bmt 0.9.0 → 0.10.1

@@ -0,0 +1,1402 @@
1
+ {
2
+ "metadata": {
3
+ "title": "Microsoft Azure Cloud Configuration Review Methodology",
4
+ "release_date": "2025-10-30T00:00:00+00:00",
5
+ "description": "Methodology based on Microsoft Azure Benchmark v4.0.0",
6
+ "vrt_version": "1.15.1"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "compute_services",
12
+ "title": "Compute Services",
13
+ "description": "This part outlines fundamental security settings for Azure's compute services, with a key focus on mandating Multi-Factor Authentication for privileged Virtual Machine access.",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "container_instances_use_managed_identity",
18
+ "title": "Verify that Container Instances use a Managed Identity for Azure service interactions (Manual).",
19
+ "description": "When containers must access other Azure resources, or be accessed by them, an identity is necessary. Employing a Managed Identity eliminates the need to hardcode credentials within the Container Instance.",
20
+ "caption": ""
21
+ },
22
+ {
23
+ "key": "container_instances_use_private_vnets",
24
+ "title": "Verify that Container Instances are deployed within Private Virtual Networks (Manual).",
25
+ "description": "Private Virtual Networks (vNets) are crucial for segmenting services and hosts into private subnets. Any public IP addressing for container instances should be managed via a NAT gateway or firewall. Additionally, a Network Security Group (NSG) must be configured and assigned to the vNet of your container instance.",
26
+ "caption": ""
27
+ },
28
+ {
29
+ "key": "container_instances_least_privilege_for_managed_identity",
30
+ "title": "Verify that the principle of least privilege is applied to Managed Identity role assignments (Manual).",
31
+ "description": "For any managed identity, whether user-assigned or system-assigned, that requires a specific role, the principle of least privilege must be applied. This means granting the identity only the minimum permissions necessary to perform its function.",
32
+ "caption": ""
33
+ },
34
+ {
35
+ "key": "app_service_supported_php_version",
36
+ "title": "Verify that the PHP version for App Services is currently supported (if in use) (Manual).",
37
+ "description": "Older versions of PHP are periodically deprecated and lose support. To prevent exposure to unpatched vulnerabilities, it is recommended to use a currently supported version of PHP for all web applications.",
38
+ "caption": ""
39
+ },
40
+ {
41
+ "key": "app_service_authentication_setup",
42
+ "title": "Verify that App Service Authentication is configured for all web applications (Automated).",
43
+ "description": "Azure App Service Authentication serves to block anonymous HTTP requests from accessing a Web Application or to authenticate them using tokens beforehand. If an unauthenticated browser request is detected, App Service can redirect it to a login page, utilizing a selected identity provider or a custom authentication solution.",
44
+ "caption": ""
45
+ },
46
+ {
47
+ "key": "app_service_supported_java_version",
48
+ "title": "Verify that the Java version for App Services is currently supported (if in use) (Manual).",
49
+ "description": "Older versions of Java are periodically deprecated and lose support. To prevent exposure to unpatched vulnerabilities, it is recommended to use a currently supported version of Java for all web applications.",
50
+ "caption": ""
51
+ },
52
+ {
53
+ "key": "app_service_supported_python_version",
54
+ "title": "Verify that the Python version for App Services is currently supported (if in use) (Manual).",
55
+ "description": "Older versions of Python are periodically deprecated and lose support. To prevent exposure to unpatched vulnerabilities, it is recommended to use a currently supported version of Python for all web applications.",
56
+ "caption": ""
57
+ },
58
+ {
59
+ "key": "app_service_client_certificates_on",
60
+ "title": "Verify that the web app Client Certificates setting is On (Automated).",
61
+ "description": "This setting enables the application to demand a certificate for all incoming requests. Access is granted only to clients that present a valid certificate.",
62
+ "caption": ""
63
+ },
64
+ {
65
+ "key": "app_service_https_only",
66
+ "title": "Verify that HTTPS Only is enabled for App Services (Automated).",
67
+ "description": "By default, Azure App Service permits traffic over both HTTP and HTTPS, leaving apps accessible through insecure links. It is a recommended security measure to enforce HTTPS-only traffic, which involves restricting insecure HTTP requests and redirecting all traffic to the secure HTTPS port.",
68
+ "caption": ""
69
+ },
70
+ {
71
+ "key": "app_service_latest_tls_version",
72
+ "title": "Verify that the Web App is configured to use the latest TLS encryption version (Automated).",
73
+ "description": "The Transport Layer Security (TLS) protocol provides security for data transmission online through encryption. It is crucial to configure encryption with the most recent TLS version. App Service defaults to TLS 1.2, which aligns with industry best practices such as PCI DSS.",
74
+ "caption": ""
75
+ },
76
+ {
77
+ "key": "app_service_register_with_aad",
78
+ "title": "Verify that Register with Azure Active Directory is enabled for the App Service (Automated).",
79
+ "description": "Using a managed service identity with Azure Active Directory enhances security by eliminating secrets from an application, such as credentials in connection strings. By registering the app with Azure AD, it can connect to other Azure services securely without managing usernames and passwords.",
80
+ "caption": ""
81
+ },
82
+ {
83
+ "key": "app_service_ftp_state_secure",
84
+ "title": "Verify that the FTP State is configured to FTPS Only or Disabled (Automated).",
85
+ "description": "By default, App Services support deployment via FTP. If FTP is a necessary part of the deployment process, FTPS should be mandated for all logins. If FTPS is not essential, the setting should be 'Disabled' for optimal security.",
86
+ "caption": ""
87
+ },
88
+ {
89
+ "key": "app_service_use_key_vault_for_secrets",
90
+ "title": "Verify that Azure Key Vaults are used for storing application secrets (Manual).",
91
+ "description": "Azure Key Vault provides a secure repository for various types of sensitive data, including encryption keys, certificate thumbprints, and Managed Identity credentials. Granular permissions can be used to control access to these 'Secrets'.",
92
+ "caption": ""
93
+ },
94
+ {
95
+ "key": "app_service_http20_enabled",
96
+ "title": "Verify that HTTP20enabled is set to true for the App Service (if in use) (Automated).",
97
+ "description": "Outdated versions of HTTP can become deprecated and unsupported. Using a current version of HTTP for web apps is advisable to avoid vulnerabilities from obsolete protocols. HTTP 2.0 brings performance enhancements over older versions, addressing head-of-line blocking, compressing headers, and prioritizing requests.",
98
+ "caption": ""
99
+ },
100
+ {
101
+ "key": "compute_vm_mfa_for_privileged_access",
102
+ "title": "Verify that only MFA-enabled identities have privileged access to Virtual Machines (Manual).",
103
+ "description": "Identify any identities that can access a privileged virtual machine without Multi-Factor Authentication. An attacker could exploit this access to move laterally and execute actions using the VM's managed identity. Ensure the VM has only essential permissions and revoke excessive admin rights based on the principle of least privilege.",
104
+ "caption": ""
105
+ },
106
+ {
107
+ "key": "vm_azure_bastion_host_exists",
108
+ "title": "Verify that an Azure Bastion Host is deployed (Automated).",
109
+ "description": "The Azure Bastion service enables secure remote connections to Azure Virtual Machines from the internet without exposing remote access ports. Access is provided via TLS over 443/TCP and integrates with an organization's hardened Azure Active Directory configurations.",
110
+ "caption": ""
111
+ },
112
+ {
113
+ "key": "vm_encrypt_unattached_disks_with_cmk",
114
+ "title": "Verify that unattached disks are encrypted with a Customer-Managed Key (CMK) (Automated).",
115
+ "description": "Verify that all unattached disks within a subscription are secured through encryption using a Customer-Managed Key (CMK).",
116
+ "caption": ""
117
+ },
118
+ {
119
+ "key": "vm_only_approved_extensions",
120
+ "title": "Verify that only approved extensions are installed on Virtual Machines (Manual).",
121
+ "description": "For improved security, ensure that only extensions approved by the organization are installed on Virtual Machines.",
122
+ "caption": ""
123
+ },
124
+ {
125
+ "key": "vm_legacy_encrypt_vhds",
126
+ "title": "Legacy - Verify that Virtual Hard Disks (VHDs) are encrypted (Manual).",
127
+ "description": "Virtual Hard Disks (VHDs) are an older disk type stored in blob storage. As storage accounts are unencrypted by default, Microsoft Defender recommends encrypting OS disks. Therefore, storage accounts containing VHDs should have encryption enabled, using either platform-managed or customer-managed keys.",
128
+ "caption": ""
129
+ },
130
+ {
131
+ "key": "vm_install_endpoint_protection",
132
+ "title": "Verify that Endpoint Protection is installed on all Virtual Machines (Manual).",
133
+ "description": "Ensure endpoint protection software is installed on every virtual machine to safeguard against threats.",
134
+ "caption": ""
135
+ },
136
+ {
137
+ "key": "vm_utilize_managed_disks",
138
+ "title": "Verify that Virtual Machines are using Managed Disks (Automated).",
139
+ "description": "Transition any blob-based VHDs to Managed Disks on Virtual Machines to benefit from the inherent features of this modern disk configuration.",
140
+ "caption": ""
141
+ },
142
+ {
143
+ "key": "vm_encrypt_disks_with_cmk",
144
+ "title": "Verify that OS and data disks are encrypted with a Customer-Managed Key (CMK) (Automated).",
145
+ "description": "Confirm that both operating system disks (boot volumes) and data disks are encrypted using Customer-Managed Keys (CMK). This can be implemented via Azure Disk Encryption (ADE) or Server-Side Encryption (SSE).",
146
+ "caption": ""
147
+ },
148
+ {
149
+ "key": "cyclecloud_configure_ssl",
150
+ "title": "Verify that SSL is configured for CycleCloud (Manual).",
151
+ "description": "Implementing SSL is crucial for encrypting data transmitted to and from the Azure CycleCloud server, thereby maintaining confidentiality.",
152
+ "caption": ""
153
+ }
154
+ ]
155
+ },
156
+ {
157
+ "key": "identity_services",
158
+ "title": "Identity Services",
159
+ "description": "This chapter outlines security best practices for Azure's identity services. It provides guidance on Microsoft Entra ID settings, Conditional Access rules, regular identity audits, and role-based access control to create a resilient identity management system.",
160
+ "type": "checklist",
161
+ "items": [
162
+ {
163
+ "key": "identity_disallow_users_to_create_security_groups",
164
+ "title": "Verify that Users can create security groups... is set to No (Manual).",
165
+ "description": "Ensure that the ability to create security groups is limited to administrative accounts only.",
