bmt 0.10.2 → 0.11.0

@@ -0,0 +1,2122 @@
1
+ {
2
+ "metadata": {
3
+ "title": "Microsoft Azure Cloud Configuration Review Methodology",
4
+ "release_date": "2026-05-06T00:00:00+00:00",
5
+ "description": "Methodology based on Microsoft Azure Benchmark v6.0.0",
6
+ "vrt_version": "1.15.1"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "storage_services",
12
+ "title": "Storage Services",
13
+ "description": "Securing data at rest and in transit through soft delete, encryption settings, and network access rules.",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "confirm_soft_delete_for_azure_file_shares_is_enabled_automated",
18
+ "title": "Confirm Soft Delete for Azure File Shares is Enabled (Automated)",
19
+ "description": "Soft delete allows for the recovery of data mistakenly deleted from Azure File shares.",
20
+ "caption": ""
21
+ },
22
+ {
23
+ "key": "confirm_smb_protocol_version_is_set_to_smb_311_or_higher_for_smb_file_shares_automated",
24
+ "title": "Confirm SMB protocol version is Set to SMB 3.1.1 or Higher for SMB file shares (Automated)",
25
+ "description": "Using the latest SMB version prevents the exploitation of known vulnerabilities in older protocols.",
26
+ "caption": ""
27
+ },
28
+ {
29
+ "key": "confirm_smb_channel_encryption_is_set_to_aes256gcm_or_higher_for_smb_file_shares_automated",
30
+ "title": "Confirm SMB channel encryption is Set to AES-256-GCM or Higher for SMB file shares (Automated)",
31
+ "description": "Strong channel encryption protects data confidentiality and integrity during transmission over SMB.",
32
+ "caption": ""
33
+ },
34
+ {
35
+ "key": "confirm_that_soft_delete_for_blobs_on_azure_blob_storage_storage_accounts_is_enabled_automated",
36
+ "title": "Confirm That Soft Delete for Blobs on Azure Blob Storage Storage Accounts is Enabled (Automated)",
37
+ "description": "Protects blob data from accidental or malicious deletion by enabling a recovery retention period.",
38
+ "caption": ""
39
+ },
40
+ {
41
+ "key": "confirm_that_soft_delete_for_containers_on_azure_blob_storage_storage_accounts_is_enabled_automated",
42
+ "title": "Confirm that Soft Delete for Containers on Azure Blob Storage Storage Accounts is Enabled (Automated)",
43
+ "description": "Ensures that even if containers are deleted, they remain recoverable for a specific period.",
44
+ "caption": ""
45
+ },
46
+ {
47
+ "key": "confirm_versioning_is_set_to_enabled_on_azure_blob_storage_storage_accounts_automated",
48
+ "title": "Confirm Versioning is Set to Enabled on Azure Blob Storage Storage Accounts (Automated)",
49
+ "description": "Retains previous versions of blobs to facilitate recovery from accidental modification or deletion.",
50
+ "caption": ""
51
+ },
52
+ {
53
+ "key": "confirm_that_enable_key_rotation_reminders_is_enabled_for_each_storage_account_automated",
54
+ "title": "Confirm That Enable key rotation reminders is Enabled for Each Storage Account (Automated)",
55
+ "description": "Reminders help maintain a healthy cadence for rotating storage account access keys.",
56
+ "caption": ""
57
+ },
58
+ {
59
+ "key": "confirm_that_storage_account_access_keys_are_periodically_regenerated_automated",
60
+ "title": "Confirm That Storage Account Access keys are Periodically Regenerated (Automated)",
61
+ "description": "Rotating access keys guarantees that compromised credentials cannot be exploited over the long term.",
62
+ "caption": ""
63
+ },
64
+ {
65
+ "key": "confirm_allow_storage_account_key_access_for_azure_storage_accounts_is_disabled_automated",
66
+ "title": "Confirm Allow storage account key access for Azure Storage Accounts is Disabled (Automated)",
67
+ "description": "Disallowing shared key access forces clients to use Entra ID for authorization, which is more secure.",
68
+ "caption": ""
69
+ },
70
+ {
71
+ "key": "confirm_private_endpoints_are_used_to_access_storage_accounts_automated",
72
+ "title": "Confirm Private Endpoints are Used to Access Storage Accounts (Automated)",
73
+ "description": "Secures traffic from storage accounts to requesting resources using encrypted Private Link.",
74
+ "caption": ""
75
+ },
76
+ {
77
+ "key": "confirm_that_public_network_access_is_disabled_for_storage_accounts_automated",
78
+ "title": "Confirm that Public Network Access is Disabled for Storage Accounts (Automated)",
79
+ "description": "Disabling public network access guarantees storage accounts are not exposed on the public internet.",
80
+ "caption": ""
81
+ },
82
+ {
83
+ "key": "confirm_default_network_access_rule_for_storage_accounts_is_set_to_deny_automated",
84
+ "title": "Confirm Default Network Access Rule for Storage Accounts is Set to Deny (Automated)",
85
+ "description": "Restricting standard setting access to Deny guarantees that only authorized networks can connect to the storage account.",
86
+ "caption": ""
87
+ },
88
+ {
89
+ "key": "confirm_that_default_to_microsoft_entra_authorization_in_the_azure_portal_is_set_to_enabled_automated",
90
+ "title": "Confirm that Default to Microsoft Entra authorization in the Azure portal is Set to Enabled (Automated)",
91
+ "description": "Authorizes portal requests with Entra ID by standard setting, providing superior security over Shared Key.",
92
+ "caption": ""
93
+ },
94
+ {
95
+ "key": "confirm_that_secure_transfer_required_is_set_to_enabled_automated",
96
+ "title": "Confirm that Secure transfer required is Set to Enabled (Automated)",
97
+ "description": "Forces all connections to use HTTPS or encrypted SMB, protecting data in transit.",
98
+ "caption": ""
99
+ },
100
+ {
101
+ "key": "confirm_allow_trusted_microsoft_services_to_access_this_resource_is_enabled_for_storage_account_access_automated",
102
+ "title": "Confirm Allow trusted Microsoft services to access this resource is Enabled for Storage Account Access (Automated)",
103
+ "description": "Allows critical Azure services like Backup and Monitor to bypass firewall rules using strong authentication.",
104
+ "caption": ""
105
+ },
106
+ {
107
+ "key": "confirm_the_minimum_tls_version_for_storage_accounts_is_set_to_version_12_automated",
108
+ "title": "Confirm the Minimum TLS version for Storage Accounts is Set to Version 1.2 (Automated)",
109
+ "description": "Mitigates risks associated with legacy TLS 1.0/1.1 protocols.",
110
+ "caption": ""
111
+ },
112
+ {
113
+ "key": "confirm_cross_tenant_replication_is_not_enabled_automated",
114
+ "title": "Confirm Cross Tenant Replication is Not Enabled (Automated)",
115
+ "description": "Disabling this feature guarantees data is not replicated across different tenant boundaries without explicit authorization.",
116
+ "caption": ""
117
+ },
118
+ {
119
+ "key": "confirm_that_allow_blob_anonymous_access_is_set_to_disabled_automated",
120
+ "title": "Confirm that Allow Blob Anonymous Access is Set to Disabled (Automated)",
121
+ "description": "Disallows public anonymous access to blobs, preventing data exfiltration via enumeration.",
122
+ "caption": ""
123
+ },
124
+ {
125
+ "key": "confirm_azure_resource_manager_delete_locks_are_applied_to_azure_storage_accounts_manual",
126
+ "title": "Confirm Azure Resource Manager Delete Locks are Applied to Azure Storage Accounts (Manual)",
127
+ "description": "Delete locks prevent accidental or unauthorized removal of the entire storage account resource.",
128
+ "caption": ""
129
+ },
130
+ {
131
+ "key": "confirm_azure_resource_manager_readonly_locks_are_considered_for_azure_storage_accounts_manual",
132
+ "title": "Confirm Azure Resource Manager ReadOnly Locks are Considered for Azure Storage Accounts (Manual)",
133
+ "description": "Provides enhanced protection by preventing modifications and listKeys operations for high-security workloads.",
134
+ "caption": ""
135
+ },
136
+ {
137
+ "key": "confirm_redundancy_is_set_to_georedundant_storage_grs_on_critical_azure_storage_accounts_automated",
138
+ "title": "Confirm Redundancy is Set to geo-redundant storage (GRS) on Critical Azure Storage Accounts (Automated)",
139
+ "description": "Protects critical data from regional failures by maintaining a copy in a separate geographical location.",
140
+ "caption": ""
141
+ },
142
+ {
143
+ "key": "confirm_allowed_protocols_for_shared_access_signature_sas_tokens_is_configured_as_https_only_manual",
144
+ "title": "Confirm Allowed Protocols for shared access signature (SAS) tokens is configured as HTTPS Only (Manual)",
145
+ "description": "Shared access signatures (SAS) can be used to grant limited access to Azure Storage resources. When generating a SAS, it is possible to specify the allowed protocols for a request made with the SAS. It is recommended to allow requests over HTTPS only.",
146
+ "caption": ""
147
+ },
148
+ {
149
+ "key": "confirm_that_shared_access_signature_sas_tokens_expire_within_an_hour_manual",
150
+ "title": "Confirm that shared access signature (SAS) tokens expire within an hour (Manual)",
151
+ "description": "Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. It enables users to interact with the resources without exposing account keys, offering precise control over the permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.",
152
+ "caption": ""
153
+ },
154
+ {
155
+ "key": "confirm_stored_access_policies_sap_are_used_when_generating_shared_access_signature_sas_tokens_manual",
156
+ "title": "Confirm stored access policies (SAP) are used when generating shared access signature (SAS) tokens (Manual)",
157
+ "description": "Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.",
158
+ "caption": ""
159
+ },
160
+ {
161
+ "key": "confirm_critical_data_is_encrypted_with_microsoft_managed_keys_mmk_manual",
162
+ "title": "Confirm Critical Data is Encrypted with Microsoft Managed Keys (MMK) (Manual)",
163
+ "description": "Microsoft Managed Keys (MMK) (also known as Platform-managed keys (PMK)) offers a very low overhead method of encrypting data at rest and implementing encryption key management. Keys maintained in an MMK implementation are automatically managed by Azure and require no customer interaction.",
164
+ "caption": ""
165
+ },
166
+ {
167
+ "key": "confirm_critical_data_is_encrypted_with_customer_managed_keys_cmk_manual",
168
+ "title": "Confirm Critical Data is Encrypted with Customer Managed Keys (CMK) (Manual)",
169
+ "description": "Customer Managed Keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using Customer Managed Keys (CMK) rather than Microsoft Managed keys.",
170
+ "caption": ""
171
+ },
172
+ {
173
+ "key": "confirm_public_network_access_is_disabled_automated",
174
+ "title": "Confirm public network access is Disabled (Automated)",
175
+ "description": "Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints and Azure Role-Based Access Control (RBAC) to securely manage access within trusted networks.",
176
+ "caption": ""
177
+ },
178
+ {
179
+ "key": "confirm_network_access_rules_are_set_to_denybydefault_automated",
180
+ "title": "Confirm Network Access Rules are set to Deny-by-default (Automated)",
181
+ "description": "Restricting standard setting network access offers a foundational level of security to networked resources. To limit access to selected networks, the standard setting must be changed.",
182
+ "caption": ""
183
+ },
184
+ {
185
+ "key": "confirm_private_endpoints_are_used_to_access_service_automated",
186
+ "title": "Confirm Private Endpoints are used to access services (Automated)",
187
+ "description": "Use private endpoints to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.",
188
+ "caption": ""
189
+ },
190
+ {
191
+ "key": "confirm_key_encryption_key_is_configured_as_a_customermanaged_key_for_azure_managed_lustre_file_systems_automated",
192
+ "title": "Confirm Key encryption key is configured as a customer-managed key for Azure Managed Lustre file systems (Automated)",
193
+ "description": "Enable customer-managed encryption keys (CMEK) for Azure Managed Lustre file systems to enhance data security and provide greater control over encryption processes. By using CMEK, organizations can manage their own encryption keys within Azure Key Vault, allowing them to rotate, revoke, or otherwise control access to these keys in accordance with their security policies.",
194
+ "caption": ""
195
+ },
196
+ {
197
+ "key": "confirm_soft_delete_on_backup_vaults_is_enabled_automated",
198
+ "title": "Confirm soft delete on Backup vaults is Enabled (Automated)",
199
+ "description": "Soft delete offers additional protection for Backup vault data. With soft delete enabled, deleted backup data can be recovered within the retention period.",
200
+ "caption": ""
201
+ },
202
+ {
203
+ "key": "confirm_immutability_for_backup_vaults_is_enabled_automated",
204
+ "title": "Confirm immutability for Backup vaults is Enabled (Automated)",
205
+ "description": "Immutable vaults safeguard backup data by preventing any operations that could result in the loss of recovery points. The immutable vault setting can be locked, making it irreversible and preventing malicious actors from disabling it and deleting backups.",
206
+ "caption": ""
207
+ },
208
+ {
209
+ "key": "confirm_backup_data_in_backup_vaults_is_encrypted_using_customermanaged_keys_cmk_automated",
210
+ "title": "Confirm backup data in Backup vaults is encrypted using customer-managed keys (CMK) (Automated)",
211
+ "description": "Backup vaults offer two encryption options: Microsoft-managed keys, which provide automatic encryption without user intervention, and customer-managed keys (CMK), which allow organizations to retain full control over their encryption keys for enhanced security and compliance.",
212
+ "caption": ""
213
+ },
214
+ {
215
+ "key": "confirm_use_infrastructure_encryption_for_this_vault_is_enabled_on_backup_vaults_automated",
216
+ "title": "Confirm Use infrastructure encryption for this vault is enabled on Backup vaults (Automated)",
217
+ "description": "In addition to using customer-managed keys for encryption at rest in the Backup vault, you can enable an additional layer of platform-managed infrastructure encryption. This dual-layer approach enhances the protection of your backup data.",
218
+ "caption": ""
219
+ },
220
+ {
221
+ "key": "confirm_cross_region_restore_is_configured_as_enabled_on_backup_vaults_automated",
222
+ "title": "Confirm Cross Region Restore is configured as Enabled on Backup vaults (Automated)",
223
+ "description": "Cross region restore enables data restoration in a secondary Azure paired region, even when the primary region is fully operational. This allows organizations to conduct drills and validate regional resiliency, thereby ensuring preparedness for potential outages.",
224
+ "caption": ""
225
+ },
226
+ {
227
+ "key": "confirm_cross_subscription_restore_is_configured_as_disabled_or_permanently_disabled_on_backup_vaults_automated",
228
+ "title": "Confirm Cross Subscription Restore is configured as Disabled or Permanently Disabled on Backup vaults (Automated)",
229
+ "description": "Disable cross subscription restore for Backup vaults to ensure that backup data can only be restored within the same subscription as the Backup vault, preventing restoration to targets in other subscriptions.",
230
+ "caption": ""
231
+ },
232
+ {
233
+ "key": "confirm_soft_delete_on_recovery_services_vaults_is_enabled_automated",
234
+ "title": "Confirm soft delete on Recovery Services vaults is Enabled (Automated)",
235
+ "description": "Soft delete offers additional protection for Recovery Services vault data. With soft delete enabled, deleted backup data can be recovered within the retention period.",
236
+ "caption": ""
237
+ },
238
+ {
239
+ "key": "confirm_immutability_for_recovery_services_vaults_is_enabled_automated",
240
+ "title": "Confirm immutability for Recovery Services vaults is Enabled (Automated)",
241
+ "description": "Immutable vaults safeguard backup data by preventing any operations that could result in the loss of recovery points. The immutable vault setting can be locked, making it irreversible and preventing malicious actors from disabling it and deleting backups.",
242
+ "caption": ""
243
+ },
244
+ {
245
+ "key": "confirm_backup_data_in_recovery_services_vaults_is_encrypted_using_customermanaged_keys_cmk_automated",
246
+ "title": "Confirm backup data in Recovery Services vaults is encrypted using customer-managed keys (CMK) (Automated)",
247
+ "description": "Recovery Services vaults offer two encryption options: Microsoft-managed keys, which provide automatic encryption without user intervention, and customer-managed keys (CMK), which allow organizations to retain full control over their encryption keys for enhanced security and compliance.",
248
+ "caption": ""
249
+ },
250
+ {
251
+ "key": "confirm_use_infrastructure_encryption_for_this_vault_is_enabled_on_recovery_services_vaults_automated",
252
+ "title": "Confirm Use infrastructure encryption for this vault is enabled on Recovery Services vaults (Automated)",
253
+ "description": "In addition to using customer-managed keys for encryption at rest in the Recovery Services vault, you can enable an additional layer of platform-managed infrastructure encryption. This dual-layer approach enhances the protection of your backup data.",
254
+ "caption": ""
255
+ },
256
+ {
257
+ "key": "confirm_public_network_access_on_recovery_services_vaults_is_disabled_automated",
258
+ "title": "Confirm public network access on Recovery Services vaults is Disabled (Automated)",
259
+ "description": "Disable public network access on Recovery Services vaults to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints and Azure Role-Based Access Control (RBAC) to securely manage access within trusted networks.",
260
+ "caption": ""
261
+ },
262
+ {
263
+ "key": "confirm_cross_region_restore_is_configured_as_enabled_on_recovery_services_vaults_automated",
264
+ "title": "Confirm Cross Region Restore is configured as Enabled on Recovery Services vaults (Automated)",
265
