TLS enforcement, encryption at rest, and transport security detection

Domain: encryption

---

Check	Description
ANTI-ENC-001	TLS version below 1.2 detected — set minimum TLS version to 1.2.
ANTI-ENC-002	HTTPS not enforced — set https_only = true.
ANTI-ENC-003	SSL enforcement disabled — enable SSL and set minimum TLS 1.2.

---

TLS version below 1.2 detected — set minimum TLS version to 1.2.

Rationale: TLS 1.0 and 1.1 have known vulnerabilities (BEAST, POODLE) and are deprecated by compliance frameworks.
Agents: terraform-agent, bicep-agent

Services	Triggers On	Correct Patterns
Microsoft.Storage/storageAccounts Microsoft.Sql/servers Microsoft.Cache/redis Microsoft.Web/sites Microsoft.KeyVault/vaults Microsoft.ServiceBus/namespaces Microsoft.EventHub/namespaces Microsoft.DocumentDB/databaseAccounts	'min_tls_version = "1.0"' 'min_tls_version = "1.1"' 'minimum_tls_version = "1.0"' 'minimum_tls_version = "1.1"' 'tls1_0' 'tls1_1'	'min_tls_version = "1.2"' 'minimum_tls_version = "1.2"' 'minimalTlsVersion = "1.2"' 'minimumTlsVersion = "TLS1_2"'

---

HTTPS not enforced — set https_only = true.

Rationale: HTTP transmits data in plaintext, exposing credentials and data to network interception.
Agents: terraform-agent, bicep-agent

Services	Triggers On	Correct Patterns
Microsoft.Web/sites	'https_only = false' 'https_required = false'	'https_only = true' 'httpsOnly = true'

---

SSL enforcement disabled — enable SSL and set minimum TLS 1.2.

Rationale: Disabled SSL allows unencrypted database connections, exposing query data and credentials in transit.
Agents: terraform-agent, bicep-agent

Services	Triggers On	Correct Patterns
Microsoft.DBforMySQL/flexibleServers Microsoft.DBforPostgreSQL/flexibleServers	'ssl_enforcement_enabled = false' 'ssl_minimal_tls_version_enforced = "tldisabled"'	'ssl_enforcement_enabled = true' 'sslEnforcement = "Enabled"' 'ssl_minimal_tls_version_enforced = "TLS1_2"' 'minimalTlsVersion = "TLS1_2"'

---