166
+ "caption": ""
167
+ },
168
+ {
169
+ "key": "identity_restrict_non_admin_tenant_creation",
170
+ "title": "Verify that Restrict non-admin users from creating tenants is set to Yes (Automated).",
171
+ "description": "Mandate that new tenants can only be created by administrators or other specifically delegated users.",
172
+ "caption": ""
173
+ },
174
+ {
175
+ "key": "identity_set_account_lockout_duration",
176
+ "title": "Verify that the account Lockout duration in seconds is 60 or greater (Manual).",
177
+ "description": "The lockout duration specifies the amount of time an account remains locked, determining how long a user must wait before attempting to log in again after reaching the lockout threshold.",
178
+ "caption": ""
179
+ },
180
+ {
181
+ "key": "identity_no_custom_subscription_admin_roles",
182
+ "title": "Verify that no custom subscription administrator roles exist (Automated).",
183
+ "description": "Adhere to the principle of least privilege by assigning only necessary permissions, rather than granting full administrative control.",
184
+ "caption": ""
185
+ },
186
+ {
187
+ "key": "identity_notify_users_on_password_resets",
188
+ "title": "Verify that Notify users on password resets? is set to Yes (Manual).",
189
+ "description": "Confirm that users receive notifications to their primary and secondary email addresses when their password is reset.",
190
+ "caption": ""
191
+ },
192
+ {
193
+ "key": "identity_require_auth_info_reconfirmation",
194
+ "title": "Verify that Number of days before users are asked to re-confirm their authentication information is not 0 (Manual).",
195
+ "description": "Make sure that the period before users are prompted to re-confirm their authentication details is not set to zero days.",
196
+ "caption": ""
197
+ },
198
+ {
199
+ "key": "identity_restrict_guest_invitations_to_admins",
200
+ "title": "Verify Guest invite restrictions is set to Only users assigned to specific admin roles can invite... (Automated).",
201
+ "description": "Restrict the ability to invite guest users exclusively to accounts holding designated administrative roles.",
202
+ "caption": ""
203
+ },
204
+ {
205
+ "key": "identity_no_admin_accounts_for_daily_ops",
206
+ "title": "Verify that Azure admin accounts are not used for daily operational tasks (Manual).",
207
+ "description": "Microsoft Azure administrative accounts should be reserved for administrative duties and not used for routine, non-privileged activities.",
208
+ "caption": ""
209
+ },
210
+ {
211
+ "key": "identity_consider_device_code_flow_exclusion_policy",
212
+ "title": "Verify that an exclusionary policy for the device code flow has been considered (Manual).",
213
+ "description": "Conditional Access Policies can be used to block the device code authentication flow. This flow should only be allowed for users whose roles specifically require it, such as for authenticating with Azure via PowerShell.",
214
+ "caption": ""
215
+ },
216
+ {
217
+ "key": "identity_restrict_access_to_entra_admin_center",
218
+ "title": "Verify that Restrict access to Microsoft Entra admin center is set to Yes (Manual).",
219
+ "description": "Ensure that access to the Microsoft Entra ID administration portal is restricted to administrative personnel only.",
220
+ "caption": ""
221
+ },
222
+ {
223
+ "key": "identity_set_account_lockout_threshold",
224
+ "title": "Verify that the account Lockout threshold is 10 or less (Manual).",
225
+ "description": "The lockout threshold defines the number of failed sign-in attempts allowed before an account is locked and a variable lockout period begins.",
226
+ "caption": ""
227
+ },
228
+ {
229
+ "key": "identity_custom_role_for_resource_locks",
230
+ "title": "Verify that a custom role is used for administering resource locks (Manual).",
231
+ "description": "Resource locking is a vital security feature that prevents accidental modification or deletion of Azure resources, aligning with recommended NIST configurations. A custom role should manage these locks.",
232
+ "caption": ""
233
+ },
234
+ {
235
+ "key": "identity_notify_admins_on_other_admin_password_resets",
236
+ "title": "Verify that Notify all admins when other admins reset their password? is set to Yes (Manual).",
237
+ "description": "Ensure a system is in place to notify all Global Administrators whenever any other administrator resets their password.",
238
+ "caption": ""
239
+ },
240
+ {
241
+ "key": "identity_review_privileged_roles_periodically",
242
+ "title": "Verify that all privileged role assignments are reviewed periodically (Manual).",
243
+ "description": "Regularly review privileged role assignments to confirm that the roles granted to users remain accurate and appropriate for their responsibilities.",
244
+ "caption": ""
245
+ },
246
+ {
247
+ "key": "identity_restrict_user_access_administrator_role",
248
+ "title": "Verify that the use of the User Access Administrator role is restricted (Automated).",
249
+ "description": "The User Access Administrator role provides extensive privileges, including viewing all resources and managing access at any subscription or management group level. To mitigate security risks, this role should only be assigned temporarily and removed immediately after the necessary tasks are completed.",
250
+ "caption": ""
251
+ },
252
+ {
253
+ "key": "identity_require_two_methods_for_password_reset",
254
+ "title": "Verify that the Number of methods required to reset is set to 2 (Manual).",
255
+ "description": "This policy ensures that users must provide two different forms of identification before they are permitted to reset their password.",
256
+ "caption": ""
257
+ },
258
+ {
259
+ "key": "identity_restrict_user_access_to_my_groups",
260
+ "title": "Verify that Restrict user ability to access groups features in My Groups is Yes (Manual).",
261
+ "description": "Restrict user access to the group management interface within the Access Panel portal.",
262
+ "caption": ""
263
+ },
264
+ {
265
+ "key": "identity_require_mfa_for_azure_management_api",
266
+ "title": "Verify that multi-factor authentication is required for the Azure Service Management API (Manual).",
267
+ "description": "This setting ensures that any user accessing resources via the Windows Azure Service Management API (e.g., Azure PowerShell, CLI, Resource Manager API) must authenticate using multi-factor authentication (MFA).",
268
+ "caption": ""
269
+ },
270
+ {
271
+ "key": "identity_disallow_owners_to_manage_group_requests",
272
+ "title": "Verify that Owners can manage group membership requests in My Groups is No (Manual).",
273
+ "description": "Ensure that the management of security groups is confined to administrative accounts only.",
274
+ "caption": ""
275
+ },
276
+ {
277
+ "key": "identity_enable_security_defaults",
278
+ "title": "Verify that security defaults is enabled in Microsoft Entra ID (Manual).",
279
+ "description": "Security defaults in Microsoft Entra ID simplify security and help safeguard your organization by providing pre-configured settings to defend against common attacks.",
280
+ "caption": ""
281
+ },
282
+ {
283
+ "key": "identity_require_mfa_for_admin_portals",
284
+ "title": "Verify that multi-factor authentication is required for access to Microsoft Admin Portals (Manual).",
285
+ "description": "This policy ensures that users accessing Microsoft Admin Portals (like the Microsoft 365 Admin Center, Azure Portal, etc.) must authenticate using multi-factor authentication (MFA).",
286
+ "caption": ""
287
+ },
288
+ {
289
+ "key": "identity_disallow_users_to_register_apps",
290
+ "title": "Verify that Users can register applications is set to No (Automated).",
291
+ "description": "Mandate that the registration of third-party applications can only be performed by administrators or other appropriately delegated users.",
292
+ "caption": ""
293
+ },
294
+ {
295
+ "key": "identity_disallow_user_consent_for_apps",
296
+ "title": "Verify that User consent for applications is set to Do not allow user consent (Manual).",
297
+ "description": "Require that administrative consent is given for all applications before they can be used.",
298
+ "caption": ""
299
+ },
300
+ {
301
+ "key": "identity_require_mfa_for_risky_sign_ins",
302
+ "title": "Verify that multi-factor authentication is required for risky sign-ins (Manual).",
303
+ "description": "Entra ID monitors sign-in event behavior. For tenants with a P2 license, this behavior can trigger additional security measures. When this policy is enabled, sign-in events flagged as risky will require users to provide a multi-factor authentication (MFA) token for verification.",
304
+ "caption": ""
305
+ },
306
+ {
307
+ "key": "identity_consider_geographic_exclusion_policy",
308
+ "title": "Verify that an exclusionary geographic Conditional Access policy has been considered (Manual).",
309
+ "description": "Conditional Access Policies can be configured to block access from geographic regions that are considered outside the operational scope of your organization or application. The specifics of this policy should be carefully defined.",
310
+ "caption": ""
311
+ },
312
+ {
313
+ "key": "identity_allow_user_consent_from_verified_publishers",
314
+ "title": "Verify User consent for applications is set to Allow user consent for apps from verified publishers... (Manual).",
315
+ "description": "Allow users to grant consent for certain permissions when the application request originates from a publisher that has been verified.",
316
+ "caption": ""
317
+ },
318
+ {
319
+ "key": "identity_prevent_subscription_tenant_transfers",
320
+ "title": "Verify that subscription transfers into or out of the Microsoft Entra tenant are prohibited (Manual).",
321
+ "description": "Users assigned as subscription owners have the ability to perform administrative actions, including moving subscriptions between Microsoft Entra ID tenants. This setting prevents such transfers.",
322
+ "caption": ""
323
+ },
324
+ {
325
+ "key": "identity_mfa_policy_for_all_users",
326
+ "title": "Verify that a multi-factor authentication policy is in place for all users (Manual).",
327
+ "description": "A Conditional Access policy can be implemented to ensure all users are required to use Multifactor Authentication (MFA) during the login process.",
328
+ "caption": ""
329
+ },
330
+ {
331
+ "key": "identity_define_trusted_locations",
332
+ "title": "Verify that trusted locations have been defined (Manual).",
333
+ "description": "Microsoft Entra ID Conditional Access enables organizations to define Named Locations and designate them as either trusted or untrusted. This feature allows for the specification of geographic areas or specific IP ranges for use in conditional access policies.",
334
+ "caption": ""
335
+ },
336
+ {
337
+ "key": "identity_limit_global_administrators",
338
+ "title": "Verify that fewer than 5 users are assigned the global administrator role (Manual).",
339
+ "description": "This guideline seeks to balance security with operational needs by recommending a minimum of 2 and a maximum of 4 users assigned the Global Administrator role. Having at least two ensures redundancy, while keeping the number below five mitigates the risk of excessive privileged access.",
340
+ "caption": ""
341
+ },
342
+ {
343
+ "key": "identity_enforce_custom_banned_password_list",
344
+ "title": "Verify that a Custom banned password list is enforced (Manual).",
345
+ "description": "In addition to a default global banned password list, Microsoft Azure allows for the enforcement of a custom list for all user and admin accounts managed directly in Microsoft Entra ID.",
346
+ "caption": ""
347
+ },
348
+ {
349
+ "key": "identity_disable_remember_mfa_on_trusted_devices",
350
+ "title": "Verify Allow users to remember multifactor authentication on devices they trust is disabled (Manual).",
351
+ "description": "Prevent users from saving their multi-factor authentication status on devices they use.",
352
+ "caption": ""
353
+ },
354
+ {
355
+ "key": "identity_review_guest_users_regularly",
356
+ "title": "Verify that guest user accounts are reviewed on a regular basis (Manual).",
357
+ "description": "Microsoft Entra ID provides functionality to invite external individuals as guest users into your cloud environment, where they can sign in using their own credentials. These guest accounts should be reviewed periodically.",
358
+ "caption": ""
359
+ },
360
+ {
361
+ "key": "identity_disallow_users_to_create_m365_groups",
362
+ "title": "Verify that Users can create Microsoft 365 groups... is set to No (Manual).",
363
+ "description": "Limit the creation of Microsoft 365 groups to administrative accounts only.",
364
+ "caption": ""
365
+ },
366
+ {
367
+ "key": "identity_restrict_guest_user_access",
368
+ "title": "Verify Guest users access restrictions is set to restrict access to their own directory objects (Automated).",
369
+ "description": "Constrain the permissions of guest users to only view properties and memberships of their own directory objects.",
370
+ "caption": ""
371
+ },
372
+ {
373
+ "key": "identity_require_mfa_to_join_devices",
374
+ "title": "Verify Require Multifactor Authentication to register or join devices... is Yes (Manual).",
375
+ "description": "The process of joining or registering a device with Microsoft Entra ID should require the user to complete a multi-factor authentication challenge.",
376
+ "caption": ""
377
+ },
378
+ {
379
+ "key": "identity_enable_mfa_for_all_users",
380
+ "title": "Verify that multifactor authentication is enabled for all users (Manual).",
381
+ "description": "Activate multi-factor authentication for all user accounts without exception.",
382
+ "caption": ""
383
+ }
384
+ ]
385
+ },
386
+ {
387
+ "key": "networking_services",
388
+ "title": "Networking Policies",
389
+ "description": "This chapter addresses security guidelines for networking policies within an Azure subscription. It includes controls for restricting internet-based RDP and SSH, managing Network Watcher, and defining retention periods for network flow logs.",
390
+ "type": "checklist",
391
+ "items": [
392
+ {
393
+ "key": "networking_evaluate_public_ips_periodically",
394
+ "title": "Verify that Public IP addresses are evaluated on a periodic basis (Manual).",
395
+ "description": "Public IP Addresses grant internet connectivity to resources within a tenant. Since some Azure resources create a Public IP upon deployment, all Public IP Addresses should be reviewed regularly to ensure they are necessary and correctly configured.",
396
+ "caption": ""
397
+ },
398
+ {
399
+ "key": "networking_restrict_rdp_from_internet",
400
+ "title": "Verify that RDP access from the Internet is evaluated and restricted (Automated).",
401
+ "description": "Network security groups require periodic review for port misconfigurations. Access to Azure resources from the internet, particularly for RDP, should be restricted or removed unless it is explicitly required and tightly configured.",
402
+ "caption": ""
403
+ },
404
+ {
405
+ "key": "networking_vnet_flow_log_retention_over_90_days",
406
+ "title": "Verify that virtual network flow log retention is set to 90 days or more (Automated).",
407
+ "description": "Confirm that the retention period for virtual network flow logs is configured to be at least 90 days.",
408
+ "caption": ""
409
+ },
410
+ {
411
+ "key": "networking_restrict_udp_from_internet",
412
+ "title": "Verify that UDP access from the Internet is evaluated and restricted (Automated).",
413
+ "description": "Network security groups should be reviewed regularly for port misconfigurations. Any ports and protocols exposed to the internet should be evaluated for necessity and restricted if not explicitly required.",
414
+ "caption": ""
415
+ },
416
+ {
417
+ "key": "networking_restrict_ssh_from_internet",
418
+ "title": "Verify that SSH access from the Internet is evaluated and restricted (Automated).",
419
+ "description": "Network security groups require periodic review for port misconfigurations. Any ports and protocols exposed to the internet should be evaluated for necessity and restricted if not explicitly required.",
420
+ "caption": ""
421
+ },
422
+ {
423
+ "key": "networking_nsg_flow_log_retention_over_90_days",
424
+ "title": "Verify that Network Security Group Flow Log retention is greater than 90 days (Automated).",
425
+ "description": "It is required that Network Security Group Flow Logs are enabled and their retention period is set to 90 days or longer.",
426
+ "caption": ""
427
+ },
428
+ {
429
+ "key": "networking_enable_network_watcher_for_used_regions",
430
+ "title": "Verify that Network Watcher is Enabled for all in-use Azure Regions (Automated).",
431
+ "description": "Enable the Network Watcher service for every physical region in your Azure subscriptions that hosts resources.",
432
+ "caption": ""
433
+ },
434
+ {
435
+ "key": "networking_restrict_http_from_internet",
436
+ "title": "Verify that HTTP(S) access from the Internet is evaluated and restricted (Automated).",
437
+ "description": "Network security groups need regular evaluation for port misconfigurations. Any ports and protocols, like HTTP(S), exposed to the internet should be reviewed for necessity and restricted unless they are explicitly required and narrowly configured.",
438
+ "caption": ""
439
+ }
440
+ ]
441
+ },
442
+ {
443
+ "key": "database_services",
444
+ "title": "Database Services",
445
+ "description": "This chapter details fundamental security settings for various Azure Database services.",
446
+ "type": "checklist",
447
+ "items": [
448
+ {
449
+ "key": "sqldb_tde_protector_encrypted_with_cmk",
450
+ "title": "Verify that the SQL servers TDE protector is encrypted with a Customer-Managed Key (Automated).",
451
+ "description": "Using a customer-managed key for Transparent Data Encryption (TDE) provides greater control over the TDE Protector, enhances security through an HSM-backed service, and helps enforce separation of duties.",
452
+ "caption": ""
453
+ },
454
+ {
455
+ "key": "sqldb_data_encryption_on",
456
+ "title": "Verify that Data encryption is set to On for all SQL Databases (Automated).",
457
+ "description": "Ensure that Transparent Data Encryption is enabled on all SQL server instances.",
458
+ "caption": ""
459
+ },
460
+ {
461
+ "key": "sqldb_entra_authentication_configured",
462
+ "title": "Verify that Microsoft Entra authentication is configured for SQL Servers (Automated).",
463
+ "description": "Utilize Microsoft Entra authentication for SQL Database connections to centralize credential management.",
464
+ "caption": ""
465
+ },
466
+ {
467
+ "key": "sqldb_no_ingress_from_any_ip",
468
+ "title": "Verify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (Any IP) (Automated).",
469
+ "description": "Confirm that no SQL Databases are configured to permit inbound traffic from all IP addresses (0.0.0.0/0).",
470
+ "caption": ""
471
+ },
472
+ {
473
+ "key": "sqldb_auditing_retention_over_90_days",
474
+ "title": "Verify that Auditing retention is greater than 90 days (Automated).",
475
+ "description": "The retention period for SQL Server Auditing should be set to a value greater than 90 days.",
476
+ "caption": ""
477
+ },
478
+ {
479
+ "key": "sqldb_public_network_access_disabled",
480
+ "title": "Verify that Public Network Access is disabled for SQL Servers (Manual).",
481
+ "description": "By disabling public network access, you prevent the service from being reachable from public networks.",
482
+ "caption": ""
483
+ },
484
+ {
485
+ "key": "sqldb_auditing_on",
486
+ "title": "Verify that Auditing is set to On for SQL Servers (Automated).",
487
+ "description": "Activate the auditing feature on all SQL Server instances.",
488
+ "caption": ""
489
+ },
490
+ {
491
+ "key": "postgresql_connection_throttling_on",
492
+ "title": "Verify that connection throttling is ON for PostgreSQL Servers (Automated).",
493
+ "description": "Ensure the connection_throttling parameter is enabled on all PostgreSQL Servers.",
494
+ "caption": ""
495
+ },
496
+ {
497
+ "key": "postgresql_log_retention_over_3_days",
498
+ "title": "Verify that log retention days is greater than 3 for PostgreSQL Servers (Automated).",
499
+ "description": "Confirm that the log_retention_days parameter on PostgreSQL Servers is configured to an adequate value.",
500
+ "caption": ""
501
+ },
502
+ {
503
+ "key": "postgresql_log_disconnections_on",
504
+ "title": "Verify that log disconnections is ON for PostgreSQL Servers (Automated).",
505
+ "description": "Ensure the log_disconnections parameter is enabled on all PostgreSQL Servers.",
506
+ "caption": ""
507
+ },
508
+ {
509
+ "key": "postgresql_log_checkpoints_on",
510
+ "title": "Verify that log checkpoints is ON for PostgreSQL Servers (Automated).",
511
+ "description": "Enable log_checkpoints on PostgreSQL Servers.",
512
+ "caption": ""
513
+ },
514
+ {
515
+ "key": "postgresql_disable_allow_access_to_azure_services",
516
+ "title": "Verify that Allow access to Azure services for PostgreSQL Servers is disabled (Automated).",
517
+ "description": "Disable the setting that allows access from other Azure services to the PostgreSQL Database Server.",
518
+ "caption": ""
519
+ },
520
+ {
521
+ "key": "postgresql_enforce_ssl_connection",
522
+ "title": "Verify that Enforce SSL connection is ENABLED for PostgreSQL Servers (Automated).",
523
+ "description": "Ensure that SSL connections are required for all PostgreSQL Servers.",
524
+ "caption": ""
525
+ },
526
+ {
527
+ "key": "postgresql_enable_infrastructure_double_encryption",
528
+ "title": "Verify that Infrastructure double encryption for PostgreSQL Servers is Enabled (Single Server Only) (Automated).",
529
+ "description": "All Azure Database for PostgreSQL servers should be deployed with 'infrastructure double encryption' enabled.",
530
+ "caption": ""
531
+ },
532
+ {
533
+ "key": "postgresql_log_connections_on",
534
+ "title": "Verify that log connections is ON for PostgreSQL Servers (Automated).",
535
+ "description": "Enable log_connections on PostgreSQL Servers.",
536
+ "caption": ""
537
+ },
538
+ {
539
+ "key": "cosmosdb_use_entra_id_and_rbac",
540
+ "title": "Verify that Entra ID and Azure RBAC are used for Cosmos DB authentication where possible (Manual).",
541
+ "description": "Cosmos DB supports both tokens and Entra ID for client authentication, with the latter using Azure RBAC for authorization. Using Entra ID is more secure because it centralizes credential management, enables MFA, and integrates seamlessly with Azure RBAC.",