+ "description": "Cross region restore enables data restoration in a secondary Azure paired region, even when the primary region is fully operational. This allows organizations to conduct drills and validate regional resiliency, thereby ensuring preparedness for potential outages.",
266
+ "caption": ""
267
+ },
268
+ {
269
+ "key": "confirm_cross_subscription_restore_is_configured_as_disabled_or_permanently_disabled_on_recovery_services_vaults_automated",
270
+ "title": "Confirm Cross Subscription Restore is configured as Disabled or Permanently Disabled on Recovery Services vaults (Automated)",
271
+ "description": "Disable cross subscription restore for Recovery Services vaults to ensure that backup data can only be restored within the same subscription as the Recovery Services vault, preventing restoration to targets in other subscriptions.",
272
+ "caption": ""
273
+ },
274
+ {
275
+ "key": "confirm_soft_delete_for_azure_file_shares_is_enabled_automated",
276
+ "title": "Confirm soft delete for Azure File Shares is Enabled (Automated)",
277
+ "description": "Azure Files offers soft delete for file shares, allowing you to easily recover your data when it is mistakenly deleted by an application or another storage account user.",
278
+ "caption": ""
279
+ },
280
+ {
281
+ "key": "confirm_root_squash_for_nfs_file_shares_is_configured_automated",
282
+ "title": "Confirm root squash for NFS file shares is configured (Automated)",
283
+ "description": "Permissions for NFS file shares are enforced by the client OS rather than by the Azure Files service. Root squash is an administrative security feature in NFS that prevents unauthorized root-level access to the NFS server by client machines. This functionality is an important part of protecting user data and system settings from manipulation by untrusted or compromised clients.",
284
+ "caption": ""
285
+ },
286
+ {
287
+ "key": "confirm_smb_protocol_version_is_configured_as_smb_311_or_higher_for_smb_file_shares_automated",
288
+ "title": "Confirm SMB protocol version is configured as SMB 3.1.1 or higher for SMB file shares (Automated)",
289
+ "description": "Ensure that SMB file shares are configured to use the latest supported SMB protocol version. Keeping the SMB protocol updated helps mitigate risks associated with older SMB versions, which may contain vulnerabilities and lack essential security controls.",
290
+ "caption": ""
291
+ },
292
+ {
293
+ "key": "confirm_smb_channel_encryption_is_configured_as_aes256gcm_or_higher_for_smb_file_shares_automated",
294
+ "title": "Confirm SMB channel encryption is configured as AES-256-GCM or higher for SMB file shares (Automated)",
295
+ "description": "Implement SMB channel encryption with AES-256-GCM for SMB file shares to ensure data confidentiality and integrity in transit. This method offers strong protection against eavesdropping and man-in-the-middle attacks, safeguarding sensitive information.",
296
+ "caption": ""
297
+ },
298
+ {
299
+ "key": "confirm_encryption_key_source_is_configured_as_customer_managed_key_for_azure_netapp_files_accounts_automated",
300
+ "title": "Confirm Encryption key source is configured as Customer Managed Key for Azure NetApp Files accounts (Automated)",
301
+ "description": "Customer-managed keys (CMK) for Azure NetApp Files volume encryption enable organizations to use their own keys instead of platform-managed ones, providing full control over encryption.",
302
+ "caption": ""
303
+ },
304
+ {
305
+ "key": "confirm_allowed_protocols_for_shared_access_signature_sas_tokens_is_configured_as_https_only_manual",
306
+ "title": "Confirm Allowed Protocols for shared access signature (SAS) tokens is configured as HTTPS Only (Manual)",
307
+ "description": "Shared access signatures (SAS) can be used to grant limited access to Azure Storage resources. When generating a SAS, it is possible to specify the allowed protocols for a request made with the SAS. It is recommended to allow requests over HTTPS only.",
308
+ "caption": ""
309
+ },
310
+ {
311
+ "key": "confirm_that_shared_access_signature_sas_tokens_expire_within_an_hour_manual",
312
+ "title": "Confirm that shared access signature (SAS) tokens expire within an hour (Manual)",
313
+ "description": "Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. It enables users to interact with the resources without exposing account keys, offering precise control over the permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.",
314
+ "caption": ""
315
+ },
316
+ {
317
+ "key": "confirm_that_soft_delete_for_blobs_on_azure_blob_storage_storage_accounts_is_enabled_automated",
318
+ "title": "Confirm that soft delete for blobs on Azure Blob Storage storage accounts is Enabled (Automated)",
319
+ "description": "Blobs in Azure storage accounts may contain sensitive or personal data, such as ePHI (electronic Protected Health Information) or financial information. Data that is erroneously modified or deleted by an application or a user can lead to data loss or unavailability. It is recommended that soft delete be enabled on Azure storage accounts with blob storage to allow for the preservation and recovery of data when blobs or blob snapshots are deleted.",
320
+ "caption": ""
321
+ },
322
+ {
323
+ "key": "confirm_stored_access_policies_sap_are_used_when_generating_shared_access_signature_sas_tokens_manual",
324
+ "title": "Confirm stored access policies (SAP) are used when generating shared access signature (SAS) tokens (Manual)",
325
+ "description": "Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.",
326
+ "caption": ""
327
+ },
328
+ {
329
+ "key": "confirm_versioning_is_configured_as_enabled_on_azure_blob_storage_storage_accounts_automated",
330
+ "title": "Confirm Versioning is configured as Enabled on Azure Blob Storage storage accounts (Automated)",
331
+ "description": "Enabling blob versioning allows for the automatic retention of previous versions of objects. With blob versioning enabled, earlier versions of a blob are accessible for data recovery in the event of modifications or deletions.",
332
+ "caption": ""
333
+ },
334
+ {
335
+ "key": "confirm_locked_immutability_policies_are_used_for_containers_storing_businesscritical_blob_data_automated",
336
+ "title": "Confirm locked immutability policies are used for containers storing business-critical blob data (Automated)",
337
+ "description": "Require locked immutability policies for all containers that store business-critical blob data. This measure protects the data from modifications or deletions, ensuring that critical information remains intact and unaltered, regardless of user actions or access permissions.",
338
+ "caption": ""
339
+ },
340
+ {
341
+ "key": "confirm_double_encryption_is_used_for_azure_data_box_in_highsecurity_environments_manual",
342
+ "title": "Confirm double encryption is used for Azure Data Box in high-security environments (Manual)",
343
+ "description": "Enabling double encryption on Azure Data Box applies an additional layer of encryption to safeguard data during physical transfer. This approach enhances confidentiality and integrity, ensuring that sensitive information remains secure against unauthorized access if the device is lost, stolen, or intercepted.",
344
+ "caption": ""
345
+ },
346
+ {
347
+ "key": "confirm_public_network_access_is_configured_as_disabled_on_azure_elastic_san_automated",
348
+ "title": "Confirm Public network access is configured as Disabled on Azure Elastic SAN (Automated)",
349
+ "description": "Azure Elastic SAN is a scalable, high-performance cloud-based storage solution. Disabling public network access at the SAN level guarantees that Elastic SAN resources are accessible only through private networks.",
350
+ "caption": ""
351
+ },
352
+ {
353
+ "key": "confirm_customermanaged_keys_cmk_are_used_to_encrypt_data_at_rest_on_azure_elastic_san_volume_groups_automated",
354
+ "title": "Confirm customer-managed keys (CMK) are used to encrypt data at rest on Azure Elastic SAN volume groups (Automated)",
355
+ "description": "Azure Elastic SAN volume groups offer two encryption options: Microsoft-managed keys, which provide automatic encryption without user intervention, and customer managed keys (CMK), which allow organizations to retain full control over their encryption keys for enhanced security and compliance.",
356
+ "caption": ""
357
+ },
358
+ {
359
+ "key": "confirm_allowed_protocols_for_shared_access_signature_sas_tokens_is_configured_as_https_only_manual",
360
+ "title": "Confirm Allowed Protocols for shared access signature (SAS) tokens is configured as HTTPS Only (Manual)",
361
+ "description": "Shared access signatures (SAS) can be used to grant limited access to Azure Storage resources. When generating a SAS, it is possible to specify the allowed protocols for a request made with the SAS. It is recommended to allow requests over HTTPS only.",
362
+ "caption": ""
363
+ },
364
+ {
365
+ "key": "confirm_that_shared_access_signature_sas_tokens_expire_within_an_hour_manual",
366
+ "title": "Confirm that shared access signature (SAS) tokens expire within an hour (Manual)",
367
+ "description": "Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. It enables users to interact with the resources without exposing account keys, offering precise control over the permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.",
368
+ "caption": ""
369
+ },
370
+ {
371
+ "key": "confirm_stored_access_policies_sap_are_used_when_generating_shared_access_signature_sas_tokens_manual",
372
+ "title": "Confirm stored access policies (SAP) are used when generating shared access signature (SAS) tokens (Manual)",
373
+ "description": "Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.",
374
+ "caption": ""
375
+ },
376
+ {
377
+ "key": "confirm_that_enable_key_rotation_reminders_is_enabled_for_each_storage_account_manual",
378
+ "title": "Confirm that Enable key rotation reminders is enabled for each Storage Account (Manual)",
379
+ "description": "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The \"Rotation Reminder\" is an automatic reminder feature for a manual procedure.",
380
+ "caption": ""
381
+ },
382
+ {
383
+ "key": "confirm_allowed_protocols_for_shared_access_signature_sas_tokens_is_configured_as_https_only_manual",
384
+ "title": "Confirm Allowed Protocols for shared access signature (SAS) tokens is configured as HTTPS Only (Manual)",
385
+ "description": "Shared access signatures (SAS) can be used to grant limited access to Azure Storage resources. When generating a SAS, it is possible to specify the allowed protocols for a request made with the SAS. It is recommended to allow requests over HTTPS only.",
386
+ "caption": ""
387
+ },
388
+ {
389
+ "key": "confirm_that_storage_account_access_keys_are_periodically_regenerated_manual",
390
+ "title": "Confirm that Storage Account Access Keys are Periodically Regenerated (Manual)",
391
+ "description": "For increased security, regenerate storage account access keys periodically. Rotating these keys periodically guarantees that any inadvertent access or exposure does not result from the compromise of these keys.",
392
+ "caption": ""
393
+ },
394
+ {
395
+ "key": "confirm_that_shared_access_signature_sas_tokens_expire_within_an_hour_manual",
396
+ "title": "Confirm that shared access signature (SAS) tokens expire within an hour (Manual)",
397
+ "description": "Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. It enables users to interact with the resources without exposing account keys, offering precise control over the permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.",
398
+ "caption": ""
399
+ },
400
+ {
401
+ "key": "confirm_allow_storage_account_key_access_for_azure_storage_accounts_is_disabled_automated",
402
+ "title": "Confirm Allow storage account key access for Azure Storage Accounts is Disabled (Automated)",
403
+ "description": "Every secure request to an Azure Storage account must be authorized. By standard setting, requests can be authorized with either Microsoft Entra credentials or by using the account access key for Shared Key authorization. Microsoft Entra ID offers superior security and ease of use compared to Shared Key and is recommended by Microsoft.",
404
+ "caption": ""
405
+ },
406
+ {
407
+ "key": "confirm_storage_for_critical_data_are_encrypted_with_customer_managed_keys_cmk_manual",
408
+ "title": "Confirm Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) (Manual)",
409
+ "description": "Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys.",
410
+ "caption": ""
411
+ },
412
+ {
413
+ "key": "confirm_private_endpoints_are_used_to_access_storage_accounts_automated",
414
+ "title": "Confirm Private Endpoints are used to access Storage Accounts (Automated)",
415
+ "description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.",
416
+ "caption": ""
417
+ },
418
+ {
419
+ "key": "confirm_that_public_network_access_is_disabled_for_storage_accounts_automated",
420
+ "title": "Confirm that Public Network Access is Disabled for storage accounts (Automated)",
421
+ "description": "Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. It is recommended not to provide public network access to storage accounts until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers.",
422
+ "caption": ""
423
+ },
424
+ {
425
+ "key": "confirm_default_network_access_rule_for_storage_accounts_is_set_to_deny_automated",
426
+ "title": "Confirm Default Network Access Rule for Storage Accounts is Set to Deny (Automated)",
427
+ "description": "Restricting standard setting network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the standard setting action must be changed. Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built.",
428
+ "caption": ""
429
+ },
430
+ {
431
+ "key": "confirm_that_secure_transfer_required_is_configured_as_enabled_automated",
432
+ "title": "Confirm that Secure transfer required is configured as Enabled (Automated)",
433
+ "description": "Enable data encryption in transit. The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled.",
434
+ "caption": ""
435
+ },
436
+ {
437
+ "key": "confirm_that_enable_infrastructure_encryption_for_each_storage_account_in_azure_storage_is_set_to_enabled_automated",
438
+ "title": "Confirm that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled (Automated)",
439
+ "description": "Enabling encryption at the hardware level on top of the standard setting software encryption for Storage Accounts accessing Azure storage solutions. Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised.",
440
+ "caption": ""
441
+ },
442
+ {
443
+ "key": "confirm_allow_azure_services_on_the_trusted_services_list_to_access_this_storage_account_is_enabled_for_storage_account_access_automated",
444
+ "title": "Confirm Allow Azure services on the trusted services list to access this storage account is Enabled for Storage Account Access (Automated)",
445
+ "description": "Some Azure services that interact with storage accounts operate from networks that cant be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.",
446
+ "caption": ""
447
+ },
448
+ {
449
+ "key": "confirm_soft_delete_is_enabled_for_azure_containers_and_blob_storage_automated",
450
+ "title": "Confirm Soft Delete is Enabled for Azure Containers and Blob Storage (Automated)",
451
+ "description": "Azure Storage blobs can contain data which can be secret or personal (e.g. ePHI (electronic Protected Health Information) or Financial records). Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration.",
452
+ "caption": ""
453
+ },
454
+ {
455
+ "key": "confirm_storage_logging_is_enabled_for_queue_service_for_read_write_and_delete_requests_automated",
456
+ "title": "Confirm Storage Logging is Enabled for Queue Service for Read, Write, and Delete requests (Automated)",
457
+ "description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues.",
458
+ "caption": ""
459
+ },
460
+ {
461
+ "key": "confirm_storage_logging_is_enabled_for_blob_service_for_read_write_and_delete_requests_automated",
462
+ "title": "Confirm Storage logging is Enabled for Blob Service for Read, Write, and Delete requests (Automated)",
463
+ "description": "The Storage Blob service offers scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs.",
464
+ "caption": ""
465
+ },
466
+ {
467
+ "key": "confirm_storage_logging_is_enabled_for_table_service_for_read_write_and_delete_requests_automated",
468
+ "title": "Confirm Storage Logging is Enabled for Table Service for Read, Write, and Delete Requests (Automated)",
469
+ "description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables.",
470
+ "caption": ""
471
+ },
472
+ {
473
+ "key": "confirm_the_minimum_tls_version_for_storage_accounts_is_configured_as_version_12_automated",
474
+ "title": "Confirm the Minimum TLS version for storage accounts is configured as Version 1.2 (Automated)",
475
+ "description": "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by standard setting. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.",
476
+ "caption": ""
477
+ },
478
+ {
479
+ "key": "confirm_cross_tenant_replication_is_not_enabled_automated",
480
+ "title": "Confirm Cross Tenant Replication is not enabled (Automated)",
481
+ "description": "Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication guarantees that data is not inadvertently replicated across different tenant boundaries without explicit authorization.",
482
+ "caption": ""
483
+ },
484
+ {
485
+ "key": "confirm_that_allow_blob_anonymous_access_is_configured_as_disabled_automated",
486
+ "title": "Confirm that Allow Blob Anonymous Access is configured as Disabled (Automated)",
487
+ "description": "The Azure Storage setting Allow Blob Anonymous Access (aka allowBlobPublicAccess) controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.",
488
+ "caption": ""
489
+ },
490
+ {
491
+ "key": "confirm_azure_resource_manager_delete_locks_are_applied_to_azure_storage_accounts_manual",
