Verify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server

Framework Reference: A.8.24
Integration: Azure – MySQL Single Server

Why this matters
Enforcing SSL connections ensures that data transmitted between client applications and the MySQL database server is encrypted in transit. This protects sensitive information—such as credentials and query data—from interception or tampering by malicious actors. Without SSL enforcement, unencrypted traffic may be vulnerable to "man-in-the-middle" (MitM) attacks, exposing organizations to both operational and compliance risks. Enabling this setting is a foundational control for maintaining secure data flows in cloud environments.


What this check does
This Auto Check verifies whether SSL enforcement is enabled on the MySQL server.

Check Logic:
Passes if:

  • The sslEnforcement parameter is set to Enabled

Fails if:

  • The parameter is unset, null, or set to Disabled

Applies to:

  • Azure Database for MySQL – Single Server
  • The check queries the SSL enforcement setting via Azure’s management API.
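
The check logic above applied to an exported server inventory, as an added example (not code from this article or from the Auto Check itself). It assumes the JSON shape of `az mysql server list -o json`; the server names are constructed, the function names are hypothetical, and the exact-match comparison on `Enabled` is an assumption chosen so that unexpected values fail closed.

```python
import json
import shlex

# Constructed sample shaped like `az mysql server list -o json`; names are made up.
SAMPLE_INVENTORY = """[
  {"name": "mysql-prod-01", "resourceGroup": "rg-data", "sslEnforcement": "Enabled"},
  {"name": "mysql-legacy", "resourceGroup": "rg-data", "sslEnforcement": "Disabled"},
  {"name": "mysql-null", "resourceGroup": "rg-test", "sslEnforcement": null},
  {"name": "mysql-unset", "resourceGroup": "rg-test"}
]"""


def evaluate_server(server):
    """Apply the check logic to one server record; return (passed, reason)."""
    if "sslEnforcement" not in server:
        return False, "sslEnforcement is unset"
    value = server["sslEnforcement"]
    if value is None:
        return False, "sslEnforcement is null"
    # Assumption: fail closed, so only the exact value 'Enabled' passes.
    if value == "Enabled":
        return True, "sslEnforcement is Enabled"
    return False, f"sslEnforcement is {value}"


def remediation_command(server):
    """Build the article's Azure CLI fix for a failing server (names shell-quoted)."""
    rg, name = shlex.quote(server["resourceGroup"]), shlex.quote(server["name"])
    return f"az mysql server update --resource-group {rg} --name {name} --ssl-enforcement Enabled"


def audit(inventory_json):
    """Return one finding per server, with a fix command for each failure."""
    findings = []
    for server in json.loads(inventory_json):
        passed, reason = evaluate_server(server)
        fix = None if passed else remediation_command(server)
        findings.append({"server": server["name"], "passed": passed,
                         "reason": reason, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print("PASS" if f["passed"] else "FAIL", f["server"], "-", f["reason"])
        if f["fix"]:
            print("    fix:", f["fix"])
```
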

How to fix it

Azure Portal:

  1. Go to Azure Database for MySQL servers
  2. Select the server to configure
  3. Click Connection security
  4. Under SSL settings, set Enforce SSL connection to Enabled
  5. Click Save

Azure CLI:

az mysql server update \
  --resource-group <resourceGroupName> \
  --name <serverName> \
  --ssl-enforcement Enabled

PowerShell:

Not supported via PowerShell per current CIS guidance. Use CLI or Portal.


Exceptions
No standard exceptions are recommended. If SSL enforcement must be disabled for application compatibility, document the business justification and implement compensating controls such as application-level encryption or private networking.

