Disabling certificate-based authentication can reduce an organization's ability to respond to attacks on its critical functions and data.
Azure offers several authentication options for accessing resources: anonymous connections, Basic authentication, password-based authentication, and
certificate-based authentication.
Choosing certificate-based authentication establishes mutual trust between client and host: the host can verify the client and the client can verify the host. In case of a
security incident, certificates give investigators traceability and let security operations teams react faster (for example, by revoking
certificates in bulk).
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- Compliance policies require access to this resource to be authenticated with certificates.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Enable certificate-based authentication.
Sensitive Code Example
For App Service:
resource "azurerm_app_service" "example" {
  client_cert_enabled = false # Sensitive
}
For Logic App Standards and Function Apps:
resource "azurerm_function_app" "example" {
  client_cert_mode = "Optional" # Sensitive
}
For Data Factory Linked Services:
resource "azurerm_data_factory_linked_service_web" "example" {
  authentication_type = "Basic" # Sensitive
}
For API Management:
resource "azurerm_api_management" "example" {
  sku_name                = "Consumption_1"
  client_certificate_mode = "Optional" # Sensitive
}
For Linux and Windows Web Apps:
resource "azurerm_linux_web_app" "example" {
  client_cert_enabled = false # Sensitive
}
resource "azurerm_linux_web_app" "example2" {
  client_cert_enabled = true
  client_cert_mode    = "Optional" # Sensitive
}
Compliant Solution
For App Service:
resource "azurerm_app_service" "example" {
  client_cert_enabled = true
}
For Logic App Standards and Function Apps:
resource "azurerm_function_app" "example" {
  client_cert_mode = "Required"
}
For Data Factory Linked Services:
resource "azurerm_data_factory_linked_service_web" "example" {
  authentication_type = "ClientCertificate"
}
For API Management:
resource "azurerm_api_management" "example" {
  sku_name                = "Consumption_1"
  client_certificate_mode = "Required"
}
For Linux and Windows Web Apps:
resource "azurerm_linux_web_app" "example" {
  client_cert_enabled = true
  client_cert_mode    = "Required"
}
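The rule above can be checked mechanically before code reaches review. The following is an added example, not the analyzer that implements this rule and not code from the page: a small Python scanner that walks Terraform text, finds the resource types listed in the Sensitive and Compliant examples, and reports every attribute that leaves certificate-based authentication disabled or optional. The parser is deliberately minimal (flat key = value lines, nested blocks skipped), the resource names in the sample input are constructed, and treating a missing attribute as a finding is an assumption, made because none of these settings default to requiring a client certificate.

```python
import re

# Added example (not the rule's own analyzer). Per resource type, the attribute
# that controls client-certificate authentication and the raw HCL values that
# count as compliant. Types and attribute names follow the rule's examples.
CHECKS = {
    "azurerm_app_service": {"client_cert_enabled": {"true"}},
    "azurerm_function_app": {"client_cert_mode": {'"Required"'}},
    "azurerm_logic_app_standard": {"client_cert_mode": {'"Required"'}},
    "azurerm_data_factory_linked_service_web": {
        "authentication_type": {'"ClientCertificate"'}
    },
    "azurerm_api_management": {"client_certificate_mode": {'"Required"'}},
    "azurerm_linux_web_app": {
        "client_cert_enabled": {"true"},
        "client_cert_mode": {'"Required"'},
    },
    "azurerm_windows_web_app": {
        "client_cert_enabled": {"true"},
        "client_cert_mode": {'"Required"'},
    },
}

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTRIBUTE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$")


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside a string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "#" and not in_string:
            return line[:i]
    return line


def parse_resources(hcl_text):
    """Return [(type, name, {attr: raw_value}), ...] for top-level resource blocks.
    Toy parser: only flat attributes are read; nested blocks are skipped."""
    resources = []
    for header in RESOURCE_HEADER.finditer(hcl_text):
        # Walk forward to the brace that closes this resource block.
        depth, pos = 1, header.end()
        while pos < len(hcl_text) and depth:
            depth += {"{": 1, "}": -1}.get(hcl_text[pos], 0)
            pos += 1
        body = hcl_text[header.end():pos - 1]
        attrs, nested = {}, 0
        for raw in body.splitlines():
            line = _strip_comment(raw).strip()
            if not line:
                continue
            if nested:  # inside a nested block such as site_config { ... }
                nested += line.count("{") - line.count("}")
                continue
            if line.endswith("{"):
                nested = 1
                continue
            m = ATTRIBUTE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
        resources.append((header.group(1), header.group(2), attrs))
    return resources


def find_sensitive(hcl_text):
    """Return (resource address, attribute, raw value or None) for each setting
    that does not require certificate-based authentication. Assumption: an
    absent attribute is reported too, since the provider defaults for these
    attributes do not require a client certificate."""
    findings = []
    for rtype, rname, attrs in parse_resources(hcl_text):
        for attr, allowed in CHECKS.get(rtype, {}).items():
            value = attrs.get(attr)
            if value not in allowed:
                findings.append((f"{rtype}.{rname}", attr, value))
    return findings


# Constructed sample input mixing sensitive and compliant resources.
SAMPLE_TF = '''
resource "azurerm_app_service" "legacy" {
  name                = "legacy-app"
  client_cert_enabled = false # Sensitive
  site_config {
    always_on = true
  }
}

resource "azurerm_function_app" "jobs" {
  client_cert_mode = "Optional"
}

resource "azurerm_data_factory_linked_service_web" "feed" {
  authentication_type = "Basic"
  url                 = "https://example.invalid/#feed"
}

resource "azurerm_api_management" "gateway" {
  sku_name                = "Consumption_1"
  client_certificate_mode = "Required"
}

resource "azurerm_linux_web_app" "portal" {
  client_cert_enabled = true
  client_cert_mode    = "Optional"
}

resource "azurerm_linux_web_app" "admin" {
  client_cert_enabled = true
  client_cert_mode    = "Required"
}
'''

if __name__ == "__main__":
    for address, attr, value in find_sensitive(SAMPLE_TF):
        print(f"{address}: {attr} = {value!r} -> certificate authentication not enforced")
```

Run against the sample, the scanner reports the App Service with client certificates disabled, the Function App and Linux Web App left at "Optional", and the Data Factory linked service using Basic authentication, while the API Management instance and the "admin" web app pass. The comment stripper respects quotes so a '#' inside a URL string is not mistaken for a comment.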
See