service_web" "example" { authentication_type = "Basic" # Sensitive } ---- For https://azure.microsoft.com/en-us/services/api-management/[API Management]: ---- resource "azurerm_api_management" "example" { sku_name = "Consumption_1" client_certificate_mode = "Optional" # Sensitive } ---- For https://azure.microsoft.com/fr-fr/services/app-service/containers/[Linux and Windows Web Apps]: ---- resource "azurerm_linux_web_app" "example" { client_cert_enabled = false # Sensitive } resource "azurerm_linux_web_app" "exemple2" { client_cert_enabled = true client_cert_mode = "Optional" # Sensitive } ---- == Compliant Solution For https://azure.microsoft.com/en-us/services/app-service/[App Service]: [source,terraform] ---- resource "azurerm_app_service" "example" { client_cert_enabled = true } ---- For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]: [source,terraform] ---- resource "azurerm_function_app" "example" { client_cert_mode = "Required" } ---- For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]: [source,terraform] ---- resource "azurerm_data_factory_linked_service_web" "example" { authentication_type = "ClientCertificate" } ---- For https://azure.microsoft.com/en-us/services/api-management/[API Management]: [source,terraform] ---- resource "azurerm_api_management" "example" { sku_name = "Consumption_1" client_certificate_mode = "Required" } ---- For https://azure.microsoft.com/fr-fr/services/app-service/containers/[Linux and Windows Web Apps]: [source,terraform] ---- resource "azurerm_linux_web_app" "exemple" { client_cert_enabled = true client_cert_mode = "Required" } ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control * https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control * https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message For these resources: * `api_management`: * `app_service` * `data_factory_linked_service_sftp` * `data_factory_linked_service_web` * `linux_web_app` * `windows_web_app` (if both parameters are non-compliant, flag `client_cert_enabled` first) These messages apply: * If an assignment is missing: Omitting {property_name} disables certificate-based authentication. Make sure it is safe here. * If the assignment is security-sensitive: Make sure that disabling certificate-based authentication is safe here. * For `function_app` and `logic_app_standard`: ** Omitting `client_cert_mode` makes certificate-based authentication optional. Make sure it is safe here. ** Make sure that setting certificate-based authentication as optional is safe here. Make sure that disabling certificate-based authentication is safe here. === Highlighting * If one (out of one) assignement is missing: Highlight the resource * If an assignement is security-sensitive: Highlight the assignement * For `linux_web_app` and `windows_web_app`: ** If both assignements are present and security-sensitive: Highlight `client_cert_enabled = false` endif::env-github,rspecator-view[]