492
+ "title": "Confirm Azure Resource Manager Delete locks are applied to Azure Storage Accounts (Manual)",
493
+ "description": "Azure Resource Manager CannotDelete (Delete) locks can prevent users from accidentally or maliciously deleting a storage account. This feature guarantees that while the Storage account can still be modified or used, deletion of the Storage account resource requires removal of the lock by a user with appropriate permissions. This feature is a protective control for the availability of data.",
494
+ "caption": ""
495
+ },
496
+ {
497
+ "key": "confirm_azure_resource_manager_readonly_locks_are_considered_for_azure_storage_accounts_manual",
498
+ "title": "Confirm Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts (Manual)",
499
+ "description": "Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It offers more protection than a CannotDelete-type of resource manager lock.",
500
+ "caption": ""
501
+ },
502
+ {
503
+ "key": "confirm_redundancy_is_configured_as_georedundant_storage_grs_on_critical_azure_storage_accounts_automated",
504
+ "title": "Confirm Redundancy is configured as geo-redundant storage (GRS) on critical Azure Storage Accounts (Automated)",
505
+ "description": "Geo-redundant storage (GRS) in Azure replicates data three times within the primary region using locally redundant storage (LRS) and asynchronously copies it to a secondary region hundreds of miles away. This setup aims to provide a high level availability and resilience.",
506
+ "caption": ""
507
+ },
508
+ {
509
+ "key": "confirm_that_shared_access_signature_sas_tokens_expire_within_an_hour_manual",
510
+ "title": "Confirm that shared access signature (SAS) tokens expire within an hour (Manual)",
511
+ "description": "Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. It enables users to interact with the resources without exposing account keys, offering precise control over the permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.",
512
+ "caption": ""
513
+ },
514
+ {
515
+ "key": "confirm_stored_access_policies_sap_are_used_when_generating_shared_access_signature_sas_tokens_manual",
516
+ "title": "Confirm stored access policies (SAP) are used when generating shared access signature (SAS) tokens (Manual)",
517
+ "description": "Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.",
518
+ "caption": ""
519
+ },
520
+ {
521
+ "key": "confirm_storage_explorer_is_using_the_latest_version_manual",
522
+ "title": "Confirm Storage Explorer is using the latest version (Manual)",
523
+ "description": "Ensure all users accessing Azure Storage resources with Storage Explorer are using the latest version of the software, applying updates promptly to safeguard against new vulnerabilities and benefit from the latest security enhancements.",
524
+ "caption": ""
525
+ }
526
+ ]
527
+ },
528
+ {
529
+ "key": "security_services",
530
+ "title": "Security Services",
531
+ "description": "Covers Microsoft Defender for Cloud plans (Servers, Storage, APIs, etc.) and Key Vault security configurations.",
532
+ "type": "checklist",
533
+ "items": [
534
+ {
535
+ "key": "confirm_microsoft_defender_cspm_is_set_to_on_automated",
536
+ "title": "Confirm Microsoft Defender CSPM is Set to On (Automated)",
537
+ "description": "Enabling CSPM offers continuous assessment of cloud resources for misconfigurations and compliance risks.",
538
+ "caption": ""
539
+ },
540
+ {
541
+ "key": "confirm_microsoft_defender_for_apis_is_set_to_on_automated",
542
+ "title": "Confirm Microsoft Defender for APIs is Set to On (Automated)",
543
+ "description": "Provides full lifecycle protection and threat detection for APIs published in Azure API Management.",
544
+ "caption": ""
545
+ },
546
+ {
547
+ "key": "confirm_that_defender_for_servers_is_set_to_on_automated",
548
+ "title": "Confirm that Defender for Servers is Set to On (Automated)",
549
+ "description": "Reduces security risk by providing actionable recommendations and real-time threat detection for VMs.",
550
+ "caption": ""
551
+ },
552
+ {
553
+ "key": "confirm_that_vulnerability_assessment_for_machines_component_status_is_configured_as_on_manual",
554
+ "title": "Confirm that Vulnerability assessment for machines Component Status is configured as On (Manual)",
555
+ "description": "Enabling vulnerability assessment guarantees machines are scanned for OS vulnerabilities and missing security updates.",
556
+ "caption": ""
557
+ },
558
+ {
559
+ "key": "confirm_that_endpoint_protection_component_status_is_configured_as_on_automated",
560
+ "title": "Confirm that Endpoint protection Component Status is configured as On (Automated)",
561
+ "description": "Integrates Microsoft Defender for Endpoint with Defender for Cloud for advanced detection and response capabilities.",
562
+ "caption": ""
563
+ },
564
+ {
565
+ "key": "confirm_that_agentless_scanning_for_machines_component_status_is_set_to_on_manual",
566
+ "title": "Confirm that Agentless scanning for machines Component Status is Set to On (Manual)",
567
+ "description": "Uses disk snapshots to scan for installed software and vulnerabilities without requiring a local agent.",
568
+ "caption": ""
569
+ },
570
+ {
571
+ "key": "confirm_that_file_integrity_monitoring_component_status_is_set_to_on_manual",
572
+ "title": "Confirm that File Integrity Monitoring Component Status is Set to On (Manual)",
573
+ "description": "Monitors critical system files for unauthorized changes that might indicate a compromise.",
574
+ "caption": ""
575
+ },
576
+ {
577
+ "key": "confirm_that_microsoft_defender_for_containers_is_set_to_on_automated",
578
+ "title": "Confirm That Microsoft Defender for Containers Is Set To On (Automated)",
579
+ "description": "Provides advanced threat detection and security monitoring for containerized assets like Kubernetes clusters.",
580
+ "caption": ""
581
+ },
582
+ {
583
+ "key": "confirm_that_microsoft_defender_for_storage_is_set_to_on_automated",
584
+ "title": "Confirm That Microsoft Defender for Storage Is Set To On (Automated)",
585
+ "description": "Enables threat intelligence and behavior analytics to detect anomalous access to storage accounts.",
586
+ "caption": ""
587
+ },
588
+ {
589
+ "key": "confirm_advanced_threat_protection_alerts_for_storage_accounts_are_monitored_manual",
590
+ "title": "Confirm Advanced Threat Protection Alerts for Storage Accounts Are Monitored (Manual)",
591
+ "description": "Ensures that alerts generated by Defender for Storage are integrated with monitoring tools and actioned by security teams.",
592
+ "caption": ""
593
+ },
594
+ {
595
+ "key": "confirm_that_microsoft_defender_for_app_services_is_set_to_on_automated",
596
+ "title": "Confirm That Microsoft Defender for App Services Is Set To On (Automated)",
597
+ "description": "Provides threat intelligence and behavior analytics for Azure App Service resources.",
598
+ "caption": ""
599
+ },
600
+ {
601
+ "key": "confirm_that_microsoft_defender_for_azure_cosmos_db_is_set_to_on_automated",
602
+ "title": "Confirm That Microsoft Defender for Azure Cosmos DB Is Set To On (Automated)",
603
+ "description": "Scans incoming network requests for threats targeting Azure Cosmos DB resources.",
604
+ "caption": ""
605
+ },
606
+ {
607
+ "key": "confirm_that_microsoft_defender_for_opensource_relational_databases_is_set_to_on_automated",
608
+ "title": "Confirm That Microsoft Defender for Open-Source Relational Databases Is Set To On (Automated)",
609
+ "description": "Provides threat detection for open-source relational databases like MySQL and PostgreSQL.",
610
+ "caption": ""
611
+ },
612
+ {
613
+ "key": "confirm_that_microsoft_defender_for_managed_instance_azure_sql_databases_is_set_to_on_automated",
614
+ "title": "Confirm That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To On (Automated)",
615
+ "description": "Enables threat detection and vulnerability discovery for Managed Instance Azure SQL databases.",
616
+ "caption": ""
617
+ },
618
+ {
619
+ "key": "confirm_that_microsoft_defender_for_sql_servers_on_machines_is_set_to_on_automated",
620
+ "title": "Confirm That Microsoft Defender for SQL Servers on Machines Is Set To On (Automated)",
621
+ "description": "Provides specialized protection for SQL server instances running inside virtual machines.",
622
+ "caption": ""
623
+ },
624
+ {
625
+ "key": "confirm_that_microsoft_defender_for_key_vault_is_set_to_on_automated",
626
+ "title": "Confirm That Microsoft Defender for Key Vault Is Set To On (Automated)",
627
+ "description": "Provides an additional layer of security intelligence for Key Vault by detecting suspicious and potentially harmful attempts to access or exploit vaults.",
628
+ "caption": ""
629
+ },
630
+ {
631
+ "key": "confirm_that_microsoft_defender_for_resource_manager_is_set_to_on_automated",
632
+ "title": "Confirm That Microsoft Defender for Resource Manager Is Set To On (Automated)",
633
+ "description": "Scans administrative requests for infrastructure changes to alert on suspicious activity.",
634
+ "caption": ""
635
+ },
636
+ {
637
+ "key": "confirm_that_microsoft_defender_for_cloud_is_configured_to_check_vm_operating_systems_for_updates_automated",
638
+ "title": "Confirm that Microsoft Defender for Cloud is Configured to Check VM Operating Systems for Updates (Automated)",
639
+ "description": "Ensures that virtual machines are periodically checked for missing system and security updates.",
640
+ "caption": ""
641
+ },
642
+ {
643
+ "key": "confirm_that_nondeprecated_microsoft_cloud_security_benchmark_policies_are_not_set_to_disabled_manual",
644
+ "title": "Confirm that non-deprecated Microsoft Cloud Security Benchmark policies are not set to Disabled (Manual)",
645
+ "description": "Disabling these policies creates gaps in visibility. Non-deprecated policies should remain enabled unless an exception is documented.",
646
+ "caption": ""
647
+ },
648
+ {
649
+ "key": "confirm_that_all_users_with_the_following_roles_is_set_to_owner_automated",
650
+ "title": "Confirm That All users with the following roles is Set to Owner (Automated)",
651
+ "description": "Ensures that subscription owners receive security alert emails from Microsoft for timely mitigation.",
652
+ "caption": ""
653
+ },
654
+ {
655
+ "key": "confirm_additional_email_addresses_is_configured_with_a_security_contact_email_automated",
656
+ "title": "Confirm Additional email addresses is Configured with a Security Contact Email (Automated)",
657
+ "description": "Adding a security contact guarantees your organizations security team is notified of compromise attempts.",
658
+ "caption": ""
659
+ },
660
+ {
661
+ "key": "confirm_that_notify_about_alerts_with_the_following_severity_or_higher_is_enabled_automated",
662
+ "title": "Confirm that Notify about alerts with the following severity (or higher) is Enabled (Automated)",
663
+ "description": "Configures email notifications for specific alert severity levels to ensure critical issues are not missed.",
664
+ "caption": ""
665
+ },
666
+ {
667
+ "key": "confirm_that_notify_about_attack_paths_with_the_following_risk_level_or_higher_is_enabled_automated",
668
+ "title": "Confirm that Notify about attack paths with the following risk level (or higher) is Enabled (Automated)",
669
+ "description": "Enables email notifications for identified attack paths to help security teams prioritize risks.",
670
+ "caption": ""
671
+ },
672
+ {
673
+ "key": "confirm_that_microsoft_defender_external_attack_surface_monitoring_easm_is_enabled_manual",
674
+ "title": "Confirm that Microsoft Defender External Attack Surface Monitoring (EASM) is Enabled (Manual)",
675
+ "description": "EASM crawls the internet to identify and monitor your organizations publicly exposed assets.",
676
+ "caption": ""
677
+ },
678
+ {
679
+ "key": "confirm_that_microsoft_defender_for_iot_hub_is_set_to_on_manual",
680
+ "title": "Confirm That Microsoft Defender for IoT Hub Is Set To On (Manual)",
681
+ "description": "Provides specialized threat prevention and detection for IoT devices connected to an IoT Hub.",
682
+ "caption": ""
683
+ },
684
+ {
685
+ "key": "confirm_that_the_expiration_date_is_set_for_all_keys_in_key_vaults_using_rbac_automated",
686
+ "title": "Confirm that the Expiration Date is Set for all Keys in Key Vaults using RBAC (Automated)",
687
+ "description": "Setting expiration dates for cryptographic keys guarantees they cannot be used beyond their assigned lifetimes.",
688
+ "caption": ""
689
+ },
690
+ {
691
+ "key": "confirm_that_the_expiration_date_is_set_for_all_keys_in_key_vaults_using_access_policies_legacy_automated",
692
+ "title": "Confirm that the Expiration Date is set for All Keys in Key Vaults using access policies (legacy) (Automated)",
693
+ "description": "Ensures expiration dates are applied even when using the legacy access policy model.",
694
+ "caption": ""
695
+ },
696
+ {
697
+ "key": "confirm_that_the_expiration_date_is_set_for_all_secrets_in_key_vaults_using_rbac_automated",
698
+ "title": "Confirm that the Expiration Date is set for All Secrets in Key Vaults using RBAC (Automated)",
699
+ "description": "Ensures secrets are rotated periodically by mandating an explicit expiration date.",
700
+ "caption": ""
701
+ },
702
+ {
703
+ "key": "confirm_that_the_expiration_date_is_set_for_all_secrets_in_key_vaults_using_access_policies_legacy_automated",
704
+ "title": "Confirm that the Expiration Date is set for All Secrets in Key Vaults using access policies (legacy) (Automated)",
705
+ "description": "Mandates expiration dates for secrets in key vaults using legacy access policies.",
706
+ "caption": ""
707
+ },
708
+ {
709
+ "key": "confirm_purge_protection_is_set_to_enabled_automated",
710
+ "title": "Confirm Purge protection is Set to Enabled (Automated)",
711
+ "description": "Purge protection prevents accidental or malicious permanent deletion of key vaults and their objects.",
712
+ "caption": ""
713
+ },
714
+ {
715
+ "key": "confirm_that_role_based_access_control_for_azure_key_vault_is_enabled_automated",
716
+ "title": "Confirm that Role Based Access Control for Azure Key Vault is Enabled (Automated)",
717
+ "description": "Azure RBAC offers a finer-grained and more centralized permissions model for key vault objects compared to vault policies.",
718
+ "caption": ""
719
+ },
720
+ {
721
+ "key": "confirm_public_network_access_is_disabled_automated",
722
+ "title": "Confirm Public Network Access is Disabled (Automated)",
723
+ "description": "Disabling public network access removes the vaults public endpoint from public DNS, reducing exposure.",
724
+ "caption": ""
725
+ },
726
+ {
727
+ "key": "confirm_private_endpoints_are_used_to_access_azure_key_vault_automated",
728
+ "title": "Confirm Private Endpoints are Used to Access Azure Key Vault (Automated)",
729
+ "description": "Using private endpoints guarantees traffic to Key Vault traverses encrypted over a private virtual network.",
730
+ "caption": ""
731
+ },
732
+ {
733
+ "key": "confirm_automatic_key_rotation_is_enabled_within_azure_key_vault_automated",
734
+ "title": "Confirm Automatic Key Rotation is Enabled within Azure Key Vault (Automated)",
735
+ "description": "Automated rotation guarantees keys are updated frequently without manual intervention, reducing risk of compromise.",
736
+ "caption": ""
737
+ },
738
+ {
739
+ "key": "confirm_that_azure_key_vault_managed_hsm_is_used_when_required_manual",
740
+ "title": "Confirm that Azure Key Vault Managed HSM is Used when Required (Manual)",
741
+ "description": "Managed HSM offers single-tenant, hardware-protected storage for keys to meet high-security and compliance needs.",
742
+ "caption": ""
743
+ },
744
+ {
745
+ "key": "confirm_certificate_validity_period_in_months_is_less_than_or_equal_to_12_automated",
746
+ "title": "Confirm Certificate Validity Period (in months) is Less Than or Equal to 12 (Automated)",
747
+ "description": "Restricting certificate validity to 12 months improves security by ensuring timely renewal.",
748
+ "caption": ""
749
+ },
750
+ {
751
+ "key": "confirm_an_azure_bastion_host_exists_automated",
752
+ "title": "Confirm an Azure Bastion Host Exists (Automated)",
753
+ "description": "Azure Bastion offers secure remote access to VMs over TLS/443 without needing public IPs for those VMs.",
754
+ "caption": ""
755
+ },
756
+ {
757
+ "key": "confirm_azure_ddos_network_protection_is_enabled_on_virtual_networks_automated",
758
+ "title": "Confirm Azure DDoS Network Protection is Enabled on Virtual Networks (Automated)",
759
+ "description": "Protects virtual networks and resources from distributed denial-of-service attacks.",
760
+ "caption": ""
761
+ }
762
+ ]
763
+ },
764
+ {
765
+ "key": "networking_services",
766
+ "title": "Networking Services",
767
+ "description": "Detailed policies for restricting management port access (RDP/SSH), enabling WAF, and using private endpoints.",
768
+ "type": "checklist",
769
+ "items": [
770
+ {
771
+ "key": "confirm_that_rdp_access_from_the_internet_is_evaluated_and_restricted_automated",
772
+ "title": "Confirm that RDP Access from the Internet is Evaluated and Restricted (Automated)",
773
+ "description": "Restricting RDP access eliminates a major vector for brute-force attacks against Azure Virtual Machines.",
774
+ "caption": ""
775
+ },
776
+ {
777
+ "key": "confirm_that_ssh_access_from_the_internet_is_evaluated_and_restricted_automated",
778
+ "title": "Confirm that SSH Access from the Internet is Evaluated and Restricted (Automated)",
779
+ "description": "Similar to RDP, internet-level SSH access should be restricted to prevent unauthorized attempts to gain terminal access to VMs.",
780
+ "caption": ""
781
+ },
782
+ {
783
+ "key": "confirm_that_udp_port_access_from_the_internet_is_evaluated_and_restricted_automated",
784
+ "title": "Confirm that UDP Port Access from the Internet is Evaluated and Restricted (Automated)",
785