542
+ "caption": ""
543
+ },
544
+ {
545
+ "key": "cosmosdb_limit_firewalls_and_networks",
546
+ "title": "Verify that Firewalls & Networks is limited to selected networks (Automated).",
547
+ "description": "Confining your Cosmos DB's communication to whitelisted networks effectively reduces its potential attack surface.",
548
+ "caption": ""
549
+ },
550
+ {
551
+ "key": "cosmosdb_use_private_endpoints",
552
+ "title": "Verify that Private Endpoints are used for Cosmos DB where possible (Automated).",
553
+ "description": "Private endpoints ensure that network traffic is restricted to only approved and secure sources.",
554
+ "caption": ""
555
+ },
556
+ {
557
+ "key": "redis_allow_access_only_via_ssl",
558
+ "title": "Verify that Allow access only via SSL is set to Yes for Redis Cache (Automated).",
559
+ "description": "By setting 'Allow access only via SSL' to 'Yes', you guarantee that all data in transit to and from Azure Cache for Redis is encrypted with TLS.",
560
+ "caption": ""
561
+ },
562
+ {
563
+ "key": "redis_public_network_access_disabled",
564
+ "title": "Verify that Public Network Access for Redis Cache is Disabled (Manual).",
565
+ "description": "Disabling public network access ensures the service cannot be reached from public networks, enhancing security.",
566
+ "caption": ""
567
+ },
568
+ {
569
+ "key": "redis_implement_access_policies",
570
+ "title": "Verify that Access Policies are implemented and periodically reviewed (Manual).",
571
+ "description": "Access Policies function as an Access Control List (ACL), enabling administrators to specify which identities can access what data and commands. This Role-Based Access Control (RBAC) implementation requires careful planning to deploy and manage.",
572
+ "caption": ""
573
+ },
574
+ {
575
+ "key": "redis_minimum_tls_1_2",
576
+ "title": "Verify that Minimum TLS version is set to 1.2 or higher (Manual).",
577
+ "description": "Configuring a minimum TLS version helps mitigate protocol vulnerabilities by disallowing the use of older, less secure TLS versions.",
578
+ "caption": ""
579
+ },
580
+ {
581
+ "key": "redis_system_assigned_managed_identity_on",
582
+ "title": "Verify that System Assigned Managed Identity is set to On (Manual).",
583
+ "description": "System Assigned Managed Identities give the Azure Cache for Redis instance a unique, automatically managed identity. These identities are specific to the resource they are created for and are deleted when the resource is removed.",
584
+ "caption": ""
585
+ },
586
+ {
587
+ "key": "redis_entra_authentication_enabled",
588
+ "title": "Verify that Microsoft Entra Authentication is Enabled (Manual).",
589
+ "description": "Enabling Microsoft Entra Authentication allows for the native integration and use of identities already managed within Microsoft Entra ID.",
590
+ "caption": ""
591
+ },
592
+ {
593
+ "key": "mysql_set_tls_1_2",
594
+ "title": "Verify that TLS Version is TLSV1.2 or higher for MySQL flexible servers (Automated).",
595
+ "description": "Verify that the TLS version on MySQL flexible servers is set to 1.2 or a more recent version.",
596
+ "caption": ""
597
+ },
598
+ {
599
+ "key": "mysql_audit_log_events_connection",
600
+ "title": "Verify that audit log events includes CONNECTION for MySQL Servers (Manual).",
601
+ "description": "Configure the audit_log_enabled parameter to include the 'CONNECTION' event on all MySQL Servers.",
602
+ "caption": ""
603
+ },
604
+ {
605
+ "key": "mysql_enforce_ssl_connection",
606
+ "title": "Verify that Enforce SSL connection is Enabled for Standard MySQL Servers (Automated).",
607
+ "description": "Ensure that SSL connections are required for all standard MySQL Servers.",
608
+ "caption": ""
609
+ },
610
+ {
611
+ "key": "mysql_audit_log_enabled",
612
+ "title": "Verify that audit log enabled is set to ON for MySQL Servers (Manual).",
613
+ "description": "Ensure the audit_log_enabled parameter is turned on for all MySQL Servers.",
614
+ "caption": ""
615
+ }
616
+ ]
617
+ },
618
+ {
619
+ "key": "management_and_governance_services",
620
+ "title": "Management and Governance",
621
+ "description": "This chapter addresses security guidelines for logging, monitoring, and governance within an Azure Subscription. It highlights the importance of configuring diagnostic settings, establishing activity log alerts, and using resource locks to safeguard critical infrastructure.",
622
+ "type": "checklist",
623
+ "items": [
624
+ {
625
+ "key": "governance_alert_on_delete_nsg",
626
+ "title": "Verify that an Activity Log Alert exists for Delete Network Security Group (Automated).",
627
+ "description": "Set up an activity log alert to trigger whenever a Network Security Group is deleted.",
628
+ "caption": ""
629
+ },
630
+ {
631
+ "key": "governance_capture_nsg_flow_logs_to_log_analytics",
632
+ "title": "Verify that Network Security Group Flow logs are sent to Log Analytics (Manual).",
633
+ "description": "Make sure that network flow logs are being captured and directed to a centralized Log Analytics workspace for analysis.",
634
+ "caption": ""
635
+ },
636
+ {
637
+ "key": "governance_alert_on_create_update_nsg",
638
+ "title": "Verify that an Activity Log Alert exists for Create or Update Network Security Group (Automated).",
639
+ "description": "Configure an Activity Log Alert for any event where a Network Security Group is created or modified.",
640
+ "caption": ""
641
+ },
642
+ {
643
+ "key": "governance_alert_on_delete_policy_assignment",
644
+ "title": "Verify that an Activity Log Alert exists for Delete Policy Assignment (Automated).",
645
+ "description": "Set up an activity log alert to trigger whenever a Policy Assignment is deleted.",
646
+ "caption": ""
647
+ },
648
+ {
649
+ "key": "governance_alert_on_create_policy_assignment",
650
+ "title": "Verify that an Activity Log Alert exists for Create Policy Assignment (Automated).",
651
+ "description": "Set up an activity log alert to trigger whenever a Policy Assignment is created.",
652
+ "caption": ""
653
+ },
654
+ {
655
+ "key": "governance_alert_on_create_update_security_solution",
656
+ "title": "Verify that an Activity Log Alert exists for Create or Update Security Solution (Automated).",
657
+ "description": "Configure an activity log alert for any event where a Security Solution is created or modified.",
658
+ "caption": ""
659
+ },
660
+ {
661
+ "key": "governance_alert_on_delete_public_ip",
662
+ "title": "Verify that an Activity Log Alert exists for Delete Public IP Address rule (Automated).",
663
+ "description": "Set up an activity log alert that triggers when a Public IP Address rule is deleted.",
664
+ "caption": ""
665
+ },
666
+ {
667
+ "key": "governance_enable_resource_logging_for_all_services",
668
+ "title": "Verify that Azure Monitor Resource Logging is enabled for all supported services (Manual).",
669
+ "description": "Resource Logs record activity in the data access plane, unlike the Activity Log which covers the control plane. These logs provide detailed insights into operations within a resource, like reading a secret from a Key Vault. Many Azure services support this logging, and its content varies by resource type.",
670
+ "caption": ""
671
+ },
672
+ {
673
+ "key": "governance_capture_vnet_flow_logs_to_log_analytics",
674
+ "title": "Verify that virtual network flow logs are sent to Log Analytics (Manual).",
675
+ "description": "Ensure that virtual network flow logs are captured and consolidated into a central Log Analytics workspace.",
676
+ "caption": ""
677
+ },
678
+ {
679
+ "key": "governance_encrypt_activity_log_storage_with_cmk",
680
+ "title": "Verify the storage account for activity logs is encrypted with a Customer-Managed Key (CMK) (Automated).",
681
+ "description": "Storage accounts designated for activity log exports can be secured using Customer-Managed Keys (CMK) for encryption.",
682
+ "caption": ""
683
+ },
684
+ {
685
+ "key": "governance_diagnostic_setting_captures_categories",
686
+ "title": "Verify the Diagnostic Setting captures all appropriate log categories (Automated).",
687
+ "description": "The diagnostic setting needs to be configured to log all pertinent activities from the control and management planes.",
688
+ "caption": ""
689
+ },
690
+ {
691
+ "key": "governance_diagnostic_setting_for_graph_activity_logs",
692
+ "title": "Verify a diagnostic setting sends Microsoft Graph activity logs to a defined destination (Manual).",
693
+ "description": "Configure a Microsoft Entra diagnostic setting to forward Microsoft Graph activity logs to a destination like a Log Analytics workspace or storage account. This allows for centralized monitoring of all HTTP requests processed by the Microsoft Graph service for a tenant.",
694
+ "caption": ""
695
+ },
696
+ {
697
+ "key": "governance_alert_for_service_health",
698
+ "title": "Verify that an Activity Log Alert exists for Service Health events (Automated).",
699
+ "description": "Set up an activity log alert to notify on Service Health events.",
700
+ "caption": ""
701
+ },
702
+ {
703
+ "key": "governance_alert_on_delete_sql_firewall_rule",
704
+ "title": "Verify that an Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated).",
705
+ "description": "Create an activity log alert specifically for the 'Delete SQL Server Firewall Rule' event.",
706
+ "caption": ""
707
+ },
708
+ {
709
+ "key": "governance_alert_on_create_update_sql_firewall_rule",
710
+ "title": "Verify an Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated).",
711
+ "description": "Configure an activity log alert for any event where a SQL Server Firewall Rule is created or modified.",
712
+ "caption": ""
713
+ },
714
+ {
715
+ "key": "governance_enable_logging_for_key_vault",
716
+ "title": "Verify that logging for Azure Key Vault is Enabled (Automated).",
717
+ "description": "Enable 'AuditEvent' logging for all key vault instances to ensure that all interactions are recorded and accessible.",
718
+ "caption": ""
719
+ },
720
+ {
721
+ "key": "governance_avoid_basic_sku_for_monitored_artifacts",
722
+ "title": "Verify that Basic/Consumption SKUs are not used for monitored production workloads (Manual).",
723
+ "description": "While cost-effective, Basic or Free SKUs in Azure have significant monitoring and support limitations. These SKUs typically lack a service SLA, and Microsoft may not provide support for them. For these reasons, they should not be used for production workloads.",
724
+ "caption": ""
725
+ },
726
+ {
727
+ "key": "governance_alert_on_delete_security_solution",
728
+ "title": "Verify that an Activity Log Alert exists for Delete Security Solution (Automated).",
729
+ "description": "Set up an activity log alert to trigger whenever a Security Solution is deleted.",
730
+ "caption": ""
731
+ },
732
+ {
733
+ "key": "governance_set_resource_locks_for_mission_critical_resources",
734
+ "title": "Verify that Resource Locks are set for mission-critical Azure resources (Manual).",
735
+ "description": "Resource Manager Locks allow administrators to secure Azure resources against deletion or modification. These locks operate outside the RBAC hierarchy and apply restrictions to all users. They are highly effective for protecting important resources from both accidental and malicious changes.",
