Verify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
Why this matters
Enforcing SSL connections ensures that data transmitted between client applications and the MySQL database server is encrypted in transit. This protects sensitive information—such as credentials and query data—from interception or tampering by malicious actors. Without SSL enforcement, unencrypted traffic may be vulnerable to "man-in-the-middle" (MitM) attacks, exposing organizations to both operational and compliance risks. Enabling this setting is a foundational control for maintaining secure data flows in cloud environments.
What this check does
This Auto Check verifies whether SSL enforcement is enabled on the MySQL server.
Check Logic:
Passes if:
- The sslEnforcement parameter is set to Enabled
Fails if:
- The parameter is unset, null, or set to Disabled
Applies to:
- Azure Database for MySQL – Single Server
The check queries the SSL enforcement setting via Azure’s management API.
How to fix it
Azure Portal:
- Go to Azure Database for MySQL servers
- Select the server to configure
- Click Connection security
- Under SSL settings, set Enforce SSL connection to Enabled
- Click Save
Azure CLI:
az mysql server update \
--resource-group <resourceGroupName> \
--name <serverName> \
--ssl-enforcement Enabled
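The check logic and the CLI fix above, applied to a whole list of servers, as an added example (not the Auto Check's own code). It assumes the input is the JSON printed by az mysql server list -o json, with name, resourceGroup and sslEnforcement fields; the server names and resource groups in the sample are constructed.

```python
import json
import shlex

# Constructed sample in the shape of `az mysql server list -o json`,
# trimmed to the fields this example reads (assumed field names).
SAMPLE = """[
  {"name": "orders-db", "resourceGroup": "rg-prod", "sslEnforcement": "Enabled"},
  {"name": "legacy-db", "resourceGroup": "rg-prod", "sslEnforcement": "Disabled"},
  {"name": "report-db", "resourceGroup": "rg-test(eu)", "sslEnforcement": null},
  {"name": "scratch-db", "resourceGroup": "rg-dev"}
]"""


def evaluate(server):
    """Return (passed, reason) for one server, following the page's check logic."""
    if "sslEnforcement" not in server:
        return False, "sslEnforcement unset"
    value = server["sslEnforcement"]
    if value == "Enabled":
        return True, "sslEnforcement Enabled"
    # Null, Disabled, or any other value fails the check.
    return False, "sslEnforcement " + ("null" if value is None else str(value))


def fix_command(server):
    """Build the page's Azure CLI remediation for a failing server, shell-quoted."""
    return " ".join([
        "az mysql server update",
        "--resource-group", shlex.quote(server["resourceGroup"]),
        "--name", shlex.quote(server["name"]),
        "--ssl-enforcement Enabled",
    ])


def audit(servers_json):
    """Evaluate every server; failing entries carry the command that fixes them."""
    findings = []
    for server in json.loads(servers_json):
        passed, reason = evaluate(server)
        findings.append({"name": server["name"], "passed": passed, "reason": reason,
                         "fix": None if passed else fix_command(server)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("PASS" if f["passed"] else "FAIL", f["name"], "-", f["reason"], f["fix"] or "")
```

The commands are only printed, not executed, so they can be reviewed before anyone runs them.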
PowerShell:
Not supported via PowerShell per current CIS guidance. Use CLI or Portal.
Exceptions
No standard exceptions are recommended. If SSL enforcement must be disabled for application compatibility, document the business justification and implement compensating controls such as application-level encryption or private networking.
Further resources
https://docs.microsoft.com/en-us/azure/mysql/single-server/concepts-ssl-connection-security
https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-ssl
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit