prowler 5.17.0__py3-none-any.whl → 5.18.0__py3-none-any.whl

prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_application_insights_enabled",
-  "CheckTitle": "Ensure Function App has Application Insights configured",
+  "CheckTitle": "Function App has Application Insights configured",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Microsoft.Web/sites",
+  "Severity": "medium",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Application Insights is a powerful tool for monitoring the performance and health of Azure Function Apps. It provides valuable insights into exceptions, performance issues, and usage patterns, enabling timely detection and resolution of issues.",
-  "Risk": "Without Application Insights, you may miss critical errors, performance degradation, or abnormal behavior in your Function App, potentially impacting availability and user experience.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
+  "Description": "**Azure Function apps** are configured to send telemetry to **Application Insights** when application settings include `APPLICATIONINSIGHTS_CONNECTION_STRING` or `APPINSIGHTS_INSTRUMENTATIONKEY`.",
+  "Risk": "Without this telemetry, **visibility** into exceptions, dependencies, and performance is lost, reducing **availability** and delaying response. Gaps in traces mask anomalous traffic and failures, enabling prolonged outages and undermining **integrity** of processing (e.g., undetected retries or timeouts).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/azure-monitor/app/monitor-functions",
+    "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/function-app-insights-on.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/function-app-insights-on.html",
-      "Terraform": ""
+      "CLI": "az functionapp config appsettings set --resource-group <RESOURCE_GROUP> --name <FUNCTION_APP_NAME> --settings APPLICATIONINSIGHTS_CONNECTION_STRING=<CONNECTION_STRING>",
+      "NativeIaC": "```bicep\n// Add Application Insights connection string to an existing Function App\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {\n  name: '${functionApp.name}/appsettings'\n  properties: {\n    APPLICATIONINSIGHTS_CONNECTION_STRING: '<CONNECTION_STRING>' // Critical: setting this enables Application Insights for the Function App\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Function App > Configuration > Application settings\n2. Click + New application setting\n3. Name: APPLICATIONINSIGHTS_CONNECTION_STRING\n4. Value: paste the connection string from your Application Insights resource (Overview > Connection string)\n5. Click OK, then Save\n6. If prompted, click Continue to apply the changes",
+      "Terraform": "```hcl\n# Add Application Insights connection string to an existing Function App via ARM deployment\nresource \"azurerm_resource_group_template_deployment\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  resource_group_name = \"<RESOURCE_GROUP>\"\n  deployment_mode     = \"Incremental\"\n\n  template_content = jsonencode({\n    \"$schema\"      = \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n    \"contentVersion\" = \"1.0.0.0\",\n    \"resources\"    = [\n      {\n        \"type\"       = \"Microsoft.Web/sites/config\",\n        \"apiVersion\" = \"2022-09-01\",\n        \"name\"       = \"<FUNCTION_APP_NAME>/appsettings\",\n        \"properties\" = {\n          \"APPLICATIONINSIGHTS_CONNECTION_STRING\" = \"<CONNECTION_STRING>\" // Critical: setting this enables Application Insights for the Function App\n        }\n      }\n    ]\n  })\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Application Insights for your Azure Function App to monitor its performance and health.",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/monitor-functions"
+      "Text": "Enable **Application Insights** for each Function App using a `APPLICATIONINSIGHTS_CONNECTION_STRING` and standardize telemetry. Apply **defense in depth**: use distributed tracing, alert on errors/latency, and enforce least-privilege access and retention on logs to prevent blind spots and speed recovery.",