736
+ "caption": ""
737
+ },
738
+ {
739
+ "key": "governance_diagnostic_setting_for_activity_logs",
740
+ "title": "Verify a Diagnostic Setting exists for Subscription Activity Logs (Manual).",
741
+ "description": "Activate diagnostic settings to export activity logs. These settings are available on a per-resource basis and should be configured for all relevant resources in your environment.",
742
+ "caption": ""
743
+ },
744
+ {
745
+ "key": "governance_diagnostic_setting_for_entra_activity_logs",
746
+ "title": "Verify a diagnostic setting sends Microsoft Entra activity logs to a defined destination (Manual).",
747
+ "description": "Configure a Microsoft Entra diagnostic setting to forward its activity logs to a suitable destination, such as a Log Analytics workspace or storage account. This facilitates centralized monitoring and analysis of Microsoft Entra activities.",
748
+ "caption": ""
749
+ },
750
+ {
751
+ "key": "governance_enable_appservice_http_logs",
752
+ "title": "Verify that HTTP logs logging is enabled for Azure AppService (Automated).",
753
+ "description": "Enable the 'AppServiceHTTPLogs' diagnostic log category for your Azure App Service instances to ensure all HTTP requests are captured and centrally logged.",
754
+ "caption": ""
755
+ },
756
+ {
757
+ "key": "governance_configure_application_insights",
758
+ "title": "Verify that Application Insights is configured correctly (Automated).",
759
+ "description": "Application Insights in Azure serves as an Application Performance Monitoring tool, offering valuable data on application performance and aiding in incident response. It collects application metrics, telemetry, and trace logging data, providing detailed information that helps organizations proactively and reactively manage security and performance.",
760
+ "caption": ""
761
+ },
762
+ {
763
+ "key": "governance_alert_on_create_update_public_ip",
764
+ "title": "Verify an Activity Log Alert exists for Create or Update Public IP Address rule (Automated).",
765
+ "description": "Set up an activity log alert for the event of creating or updating Public IP Address rules.",
766
+ "caption": ""
767
+ },
768
+ {
769
+ "key": "governance_capture_intune_logs_to_log_analytics",
770
+ "title": "Verify that Intune logs are sent to Log Analytics (Manual).",
771
+ "description": "Confirm that logs from Intune are being captured and forwarded to a central Log Analytics workspace.",
772
+ "caption": ""
773
+ }
774
+ ]
775
+ },
776
+ {
777
+ "key": "security_services",
778
+ "title": "Security Services",
779
+ "description": "This chapter addresses security best practices for services in the Azure Security category. This includes Microsoft Defender for Cloud plans (covering Servers, Containers, Storage, etc.) and Azure Key Vault settings to provide thorough threat protection and secure secret management.",
780
+ "type": "checklist",
781
+ "items": [
782
+ {
783
+ "key": "security_keyvault_enable_rbac",
784
+ "title": "Verify that Role-Based Access Control (RBAC) is enabled for Azure Key Vault (Automated).",
785
+ "description": "The preferred method for managing access to Key Vaults is by using the Azure Role-Based Access Control (RBAC) permissions model.",
786
+ "caption": ""
787
+ },
788
+ {
789
+ "key": "security_keyvault_use_managed_hsm_when_required",
790
+ "title": "Verify that Azure Key Vault Managed HSM is used where required (Manual).",
791
+ "description": "Azure Key Vault Managed HSM is a dedicated, fully managed, single-tenant cloud service that protects cryptographic keys with FIPS 140-2 Level 3 validated Hardware Security Modules.",
792
+ "caption": ""
793
+ },
794
+ {
795
+ "key": "security_keyvault_is_recoverable",
796
+ "title": "Verify that the Key Vault is configured to be recoverable (Automated).",
797
+ "description": "Key Vaults store critical objects like keys, secrets, and certificates. Deleting a Key Vault can lead to irreversible data loss or the failure of security functions (like authentication and verification) that depend on its objects.",
798
+ "caption": ""
799
+ },
800
+ {
801
+ "key": "security_keyvault_non_rbac_secrets_have_expiration",
802
+ "title": "Verify that an expiration date is set for all secrets in Non-RBAC Key Vaults (Automated).",
803
+ "description": "Confirm that every secret stored in Azure Key Vaults that do not use Role-Based Access Control (RBAC) has a defined expiration date.",
804
+ "caption": ""
805
+ },
806
+ {
807
+ "key": "security_keyvault_rbac_secrets_have_expiration",
808
+ "title": "Verify that an expiration date is set for all secrets in RBAC Key Vaults (Automated).",
809
+ "description": "Confirm that every secret stored in Azure Key Vaults that use Role-Based Access Control (RBAC) has a defined expiration date.",
810
+ "caption": ""
811
+ },
812
+ {
813
+ "key": "security_keyvault_rbac_keys_have_expiration",
814
+ "title": "Verify that an expiration date is set for all keys in RBAC Key Vaults (Automated).",
815
+ "description": "Confirm that every key stored in Azure Key Vaults that use Role-Based Access Control (RBAC) has a defined expiration date.",
816
+ "caption": ""
817
+ },
818
+ {
819
+ "key": "security_keyvault_enable_automatic_key_rotation",
820
+ "title": "Verify that automatic key rotation is enabled in Azure Key Vault (Automated).",
821
+ "description": "Key Vault's automated cryptographic key rotation feature enables users to set a schedule for automatically generating new key versions. A unique rotation policy can be configured for each key.",
822
+ "caption": ""
823
+ },
824
+ {
825
+ "key": "security_keyvault_non_rbac_keys_have_expiration",
826
+ "title": "Verify that an expiration date is set for all keys in Non-RBAC Key Vaults (Automated).",
827
+ "description": "Confirm that every key stored in Azure Key Vaults that do not use Role-Based Access Control (RBAC) has a defined expiration date.",
828
+ "caption": ""
829
+ },
830
+ {
831
+ "key": "security_keyvault_use_private_endpoints",
832
+ "title": "Verify that Private Endpoints are used for Azure Key Vault (Automated).",
833
+ "description": "Using private endpoints secures the network traffic between Azure Key Vault and the resources that request its secrets and keys.",
834
+ "caption": ""
835
+ },
836
+ {
837
+ "key": "security_keyvault_disable_public_access_with_private_endpoint",
838
+ "title": "Verify that Public Network Access is disabled when using a Private Endpoint (Automated).",
839
+ "description": "When a Private Endpoint is active on a Key Vault, traffic from the public internet can still reach its public endpoint unless 'Public network access' is explicitly set to 'Disabled'.",
840
+ "caption": ""
841
+ },
842
+ {
843
+ "key": "security_azure_bastion_host_exists",
844
+ "title": "Verify that an Azure Bastion Host is deployed (Automated).",
845
+ "description": "Azure Bastion offers secure remote access to Azure VMs over the internet, avoiding direct exposure of remote access ports. It provides this access via TLS over 443/TCP and integrates with Azure AD for hardened configurations.",
846
+ "caption": ""
847
+ },
848
+ {
849
+ "key": "security_mcsb_policies_not_disabled",
850
+ "title": "Verify that Microsoft Cloud Security Benchmark policies are not Disabled (Manual).",
851
+ "description": "The Microsoft Cloud Security Benchmark (MCSB) is an Azure Policy Initiative with numerous security policies for evaluating resource configurations against best practices. If a policy within MCSB is disabled, it won't be evaluated, potentially leaving administrators unaware of important security recommendations.",
852
+ "caption": ""
853
+ },
854
+ {
855
+ "key": "security_defender_for_app_services_on",
856
+ "title": "Verify that Microsoft Defender for App Services is set to On (Automated).",
857
+ "description": "Enabling Microsoft Defender for App Service activates threat detection, offering threat intelligence, anomaly detection, and behavioral analytics through Microsoft Defender for Cloud.",
858
+ "caption": ""
859
+ },
860
+ {
861
+ "key": "security_defender_for_iot_hub_on",
862
+ "title": "Verify that Microsoft Defender for IoT Hub is set to On (Manual).",
863
+ "description": "Microsoft Defender for IoT functions as a centralized security management hub for all IoT devices within your organization.",
864
+ "caption": ""
865
+ },
866
+ {
867
+ "key": "security_defender_for_azure_sql_db_on",
868
+ "title": "Verify Microsoft Defender for Azure SQL Databases is set to On (Automated).",
869
+ "description": "Turning on Microsoft Defender for Azure SQL Databases activates threat detection for Managed Instance databases, providing threat intelligence and behavioral analytics via Microsoft Defender for Cloud.",
870
+ "caption": ""
871
+ },
872
+ {
873
+ "key": "security_defender_for_resource_manager_on",
874
+ "title": "Verify that Microsoft Defender for Resource Manager is set to On (Automated).",
875
+ "description": "Microsoft Defender for Resource Manager analyzes all incoming administrative requests to modify your infrastructure, whether from the CLI or the Azure portal.",
876
+ "caption": ""
877
+ },
878
+ {
879
+ "key": "security_defender_for_key_vault_on",
880
+ "title": "Verify that Microsoft Defender for Key Vault is set to On (Automated).",
881
+ "description": "Enabling Microsoft Defender for Key Vault turns on threat detection, providing threat intelligence, anomaly detection, and behavioral analytics through Microsoft Defender for Cloud.",
882
+ "caption": ""
883
+ },
884
+ {
885
+ "key": "security_defender_for_storage_on",
886
+ "title": "Verify that Microsoft Defender for Storage is set to On (Automated).",
887
+ "description": "Turning on Microsoft Defender for Storage enables threat detection capabilities, offering threat intelligence, anomaly detection, and behavioral analytics via Microsoft Defender for Cloud.",
888
+ "caption": ""
889
+ },
890
+ {
891
+ "key": "security_defender_for_containers_on",
892
+ "title": "Verify that Microsoft Defender for Containers is set to On (Automated).",
893
+ "description": "Microsoft Defender for Containers is designed to enhance, monitor, and secure containerized assets\u2014like Kubernetes clusters, nodes, and images\u2014across multi-cloud and on-premises setups.",
894
+ "caption": ""
895
+ },
896
+ {
897
+ "key": "security_defender_easm_enabled",
898
+ "title": "Verify that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled (Manual).",
899
+ "description": "An organization's attack surface consists of all assets with a public identifier that an external attacker could access. The larger this surface, the more difficult it is to protect. EASM helps monitor and manage this risk.",
900
+ "caption": ""
901
+ },
902
+ {
903
+ "key": "security_defender_for_open_source_relational_db_on",
904
+ "title": "Verify Microsoft Defender for Open-Source Relational Databases is On (Automated).",
905
+ "description": "Enabling Microsoft Defender for open-source relational databases activates threat detection, providing threat intelligence and behavioral analytics through Microsoft Defender for Cloud.",
906
+ "caption": ""
907
+ },
908
+ {
909
+ "key": "security_defender_for_dns_on",
910