+ "description": "Exposing UDP services can lead to DDoS amplification attacks. Access should be restricted to validated business needs.",
786
+ "caption": ""
787
+ },
788
+ {
789
+ "key": "confirm_that_https_access_from_the_internet_is_evaluated_and_restricted_automated",
790
+ "title": "Confirm that HTTP(S) Access from the Internet is Evaluated and Restricted (Automated)",
791
+ "description": "Public access to web ports should be evaluated to ensure resources are not unnecessarily exposed to the internet.",
792
+ "caption": ""
793
+ },
794
+ {
795
+ "key": "confirm_that_network_security_group_flow_log_retention_days_is_set_to_greater_than_or_equal_to_90_automated",
796
+ "title": "Confirm that Network Security Group Flow Log Retention Days is Set to Greater than or equal to 90 (Automated)",
797
+ "description": "Retaining flow logs for at least 90 days offers an audit trail for forensic investigations after a suspected breach.",
798
+ "caption": ""
799
+ },
800
+ {
801
+ "key": "confirm_that_network_watcher_is_enabled_for_azure_regions_that_are_in_use_automated",
802
+ "title": "Confirm that Network Watcher is Enabled for Azure Regions That are in Use (Automated)",
803
+ "description": "Network Watcher offers diagnostic and visualization tools to help understand and gain insights into your Azure network.",
804
+ "caption": ""
805
+ },
806
+ {
807
+ "key": "confirm_that_public_ip_addresses_are_evaluated_on_a_periodic_basis_manual",
808
+ "title": "Confirm that Public IP Addresses are Evaluated on a Periodic Basis (Manual)",
809
+ "description": "Public IP addresses should be reviewed for necessity as they present a publicly facing vector for threat actors.",
810
+ "caption": ""
811
+ },
812
+ {
813
+ "key": "confirm_that_virtual_network_flow_log_retention_days_is_set_to_greater_than_or_equal_to_90_automated",
814
+ "title": "Confirm that Virtual Network Flow Log Retention Days is Set to Greater than or Equal to 90 (Automated)",
815
+ "description": "Ensures that traffic patterns recorded in virtual network flow logs are available for long-term auditing and analysis.",
816
+ "caption": ""
817
+ },
818
+ {
819
+ "key": "confirm_authentication_type_is_set_to_azure_active_directory_only_for_azure_vpn_gateway_pointtosite_configuration_automated",
820
+ "title": "Confirm Authentication type is Set to Azure Active Directory only for Azure VPN Gateway Point-to-Site Configuration (Automated)",
821
+ "description": "Using Entra ID authentication for VPN connections offers strong security and centralized identity management.",
822
+ "caption": ""
823
+ },
824
+ {
825
+ "key": "confirm_azure_web_application_firewall_waf_is_enabled_on_azure_application_gateway_automated",
826
+ "title": "Confirm Azure Web Application Firewall (WAF) is Enabled on Azure Application Gateway (Automated)",
827
+ "description": "WAF helps protect applications from common exploits by inspecting and filtering incoming traffic.",
828
+ "caption": ""
829
+ },
830
+ {
831
+ "key": "confirm_subnets_are_associated_with_network_security_groups_automated",
832
+ "title": "Confirm Subnets Are Associated with Network Security Groups (Automated)",
833
+ "description": "Subnets should be protected by NSGs to filter traffic and prevent unauthorized access to subnet resources.",
834
+ "caption": ""
835
+ },
836
+ {
837
+ "key": "confirm_the_ssl_policys_min_protocol_version_is_set_to_tlsv12_or_higher_on_azure_application_gateway_automated",
838
+ "title": "Confirm the SSL Policys Min protocol version is Set to TLSv1.2 or Higher on Azure Application Gateway (Automated)",
839
+ "description": "Restricting TLS to version 1.2 or higher mitigates risks from legacy protocols with known vulnerabilities.",
840
+ "caption": ""
841
+ },
842
+ {
843
+ "key": "confirm_http2_is_set_to_enabled_on_azure_application_gateway_automated",
844
+ "title": "Confirm HTTP2 is Set to Enabled on Azure Application Gateway (Automated)",
845
+ "description": "Enabling HTTP/2 supports modern encrypted connections and improves performance and security.",
846
+ "caption": ""
847
+ },
848
+ {
849
+ "key": "confirm_request_body_inspection_is_enabled_in_azure_web_application_firewall_policy_on_azure_application_gateway_automated",
850
+ "title": "Confirm Request Body Inspection is Enabled in Azure Web Application Firewall policy on Azure Application Gateway (Automated)",
851
+ "description": "Enabling request body inspection allows the WAF to detect threats inside the content of HTTP requests like SQL injection.",
852
+ "caption": ""
853
+ },
854
+ {
855
+ "key": "confirm_bot_protection_is_enabled_in_azure_web_application_firewall_policy_on_azure_application_gateway_automated",
856
+ "title": "Confirm Bot Protection is Enabled in Azure Web Application Firewall Policy on Azure Application Gateway (Automated)",
857
+ "description": "Bot protection blocks requests from known malicious IP addresses identified by Microsoft Threat Intelligence.",
858
+ "caption": ""
859
+ },
860
+ {
861
+ "key": "confirm_azure_network_security_perimeter_is_used_to_secure_azure_platformasaservice_resources_manual",
862
+ "title": "Confirm Azure Network Security Perimeter is Used to Secure Azure Platform-as-a-service Resources (Manual)",
863
+ "description": "Network Security Perimeter creates a logical boundary around PaaS resources to deny public access by standard setting.",
864
+ "caption": ""
865
+ }
866
+ ]
867
+ },
868
+ {
869
+ "key": "management_and_governance_services",
870
+ "title": "Management and Governance Services",
871
+ "description": "Encompasses logging, monitoring, diagnostic settings, and resource integrity controls.",
872
+ "type": "checklist",
873
+ "items": [
874
+ {
875
+ "key": "confirm_that_a_diagnostic_setting_exists_for_subscription_activity_logs_automated",
876
+ "title": "Confirm that a Diagnostic Setting Exists for Subscription Activity Logs (Automated)",
877
+ "description": "Enable Diagnostic settings for exporting activity logs to ensure logs are retained for longer duration to analyze security activities.",
878
+ "caption": ""
879
+ },
880
+ {
881
+ "key": "confirm_diagnostic_setting_captures_appropriate_categories_automated",
882
+ "title": "Confirm Diagnostic Setting Captures Appropriate Categories (Automated)",
883
+ "description": "The diagnostic setting should be configured to log appropriate activities from the control plane, including Administrative, Alert, Policy, and Security categories.",
884
+ "caption": ""
885
+ },
886
+ {
887
+ "key": "confirm_the_storage_account_containing_the_container_with_activity_logs_is_encrypted_with_customermanaged_key_cmk_manual",
888
+ "title": "Confirm the Storage Account Containing the Container with Activity Logs is Encrypted with Customer-managed Key (CMK) (Manual)",
889
+ "description": "Configuring the storage account with activity logs to use CMKs offers additional confidentiality controls on log data.",
890
+ "caption": ""
891
+ },
892
+ {
893
+ "key": "confirm_that_logging_for_azure_key_vault_is_enabled_automated",
894
+ "title": "Confirm that Logging for Azure Key Vault is Enabled (Automated)",
895
+ "description": "Enable AuditEvent logging for key vault instances to ensure interactions with confidential information, keys, and certificates are logged.",
896
+ "caption": ""
897
+ },
898
+ {
899
+ "key": "confirm_that_network_security_group_flow_logs_are_captured_and_sent_to_log_analytics_manual",
900
+ "title": "Confirm that Network Security Group Flow Logs are Captured and Sent to Log Analytics (Manual)",
901
+ "description": "Network Flow Logs provide valuable insight into traffic flow and help analyze lateral movement. Azure recommends migrating to virtual network flow logs.",
902
+ "caption": ""
903
+ },
904
+ {
905
+ "key": "confirm_that_virtual_network_flow_logs_are_captured_and_sent_to_log_analytics_manual",
906
+ "title": "Confirm that Virtual Network Flow Logs are Captured and Sent to Log Analytics (Manual)",
907
+ "description": "Virtual network flow logs provide critical visibility into traffic patterns, enabling centralized analysis and faster threat detection.",
908
+ "caption": ""
909
+ },
910
+ {
911
+ "key": "confirm_that_a_microsoft_entra_diagnostic_setting_exists_to_send_microsoft_graph_activity_logs_to_an_appropriate_destination_manual",
912
+ "title": "Confirm that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Graph Activity Logs to an Appropriate Destination (Manual)",
913
+ "description": "Microsoft Graph activity logs provide visibility into HTTP requests made to the service, helping detect unauthorized access and suspicious activity.",
914
+ "caption": ""
915
+ },
916
+ {
917
+ "key": "confirm_that_a_microsoft_entra_diagnostic_setting_exists_to_send_microsoft_entra_activity_logs_to_an_appropriate_destination_manual",
918
+ "title": "Confirm that a Microsoft Entra Diagnostic Setting Exists to Send Microsoft Entra Activity Logs to an Appropriate Destination (Manual)",
919
+ "description": "Configuring diagnostic settings for Entra guarantees activity logs are collected for monitoring, analysis, and retention.",
920
+ "caption": ""
921
+ },
922
+ {
923
+ "key": "confirm_that_intune_logs_are_captured_and_sent_to_log_analytics_manual",
924
+ "title": "Confirm that Intune Logs are Captured and Sent to Log Analytics (Manual)",
925
+ "description": "Sending Intune logs to a Log Analytics workspace enables centralized analysis and alerting for faster threat response.",
926
+ "caption": ""
927
+ },
928
+ {
929
+ "key": "confirm_that_activity_log_alert_exists_for_create_policy_assignment_automated",
930
+ "title": "Confirm that Activity Log Alert Exists for Create Policy Assignment (Automated)",
931
+ "description": "Monitoring for create policy assignment events gives insight into changes in Azure policy and reduces time to detect unsolicited changes.",
932
+ "caption": ""
933
+ },
934
+ {
935
+ "key": "confirm_that_activity_log_alert_exists_for_delete_policy_assignment_automated",
936
+ "title": "Confirm that Activity Log Alert exists for Delete Policy Assignment (Automated)",
937
+ "description": "Monitoring for delete policy assignment events offers visibility into policy removals that could weaken security posture.",
938
+ "caption": ""
939
+ },
940
+ {
941
+ "key": "confirm_that_activity_log_alert_exists_for_create_or_update_network_security_group_automated",
942
+ "title": "Confirm that Activity Log Alert Exists for Create or Update Network Security Group (Automated)",
943
+ "description": "Monitoring these events gives insight into network access changes and helps detect suspicious activity.",
944
+ "caption": ""
945
+ },
946
+ {
947
+ "key": "confirm_that_activity_log_alert_exists_for_delete_network_security_group_automated",
948
+ "title": "Confirm that Activity Log Alert Exists for Delete Network Security Group (Automated)",
949
+ "description": "Alerting on the deletion of NSGs is critical for identifying potential unauthorized attempts to open network traffic.",
950
+ "caption": ""
951
+ },
952
+ {
953
+ "key": "confirm_that_activity_log_alert_exists_for_create_or_update_security_solution_automated",
954
+ "title": "Confirm that Activity Log Alert Exists for Create or Update Security Solution (Automated)",
955
+ "description": "Monitoring for these events gives insight into changes to active security solutions in the environment.",
956
+ "caption": ""
957
+ },
958
+ {
959
+ "key": "confirm_that_activity_log_alert_exists_for_delete_security_solution_automated",
960
+ "title": "Confirm that Activity Log Alert Exists for Delete Security Solution (Automated)",
961
+ "description": "Alerting on the deletion of security solutions helps detect efforts to blind security monitoring.",
962
+ "caption": ""
963
+ },
964
+ {
965
+ "key": "confirm_that_activity_log_alert_exists_for_create_or_update_sql_server_firewall_rule_automated",
966
+ "title": "Confirm that Activity Log Alert Exists for Create or Update SQL Server Firewall Rule (Automated)",
967
+ "description": "Monitoring these events offers insight into SQL network access changes that could expose databases to the internet.",
968
+ "caption": ""
969
+ },
970
+ {
971
+ "key": "confirm_that_activity_log_alert_exists_for_delete_sql_server_firewall_rule_automated",
972
+ "title": "Confirm that Activity Log Alert Exists for Delete SQL Server Firewall Rule (Automated)",
973
+ "description": "Ensures visibility into changes in SQL server network security boundaries.",
974
+ "caption": ""
975
+ },
976
+ {
977
+ "key": "confirm_that_activity_log_alert_exists_for_create_or_update_public_ip_address_rule_automated",
978
+ "title": "Confirm that Activity Log Alert Exists for Create or Update Public IP Address rule (Automated)",
979
+ "description": "Monitoring for these events offers visibility into network changes that might expose internal resources publicly.",
980
+ "caption": ""
981
+ },
982
+ {
983
+ "key": "confirm_that_activity_log_alert_exists_for_delete_public_ip_address_rule_automated",
984
+ "title": "Confirm that Activity Log Alert Exists for Delete Public IP Address rule (Automated)",
985
+ "description": "Ensures monitoring of changes to the public networking interface of the tenant.",
986
+ "caption": ""
987
+ },
988
+ {
989
+ "key": "confirm_that_an_activity_log_alert_exists_for_service_health_automated",
990
+ "title": "Confirm that an Activity Log Alert Exists for Service Health (Automated)",
991
+ "description": "Monitoring for Service Health events offers insight into service issues, planned maintenance, and security advisories.",
992
+ "caption": ""
993
+ },
994
+ {
995
+ "key": "confirm_application_insights_are_configured_automated",
996
+ "title": "Confirm Application Insights are Configured (Automated)",
997
+ "description": "Application Insights offers valuable data for performance monitoring and detailed telemetry for incident response.",
998
+ "caption": ""
999
+ },
1000
+ {
1001
+ "key": "confirm_that_azure_monitor_resource_logging_is_enabled_for_all_services_that_support_it_manual",
1002
+ "title": "Confirm that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)",
1003
+ "description": "Resource Logs capture activity at the data plane. A lack of monitoring reduces visibility into reconnaissance or malicious activity.",
1004
+ "caption": ""
1005
+ },
1006
+ {
1007
+ "key": "confirm_basic_free_and_consumption_skus_are_not_used_on_production_artifacts_requiring_monitoring_and_sla_manual",
1008
+ "title": "Confirm Basic, Free, and Consumption SKUs are not used on Production artifacts requiring monitoring and SLA (Manual)",
1009
+ "description": "Basic/Free SKUs often lack SLAs, high availability, and observability features required for production environments.",
1010
+ "caption": ""
1011
+ },
1012
+ {
1013
+ "key": "confirm_that_resource_locks_are_set_for_missioncritical_azure_resources_manual",
1014
+ "title": "Confirm that Resource Locks are set for Mission-Critical Azure Resources (Manual)",
1015
+ "description": "Resource Manager Locks prevent accidental deletion or modification of critical resources, sitting outside of the RBAC hierarchy.",
1016
+ "caption": ""
1017
+ }
1018
+ ]
1019
+ },
1020
+ {
1021
+ "key": "identity_services",
1022
+ "title": "Identity Services",
1023
+ "description": "Focuses on centralizing authentication, enabling security defaults, and performing periodic reviews of administrative roles.",
1024
+ "type": "checklist",
1025
+ "items": [
1026
+ {
1027
+ "key": "confirm_that_security_defaults_is_enabled_in_microsoft_entra_id_automated",
1028
+ "title": "Confirm that security defaults is Enabled in Microsoft Entra ID (Automated)",
1029
+ "description": "Security standard settings in Microsoft Entra ID make it easier to be secure by providing preconfigured security settings for common attacks, including requiring MFA for all users.",
1030
+ "caption": ""
1031
+ },
1032
+ {
1033
+ "key": "confirm_that_require_multifactor_authentication_to_register_or_join_devices_with_microsoft_entra_is_configured_as_yes_manual",
1034
+ "title": "Confirm that Require Multifactor Authentication to register or join devices with Microsoft Entra is configured as Yes (Manual)",
1035
+ "description": "Joining or registering devices to Microsoft Entra ID should require multi-factor authentication to ensure rogue devices are not added using compromised accounts.",
1036
+ "caption": ""
1037
+ },
1038
+ {
1039
+ "key": "confirm_that_multifactor_authentication_is_enabled_for_all_users_automated",
1040
+ "title": "Confirm that multifactor authentication is enabled For All Users (Automated)",
1041
+ "description": "Enable multifactor authentication for all users to provide additional assurance that the individual attempting to gain access is who they claim to be.",
1042
+ "caption": ""
1043
+ },
1044
+ {
1045
+ "key": "confirm_that_allow_users_to_remember_multifactor_authentication_on_devices_they_trust_is_disabled_manual",
1046
+ "title": "Confirm that Allow users to remember multifactor authentication on devices they trust is Disabled (Manual)",
1047
+ "description": "Do not allow users to remember multi-factor authentication on devices. Remembering MFA allows users to bypass MFA for a set number of days, which may affect security if a device is compromised.",
1048
+ "caption": ""
1049
+ },
1050
+ {
1051
+ "key": "confirm_that_azure_admin_accounts_are_not_used_for_daily_operations_manual",
1052
+ "title": "Confirm that Azure Admin Accounts Are Not Used for Daily Operations (Manual)",
1053
+ "description": "Microsoft Azure admin accounts should not be used for routine, non-administrative tasks to decrease the risk of accidental misconfigurations and security breaches.",
1054
+ "caption": ""
1055
+ },
1056
+ {
1057
+ "key": "confirm_that_guest_users_are_reviewed_on_a_regular_basis_manual",
1058
+ "title": "Confirm that Guest Users are Reviewed on a Regular Basis (Manual)",
1059
+ "description": "Guest users should be reviewed on a regular basis to ensure they still require access and do not have inappropriate administrative privileges.",
