Azure Function, Consumption plan, Linux, mitigating "FTPS should be required"

1
votes

Per an Azure Support response in an Azure Docs github issue (https://github.com/MicrosoftDocs/azure-docs/issues/75652), Consumption-tier Azure Functions on Linux don't support the General Settings tab

[I]t is by design that "General Setting" tab is not available for Linux Consumption function app.

Additionally, they don't support FTP or FTPS connections at all

When using the Consumption hosting plan, your function code and binding configuration files are stored in Azure File storage in the main storage account, not persistent file server. Actually it is not even possible to FTP to it. You will see /home folder is empty.

Finally, an Azure Advisor "High Impact" Security recommendation states

FTPS should be required in your function app

Given that there's no way to change it in the portal, how can you mitigate the recommendation?

2
linuxazureazure-functions

2 Answers

1
votes

I used a slightly differnet approach and updated the FTPS setting by name and resouce group. Handy if you dont have the app id handy. Although its sounds like a fairly benign finding, I opted to just mitigate it by hand. Here's the call I used.

az functionapp config set --ftps-state FtpsOnly --name <appname>  --resource-group <resource-group>
0
votes

Disabling FTP/FTPS can be done through the Azure CLI:

az functionapp config set --ids "YOUR APP ID HERE" --ftps-state Disabled

Given that FTP/FTPS isn't useful on Azure Functions Consumption plans (per the noted support response), you can also run the following to disable FTP/FTPS on all Azure Functions:

az functionapp list | ConvertFrom-Json | ForEach-Object -Process {az functionapp config set --ids $_.id --ftps-state Disabled}

Alternatively, you can mark the Azure Advisor recommendation as Mitigated through the Azure Portal. This can be done by clicking into the recommendation, checking all the affected resources listed under "Unhealthy resources", then clicking "Exempt".