+ "title": "LEGACY - Verify that Microsoft Defender for DNS is set to On (Automated).",
911
+ "description": "[NOTE: As of August 1, 2023, this service is only available to existing subscribers. New subscribers will find suspicious DNS activity alerts included in Defender for Servers P2.] Microsoft Defender for DNS monitors all outbound network traffic from a subscription.",
912
+ "caption": ""
913
+ },
914
+ {
915
+ "key": "security_defender_for_cosmos_db_on",
916
+ "title": "Verify that Microsoft Defender for Azure Cosmos DB is set to On (Automated).",
917
+ "description": "Microsoft Defender for Azure Cosmos DB inspects all inbound network requests for potential threats to your Cosmos DB resources.",
918
+ "caption": ""
919
+ },
920
+ {
921
+ "key": "security_defender_for_sql_servers_on_machines_on",
922
+ "title": "Verify Microsoft Defender for SQL Servers on Machines is set to On (Automated).",
923
+ "description": "Enabling Microsoft Defender for SQL servers on machines activates threat detection, providing threat intelligence and behavioral analytics through Microsoft Defender for Cloud.",
924
+ "caption": ""
925
+ },
926
+ {
927
+ "key": "security_defender_enable_attack_path_notifications",
928
+ "title": "Verify that notifications for attack paths are enabled (Automated).",
929
+ "description": "This setting configures email notifications about attack paths to be sent to the subscription owner or another designated security contact.",
930
+ "caption": ""
931
+ },
932
+ {
933
+ "key": "security_defender_checks_vm_os_updates",
934
+ "title": "Verify Defender for Cloud is configured to check VM OS for updates (Automated).",
935
+ "description": "Ensure that the most recent OS patches are consistently applied to all virtual machines.",
936
+ "caption": ""
937
+ },
938
+ {
939
+ "key": "security_defender_notifications_to_owner",
940
+ "title": "Verify All users with the following roles is set to Owner for notifications (Automated).",
941
+ "description": "This configuration ensures security alert emails are sent to the subscription owners.",
942
+ "caption": ""
943
+ },
944
+ {
945
+ "key": "security_defender_enable_severity_alert_notifications",
946
+ "title": "Verify that notifications for security alerts are enabled (Automated).",
947
+ "description": "This setting configures email notifications for security alerts to be sent to the subscription owner or another designated security contact.",
948
+ "caption": ""
949
+ },
950
+ {
951
+ "key": "security_defender_notifications_to_additional_email",
952
+ "title": "Verify Additional email addresses is configured with a security contact (Automated).",
953
+ "description": "Microsoft Defender for Cloud will email subscription owners when a high-severity alert is triggered. An additional security contact email address should also be provided to ensure alerts are received.",
954
+ "caption": ""
955
+ },
956
+ {
957
+ "key": "security_defender_for_servers_on",
958
+ "title": "Verify that Defender for Servers is set to On (Automated).",
959
+ "description": "The Defender for Servers plan within Microsoft Defender for Cloud helps lower security risk by offering actionable advice to improve machine security. It also protects machines from real-time threats.",
960
+ "caption": ""
961
+ },
962
+ {
963
+ "key": "security_vulnerability_assessment_for_machines_on",
964
+ "title": "Verify Vulnerability assessment for machines is set to On (Manual).",
965
+ "description": "Enable vulnerability scanning for all machines, including both Azure-native and hybrid (Arc-enabled) machines.",
966
+ "caption": ""
967
+ },
968
+ {
969
+ "key": "security_agentless_scanning_for_machines_on",
970
+ "title": "Verify Agentless scanning for machines is set to On (Manual).",
971
+ "description": "The agentless scanner utilizes disk snapshots to identify installed software, known vulnerabilities, and secrets stored in plain text.",
972
+ "caption": ""
973
+ },
974
+ {
975
+ "key": "security_endpoint_protection_on",
976
+ "title": "Verify the Endpoint protection component status is set to On (Manual).",
977
+ "description": "The Endpoint protection component facilitates communication between Microsoft Defender for Endpoint and Microsoft Defender for Cloud.",
978
+ "caption": ""
979
+ },
980
+ {
981
+ "key": "security_file_integrity_monitoring_on",
982
+ "title": "Verify File Integrity Monitoring component status is set to On (Manual).",
983
+ "description": "File Integrity Monitoring (FIM) is a feature that observes critical system files on Windows or Linux for any signs of potential attack or compromise.",
984
+ "caption": ""
985
+ }
986
+ ]
987
+ },
988
+ {
989
+ "key": "storage_services",
990
+ "title": "Storage Services",
991
+ "description": "This part details essential secure configuration advice for Azure Storage services, such as Azure Files, Blob Storage, and the parent Storage Accounts. It addresses data protection, access management, and network security settings.",
992
+ "type": "checklist",
993
+ "items": [
994
+ {
995
+ "key": "storage_files_set_smb_protocol_version",
996
+ "title": "Verify SMB protocol version is SMB 3.1.1 or higher for SMB file shares (Automated).",
997
+ "description": "Make sure that SMB file shares are set to use the most current supported SMB protocol. Keeping the protocol version updated is key to mitigating risks from older, vulnerable versions that lack modern security features.",
998
+ "caption": ""
999
+ },
1000
+ {
1001
+ "key": "storage_files_set_smb_channel_encryption",
1002
+ "title": "Verify SMB channel encryption is AES-256-GCM or higher for SMB file shares (Automated).",
1003
+ "description": "To protect data confidentiality and integrity during transit, implement SMB channel encryption with AES-256-GCM for all SMB file shares. This provides robust defense against eavesdropping and man-in-the-middle attacks.",
1004
+ "caption": ""
1005
+ },
1006
+ {
1007
+ "key": "storage_files_enable_soft_delete",
1008
+ "title": "Verify soft delete for Azure File Shares is enabled (Automated).",
1009
+ "description": "Azure Files provides a soft delete feature for file shares, which enables easy data recovery in cases of accidental deletion by a user or application.",
1010
+ "caption": ""
1011
+ },
1012
+ {
1013
+ "key": "recovery_vaults_cross_region_restore_enabled",
1014
+ "title": "Verify Cross Region Restore is Enabled on Recovery Services vaults (Automated).",
1015
+ "description": "Cross-region restore allows data to be restored in a secondary Azure paired region, even if the primary region is available. This feature enables organizations to test their regional resiliency and prepare for potential outages.",
1016
+ "caption": ""
1017
+ },
1018
+ {
1019
+ "key": "recovery_vaults_cross_subscription_restore_disabled",
1020
+ "title": "Verify Cross Subscription Restore is Disabled or Permanently Disabled on Recovery Services vaults (Automated).",
1021
+ "description": "By disabling cross-subscription restore, you ensure that backup data from a Recovery Services vault can only be restored within the same subscription, preventing data from being moved to other subscriptions.",
1022
+ "caption": ""
1023
+ },
1024
+ {
1025
+ "key": "recovery_vaults_soft_delete_enabled",
1026
+ "title": "Verify soft delete is enabled on Recovery Services vaults (Automated).",
1027
+ "description": "Soft delete adds an extra layer of protection for data in a Recovery Services vault. When enabled, deleted backup data remains recoverable for a specified retention period.",
1028
+ "caption": ""
1029
+ },
1030
+ {
1031
+ "key": "recovery_vaults_infrastructure_encryption_enabled",
1032
+ "title": "Verify Use infrastructure encryption for this vault is enabled on Recovery Services vaults (Automated).",
1033
+ "description": "In addition to customer-managed key encryption at rest, you can enable a second layer of platform-managed infrastructure encryption. This dual-layer encryption model provides enhanced protection for your backup data.",
1034
+ "caption": ""
1035
+ },
1036
+ {
1037
+ "key": "recovery_vaults_public_network_access_disabled",
1038
+ "title": "Verify public network access is disabled on Recovery Services vaults (Automated).",
1039
+ "description": "Turn off public network access on Recovery Services vaults to prevent internet exposure and minimize unauthorized access risks. Use private endpoints and Azure RBAC for secure access management within trusted networks.",
1040
+ "caption": ""
1041
+ },
1042
+ {
1043
+ "key": "recovery_vaults_immutability_enabled",
1044
+ "title": "Verify immutability is enabled for Recovery Services vaults (Automated).",
1045
+ "description": "Immutable vaults protect backup data by blocking any operation that could lead to the loss of recovery points. This setting can be locked, making it irreversible and preventing malicious attempts to disable it and delete backups.",
1046
+ "caption": ""
1047
+ },
1048
+ {
1049
+ "key": "recovery_vaults_encrypted_with_cmk",
1050
+ "title": "Verify backup data in Recovery Services vaults is encrypted with customer-managed keys (CMK) (Automated).",
1051
+ "description": "Recovery Services vaults support two encryption methods: Microsoft-managed keys for automatic encryption, and customer-managed keys (CMK), which give organizations complete control over their encryption keys for greater security and compliance.",
1052
+ "caption": ""
1053
+ },
1054
+ {
1055
+ "key": "queue_storage_use_sap_for_sas",
1056
+ "title": "Verify stored access policies (SAP) are used when generating shared access signature (SAS) tokens (Manual).",
1057
+ "description": "When creating shared access signature (SAS) tokens in Azure, use stored access policies (SAP) to centrally manage permissions, expiration, and revocation. These policies can be applied to blob containers, file shares, queues, and tables.",
1058
+ "caption": ""
1059
+ },
1060
+ {
1061
+ "key": "queue_storage_sas_tokens_expire_within_hour",
1062
+ "title": "Verify that shared access signature (SAS) tokens expire within an hour (Manual).",
1063
+ "description": "Shared access signature (SAS) tokens grant limited, time-bound access to Azure Storage resources. To reduce security exposure, SAS tokens should have the shortest possible lifespan, ideally no more than one hour.",
1064
+ "caption": ""
1065
+ },
1066
+ {
1067
+ "key": "queue_storage_sas_https_only",
1068
+ "title": "Verify Allowed Protocols for SAS tokens is set to HTTPS Only (Manual).",
1069
+ "description": "Shared access signatures (SAS) grant restricted access to Azure Storage resources. When creating a SAS, you can specify the allowed protocols. It is strongly recommended to permit requests over HTTPS exclusively.",
1070
+ "caption": ""
1071
+ },
1072
+ {
1073
+ "key": "netapp_encryption_source_is_cmk",
1074
+ "title": "Verify Encryption key source is Customer Managed Key for Azure NetApp Files accounts (Automated).",
1075
+ "description": "Using customer-managed keys (CMK) for Azure NetApp Files volume encryption lets organizations use their own keys, giving them full control over the encryption process.",
1076
+ "caption": ""
1077
+ },
1078
+ {
1079
+ "key": "elastic_san_public_network_access_disabled",
1080
+ "title": "Verify Public network access is Disabled on Azure Elastic SAN (Automated).",
1081