1060
+ "caption": ""
1061
+ },
1062
+ {
1063
+ "key": "confirm_that_use_of_the_user_access_administrator_role_is_restricted_automated",
1064
+ "title": "Confirm That Use of the User Access Administrator Role is Restricted (Automated)",
1065
+ "description": "The User Access Administrator role grants the ability to manage access assignments at any level. This role assignment should be removed immediately after completing necessary changes.",
1066
+ "caption": ""
1067
+ },
1068
+ {
1069
+ "key": "confirm_that_all_privileged_role_assignments_are_periodically_reviewed_manual",
1070
+ "title": "Confirm that All Privileged Role Assignments are Periodically Reviewed (Manual)",
1071
+ "description": "Periodic review of privileged role assignments guarantees that the roles assigned to users remain accurate and appropriate for their current duties.",
1072
+ "caption": ""
1073
+ },
1074
+ {
1075
+ "key": "confirm_disabled_user_accounts_do_not_have_read_write_or_owner_permissions_manual",
1076
+ "title": "Confirm Disabled User Accounts do not Have Read, Write, or Owner Permissions (Manual)",
1077
+ "description": "Ensure that any roles granting read, write, or owner permissions are removed from disabled Azure user accounts to mitigate potential unauthorized access.",
1078
+ "caption": ""
1079
+ },
1080
+ {
1081
+ "key": "confirm_tenant_creator_role_assignments_are_periodically_reviewed_manual",
1082
+ "title": "Confirm Tenant Creator Role Assignments are Periodically Reviewed (Manual)",
1083
+ "description": "Perform a periodic review of the Tenant Creator role assignment to ensure that the assignments are accurate and appropriate.",
1084
+ "caption": ""
1085
+ },
1086
+ {
1087
+ "key": "confirm_all_nonprivileged_role_assignments_are_periodically_reviewed_manual",
1088
+ "title": "Confirm All Non-privileged Role Assignments are Periodically Reviewed (Manual)",
1089
+ "description": "Non-privileged role assignments should be reviewed periodically to confirm that users are granted only the minimum level of permissions they need.",
1090
+ "caption": ""
1091
+ },
1092
+ {
1093
+ "key": "confirm_that_no_custom_subscription_administrator_roles_exist_automated",
1094
+ "title": "Confirm that No Custom Subscription Administrator Roles Exist (Automated)",
1095
+ "description": "Custom roles in Azure with administrative access can obfuscate permissions and introduce complexity. The principle of least privilege should be followed.",
1096
+ "caption": ""
1097
+ },
1098
+ {
1099
+ "key": "confirm_that_a_custom_role_is_assigned_permissions_for_administering_resource_locks_manual",
1100
+ "title": "Confirm that a Custom Role is Assigned Permissions for Administering Resource Locks (Manual)",
1101
+ "description": "Creating a resource lock administrator role allows specific permissions to be granted for managing resource locks without needing to provide broad Owner or User Access Administrator roles.",
1102
+ "caption": ""
1103
+ },
1104
+ {
1105
+ "key": "confirm_that_subscription_leaving_microsoft_entra_tenant_and_subscription_entering_microsoft_entra_tenant_is_configured_as_permit_no_one_manual",
1106
+ "title": "Confirm that Subscription leaving Microsoft Entra tenant and Subscription entering Microsoft Entra tenant is configured as Permit no one (Manual)",
1107
+ "description": "Permissions to move subscriptions in and out of a Microsoft Entra tenant must only be given to appropriate administrative personnel to prevent data loss or unapproved changes.",
1108
+ "caption": ""
1109
+ },
1110
+ {
1111
+ "key": "confirm_there_are_between_2_and_3_subscription_owners_automated",
1112
+ "title": "Confirm there are between 2 and 3 Subscription Owners (Automated)",
1113
+ "description": "Limit the number of security principals assigned the Owner role to between 2 and 3 to ensure redundancy without excessive privilege sprawl.",
1114
+ "caption": ""
1115
+ }
1116
+ ]
1117
+ },
1118
+ {
1119
+ "key": "database_services",
1120
+ "title": "Database Services",
1121
+ "description": "This part outlines secure configuration recommendations for Azure database services, including Redis, Cosmos DB, Data Factory, MySQL, PostgreSQL, and SQL Database.",
1122
+ "type": "checklist",
1123
+ "items": [
1124
+ {
1125
+ "key": "confirm_microsoft_entra_authentication_is_enabled_manual",
1126
+ "title": "Confirm Microsoft Entra Authentication is Enabled (Manual)",
1127
+ "description": "Ensuring that Microsoft Entra Authentication is Enabled offers a natively integrated use of identities already defined with Microsoft Entra ID.",
1128
+ "caption": ""
1129
+ },
1130
+ {
1131
+ "key": "confirm_that_allow_access_only_via_ssl_is_configured_as_yes_automated",
1132
+ "title": "Confirm that Allow access only via SSL is configured as Yes (Automated)",
1133
+ "description": "Setting Allow access only via SSL to Yes guarantees that data in transit to and from Azure Cache for Redis is encrypted using TLS.",
1134
+ "caption": ""
1135
+ },
1136
+ {
1137
+ "key": "confirm_that_minimum_tls_version_is_configured_as_tls_v12_or_higher_manual",
1138
+ "title": "Confirm that Minimum TLS version is configured as TLS v1.2 (or higher) (Manual)",
1139
+ "description": "Setting the Minimum TLS version helps reduce (but not eliminate) TLS protocol vulnerabilities by preventing the use of significantly outdated versions of TLS.",
1140
+ "caption": ""
1141
+ },
1142
+ {
1143
+ "key": "confirm_that_access_policies_are_implemented_and_reviewed_periodically_manual",
1144
+ "title": "Confirm that Access Policies are Implemented and Reviewed Periodically (Manual)",
1145
+ "description": "Access Policies provide an Access Control List (ACL) functionality allowing administrators to define which identities or identity groups have access to what data and commands. This is an implementation of the Role Based Access Control (RBAC) concept and will require careful consideration to deploy and maintain.",
1146
+ "caption": ""
1147
+ },
1148
+ {
1149
+ "key": "confirm_that_system_assigned_managed_identity_is_configured_as_on_manual",
1150
+ "title": "Confirm that System Assigned Managed Identity is configured as On (Manual)",
1151
+ "description": "System Assigned Managed Identities provide the Azure Cache for Redis instance with a unique account like a service principle but automatically assigned and managed by Azure. These identities are unique to the resource instance they are created for, and removed when the resource is deleted.",
1152
+ "caption": ""
1153
+ },
1154
+ {
1155
+ "key": "confirm_that_public_network_access_is_disabled_manual",
1156
+ "title": "Confirm that Public Network Access is Disabled (Manual)",
1157
+ "description": "Disabling public network access restricts the service from accessing public networks.",
1158
+ "caption": ""
1159
+ },
1160
+ {
1161
+ "key": "confirm_azure_cache_for_redis_is_using_a_private_link_manual",
1162
+ "title": "Confirm Azure Cache for Redis is Using a Private Link (Manual)",
1163
+ "description": "Private links make resources available via a private endpoint to a network you select. Tunneling between subscriptions, resource groups, without the need for traditional network routing.",
1164
+ "caption": ""
1165
+ },
1166
+ {
1167
+ "key": "confirm_that_azure_cache_for_redis_is_using_customermanaged_keys_manual",
1168
+ "title": "Confirm that Azure Cache for Redis is Using Customer-Managed Keys (Manual)",
1169
+ "description": "Customer Managed Keys allow you more granular control over the encryption of your information.",
1170
+ "caption": ""
1171
+ },
1172
+ {
1173
+ "key": "confirm_access_keys_authentication_is_configured_as_disabled_automated",
1174
+ "title": "Confirm Access Keys Authentication is configured as Disabled (Automated)",
1175
+ "description": "Ensure access key authentication is disabled for Azure Cache for Redis instances. Use Microsoft Entra for secure cache authentication.",
1176
+ "caption": ""
1177
+ },
1178
+ {
1179
+ "key": "confirm_update_channel_is_configured_as_stable_automated",
1180
+ "title": "Confirm Update Channel is configured as Stable (Automated)",
1181
+ "description": "Ensure all Azure Cache for Redis instances are configured to use the stable update channel.",
1182
+ "caption": ""
1183
+ },
1184
+ {
1185
+ "key": "confirm_that_firewalls_networks_is_limited_to_use_selected_networks_instead_of_all_networks_automated",
1186
+ "title": "Confirm That Firewalls & Networks Is Limited to Use Selected Networks Instead of All Networks (Automated)",
1187
+ "description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.",
1188
+ "caption": ""
1189
+ },
1190
+ {
1191
+ "key": "confirm_that_cosmos_db_uses_private_endpoints_where_possible_automated",
1192
+ "title": "Confirm that Cosmos DB uses Private Endpoints where possible (Automated)",
1193
+ "description": "Private endpoints limit network traffic to approved sources.",
1194
+ "caption": ""
1195
+ },
1196
+ {
1197
+ "key": "confirm_that_disablelocalauth_is_configured_as_true_automated",
1198
+ "title": "Confirm that disableLocalAuth is configured as true (Automated)",
1199
+ "description": "Ensure that key-based authentication (including resource owner password credential authentication) is disabled for Azure Cosmos DB accounts by setting disableLocalAuth to true. Instead, use Microsoft Entra ID for authentication, as it offers stronger security through managed credentials, multi-factor authentication (MFA), centralized access control, and seamless integration with Azure RBAC.",
1200
+ "caption": ""
1201
+ },
1202
+ {
1203
+ "key": "confirm_public_network_access_is_disabled_manual",
1204
+ "title": "Confirm Public Network Access is Disabled (Manual)",
1205
+ "description": "Setting public networks to disabled prevents requests from the public internet.",
1206
+ "caption": ""
1207
+ },
1208
+ {
1209
+ "key": "confirm_critical_data_is_encrypted_with_customermanaged_keys_cmk_manual",
1210
+ "title": "Confirm critical data is encrypted with customer-managed keys (CMK) (Manual)",
1211
+ "description": "Customer-managed keys introduce additional depth to security by providing control over encryption keys. Where required, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys.",
1212
+ "caption": ""
1213
+ },
1214
+ {
1215
+ "key": "confirm_the_firewall_does_not_allow_all_network_traffic_automated",
1216
+ "title": "Confirm the firewall does not allow all network traffic (Automated)",
1217
+ "description": "Do not allow all network traffic. Restrict access to specific IP addresses or ranges.",
1218
+ "caption": ""
1219
+ },
1220
+ {
1221
+ "key": "confirm_that_cosmos_db_logging_is_enabled_manual",
1222
+ "title": "Confirm that Cosmos DB Logging is Enabled (Manual)",
1223
+ "description": "Cosmos DB logs should be captured to track events relevant to auditing and diagnostics.",
1224
+ "caption": ""
1225
+ },
1226
+ {
1227
+ "key": "confirm_data_factory_is_encrypted_using_customer_managed_keys_manual",
1228
+ "title": "Confirm Data Factory is encrypted using Customer Managed Keys (Manual)",
1229
+ "description": "Customer-managed keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys (CMK) rather than Microsoft-managed keys.",
1230
+ "caption": ""
1231
+ },
1232
+ {
1233
+ "key": "confirm_data_factory_is_using_managed_identities_automated",
1234
+ "title": "Confirm Data Factory is using Managed Identities (Automated)",
1235
+ "description": "Managed identities are the roles that Azure services assume to access other services or resources. Access and permissions may be set on these roles to set the scope and reach of what a service can access. Setting a service to use a managed identity also prevents the need to store credentials in code or other less secure options.",
1236
+ "caption": ""
1237
+ },
1238
+ {
1239
+ "key": "confirm_that_data_factory_is_using_azure_key_vault_to_store_credentials_and_secrets_manual",
1240
+ "title": "Confirm that Data Factory is using Azure Key Vault to store Credentials and Secrets (Manual)",
1241
+ "description": "Azure Key Vault is a way to securely store secrets and keys, and create role based access control permissions to services and users to access them.",
1242
+ "caption": ""
1243
+ },
1244
+ {
1245
+ "key": "confirm_that_data_factory_is_using_rbac_to_manage_privilege_assignment_manual",
1246
+ "title": "Confirm that Data Factory is using RBAC to manage privilege assignment (Manual)",
1247
+ "description": "Role Based Access Control (RBAC) is setting permissions to the role that a user occupies. Often the user is added to a group which the account inherits permissions from. This is different than Access Policies which are used on an individual case by case basis for each user.",
1248
+ "caption": ""
1249
+ },
1250
+ {
1251
+ "key": "confirm_azure_database_for_mysql_uses_customer_managed_keys_for_encryption_at_rest_manual",
1252
+ "title": "Confirm Azure Database for MySQL uses Customer Managed Keys for Encryption at Rest (Manual)",
1253
+ "description": "Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys (MMK).",
1254
+ "caption": ""
1255
+ },
1256
+ {
1257
+ "key": "confirm_azure_database_for_mysql_uses_only_microsoft_entra_authentication_automated",
1258
+ "title": "Confirm Azure Database for MySQL uses only Microsoft Entra Authentication (Automated)",
1259
+ "description": "Ensuring that Microsoft Entra Authentication is the only authentication method prevents the local MySQL authentication from being used.",
1260
+ "caption": ""
1261
+ },
1262
+ {
1263
+ "key": "confirm_public_network_access_is_disabled_for_azure_database_for_mysql_automated",
1264
+ "title": "Confirm Public Network Access is Disabled for Azure Database for MySQL (Automated)",
1265
+ "description": "Setting public networks to disabled prevents requests from the public internet.",
1266
+ "caption": ""
1267
+ },
1268
+ {
1269
+ "key": "confirm_private_endpoints_are_used_for_azure_mysql_databases_automated",
1270
+ "title": "Confirm Private Endpoints Are Used for Azure MySQL Databases (Automated)",
1271
+ "description": "Private links make resources available via a private endpoint to a network you select. Tunneling between subscriptions, resource groups, without the need for traditional network routing.",
1272
+ "caption": ""
1273
+ },
1274
+ {
1275
+ "key": "confirm_server_parameter_auditlogenabled_is_configured_as_on_for_mysql_flexible_server_automated",
1276
+ "title": "Confirm server parameter audit log enabled is configured as ON for MySQL flexible server (Automated)",
1277
+ "description": "Enable audit logging on MySQL flexible servers.",
1278
+ "caption": ""
1279
+ },
1280
+ {
1281
+ "key": "confirm_server_parameter_auditlogevents_has_connection_set_for_mysql_flexible_server_automated",
1282
+ "title": "Confirm server parameter audit log events has CONNECTION set for MySQL flexible server (Automated)",
1283
+ "description": "Set audit log events to include CONNECTION on MySQL flexible servers.",
1284
+ "caption": ""
1285
+ },
1286
+ {
1287
+ "key": "confirm_server_parameter_errorserverlogfile_is_enabled_for_mysql_database_server_manual",
1288
+ "title": "Confirm server parameter error server log file is Enabled for MySQL Database Server (Manual)",
1289
+ "description": "Enable error logs on MySQL flexible servers.",
1290
+ "caption": ""
1291
+ },
1292
+ {
1293
+ "key": "confirm_server_parameter_requiresecuretransport_is_configured_as_on_for_mysql_server_automated",
1294
+ "title": "Confirm server parameter Require Secure Transport is configured as ON for MySQL Server (Automated)",
1295
+ "description": "Enable Require Secure Transport on MySQL flexible servers.",
1296
+ "caption": ""
1297
+ },
1298
+ {
1299
+ "key": "confirm_server_parameter_tlsversion_is_configured_as_tlsv12_or_higher_for_mysql_flexible_server_automated",
1300
+ "title": "Confirm server parameter TLS version is configured as TLSv1.2 (or higher) for MySQL flexible server (Automated)",
1301
+ "description": "Ensure TLS version on MySQL flexible servers is set to use TLS version 1.2 or higher.",
1302
+ "caption": ""
1303
+ },
1304
+ {
1305
+ "key": "confirm_azure_database_for_postgresql_uses_customer_managed_keys_for_encryption_at_rest_manual",
1306
+ "title": "Confirm Azure Database for PostgreSQL uses Customer Managed Keys for Encryption at Rest (Manual)",
1307
+ "description": "Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys (MMK).",
1308
+ "caption": ""
1309
+ },
1310
+ {
1311
+ "key": "confirm_azure_database_for_postgresql_uses_only_microsoft_entra_authentication_manual",
1312
+ "title": "Confirm Azure Database for PostgreSQL uses only Microsoft Entra Authentication (Manual)",
1313
+ "description": "Ensuring that Microsoft Entra Authentication is the only authentication method prevents the local PostgreSQL authentication from being used.",
1314
+ "caption": ""
1315
+ },
1316
+ {
1317
+ "key": "confirm_public_network_access_is_disabled_for_azure_database_for_postgresql_automated",
1318
+ "title": "Confirm Public Network Access is Disabled for Azure Database for PostgreSQL (Automated)",
1319
+ "description": "Setting public networks to disabled prevents requests from the public internet.",
1320
+ "caption": ""
1321
+ },
1322
+ {
1323
+ "key": "confirm_private_endpoints_are_used_for_azure_database_for_postgresql_automated",
1324
+ "title": "Confirm Private Endpoints Are Used for Azure Database for PostgreSQL (Automated)",
1325
+ "description": "Private links make resources available via a private endpoint to a network you select. Tunneling between subscriptions, resource groups, without the need for traditional network routing.",
1326
+ "caption": ""
1327
+ },
1328
+ {
1329
+ "key": "confirm_server_parameter_connectionthrottleenable_is_configured_as_on_for_postgresql_server_automated",
1330
+ "title": "Confirm server parameter connection throttle is configured as ON for PostgreSQL server (Automated)",
1331
+ "description": "Enable connection throttling on PostgreSQL flexible servers.",