+ "description": "Azure Elastic SAN is a scalable cloud storage solution. Disabling public network access at the SAN level ensures that all Elastic SAN resources are only accessible through private networks.",
1082
+ "caption": ""
1083
+ },
1084
+ {
1085
+ "key": "elastic_san_use_cmk",
1086
+ "title": "Verify customer-managed keys (CMK) are used to encrypt data at rest on Azure Elastic SAN volume groups (Automated).",
1087
+ "description": "Azure Elastic SAN volume groups support two encryption methods: Microsoft-managed keys for automatic encryption, and customer-managed keys (CMK), which give organizations complete control over their encryption keys for greater security.",
1088
+ "caption": ""
1089
+ },
1090
+ {
1091
+ "key": "storage_account_disable_key_access",
1092
+ "title": "Verify Allow storage account key access is Disabled for Storage Accounts (Automated).",
1093
+ "description": "All secure requests to an Azure Storage account require authorization. By default, authorization can be done with Microsoft Entra credentials or via Shared Key authorization using the account access key. This setting disables the latter.",
1094
+ "caption": ""
1095
+ },
1096
+ {
1097
+ "key": "storage_account_consider_readonly_locks",
1098
+ "title": "Verify that Azure Resource Manager ReadOnly locks have been considered for Storage Accounts (Manual).",
1099
+ "description": "A ReadOnly lock from Azure Resource Manager can prevent accidental or malicious deletion or modification of a storage account, its properties, containers, or access assignments. The lock must be explicitly removed before any such changes can be made.",
1100
+ "caption": ""
1101
+ },
1102
+ {
1103
+ "key": "storage_account_use_geo_redundant_storage",
1104
+ "title": "Verify Redundancy is geo-redundant storage (GRS) on critical Storage Accounts (Automated).",
1105
+ "description": "Geo-redundant storage (GRS) replicates data three times locally and then asynchronously copies it to a secondary region. This provides 99.99999999999999% durability, ensuring high availability and protecting data against regional failures.",
1106
+ "caption": ""
1107
+ },
1108
+ {
1109
+ "key": "storage_account_enable_blob_logging",
1110
+ "title": "Verify Storage logging is enabled for Blob Service for Read, Write, and Delete requests (Automated).",
1111
+ "description": "The Storage Blob service offers scalable object storage. Server-side Storage Logging can record details of both successful and failed requests, allowing users to monitor read, write, and delete operations on their blobs.",
1112
+ "caption": ""
1113
+ },
1114
+ {
1115
+ "key": "storage_account_default_network_rule_deny",
1116
+ "title": "Verify the default network access rule for storage accounts is set to deny (Automated).",
1117
+ "description": "By default, storage accounts accept connections from any network. To enhance security, the default action should be changed to deny access, limiting connections to only selected networks.",
1118
+ "caption": ""
1119
+ },
1120
+ {
1121
+ "key": "storage_account_enable_soft_delete_for_containers_blobs",
1122
+ "title": "Verify that Soft Delete is enabled for Azure Containers and Blob Storage (Automated).",
1123
+ "description": "Azure Storage blobs can contain sensitive data. Accidental modification or deletion can lead to data loss. Enabling soft delete makes this data recoverable.",
1124
+ "caption": ""
1125
+ },
1126
+ {
1127
+ "key": "storage_account_sas_https_only",
1128
+ "title": "Verify Allowed Protocols for SAS tokens is set to HTTPS Only (Manual).",
1129
+ "description": "When generating a Shared Access Signature (SAS) to grant limited access to storage resources, it is a security best practice to specify that only requests over HTTPS are permitted.",
1130
+ "caption": ""
1131
+ },
1132
+ {
1133
+ "key": "storage_account_default_to_entra_auth_in_portal",
1134
+ "title": "Verify Default to Microsoft Entra authorization in the Azure portal is Enabled (Automated).",
1135
+ "description": "When this setting is active, the Azure portal will use Microsoft Entra ID by default to authorize requests to blobs, files, queues, and tables.",
1136
+ "caption": ""
1137
+ },
1138
+ {
1139
+ "key": "storage_account_require_secure_transfer",
1140
+ "title": "Verify that Secure transfer required is Enabled for Storage Accounts (Automated).",
1141
+ "description": "This setting ensures that all data is encrypted while in transit to and from the storage account.",
1142
+ "caption": ""
1143
+ },
1144
+ {
1145
+ "key": "storage_account_enable_key_rotation_reminders",
1146
+ "title": "Verify that Enable key rotation reminders is enabled for each Storage Account (Manual).",
1147
+ "description": "Access Keys are used to authenticate application requests to storage accounts. Periodically rotating these keys is crucial to prevent long-term exploitation of a compromised key. The 'Rotation Reminder' feature helps automate reminders for this manual process.",
1148
+ "caption": ""
1149
+ },
1150
+ {
1151
+ "key": "storage_account_disable_public_network_access",
1152
+ "title": "Verify that Public Network Access is Disabled for storage accounts (Automated).",
1153
+ "description": "For Azure Resource Manager storage accounts, disabling public network access at the account level overrides any public access settings for individual containers, enhancing security. Note that classic deployment model accounts will be retired.",
1154
+ "caption": ""
1155
+ },
1156
+ {
1157
+ "key": "storage_account_enable_infrastructure_encryption",
1158
+ "title": "Verify Enable Infrastructure Encryption is enabled for each Storage Account (Automated).",
1159
+ "description": "This enables an additional layer of encryption at the hardware level, on top of the default software-based encryption for data in Azure storage.",
1160
+ "caption": ""
1161
+ },
1162
+ {
1163
+ "key": "storage_account_sas_tokens_expire_within_hour",
1164
+ "title": "Verify that shared access signature (SAS) tokens expire within an hour (Manual).",
1165
+ "description": "SAS tokens provide temporary, restricted access to storage resources. To minimize security risk, these tokens should be configured with a very short lifespan, ideally one hour or less.",
1166
+ "caption": ""
1167
+ },
1168
+ {
1169
+ "key": "storage_account_use_private_endpoints",
1170
+ "title": "Verify that Private Endpoints are used to access Storage Accounts (Automated).",
1171
+ "description": "Use private endpoints for storage accounts to allow secure data access over an encrypted Private Link. This uses an IP from a VNet, ensuring traffic is segmented and protected from outside access as it traverses the network.",
1172
+ "caption": ""
1173
+ },
1174
+ {
1175
+ "key": "storage_account_regenerate_keys_periodically",
1176
+ "title": "Verify that Storage Account access keys are regenerated periodically (Manual).",
1177
+ "description": "To improve security, it is important to periodically regenerate the access keys for your storage accounts.",
1178
+ "caption": ""
1179
+ },
1180
+ {
1181
+ "key": "storage_account_enable_queue_logging",
1182
+ "title": "Verify Storage Logging is enabled for Queue Service for Read, Write, and Delete requests (Automated).",
1183
+ "description": "The Storage Queue service holds messages accessible by clients with storage account access. Server-side logging can record details of successful and failed requests, giving visibility into read, write, and delete operations on the queues.",
1184
+ "caption": ""
1185
+ },
1186
+ {
1187
+ "key": "storage_account_disable_cross_tenant_replication",
1188
+ "title": "Verify that Cross Tenant Replication is not enabled (Automated).",
1189
+ "description": "While Cross-Tenant Replication can be useful for data sharing, it introduces significant security risks like unauthorized data access and compliance issues if not managed carefully. Disabling it prevents data from being replicated across tenant boundaries without explicit approval.",
1190
+ "caption": ""
1191
+ },
1192
+ {
1193
+ "key": "storage_account_apply_delete_locks",
1194
+ "title": "Verify that Azure Resource Manager Delete locks are applied to Storage Accounts (Manual).",
1195
+ "description": "A 'CannotDelete' lock from Azure Resource Manager helps prevent the accidental or malicious deletion of a storage account. While the account can still be modified, it cannot be deleted until the lock is removed by an authorized user.",
1196
+ "caption": ""
1197
+ },
1198
+ {
1199
+ "key": "storage_account_disable_blob_anonymous_access",
1200
+ "title": "Verify that Allow Blob Anonymous Access is Disabled (Automated).",
1201
+ "description": "The 'Allow Blob Anonymous Access' setting determines if blob data can be accessed without authentication. Disabling this provides a more secure storage environment by preventing public read access to blob data.",
1202
+ "caption": ""
1203
+ },
1204
+ {
1205
+ "key": "storage_account_encrypt_critical_data_with_cmk",
1206
+ "title": "Verify that Storage for critical data is encrypted with Customer-Managed Keys (CMK) (Manual).",
1207
+ "description": "For sensitive data, enable encryption at rest using Customer-Managed Keys (CMK) instead of relying solely on Microsoft-managed keys.",
1208
+ "caption": ""
1209
+ },
1210
+ {
1211
+ "key": "storage_account_allow_trusted_azure_services",
1212
+ "title": "Verify Allow Azure services on the trusted services list... is enabled for Storage Accounts (Automated).",
1213
+ "description": "Certain Azure services operate from networks that cannot be included in network rules. This setting allows a curated list of trusted Azure services to bypass network rules, using strong authentication to access the storage account.",
1214
+ "caption": ""
1215
+ },
1216
+ {
1217
+ "key": "storage_account_set_minimum_tls_1_2",
1218
+ "title": "Verify the Minimum TLS version for storage accounts is Version 1.2 (Automated).",
1219
+ "description": "Azure Storage sometimes defaults to TLS 1.0, an outdated protocol with known security flaws. It is essential to configure the minimum TLS version to a modern protocol, such as TLS 1.2.",
1220
+ "caption": ""
1221
+ },
1222
+ {
1223
+ "key": "storage_account_enable_table_logging",
1224
+ "title": "Verify Storage Logging is enabled for Table Service for Read, Write, and Delete requests (Automated).",
1225
+ "description": "Azure Table storage is a NoSQL key/attribute store. Server-side logging can record details of both successful and failed requests, allowing visibility into read, write, and delete operations on the tables.",
1226
+ "caption": ""
1227
+ },
1228
+ {
1229
+ "key": "files_root_squash_for_nfs_configured",
1230
+ "title": "Verify that root squash is configured for NFS file shares (Automated).",
1231
+ "description": "Permissions for NFS file shares are client-enforced. Root squash is a critical NFS security feature that prevents client machines from gaining unauthorized root access to the server, protecting data and system settings from compromised clients.",
1232
+ "caption": ""
1233
+ },
1234
+ {
1235
+ "key": "databox_double_encryption_enabled",
1236
+ "title": "Verify double encryption is used for Azure Data Box in high-security environments (Manual).",
1237