1332
+ "caption": ""
1333
+ },
1334
+ {
1335
+ "key": "confirm_server_parameter_logfilesretentiondays_is_greater_than_3_days_for_postgresql_server_automated",
1336
+ "title": "Confirm server parameter log retention days is greater than 3 days for PostgreSQL server (Automated)",
1337
+ "description": "Ensure log retention days on PostgreSQL flexible servers is set to an appropriate value.",
1338
+ "caption": ""
1339
+ },
1340
+ {
1341
+ "key": "confirm_server_parameter_logcheckpoints_is_configured_as_on_for_postgresql_server_automated",
1342
+ "title": "Confirm server parameter Log Checkpoints is configured as ON for PostgreSQL server (Automated)",
1343
+ "description": "Enable Log Checkpoints on PostgreSQL flexible servers.",
1344
+ "caption": ""
1345
+ },
1346
+ {
1347
+ "key": "confirm_server_parameter_logdisconnections_is_configured_as_on_for_postgresql_servers_automated",
1348
+ "title": "Confirm server parameter Log Disconnections is configured as ON for PostgreSQL servers (Automated)",
1349
+ "description": "Enable Log Disconnections on PostgreSQL servers.",
1350
+ "caption": ""
1351
+ },
1352
+ {
1353
+ "key": "confirm_server_parameter_logconnections_is_configured_as_on_for_postgresql_servers_automated",
1354
+ "title": "Confirm server parameter Log Connections is configured as ON for PostgreSQL servers (Automated)",
1355
+ "description": "Enable Log Connections on PostgreSQL servers.",
1356
+ "caption": ""
1357
+ },
1358
+ {
1359
+ "key": "confirm_server_parameter_requiresecuretransport_is_configured_as_on_for_postgresql_server_automated",
1360
+ "title": "Confirm server parameter Require Secure Transport is configured as ON for PostgreSQL server (Automated)",
1361
+ "description": "Enable Require Secure Transport on PostgreSQL flexible servers.",
1362
+ "caption": ""
1363
+ },
1364
+ {
1365
+ "key": "confirm_server_parameter_sslminprotocolversion_is_configured_as_tlsv12_or_higher_for_postgresql_server_automated",
1366
+ "title": "Confirm server parameter SSL minimum protocol version is configured as TLSv1.2 or higher for PostgreSQL server (Automated)",
1367
+ "description": "Setting minimum protocol version to TLSv1.2 or higher reduces TLS protocol vulnerabilities by preventing the use of significantly outdated versions of TLS.",
1368
+ "caption": ""
1369
+ },
1370
+ {
1371
+ "key": "confirm_that_auditing_is_configured_as_on_automated",
1372
+ "title": "Confirm that Auditing is configured as On (Automated)",
1373
+ "description": "Enable auditing on SQL Servers.",
1374
+ "caption": ""
1375
+ },
1376
+ {
1377
+ "key": "confirm_that_public_network_access_is_configured_as_disable_automated",
1378
+ "title": "Confirm that Public Network Access is configured as Disable (Automated)",
1379
+ "description": "Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts.",
1380
+ "caption": ""
1381
+ },
1382
+ {
1383
+ "key": "confirm_no_azure_sql_database_firewall_rule_is_overly_permissive_automated",
1384
+ "title": "Confirm no Azure SQL Database firewall rule is overly permissive (Automated)",
1385
+ "description": "Ensure that no SQL Databases have overly permissive firewall rules (e.g. rule allowing traffic with start IP address of 0.0.0.0 and end IP address of 255.255.255.255, or other combinations allowing large swathes of IP addresses).",
1386
+ "caption": ""
1387
+ },
1388
+ {
1389
+ "key": "confirm_sql_servers_transparent_data_encryption_tde_protector_is_encrypted_with_customermanaged_key_automated",
1390
+ "title": "Confirm SQL servers Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key (Automated)",
1391
+ "description": "Transparent Data Encryption (TDE) with Customer-managed key support offers increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.",
1392
+ "caption": ""
1393
+ },
1394
+ {
1395
+ "key": "confirm_that_microsoft_entra_authentication_is_configured_for_sql_servers_automated",
1396
+ "title": "Confirm that Microsoft Entra authentication is Configured for SQL Servers (Automated)",
1397
+ "description": "Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.",
1398
+ "caption": ""
1399
+ },
1400
+ {
1401
+ "key": "confirm_that_data_encryption_is_configured_as_on_on_a_sql_database_automated",
1402
+ "title": "Confirm that Data encryption is configured as On on a SQL Database (Automated)",
1403
+ "description": "Enable Transparent Data Encryption on every SQL server.",
1404
+ "caption": ""
1405
+ },
1406
+ {
1407
+ "key": "confirm_that_auditing_retention_is_greater_than_90_days_automated",
1408
+ "title": "Confirm that Auditing Retention is greater than 90 days (Automated)",
1409
+ "description": "SQL Server Audit Retention should be configured to be greater than 90 days.",
1410
+ "caption": ""
1411
+ },
1412
+ {
1413
+ "key": "confirm_minimum_tls_version_is_configured_as_tls_12_or_higher_automated",
1414
+ "title": "Confirm Minimum TLS Version is configured as TLS 1.2 or higher (Automated)",
1415
+ "description": "Setting the Minimum TLS version to TLS 1.2 or higher reduces TLS protocol vulnerabilities by preventing the use of significantly outdated versions of TLS.",
1416
+ "caption": ""
1417
+ }
1418
+ ]
1419
+ },
1420
+ {
1421
+ "key": "compute_services",
1422
+ "title": "Compute Services",
1423
+ "description": "This part outlines fundamental security settings for Azures compute services, focusing on identity security and vulnerability management.",
1424
+ "type": "checklist",
1425
+ "items": [
1426
+ {
1427
+ "key": "confirm_only_mfa_enabled_identities_can_access_privileged_virtual_machine_manual",
1428
+ "title": "Confirm only MFA Enabled Identities can Access Privileged Virtual Machine (Manual)",
1429
+ "description": "Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machines managed identity.",
1430
+ "caption": ""
1431
+ },
1432
+ {
1433
+ "key": "confirm_java_version_is_currently_supported_if_in_use_manual",
1434
+ "title": "Confirm Java version is currently supported (if in use) (Manual)",
1435
+ "description": "Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for App Service apps is recommended to avoid potential unpatched vulnerabilities.",
1436
+ "caption": ""
1437
+ },
1438
+ {
1439
+ "key": "confirm_python_version_is_currently_supported_if_in_use_manual",
1440
+ "title": "Confirm Python version is currently supported (if in use) (Manual)",
1441
+ "description": "Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for App Service apps is recommended to avoid potential unpatched vulnerabilities.",
1442
+ "caption": ""
1443
+ },
1444
+ {
1445
+ "key": "confirm_php_version_is_currently_supported_if_in_use_manual",
1446
+ "title": "Confirm PHP version is currently supported (if in use) (Manual)",
1447
+ "description": "Periodically, older versions of PHP may be deprecated and no longer supported. Using a supported version of PHP for App Service apps is recommended to avoid potential unpatched vulnerabilities.",
1448
+ "caption": ""
1449
+ },
1450
+ {
1451
+ "key": "confirm_basic_authentication_publishing_credentials_are_disabled_automated",
1452
+ "title": "Confirm Basic Authentication Publishing Credentials are Disabled (Automated)",
1453
+ "description": "Basic Authentication Publishing Credentials offers the ability to publish or deploy to-an App Service app without a centralized Identity Provider. For a more effective, capable, and secure solution for Identity, Authentication, Authorization, and Accountability, a centralized Identity Provider such as Entra ID is strongly advised.",
1454
+ "caption": ""
1455
+ },
1456
+ {
1457
+ "key": "confirm_ftp_state_is_configured_as_ftps_only_or_disabled_automated",
1458
+ "title": "Confirm FTP State is configured as FTPS only or Disabled (Automated)",
1459
+ "description": "By standard setting, App Service supports deployment over FTP. If FTP is essential for a deployment workflow, FTPS should be enforced for all App Service apps. If FTPS is not explicitly required, the recommended setting is Disabled.",
1460
+ "caption": ""
1461
+ },
1462
+ {
1463
+ "key": "confirm_http_version_is_configured_as_20_if_in_use_automated",
1464
+ "title": "Confirm HTTP version is configured as 2.0 (if in use) (Automated)",
1465
+ "description": "Periodically, newer versions are released for HTTP, either due to security flaws or to include additional functionalities. Using the latest HTTP version allows apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
1466
+ "caption": ""
1467
+ },
1468
+ {
1469
+ "key": "confirm_https_only_is_configured_as_on_automated",
1470
+ "title": "Confirm HTTPS Only is configured as On (Automated)",
1471
+ "description": "Azure App Service allows apps to run under both HTTP and HTTPS by standard setting. Apps can be accessed by anyone using non-secure HTTP links by standard setting. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.",
1472
+ "caption": ""
1473
+ },
1474
+ {
1475
+ "key": "confirm_minimum_inbound_tls_version_is_configured_as_12_or_higher_automated",
1476
+ "title": "Confirm Minimum Inbound TLS Version is configured as 1.2 or higher (Automated)",
1477
+ "description": "The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. App Service apps use TLS 1.2 for the Minimum Inbound TLS Version by standard setting and allow for the use of TLS versions 1.0, 1.1, and 1.3.",
1478
+ "caption": ""
1479
+ },
1480
+ {
1481
+ "key": "confirm_endtoend_tls_encryption_is_enabled_automated",
1482
+ "title": "Confirm end-to-end TLS encryption is enabled (Automated)",
1483
+ "description": "End-to-end (E2E) TLS encryption guarantees that front-end to worker communication within App Service apps is encrypted using TLS. Without this feature, while incoming HTTPS requests are encrypted to the front ends, the traffic from front ends to workers running the application workloads would travel unencrypted inside Azures infrastructure.",
1484
+ "caption": ""
1485
+ },
1486
+ {
1487
+ "key": "confirm_remote_debugging_is_configured_as_off_automated",
1488
+ "title": "Confirm Remote debugging is configured as Off (Automated)",
1489
+ "description": "Remote debugging allows an App Service app to be debugged in real-time directly in the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.",
1490
+ "caption": ""
1491
+ },
1492
+ {
1493
+ "key": "confirm_incoming_client_certificates_are_enabled_and_required_if_in_use_automated",
1494
+ "title": "Confirm incoming client certificates are enabled and required (if in use) (Automated)",
1495
+ "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
1496
+ "caption": ""
1497
+ },
1498
+ {
1499
+ "key": "confirm_app_service_authentication_is_configured_as_enabled_automated",
1500
+ "title": "Confirm App Service authentication is configured as Enabled (Automated)",
1501
+ "description": "App Service authentication can prevent anonymous HTTP requests from reaching an app, or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a login page.",
1502
+ "caption": ""
1503
+ },
1504
+ {
1505
+ "key": "confirm_managed_identities_are_configured_automated",
1506
+ "title": "Confirm managed identities are configured (Automated)",
1507
+ "description": "Managed identities from Microsoft Entra ID allow App Service apps to securely access other Azure services without the need to provision or rotate any secrets.",
1508
+ "caption": ""
1509
+ },
1510
+ {
1511
+ "key": "confirm_public_network_access_is_disabled_automated",
1512
+ "title": "Confirm public network access is disabled (Automated)",
1513
+ "description": "Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access within trusted networks.",
1514
+ "caption": ""
1515
+ },
1516
+ {
1517
+ "key": "confirm_app_service_plan_sku_supports_private_endpoints_automated",
1518
+ "title": "Confirm App Service plan SKU supports private endpoints (Automated)",
1519
+ "description": "Ensure that your App Service plan SKU supports private endpoints. Private endpoints provide secure access over Azure Private Link, which keeps traffic on the Microsoft backbone network and eliminates exposure to the public internet.",
1520
+ "caption": ""
1521
+ },
1522
+ {
1523
+ "key": "confirm_private_endpoints_are_used_to_access_app_service_apps_automated",
1524
+ "title": "Confirm private endpoints are used to access App Service apps (Automated)",
1525
+ "description": "Use private endpoints to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet.",
1526
+ "caption": ""
1527
+ },
1528
+ {
1529
+ "key": "confirm_private_endpoints_used_to_access_app_service_apps_use_private_dns_zones_manual",
1530
+ "title": "Confirm private endpoints used to access App Service apps use private DNS zones (Manual)",
1531
+ "description": "Use private DNS zones to override DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service app.",
1532
+ "caption": ""
1533
+ },
1534
+ {
1535
+ "key": "confirm_app_is_integrated_with_a_virtual_network_automated",
1536
+ "title": "Confirm app is integrated with a virtual network (Automated)",
1537
+ "description": "Integrate App Service apps with a virtual network to enable access to resources in or through a non-internet-routable virtual network.",
1538
+ "caption": ""
1539
+ },
1540
+ {
1541
+ "key": "confirm_configuration_is_routed_through_the_virtual_network_integration_automated",
1542
+ "title": "Confirm configuration is routed through the virtual network integration (Automated)",
1543
+ "description": "By standard setting, configuration traffic for App Service apps goes directly over the public route. Container image pulls and content sharing can be routed through the virtual network integration.",
1544
+ "caption": ""
1545
+ },
1546
+ {
1547
+ "key": "confirm_all_traffic_is_routed_through_the_virtual_network_automated",
1548
+ "title": "Confirm all traffic is routed through the virtual network (Automated)",
1549
+ "description": "Enable vnetRouteAllEnabled to ensure all outbound traffic is routed through the integrated virtual network.",
1550
+ "caption": ""
1551
+ },
1552
+ {
1553
+ "key": "confirm_crossorigin_resource_sharing_does_not_allow_all_origins_automated",
1554
+ "title": "Confirm cross-origin resource sharing does not allow all origins (Automated)",
1555
+ "description": "Cross-origin resource sharing (CORS) is a security feature that controls how applications interact with resources hosted on different domains.",
1556
+ "caption": ""
1557
+ },
1558
+ {
1559
+ "key": "confirm_java_version_is_currently_supported_if_in_use_manual",
1560
+ "title": "Confirm Java version is currently supported (if in use) (Manual)",
1561
+ "description": "Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for App Service deployment slots is recommended to avoid potential unpatched vulnerabilities.",
1562
+ "caption": ""
1563
+ },
1564
+ {
1565
+ "key": "confirm_python_version_is_currently_supported_if_in_use_manual",
1566
+ "title": "Confirm Python version is currently supported (if in use) (Manual)",
1567
+ "description": "Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for App Service deployment slots is recommended to avoid potential unpatched vulnerabilities.",
1568
+ "caption": ""
1569
+ },
1570
+ {
1571
+ "key": "confirm_php_version_is_currently_supported_if_in_use_manual",
1572
+ "title": "Confirm PHP version is currently supported (if in use) (Manual)",
1573
+ "description": "Periodically, older versions of PHP may be deprecated and no longer supported. By using a supported version of PHP for App Service deployment slots is recommended to avoid potential unpatched vulnerabilities.",
1574
+ "caption": ""
1575
+ },
1576
+ {
1577
+ "key": "confirm_basic_authentication_publishing_credentials_are_disabled_automated",
1578
+ "title": "Confirm Basic Authentication Publishing Credentials are Disabled (Automated)",
1579
+ "description": "Basic Authentication Publishing Credentials offers the ability to publish or deploy to an App Service deployment slot without a centralized Identity Provider.",
1580
+ "caption": ""
1581
+ },
1582
+ {
1583
+ "key": "confirm_ftp_state_is_configured_as_ftps_only_or_disabled_automated",
1584
+ "title": "Confirm FTP state is configured as FTPS only or Disabled (Automated)",
1585
+ "description": "By standard setting, App Service supports deployment over FTP. If FTP is essential for a deployment workflow, FTPS should be enforced for all App Service deployment slots.",
1586
+ "caption": ""
1587
+ },
1588
+ {
1589
+ "key": "confirm_http_version_is_configured_as_20_if_in_use_automated",
1590
+ "title": "Confirm HTTP version is configured as 2.0 (if in use) (Automated)",
1591
+ "description": "Periodically, newer versions are released for HTTP, either due to security flaws or to include additional functionalities. By using the latest HTTP version allows apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
1592
+ "caption": ""
1593
+ },
1594
+ {
1595
+ "key": "confirm_https_only_is_configured_as_on_automated",
1596
+ "title": "Confirm HTTPS Only is configured as On (Automated)",
1597
+ "description": "Azure App Service allows deployment slots to run under both HTTP and HTTPS by standard setting. Deployment slots can be accessed by anyone using non-secure HTTP links by standard setting.",
1598
+ "caption": ""
1599
+ },
1600
+ {
1601
+ "key": "confirm_minimum_inbound_tls_version_is_configured_as_12_or_higher_automated",
1602
+ "title": "Confirm Minimum Inbound TLS Version is configured as 1.2 or higher (Automated)",
1603
+ "description": "The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. App Service deployment slots use TLS 1.2 for the Minimum Inbound TLS Version by standard setting.",
1604
+ "caption": ""
1605
+ },
1606
+ {
1607
+ "key": "confirm_endtoend_tls_encryption_is_enabled_automated",
1608
+ "title": "Confirm end-to-end TLS encryption is enabled (Automated)",
1609
+ "description": "End-to-end (E2E) TLS encryption guarantees that front-end to worker communication within App Service deployment slots is encrypted using TLS.",
1610
+ "caption": ""
1611
+ },
1612
+ {
1613