+ "description": "Activating double encryption on an Azure Data Box adds another layer of protection for data during physical shipment. This strengthens confidentiality and ensures data remains secure if the device is lost, stolen, or intercepted.",
1238
+ "caption": ""
1239
+ },
1240
+ {
1241
+ "key": "storage_explorer_sas_tokens_expire_within_hour",
1242
+ "title": "Verify that shared access signature (SAS) tokens expire within an hour (Manual).",
1243
+ "description": "SAS tokens grant temporary, limited access to Azure Storage. To minimize security risks, these tokens should have a very short lifespan, ideally no longer than one hour.",
1244
+ "caption": ""
1245
+ },
1246
+ {
1247
+ "key": "storage_explorer_latest_version",
1248
+ "title": "Verify that the latest version of Storage Explorer is being used (Manual).",
1249
+ "description": "Verify that all users accessing Azure Storage with Storage Explorer are using the most current version of the software, applying updates promptly to protect against vulnerabilities and leverage new security features.",
1250
+ "caption": ""
1251
+ },
1252
+ {
1253
+ "key": "storage_explorer_use_sap_for_sas",
1254
+ "title": "Verify stored access policies (SAP) are used when generating shared access signature (SAS) tokens (Manual).",
1255
+ "description": "When generating shared access signature (SAS) tokens, utilize stored access policies (SAP) for centralized management of permissions, expiration, and revocation. These policies are applicable to blob containers, file shares, queues, and tables.",
1256
+ "caption": ""
1257
+ },
1258
+ {
1259
+ "key": "blob_storage_sas_https_only",
1260
+ "title": "Verify Allowed Protocols for SAS tokens is set to HTTPS Only (Manual).",
1261
+ "description": "Shared access signatures (SAS) provide limited access to storage resources. When creating a SAS, you can define the allowed protocols for requests. It is highly recommended to permit only HTTPS requests.",
1262
+ "caption": ""
1263
+ },
1264
+ {
1265
+ "key": "blob_storage_sas_tokens_expire_within_hour",
1266
+ "title": "Verify that shared access signature (SAS) tokens expire within an hour (Manual).",
1267
+ "description": "SAS tokens offer restricted, time-bound access to storage resources. To mitigate security risks, SAS tokens should be configured with the shortest possible duration, ideally one hour or less.",
1268
+ "caption": ""
1269
+ },
1270
+ {
1271
+ "key": "blob_storage_use_sap_for_sas",
1272
+ "title": "Verify stored access policies (SAP) are used for generating SAS tokens (Manual).",
1273
+ "description": "For centralized control over permissions, expiration, and revocation, use stored access policies (SAP) when creating shared access signature (SAS) tokens. These policies can be applied to blob containers, file shares, queues, and tables.",
1274
+ "caption": ""
1275
+ },
1276
+ {
1277
+ "key": "blob_storage_versioning_enabled",
1278
+ "title": "Verify Versioning is Enabled on Azure Blob Storage accounts (Automated).",
1279
+ "description": "Activating blob versioning ensures that previous versions of objects are automatically saved. This allows for the recovery of earlier blob versions in case of unintended modifications or deletions.",
1280
+ "caption": ""
1281
+ },
1282
+ {
1283
+ "key": "blob_storage_locked_immutability_policies",
1284
+ "title": "Verify locked immutability policies are used for containers with critical blob data (Automated).",
1285
+ "description": "Mandate the use of locked immutability policies for any container storing business-critical blob data. This protects the data from being modified or deleted, ensuring its integrity regardless of user actions.",
1286
+ "caption": ""
1287
+ },
1288
+ {
1289
+ "key": "backup_vaults_cross_subscription_restore_disabled",
1290
+ "title": "Verify Cross Subscription Restore is Disabled or Permanently Disabled on Backup vaults (Automated).",
1291
+ "description": "Turn off cross-subscription restore for Backup vaults to guarantee that backup data can only be restored within the same subscription, preventing data from being moved to other subscriptions.",
1292
+ "caption": ""
1293
+ },
1294
+ {
1295
+ "key": "backup_vaults_encrypted_with_cmk",
1296
+ "title": "Verify backup data in Backup vaults is encrypted with customer-managed keys (CMK) (Automated).",
1297
+ "description": "Backup vaults provide two encryption choices: Microsoft-managed keys for automatic encryption, and customer-managed keys (CMK), which allow organizations to maintain full control over their keys for enhanced security.",
1298
+ "caption": ""
1299
+ },
1300
+ {
1301
+ "key": "backup_vaults_infrastructure_encryption_enabled",
1302
+ "title": "Verify Use infrastructure encryption for this vault is enabled on Backup vaults (Automated).",
1303
+ "description": "Alongside customer-managed key encryption, you can enable an additional layer of platform-managed infrastructure encryption. This dual-layer approach provides stronger protection for your backup data.",
1304
+ "caption": ""
1305
+ },
1306
+ {
1307
+ "key": "backup_vaults_immutability_enabled",
1308
+ "title": "Verify immutability is enabled for Backup vaults (Automated).",
1309
+ "description": "Immutable vaults protect backup data by preventing any operations that could cause the loss of recovery points. This setting can be locked to make it irreversible, stopping malicious actors from disabling it and deleting backups.",
1310
+ "caption": ""
1311
+ },
1312
+ {
1313
+ "key": "backup_vaults_cross_region_restore_enabled",
1314
+ "title": "Verify Cross Region Restore is Enabled on Backup vaults (Automated).",
1315
+ "description": "Cross-region restore allows data to be restored in a secondary Azure region, even while the primary region is online. This enables organizations to perform drills and validate their regional resiliency plans.",
1316
+ "caption": ""
1317
+ },
1318
+ {
1319
+ "key": "backup_vaults_soft_delete_enabled",
1320
+ "title": "Verify soft delete is enabled on Backup vaults (Automated).",
1321
+ "description": "Soft delete offers extra protection for Backup vault data. With this feature enabled, deleted backup data can be recovered within the specified retention period.",
1322
+ "caption": ""
1323
+ },
1324
+ {
1325
+ "key": "lustre_key_encryption_key_is_cmk",
1326
+ "title": "Verify Key encryption key is set to a customer-managed key for Azure Managed Lustre (Automated).",
1327
+ "description": "Activate customer-managed encryption keys (CMEK) for Azure Managed Lustre file systems to improve data security. By using CMEK, organizations can manage their own keys in Azure Key Vault, allowing them to control key rotation and access according to their security policies.",
1328
+ "caption": ""
1329
+ }
1330
+ ]
1331
+ },
1332
+ {
1333
+ "key": "analytics_services",
1334
+ "title": "Analytics Services",
1335
+ "description": "This chapter addresses security settings for Azure Analytics Services, with a focus on Azure Databricks to promote secure deployment, data encryption, and robust access control.",
1336
+ "type": "checklist",
1337
+ "items": [
1338
+ {
1339
+ "key": "analytics_databricks_sync_entra_id",
1340
+ "title": "Verify users and groups are synced from Microsoft Entra ID to Azure Databricks (Manual).",
1341
+ "description": "For centralized identity management, users and groups in Microsoft Entra ID should be synced with Azure Databricks via SCIM provisioning. This integration automates user and group management in Databricks based on Entra ID, ensuring access controls align with corporate policies and reducing risks from stale permissions or orphaned accounts.",
1342
+ "caption": ""
1343
+ },
1344
+ {
1345
+ "key": "analytics_databricks_encrypt_with_cmk",
1346
+ "title": "Verify data is encrypted in Azure Databricks using customer-managed keys (CMK) (Automated).",
1347
+ "description": "Azure Databricks uses TLS 1.2+ to encrypt data in transit for all communications. While data at rest is encrypted by default with Microsoft-managed keys, using customer-managed keys provides an additional layer of control.",
1348
+ "caption": ""
1349
+ },
1350
+ {
1351
+ "key": "analytics_databricks_nsg_for_subnets",
1352
+ "title": "Verify Network Security Groups are configured for Databricks subnets (Manual).",
1353
+ "description": "Implement Network Security Groups (NSGs) to manage inbound and outbound traffic for Azure Databricks subnets, allowing only authorized communication. NSGs should be configured with deny rules to block all non-essential traffic.",
1354
+ "caption": ""
1355
+ },
1356
+ {
1357
+ "key": "analytics_databricks_configure_unity_catalog",
1358
+ "title": "Verify that Unity Catalog is configured for Azure Databricks (Manual).",
1359
+ "description": "Unity Catalog offers a centralized governance solution for data in Azure Databricks, providing fine-grained access control using Microsoft Entra ID identities. It also improves data lineage and audit logging, making it a vital component for security and governance.",
1360
+ "caption": ""
1361
+ },
1362
+ {
1363
+ "key": "analytics_databricks_configure_diagnostic_logs",
1364
+ "title": "Verify diagnostic log delivery is configured for Azure Databricks (Manual).",
1365
+ "description": "Azure Databricks Diagnostic Logging offers valuable insights into system operations, user activities, and security-related events occurring within a Databricks workspace.",
1366
+ "caption": ""
1367
+ },
1368
+ {
1369
+ "key": "analytics_databricks_restrict_pat_usage",
1370
+ "title": "Verify usage is restricted and expiry enforced for Databricks personal access tokens (Manual).",
1371
+ "description": "Databricks personal access tokens (PATs) enable API authentication. By default, users can create tokens that do not expire, posing a security risk if they are leaked or not rotated. This control ensures usage is restricted and expiration is enforced.",
1372
+ "caption": ""
1373
+ },
1374
+ {
1375
+ "key": "analytics_databricks_encrypt_cluster_traffic",
1376
+ "title": "Verify traffic is encrypted between cluster worker nodes (Manual).",
1377
+ "description": "By default, data traffic between worker nodes in an Azure Databricks cluster is not encrypted. To secure this data, an initialization script can be used to configure clusters to encrypt this traffic using AES 256-bit encryption over a TLS 1.3 connection.",
1378
+ "caption": ""
1379
+ },
1380
+ {
1381
+ "key": "analytics_databricks_in_customer_vnet",
1382
+ "title": "Verify Azure Databricks is deployed in a customer-managed virtual network (VNet) (Automated).",
1383
+ "description": "Using a customer-managed Virtual Network (VNet), also known as VNet Injection, ensures that Databricks compute clusters and control planes are securely isolated within the organization's network. This provides greater control over network security policies compared to the default managed VNet.",
1384
+ "caption": ""
1385
+ }
1386
+ ]
1387
+ },
1388
+ {
1389
+ "key": "upload_logs",
1390
+ "title": "Upload logs",
1391
+ "description": "This should include all associated traffic associated to the in-scope targets.",
1392
+ "type": "large_upload"
1393
+ },
1394
+ {
1395
+ "key": "executive_summary",
1396
+ "title": "Executive summary",
1397
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
1398
+ "type": "executive_summary"
1399
+ }
1400
+ ]
1401
+ }
1402
+ }