+ "key": "confirm_remote_debugging_is_configured_as_off_automated",
1614
+ "title": "Confirm Remote debugging is configured as Off (Automated)",
1615
+ "description": "Remote debugging allows an App Service deployment slot to be debugged in real-time directly in the Azure environment.",
1616
+ "caption": ""
1617
+ },
1618
+ {
1619
+ "key": "confirm_incoming_client_certificates_are_enabled_and_required_if_in_use_automated",
1620
+ "title": "Confirm incoming client certificates are enabled and required (if in use) (Automated)",
1621
+ "description": "Client certificates allow for the deployment slot to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the deployment slot.",
1622
+ "caption": ""
1623
+ },
1624
+ {
1625
+ "key": "confirm_managed_identities_are_configured_automated",
1626
+ "title": "Confirm managed identities are configured (Automated)",
1627
+ "description": "Managed identities from Microsoft Entra ID allow App Service deployment slots to securely access other Azure services without the need to provision or rotate any secrets.",
1628
+ "caption": ""
1629
+ },
1630
+ {
1631
+ "key": "confirm_public_network_access_is_disabled_automated",
1632
+ "title": "Confirm public network access is disabled (Automated)",
1633
+ "description": "Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access within trusted networks.",
1634
+ "caption": ""
1635
+ },
1636
+ {
1637
+ "key": "confirm_deployment_slot_is_integrated_with_a_virtual_network_automated",
1638
+ "title": "Confirm deployment slot is integrated with a virtual network (Automated)",
1639
+ "description": "Integrate App Service deployment slots with a virtual network to enable access to resources in or through a non-internet-routable virtual network.",
1640
+ "caption": ""
1641
+ },
1642
+ {
1643
+ "key": "confirm_configuration_is_routed_through_the_virtual_network_integration_automated",
1644
+ "title": "Confirm configuration is routed through the virtual network integration (Automated)",
1645
+ "description": "By standard setting, configuration traffic for App Service deployment slots goes directly over the public route. Container image pulls and content sharing can be routed through the virtual network integration.",
1646
+ "caption": ""
1647
+ },
1648
+ {
1649
+ "key": "confirm_all_traffic_is_routed_through_the_virtual_network_automated",
1650
+ "title": "Confirm all traffic is routed through the virtual network (Automated)",
1651
+ "description": "Enable vnetRouteAllEnabled to ensure all outbound traffic is routed through the integrated virtual network.",
1652
+ "caption": ""
1653
+ },
1654
+ {
1655
+ "key": "confirm_crossorigin_resource_sharing_does_not_allow_all_origins_automated",
1656
+ "title": "Confirm cross-origin resource sharing does not allow all origins (Automated)",
1657
+ "description": "Cross-origin resource sharing (CORS) is a security feature that controls how applications interact with resources hosted on different domains.",
1658
+ "caption": ""
1659
+ },
1660
+ {
1661
+ "key": "confirm_java_version_is_currently_supported_if_in_use_manual",
1662
+ "title": "Confirm Java version is currently supported (if in use) (Manual)",
1663
+ "description": "Periodically, older versions of Java may be deprecated and no longer supported. By using a supported version of Java for function apps is recommended to avoid potential unpatched vulnerabilities.",
1664
+ "caption": ""
1665
+ },
1666
+ {
1667
+ "key": "confirm_python_version_is_currently_supported_if_in_use_manual",
1668
+ "title": "Confirm Python version is currently supported (if in use) (Manual)",
1669
+ "description": "Periodically, older versions of Python may be deprecated and no longer supported. By using a supported version of Python for function apps is recommended to avoid potential unpatched vulnerabilities.",
1670
+ "caption": ""
1671
+ },
1672
+ {
1673
+ "key": "confirm_basic_authentication_publishing_credentials_are_disabled_automated",
1674
+ "title": "Confirm Basic Authentication Publishing Credentials are Disabled (Automated)",
1675
+ "description": "Basic Authentication Publishing Credentials offers the ability to publish or deploy to a function app without a centralized Identity Provider.",
1676
+ "caption": ""
1677
+ },
1678
+ {
1679
+ "key": "confirm_ftp_state_is_configured_as_ftps_only_or_disabled_automated",
1680
+ "title": "Confirm FTP state is configured as FTPS only or Disabled (Automated)",
1681
+ "description": "By standard setting, App Service supports deployment over FTP. If FTP is essential for a deployment workflow, FTPS should be enforced for all function apps.",
1682
+ "caption": ""
1683
+ },
1684
+ {
1685
+ "key": "confirm_http_version_is_configured_as_20_if_in_use_automated",
1686
+ "title": "Confirm HTTP version is configured as 2.0 (if in use) (Automated)",
1687
+ "description": "Periodically, newer versions are released for HTTP, either due to security flaws or to include additional functionalities. Using the latest HTTP version allows apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
1688
+ "caption": ""
1689
+ },
1690
+ {
1691
+ "key": "confirm_https_only_is_configured_as_on_automated",
1692
+ "title": "Confirm HTTPS Only is configured as On (Automated)",
1693
+ "description": "Azure App Service allows function apps to run under both HTTP and HTTPS by standard setting. Function apps can be accessed by anyone using non-secure HTTP links by standard setting.",
1694
+ "caption": ""
1695
+ },
1696
+ {
1697
+ "key": "confirm_minimum_inbound_tls_version_is_configured_as_12_or_higher_automated",
1698
+ "title": "Confirm Minimum Inbound TLS Version is configured as 1.2 or higher (Automated)",
1699
+ "description": "The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Function apps use TLS 1.2 for the Minimum Inbound TLS Version by standard setting.",
1700
+ "caption": ""
1701
+ },
1702
+ {
1703
+ "key": "confirm_endtoend_tls_encryption_is_enabled_automated",
1704
+ "title": "Confirm end-to-end TLS encryption is enabled (Automated)",
1705
+ "description": "End-to-end (E2E) TLS encryption guarantees that front-end to worker communication within function apps is encrypted using TLS.",
1706
+ "caption": ""
1707
+ },
1708
+ {
1709
+ "key": "confirm_remote_debugging_is_configured_as_off_automated",
1710
+ "title": "Confirm Remote debugging is configured as Off (Automated)",
1711
+ "description": "Remote debugging allows a function app to be debugged in real-time directly in the Azure environment.",
1712
+ "caption": ""
1713
+ },
1714
+ {
1715
+ "key": "confirm_incoming_client_certificates_are_enabled_and_required_if_in_use_automated",
1716
+ "title": "Confirm incoming client certificates are enabled and required (if in use) (Automated)",
1717
+ "description": "Client certificates allow for the function app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
1718
+ "caption": ""
1719
+ },
1720
+ {
1721
+ "key": "confirm_app_service_authentication_is_configured_as_enabled_automated",
1722
+ "title": "Confirm App Service authentication is configured as Enabled (Automated)",
1723
+ "description": "App Service authentication can prevent anonymous HTTP requests from reaching an app, or authenticate those with tokens before they reach the app.",
1724
+ "caption": ""
1725
+ },
1726
+ {
1727
+ "key": "confirm_managed_identities_are_configured_automated",
1728
+ "title": "Confirm managed identities are configured (Automated)",
1729
+ "description": "Managed identities from Microsoft Entra ID allow function apps to securely access other Azure services without the need to provision or rotate any secrets.",
1730
+ "caption": ""
1731
+ },
1732
+ {
1733
+ "key": "confirm_public_network_access_is_disabled_automated",
1734
+ "title": "Confirm public network access is disabled (Automated)",
1735
+ "description": "Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access.",
1736
+ "caption": ""
1737
+ },
1738
+ {
1739
+ "key": "confirm_function_app_is_integrated_with_a_virtual_network_automated",
1740
+ "title": "Confirm function app is integrated with a virtual network (Automated)",
1741
+ "description": "Integrate function apps with a virtual network to enable access to resources in or through a non-internet-routable virtual network.",
1742
+ "caption": ""
1743
+ },
1744
+ {
1745
+ "key": "confirm_configuration_is_routed_through_the_virtual_network_integration_automated",
1746
+ "title": "Confirm configuration is routed through the virtual network integration (Automated)",
1747
+ "description": "By standard setting, configuration traffic for function apps goes directly over the public route. Container image pulls and content sharing can be routed through the virtual network integration.",
1748
+ "caption": ""
1749
+ },
1750
+ {
1751
+ "key": "confirm_all_traffic_is_routed_through_the_virtual_network_automated",
1752
+ "title": "Confirm all traffic is routed through the virtual network (Automated)",
1753
+ "description": "Enable vnetRouteAllEnabled to ensure all outbound traffic is routed through the integrated virtual network.",
1754
+ "caption": ""
1755
+ },
1756
+ {
1757
+ "key": "confirm_crossorigin_resource_sharing_does_not_allow_all_origins_automated",
1758
+ "title": "Confirm cross-origin resource sharing does not allow all origins (Automated)",
1759
+ "description": "Cross-origin resource sharing (CORS) is a security feature that controls how applications interact with resources hosted on different domains.",
1760
+ "caption": ""
1761
+ },
1762
+ {
1763
+ "key": "confirm_java_version_is_currently_supported_if_in_use_manual",
1764
+ "title": "Confirm Java version is currently supported (if in use) (Manual)",
1765
+ "description": "Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for function app deployment slots is recommended to avoid potential unpatched vulnerabilities.",
1766
+ "caption": ""
1767
+ },
1768
+ {
1769
+ "key": "confirm_python_version_is_currently_supported_if_in_use_manual",
1770
+ "title": "Confirm Python version is currently supported (if in use) (Manual)",
1771
+ "description": "Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for function app deployment slots is recommended to avoid potential unpatched vulnerabilities.",
1772
+ "caption": ""
1773
+ },
1774
+ {
1775
+ "key": "confirm_basic_authentication_publishing_credentials_are_disabled_automated",
1776
+ "title": "Confirm Basic Authentication Publishing Credentials are Disabled (Automated)",
1777
+ "description": "Basic Authentication Publishing Credentials offers the ability to publish or deploy to a function app deployment slot without a centralized Identity Provider.",
1778
+ "caption": ""
1779
+ },
1780
+ {
1781
+ "key": "confirm_ftp_state_is_configured_as_ftps_only_or_disabled_automated",
1782
+ "title": "Confirm FTP state is configured as FTPS only or Disabled (Automated)",
1783
+ "description": "By standard setting, App Service supports deployment over FTP. If FTP is essential for a deployment workflow, FTPS should be enforced for all function app deployment slots.",
1784
+ "caption": ""
1785
+ },
1786
+ {
1787
+ "key": "confirm_http_version_is_configured_as_20_if_in_use_automated",
1788
+ "title": "Confirm HTTP version is configured as 2.0 (if in use) (Automated)",
1789
+ "description": "Periodically, newer versions are released for HTTP, either due to security flaws or to include additional functionalities. Using the latest HTTP version allows apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
1790
+ "caption": ""
1791
+ },
1792
+ {
1793
+ "key": "confirm_https_only_is_configured_as_on_automated",
1794
+ "title": "Confirm HTTPS Only is configured as On (Automated)",
1795
+ "description": "Azure App Service allows function app deployment slots to run under both HTTP and HTTPS by standard setting. Function app deployment slots can be accessed by anyone using non-secure HTTP links by standard setting.",
1796
+ "caption": ""
1797
+ },
1798
+ {
1799
+ "key": "confirm_minimum_inbound_tls_version_is_configured_as_12_or_higher_automated",
1800
+ "title": "Confirm Minimum Inbound TLS Version is configured as 1.2 or higher (Automated)",
1801
+ "description": "The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Function app deployment slots use TLS 1.2 for the Minimum Inbound TLS Version by standard setting.",
1802
+ "caption": ""
1803
+ },
1804
+ {
1805
+ "key": "confirm_endtoend_tls_encryption_is_enabled_automated",
1806
+ "title": "Confirm end-to-end TLS encryption is enabled (Automated)",
1807
+ "description": "End-to-end (E2E) TLS encryption guarantees that front-end to worker communication within function app deployment slots is encrypted using TLS.",
1808
+ "caption": ""
1809
+ },
1810
+ {
1811
+ "key": "confirm_remote_debugging_is_configured_as_off_automated",
1812
+ "title": "Confirm Remote debugging is configured as Off (Automated)",
1813
+ "description": "Remote debugging allows a function app deployment slot to be debugged in real-time directly in the Azure environment.",
1814
+ "caption": ""
1815
+ },
1816
+ {
1817
+ "key": "confirm_incoming_client_certificates_are_enabled_and_required_if_in_use_automated",
1818
+ "title": "Confirm incoming client certificates are enabled and required (if in use) (Automated)",
1819
+ "description": "Client certificates allow for the deployment slot to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the deployment slot.",
1820
+ "caption": ""
1821
+ },
1822
+ {
1823
+ "key": "confirm_managed_identities_are_configured_automated",
1824
+ "title": "Confirm managed identities are configured (Automated)",
1825
+ "description": "Managed identities from Microsoft Entra ID allow function app deployment slots to securely access other Azure services without the need to provision or rotate any secrets.",
1826
+ "caption": ""
1827
+ },
1828
+ {
1829
+ "key": "confirm_public_network_access_is_disabled_automated",
1830
+ "title": "Confirm public network access is disabled (Automated)",
1831
+ "description": "Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access.",
1832
+ "caption": ""
1833
+ },
1834
+ {
1835
+ "key": "confirm_deployment_slot_is_integrated_with_a_virtual_network_automated",
1836
+ "title": "Confirm deployment slot is integrated with a virtual network (Automated)",
1837
+ "description": "Integrate function app deployment slots with a virtual network to enable access to resources in or through a non-internet-routable virtual network.",
1838
+ "caption": ""
1839
+ },
1840
+ {
1841
+ "key": "confirm_configuration_is_routed_through_the_virtual_network_integration_automated",
1842
+ "title": "Confirm configuration is routed through the virtual network integration (Automated)",
1843
+ "description": "By standard setting, configuration traffic for function app deployment slots goes directly over the public route. Container image pulls and content sharing can be routed through the virtual network integration.",
1844
+ "caption": ""
1845
+ },
1846
+ {
1847
+ "key": "confirm_all_traffic_is_routed_through_the_virtual_network_automated",
1848
+ "title": "Confirm all traffic is routed through the virtual network (Automated)",
1849
+ "description": "Enable vnetRouteAllEnabled to ensure all outbound traffic is routed through the integrated virtual network.",
1850
+ "caption": ""
1851
+ },
1852
+ {
1853
+ "key": "confirm_crossorigin_resource_sharing_does_not_allow_all_origins_automated",
1854
+ "title": "Confirm cross-origin resource sharing does not allow all origins (Automated)",
1855
+ "description": "Cross-origin resource sharing (CORS) is a security feature that controls how applications interact with resources hosted on different domains.",
1856
+ "caption": ""
1857
+ },
1858
+ {
1859
+ "key": "confirm_azure_key_vaults_are_used_to_store_secrets_manual",
1860
+ "title": "Confirm Azure Key Vaults are Used to Store Secrets (Manual)",
1861
+ "description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these Secrets can be controlled through granular permissions.",
1862
+ "caption": ""
1863
+ },
1864
+ {
1865
+ "key": "confirm_app_service_environment_is_deployed_with_an_internal_load_balancer_automated",
1866
+ "title": "Confirm App Service Environment is deployed with an internal load balancer (Automated)",
1867
+ "description": "App Service Environment apps should not be reachable over public internet. To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer.",
1868
+ "caption": ""
1869
+ },
1870
+ {
1871
+ "key": "confirm_app_service_environment_is_provisioned_with_v3_or_higher_automated",
1872
+ "title": "Confirm App Service Environment is provisioned with v3 or higher (Automated)",
1873
+ "description": "Ensure App Service Environment is provisioned with v3 or higher to benefit from the latest enhancements. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations.",
1874
+ "caption": ""
1875
+ },
1876
+ {
1877
+ "key": "confirm_app_service_environment_has_internal_encryption_enabled_automated",
1878
+ "title": "Confirm App Service Environment has internal encryption enabled (Automated)",
1879
+ "description": "The App Service Environment operates as a black box system where you cannot see the internal components or the communication within the system. To enable higher throughput, encryption is not enabled by standard setting between internal components. However, if you have a compliance requirement that requires complete encryption of the data path from end to end, you can enable encryption of the complete data path with a clusterSetting.",
1880
+ "caption": ""
1881
+ },
1882
+ {
1883
+ "key": "confirm_app_service_environment_has_tls_10_and_11_disabled_automated",
1884
+ "title": "Confirm App Service Environment has TLS 1.0 and 1.1 disabled (Automated)",
1885
+ "description": "The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. TLS versions 1.0 and 1.1 have been deprecated, and their use is generally discouraged. Disable all inbound TLS 1.0 and TLS 1.1 traffic for all the apps in an App Service Environment.",
1886
+ "caption": ""
1887
+ },
1888
+ {
1889
+ "key": "confirm_app_service_environment_has_tls_cipher_suite_ordering_configured_automated",
1890
+ "title": "Confirm App Service Environment has TLS cipher suite ordering configured (Automated)",
1891
+ "description": "App Service Environment supports changing the cipher suite from the standard setting. The standard setting set of ciphers is the same set that is used in the multi-tenant App Service. Configuring your App Service Environment to use only the ciphers it requires helps to keep the environment secure.",
1892
+ "caption": ""
1893
+ },
1894
+ {
1895
+ "key": "confirm_private_virtual_networks_are_used_for_container_instances_manual",
1896
+ "title": "Confirm Private Virtual Networks are used for Container Instances (Manual)",
1897
+ "description": "Private Virtual Networks (vNets) ensure that services and hosts within the subscription environment are appropriately segmented in private subnets. Public IP addressing for container instances should be handled through a NAT gateway and/or Firewall. In addition to the use of a private vNet for container instances, ensure that a Network Security Group (NSG) is configured and applied to your container instance vNet.",
1898
+ "caption": ""
1899
+ },
1900
+ {
1901
+ "key": "confirm_a_managed_identity_is_used_for_interactions_with_other_azure_services_manual",
1902
+ "title": "Confirm a Managed Identity is used for interactions with other Azure services (Manual)",
1903
+ "description": "For containers that require access to other resources, or other resources accessing a container, an identity/credential may be required. The Managed Identity prevents needing to store credentials in code within the Container Instance. There are two types of Managed Identities for Container Instances: System Assigned and User Assigned.",
1904
+ "caption": ""
1905
+ },
1906
+ {
1907
+ "key": "confirm_the_principle_of_least_privilege_is_used_when_assigning_roles_to_a_managed_identity_manual",
1908
+ "title": "Confirm the principle of least privilege is used when assigning roles to a Managed Identity (Manual)",
1909
+ "description": "When using either a user-assigned or system-assigned managed identity, those identities may require a role or privilege assignment to perform a desired function. The roles or privileges assigned to that identity should be assigned with the principle of least privilege in mind - the identity is given the minimum levels of access or permissions needed to perform the job.",
1910
+ "caption": ""
1911
+ },
1912
+ {
1913
+ "key": "confirm_ssl_is_configured_for_cyclecloud_manual",
1914
+ "title": "Confirm SSL is configured for CycleCloud (Manual)",
1915
+ "description": "The use of SSL guarantees that data in transit to and from the Azure CycleCloud server is encrypted. Encryption of data in transit offers integrity and confidentiality to that data. If unencrypted data is intercepted in transit it is highly vulnerable to exposure and exploitation.",
1916
+ "caption": ""
1917
+ },
1918
+ {
1919
+ "key": "confirm_batch_account_is_configured_as_use_customermanaged_keys_to_encrypt_data_manual",
1920
+ "title": "Confirm Batch account is configured as use customer-managed keys to encrypt data (Manual)",
1921
+ "description": "Customer-managed keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys (CMK) rather than Microsoft-managed keys.",
1922
+ "caption": ""
1923
+ },
1924
+ {
1925
+ "key": "confirm_batch_pools_disk_encryption_is_set_enabled_automated",
1926
+ "title": "Confirm Batch pools disk encryption is set enabled (Automated)",
1927
+ "description": "Azure Batch pools must have disk encryption enabled to protect data at rest on both OS and temporary disks, using Azure-managed encryption keys by standard setting. Enabling disk encryption meets compliance requirements, follows security best practices, and safeguards against unauthorized access to cached data and task outputs stored on VM disks.",
1928
+ "caption": ""
1929
+ },
1930
+ {
1931
+ "key": "confirm_local_authentication_methods_for_accounts_are_disabled_automated",
1932
+ "title": "Confirm local authentication methods for accounts are disabled (Automated)",
1933
+ "description": "This recommendation disables local authentication and guarantees that a centralized identity provider is used. Identity and Authentication silos with stale or persistent keys and tokens can increase vulnerability and risk by preventing detection mechanisms from capturing anomalous activity and may not produce an auditable trail of evidence that can be used for pattern detection and forensic investigation.",
1934
+ "caption": ""
1935
+ },
1936
+ {
1937
+ "key": "confirm_private_endpoints_are_considered_for_batch_accounts_automated",
1938
+ "title": "Confirm Private endpoints are considered for Batch accounts (Automated)",
1939
+ "description": "Private endpoints for Azure Batch accounts ensure all network communication occurs over private networks rather than the public internet. Configuring private endpoints for Azure Batch accounts guarantees all network traffic remains within the Microsoft Azure backbone network, eliminating exposure to public internet threats.",
1940
+ "caption": ""
1941
+ },
1942
+ {
1943
+ "key": "confirm_public_network_access_is_disabled_for_batch_accounts_automated",
1944
+ "title": "Confirm public network access is disabled for Batch accounts (Automated)",
1945
+ "description": "Disabling public network access guarantees all connectivity occurs through private endpoints or approved virtual networks. Public network access exposes Batch accounts to internet threats like DDoS attacks and unauthorized access, violating Zero Trust principles and compliance requirements for secure data processing environments.",
1946
+ "caption": ""
1947
+ },
1948
+ {
1949
+ "key": "confirm_private_dns_zones_for_private_endpoints_that_connect_to_batch_accounts_are_configured_manual",
1950
+ "title": "Confirm private DNS zones for private endpoints that connect to Batch accounts are configured (Manual)",
1951
+ "description": "Private DNS zones for Azure Batch private endpoints provide secure internal name resolution, preventing public internet exposure. When a private endpoint is created for a Batch account, Azure requires a private DNS zone (privatelink.batch.azure.com) to map the Batch service domain name to a private IP address within your virtual network (VNet).",
1952
+ "caption": ""
1953
+ },
1954
+ {
1955
+ "key": "confirm_diagnostics_settings_logs_for_batch_accounts_are_enabled_automated",
1956
+ "title": "Confirm Diagnostics settings logs for Batch accounts are enabled (Automated)",
1957
+ "description": "Azure Batch resource logs give important operational data such as job scheduling, pool management, and node communication. Having these logs enabled is necessary for monitoring, troubleshooting, and compliance auditing.",
1958
+ "caption": ""
1959
+ },
1960
+ {
1961
+ "key": "confirm_virtual_machines_are_utilizing_managed_disks_automated",
1962
+ "title": "Confirm Virtual Machines are utilizing Managed Disks (Automated)",
1963
+ "description": "Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the standard setting features of this configuration. Managed disks are by standard setting encrypted on the underlying hardware, so no additional encryption is required for basic protection.",
1964
+ "caption": ""
1965
+ },
1966
+ {
1967
+ "key": "confirm_that_os_and_data_disks_are_encrypted_with_customer_managed_key_cmk_automated",
1968
+ "title": "Confirm that OS and Data disks are encrypted with Customer Managed Key (CMK) (Automated)",
1969
+ "description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE). Encrypting the IaaS VMs OS disk (boot volume) and Data disks (non-boot volume) guarantees that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads.",
1970
+ "caption": ""
1971
+ },
1972
+ {
1973
+ "key": "confirm_that_unattached_disks_are_encrypted_with_customer_managed_key_cmk_automated",
1974
+ "title": "Confirm that Unattached disks are encrypted with Customer Managed Key (CMK) (Automated)",
1975
+ "description": "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). Managed disks are encrypted by standard setting with Platform-managed keys. Using Customer managed keys may provide an additional level of security or meet an organizations regulatory requirements.",
1976
+ "caption": ""
1977
+ },
1978
+ {
1979
+ "key": "confirm_that_disk_network_access_is_not_set_to_enable_public_access_from_all_networks_automated",
1980
+ "title": "Confirm that Disk Network Access is NOT set to Enable public access from all networks (Automated)",
1981
+ "description": "Virtual Machine Disks and snapshots can be configured to allow access from different network resources. The setting Enable public access from all networks is, in many cases, an overly permissive setting on Virtual Machine Disks that presents atypical attack, data infiltration, and data exfiltration vectors.",
1982
+ "caption": ""
1983
+ },
1984
+ {
1985
+ "key": "confirm_that_enable_data_access_authentication_mode_is_checked_automated",
1986
+ "title": "Confirm that Enable Data Access Authentication Mode is Checked (Automated)",
1987
+ "description": "Data Access Authentication Mode offers a method of uploading or exporting Virtual Machine Disks. Enabling data access authentication mode adds a layer of protection using an Entra ID role to further restrict users from creating and using Secure Access Signature (SAS) tokens for exporting a detached managed disk or virtual machine state.",
1988
+ "caption": ""
1989
+ },
1990
+ {
1991
+ "key": "confirm_that_only_approved_extensions_are_installed_manual",
1992
+ "title": "Confirm that Only Approved Extensions Are Installed (Manual)",
1993
+ "description": "For added security, only install organization-approved extensions on VMs. Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine.",
1994
+ "caption": ""
1995
+ },
1996
+ {
1997
+ "key": "confirm_that_endpoint_protection_for_all_virtual_machines_is_installed_manual",
1998
+ "title": "Confirm that Endpoint Protection for all Virtual Machines is installed (Manual)",
1999
+ "description": "Install endpoint protection for all virtual machines. Installing endpoint protection systems (like anti-malware for Azure) offers for real time protection capability that helps identify and remove viruses, spyware, and other malicious software.",
2000
+ "caption": ""
2001
+ },
2002
+ {
2003
+ "key": "legacy_confirm_that_vhds_are_encrypted_manual",
2004
+ "title": "(Legacy) Confirm that VHDs are Encrypted (Manual)",
2005
+ "description": "NOTE: This is a legacy recommendation. Managed Disks are encrypted by standard setting and recommended for all new VM implementations. VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. VHDs are not encrypted by standard setting, so this recommendation intends to address the security of these disks.",
2006
+ "caption": ""
2007
+ },
2008
+ {
2009
+ "key": "confirm_only_mfa_enabled_identities_can_access_privileged_virtual_machine_manual",
2010
+ "title": "Confirm only MFA enabled identities can access privileged Virtual Machine (Manual)",
2011
+ "description": "Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machines managed identity. Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials.",
2012
+ "caption": ""
2013
+ },
2014
+ {
2015
+ "key": "confirm_trusted_launch_is_enabled_on_virtual_machines_automated",
2016
+ "title": "Confirm Trusted Launch is enabled on Virtual Machines (Automated)",
2017
+ "description": "When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits.",
2018
+ "caption": ""
2019
+ },
2020
+ {
2021
+ "key": "confirm_that_encryption_at_host_is_enabled_automated",
2022
+ "title": "Confirm that encryption at host is enabled (Automated)",
2023
+ "description": "Encryption at host enhances Azure Disk Storage Server-Side Encryption to ensure that all temporary disks and disk caches are encrypted at rest and flow encrypted to the storage clusters. Encryption at host offers an additional layer of security to protect sensitive information.",
2024
+ "caption": ""
2025
+ }
2026
+ ]
2027
+ },
2028
+ {
2029
+ "key": "analytics_services",
2030
+ "title": "Analytics Services",
2031
+ "description": "This section provides prescriptive guidance for configuring Azure Analytics Services, focusing on isolation and secure access.",
2032
+ "type": "checklist",
2033
+ "items": [
2034
+ {
2035
+ "key": "confirm_that_azure_databricks_is_deployed_in_a_customermanaged_virtual_network_vnet_automated",
2036
+ "title": "Confirm that Azure Databricks is deployed in a customer-managed virtual network (VNet) (Automated)",
2037
+ "description": "By using a customer-managed Virtual Network (VNet) (also known as VNet Injection) guarantees that compute clusters and control planes are securely isolated within the organizations network boundary.",
2038
+ "caption": ""
2039
+ },
2040
+ {
2041
+ "key": "confirm_that_network_security_groups_are_configured_for_databricks_subnets_automated",
2042
+ "title": "Confirm that Network Security Groups are Configured for Databricks Subnets (Automated)",
2043
+ "description": "Network Security Groups (NSGs) should be implemented to control inbound and outbound traffic to Azure Databricks subnets, ensuring only authorized communication.",
2044
+ "caption": ""
2045
+ },
2046
+ {
2047
+ "key": "confirm_that_traffic_is_encrypted_between_cluster_worker_nodes_manual",
2048
+ "title": "Confirm that Traffic is Encrypted Between Cluster Worker Nodes (Manual)",
2049
+ "description": "By standard setting, data exchanged between worker nodes in an Azure Databricks cluster is not encrypted. You can create an initialization script that configures your clusters to encrypt traffic between worker nodes using AES 256-bit encryption over a TLS 1.3 connection.",
2050
+ "caption": ""
2051
+ },
2052
+ {
2053
+ "key": "confirm_that_users_and_groups_are_synced_from_microsoft_entra_id_to_azure_databricks_manual",
2054
+ "title": "Confirm that Users and Groups are Synced from Microsoft Entra ID to Azure Databricks (Manual)",
2055
+ "description": "To ensure centralized identity and access management, users and groups from Microsoft Entra ID should be synchronized with Azure Databricks through SCIM provisioning.",
2056
+ "caption": ""
2057
+ },
2058
+ {
2059
+ "key": "confirm_that_unity_catalog_is_configured_for_azure_databricks_manual",
2060
+ "title": "Confirm that Unity Catalog is Configured for Azure Databricks (Manual)",
2061
+ "description": "Unity Catalog is a centralized governance model for managing and securing data in Azure Databricks. It offers fine-grained access control to databases, tables, and views using Microsoft Entra ID identities.",
2062
+ "caption": ""
2063
+ },
2064
+ {
2065
+ "key": "confirm_that_usage_is_restricted_and_expiry_is_enforced_for_databricks_personal_access_tokens_manual",
2066
+ "title": "Confirm that Usage is Restricted and Expiry is Enforced for Databricks Personal Access Tokens (Manual)",
2067
+ "description": "Administrators should restrict token creation to approved users and service principals and enforce expiration policies to prevent long-lived tokens.",
2068
+ "caption": ""
2069
+ },
2070
+ {
2071
+ "key": "confirm_that_diagnostic_log_delivery_is_configured_for_azure_databricks_automated",
2072
+ "title": "Confirm that Diagnostic Log Delivery is Configured for Azure Databricks (Automated)",
2073
+ "description": "Azure Databricks Diagnostic Logging offers insights into system operations, user activities, and security events within a Databricks workspace.",
2074
+ "caption": ""
2075
+ },
2076
+ {
2077
+ "key": "confirm_critical_data_in_azure_databricks_is_encrypted_with_customermanaged_keys_cmk_manual",
2078
+ "title": "Confirm Critical Data in Azure Databricks is Encrypted with Customer-managed Keys (CMK) (Manual)",
2079
+ "description": "Customer-managed keys provide a means to manage access control for encryption keys. Sensitive data at rest can be encrypted using CMK rather than Microsoft-managed keys.",
2080
+ "caption": ""
2081
+ },
2082
+ {
2083
+ "key": "confirm_no_public_ip_is_set_to_enabled_automated",
2084
+ "title": "Confirm No Public IP is Set to Enabled (Automated)",
2085
+ "description": "Enable secure cluster connectivity (also known as no public IP) on Azure Databricks workspaces to ensure that clusters do not have public IP addresses.",
2086
+ "caption": ""
2087
+ },
2088
+ {
2089
+ "key": "confirm_allow_public_network_access_is_configured_as_disabled_automated",
2090
+ "title": "Confirm Allow Public Network Access is configured as Disabled (Automated)",
2091
+ "description": "Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access.",
2092
+ "caption": ""
2093
+ },
2094
+ {
2095
+ "key": "confirm_private_endpoints_are_used_to_access_azure_databricks_workspaces_automated",
2096
+ "title": "Confirm Private Endpoints are used to access Azure Databricks workspaces (Automated)",
2097
+ "description": "Use private endpoints for Azure Databricks workspaces to allow clients and services to securely access data located over a network via an encrypted Private Link.",
2098
+ "caption": ""
2099
+ },
2100
+ {
2101
+ "key": "confirm_azure_databricks_groups_are_reviewed_periodically_manual",
2102
+ "title": "Confirm Azure Databricks groups are reviewed periodically (Manual)",
2103
+ "description": "Groups are used in Role Based Access Control to apply permissions to users and should be audited on a regular interval.",
2104
+ "caption": ""
2105
+ }
2106
+ ]
2107
+ },
2108
+ {
2109
+ "key": "upload_logs",
2110
+ "title": "Upload logs",
2111
+ "description": "This should include all associated traffic associated to the in-scope targets.",
2112
+ "type": "large_upload"
2113
+ },
2114
+ {
2115
+ "key": "executive_summary",
2116
+ "title": "Executive summary",
2117
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
2118
+ "type": "executive_summary"
2119
+ }
2120
+ ]
2121
+ }
2122
+ }