+      "Url": "https://hub.prowler.com/check/app_function_application_insights_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.metadata.json

@@ -1,31 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_ftps_deployment_disabled",
-  "CheckTitle": "Ensure that FTP and FTPS deployments are disabled for Azure Functions to prevent unauthorized access and data breaches.",
+  "CheckTitle": "Function app has FTP and FTPS deployments disabled",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Microsoft.Web/sites",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Azure FTP deployment endpoints are unencrypted and public, making them vulnerable to attacks. Disabling FTP and FTPS deployments enhances security by preventing unauthorized access to login credentials and sensitive codebases.",
-  "Risk": "If left enabled, attackers can intercept network traffic and gain full control of the app or service, leading to potential data breaches and unauthorized modifications.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp",
+  "Description": "**Azure Function apps** are evaluated for the `ftps_state` setting that controls **FTP/FTPS deployment endpoints**. Values `AllAllowed` or `FtpsOnly` indicate deployment over FTP/FTPS is enabled, while `Disabled` indicates both endpoints are turned off.",
+  "Risk": "Enabled **FTP/FTPS deployment** undermines confidentiality and integrity. FTP exposes credentials in cleartext; FTPS still presents a public basic-auth endpoint susceptible to brute force and credential reuse. Compromise enables **unauthorized code pushes**, leading to RCE, data leakage, and service disruption.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows#trigger-syncing",
+    "https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az webapp config set --resource-group <resource-group> --name <app-name> --ftps-state Disabled",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "",
-      "Arm": ""
+      "NativeIaC": "```bicep\n// Disable FTP and FTPS on an existing Function App\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource webConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n  name: 'web'\n  parent: functionApp\n  properties: {\n    ftpsState: 'Disabled' // CRITICAL: Disables both FTP and FTPS deployments\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to your Function App\n2. Select Configuration > General settings\n3. Under Platform settings, set FTP state to Disabled\n4. Click Save",
+      "Terraform": "```hcl\n# Disable FTP and FTPS on a Function App\nresource \"azurerm_linux_function_app\" \"<example_resource_name>\" {\n  name                       = \"<example_resource_name>\"\n  resource_group_name        = \"<example_resource_name>\"\n  location                   = \"<example_location>\"\n  service_plan_id            = \"<example_resource_id>\"\n  storage_account_name       = \"<example_resource_name>\"\n  storage_account_access_key = \"<example_secret_value>\"\n  functions_extension_version = \"~4\"\n\n  site_config {\n    ftps_state = \"Disabled\" # CRITICAL: Disables both FTP and FTPS deployments\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to disable FTP and FTPS deployments for Azure Functions to mitigate security risks. Instead, consider using more secure deployment methods such as Docker contianer or enabling continuous deployment with GitHub Actions.",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows#trigger-syncing"
+      "Text": "Disable **FTP and FTPS deployment** on Function apps (`ftps_state: Disabled`). Adopt **defense in depth**: deploy via **CI/CD** with packaged artifacts (zip or containers), enforce **least privilege** publishing access, and limit exposure of build and deployment endpoints. *If unavoidable, use FTPS-only with TLS 1.2 and rotate credentials promptly.*",
+      "Url": "https://hub.prowler.com/check/app_function_ftps_deployment_disabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "This check ensures that Azure Functions are deployed securely, reducing the attack surface and protecting sensitive information."

prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_identity_is_configured",
-  "CheckTitle": "Ensure Azure function has system or user assigned managed identity configured",
+  "CheckTitle": "Function app has a system-assigned or user-assigned managed identity enabled",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Microsoft.Web/sites",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Azure Functions should have managed identities configured for enhanced security and access control.",
-  "Risk": "Not using managed identities can lead to less secure authentication and authorization practices, potentially exposing sensitive data.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview",
+  "Description": "**Azure Function Apps** are evaluated for an enabled **managed identity** (`SystemAssigned` or `UserAssigned`) configured on the app.\n\nThe finding indicates whether an identity is present to support token-based access to other Azure resources.",
+  "Risk": "Without **managed identities**, apps rely on stored secrets/keys, risking:\n- Confidentiality loss from leaked credentials\n- Integrity tampering via unauthorized writes\n- Availability outages from secret expiry/rotation\n\nCompromised keys enable unauthorized access and lateral movement.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-system-assigned-identity.html",
+    "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity",
+    "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az functionapp identity assign --name <function_name> --resource-group <resource_group> --identities [system]",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-system-assigned-identity.html",
-      "Terraform": ""
+      "CLI": "az functionapp identity assign --resource-group <resource_group> --name <function_name>",
+      "NativeIaC": "```bicep\n// Enable managed identity on an existing Function App\nparam location string = resourceGroup().location\n\nresource functionApp 'Microsoft.Web/sites@2022-03-01' = {\n  name: '<example_resource_name>'\n  location: location\n  identity: {\n    type: 'SystemAssigned' // CRITICAL: Enables a system-assigned managed identity so the check passes\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to your Function App\n2. Under Settings, select Identity\n3. On the System assigned tab, set Status to On\n4. Click Save",
+      "Terraform": "```hcl\n# Enable managed identity on an existing Function App via PATCH\nresource \"azapi_update_resource\" \"<example_resource_name>\" {\n  type       = \"Microsoft.Web/sites@2022-03-01\"\n  resource_id = \"<example_resource_id>\"\n  body = jsonencode({\n    identity = {\n      type = \"SystemAssigned\" # CRITICAL: Enables a system-assigned managed identity so the check passes\n    }\n  })\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to enable managed identities for Azure Functions to enhance security and access control. This allows the function app to easily access other Azure resources securely and with the appropriate permissions.",
-      "Url": "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity"
+      "Text": "Enable a **managed identity** on each Function App (`SystemAssigned` per app, `UserAssigned` for shared/long-lived needs). Replace secrets with token-based access and grant only required RBAC roles (**least privilege**). Remove keys from settings, apply **separation of duties**, and monitor access as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/app_function_identity_is_configured"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_identity_without_admin_privileges",
-  "CheckTitle": "Ensure that your Azure functions are not configured with an identity with admin privileges",
+  "CheckTitle": "Function app managed identity is not assigned Owner, Contributor, User Access Administrator, or Role Based Access Control Administrator roles",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Microsoft.Web/sites",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "It is important to ensure that Azure functions are not configured with administrative privileges to maintain the principle of least privilege and reduce the attack surface. By limiting the privileges of Azure functions, potential security risks and data leaks can be mitigated.",
-  "Risk": "If Azure functions are configured with administrative privileges, it increases the risk of unauthorized access, privilege escalation, and data breaches. Attackers can exploit these privileges to gain access to sensitive data and compromise the entire system.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview",
+  "Description": "**Azure Function apps** with managed identities are evaluated for assignments to broad **administrative roles**: **Owner**, **Contributor**, **User Access Administrator**, **RBAC Administrator**.\n\nThe finding highlights functions whose identity carries elevated permissions beyond normal runtime needs.",
+  "Risk": "Admin rights on a function's identity expose the control plane.\n- Confidentiality: read secrets and data\n- Integrity: alter configs, grant roles, deploy changes\n- Availability: stop or delete resources\nA runtime compromise can enable **lateral movement** and **privilege escalation** across the environment.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-admin-permissions.html",
+    "https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authorization#use-the-principle-of-least-privilege",
+    "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "az role assignment delete --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> --scope <SCOPE_ID>",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-admin-permissions.html",
+      "Other": "1. In the Azure portal, open the scope where the role is assigned (e.g., Subscription, Resource group, or the Function App resource)\n2. Go to Access control (IAM) > Role assignments\n3. In the Principal filter, search for the Function App's managed identity (<function-app-name>)\n4. For each assignment with role Owner, Contributor, User Access Administrator, or Role Based Access Control Administrator, click Remove\n5. Repeat steps 1-4 at all relevant scopes (subscription, resource group, and Function App) until no such admin roles remain for this identity",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "To remediate this issue, ensure that Azure functions are not configured with an identity that has administrative privileges. Instead, use the principle of least privilege to grant only the necessary permissions to Azure functions. For more information, refer to the official documentation: Use the principle of least privilege.",
-      "Url": "https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authorization#use-the-principle-of-least-privilege"
+      "Text": "Apply **least privilege**: grant only narrowly scoped, data-plane permissions needed by the function; avoid broad roles like `Owner` or `Contributor`.\nUse **separation of duties** and **just-in-time** elevation for rare admin tasks.\nRegularly review role assignments and restrict scope to the smallest necessary boundary.",
+      "Url": "https://hub.prowler.com/check/app_function_identity_without_admin_privileges"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "This check helps prevent privilege escalation attacks and ensures that Azure functions operate with the necessary permissions, reducing the impact of potential security breaches."

prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_latest_runtime_version",
-  "CheckTitle": "Ensure Azure Functions are using the latest supported runtime",
+  "CheckTitle": "Function app uses the latest supported runtime version (~4)",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Microsoft.Web/sites",
+  "Severity": "medium",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Keeping Azure Functions up to date with the latest supported runtime version is crucial for security and performance. Updates often include security patches and enhancements, helping to protect against known vulnerabilities and potential exploits. Additionally, newer runtime versions may offer improved functionality and optimized resource utilization.",
-  "Risk": "Using outdated runtime versions may introduce security risks and performance degradation. Outdated runtimes may have unpatched vulnerabilities, making them susceptible to attacks.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-versions",
+  "Description": "**Azure Function apps** are assessed for the **runtime version** set via `FUNCTIONS_EXTENSION_VERSION`. The finding identifies apps not configured to use the current supported major version `~4`.",
+  "Risk": "Outdated Functions runtimes erode CIA:\n- **Confidentiality**: known flaws enable unauthorized data access.\n- **Integrity**: RCE or binding bugs allow code tampering.\n- **Availability**: missing fixes cause crashes and scale faults.\n\nEnd-of-support versions (e.g., 2.x/3.x) lack security patches, increasing exploitability.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.microsoft.com/en-us/azure/azure-functions/functions-versions",
+    "https://learn.microsoft.com/en-us/azure/azure-functions/migrate-version-3-version-4?tabs=net8%2Cazure-cli%2Cwindows&pivots=programming-language-python",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-runtime-version.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az functionapp config appsettings set --name <function_app_name> --resource-group <resource_group_name> --settings FUNCTIONS_EXTENSION_VERSION=~4",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-runtime-version.html",
-      "Terraform": ""
+      "NativeIaC": "```bicep\n// Set Azure Functions runtime to v4 for an existing Function App\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {\n  name: '${functionApp.name}/appsettings'\n  properties: {\n    FUNCTIONS_EXTENSION_VERSION: '~4' // Critical: ensures the Function App uses runtime ~4\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Function App <example_resource_name>\n2. Select Configuration > Application settings\n3. Add or edit the setting:\n   - Name: FUNCTIONS_EXTENSION_VERSION\n   - Value: ~4\n4. Click Save and confirm the restart\n5. Verify the setting shows FUNCTIONS_EXTENSION_VERSION = ~4",
+      "Terraform": "```hcl\n# Minimal Function App with runtime set to v4 (~4) - use azurerm_linux_function_app or azurerm_windows_function_app\nresource \"azurerm_resource_group\" \"example\" {\n  name     = \"<example_resource_name>\"\n  location = \"eastus\"\n}\n\nresource \"azurerm_storage_account\" \"example\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = azurerm_resource_group.example.name\n  location                 = azurerm_resource_group.example.location\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n}\n\nresource \"azurerm_service_plan\" \"example\" {\n  name                = \"<example_resource_name>\"\n  resource_group_name = azurerm_resource_group.example.name\n  location            = azurerm_resource_group.example.location\n  os_type             = \"Linux\"\n  sku_name            = \"Y1\"\n}\n\nresource \"azurerm_linux_function_app\" \"example\" {\n  name                       = \"<example_resource_name>\"\n  location                   = azurerm_resource_group.example.location\n  resource_group_name        = azurerm_resource_group.example.name\n  service_plan_id            = azurerm_service_plan.example.id\n  storage_account_name       = azurerm_storage_account.example.name\n  storage_account_access_key = azurerm_storage_account.example.primary_access_key\n\n  site_config {}\n\n  app_settings = {\n    FUNCTIONS_EXTENSION_VERSION = \"~4\" # Critical: ensures the Function App uses runtime ~4\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-functions/migrate-version-3-version-4?tabs=net8%2Cazure-cli%2Cwindows&pivots=programming-language-python"
+      "Text": "Standardize on supported runtime `~4` and align language/extension versions.\n- Enforce upgrades in CI/CD and use staging to validate before rollout.\n- Apply **least privilege** for app identities and secrets.\n- Prefer automated patching and periodic reviews to avoid drift; avoid downgrades or indefinite minor pinning.",
+      "Url": "https://hub.prowler.com/check/app_function_latest_runtime_version"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Stay informed about the latest security updates and patch releases for Azure Functions to maintain a secure and up-to-date environment."

prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_not_publicly_accessible",
-  "CheckTitle": "Ensure Azure Functions are not publicly accessible",
+  "CheckTitle": "Function app is not publicly accessible",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Microsoft.Web/sites",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Azure Functions should not be exposed to the public internet. Restricting access helps protect applications from potential threats and reduces the attack surface.",
-  "Risk": "Exposing Azure Functions to the public internet increases the risk of unauthorized access, data breaches, and other security threats.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options",
+  "Description": "**Azure Function apps** are assessed for whether they are reachable from the public Internet. The evaluation considers the app's `publicNetworkAccess` state and the presence of access restrictions or private endpoints to limit inbound traffic.",
+  "Risk": "Public exposure allows unauthorized invocation, risking data disclosure and tampering (**confidentiality** and **integrity**). Attackers can brute-force tokens or abuse misconfigurations for remote execution. Unrestricted calls also enable abuse and DoS, driving cost and harming **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-exposed.html",
+    "https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-exposed.html",
-      "Terraform": ""
+      "CLI": "az functionapp update --resource-group <RESOURCE_GROUP> --name <FUNCTION_APP_NAME> --set publicNetworkAccess=Disabled",
+      "NativeIaC": "```bicep\n// Disable public access by denying all unmatched traffic\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource siteConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n  name: '${functionApp.name}/web'\n  properties: {\n    ipSecurityRestrictionsDefaultAction: 'Deny' // Critical: blocks public access via default endpoint\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to your Function App\n2. Select Networking\n3. Under Public access, set Public network access to Disabled\n4. Click Save",
+      "Terraform": "```hcl\n# Disable public network access for the Function App\nresource \"azurerm_linux_function_app\" \"<example_resource_name>\" {\n  name                       = \"<example_resource_name>\"\n  location                   = azurerm_resource_group.main.location\n  resource_group_name        = azurerm_resource_group.main.name\n  service_plan_id            = azurerm_service_plan.main.id\n  storage_account_name       = azurerm_storage_account.main.name\n  storage_account_access_key = azurerm_storage_account.main.primary_access_key\n\n  public_network_access_enabled = false # Critical: disables public endpoint access\n}\n```"
     },
     "Recommendation": {
-      "Text": "Review the Azure Functions security guidelines and ensure that access restrictions are in place. Use Azure Private Link and Key Vault for enhanced security.",
-      "Url": "https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions"
+      "Text": "Apply network isolation and least privilege:\n- Set `publicNetworkAccess=Disabled`\n- Use access restrictions for trusted IPs/VNets or **Private Endpoints**\n- Require strong auth (e.g., **Microsoft Entra ID**) over shared keys\n- Front with **API Management/WAF**\n- Keep secrets in **Key Vault** and monitor access logs",
+      "Url": "https://hub.prowler.com/check/app_function_not_publicly_accessible"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_function_vnet_integration_enabled",
-  "CheckTitle": "Ensure Virtual Network Integration is Enabled for Azure Functions",
+  "CheckTitle": "Function app has Virtual Network integration enabled",
   "CheckType": [],
   "ServiceName": "app",
-  "SubServiceName": "function",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Microsoft.Web/sites",
+  "Severity": "medium",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Enabling Virtual Network Integration for Azure Functions provides an additional layer of security by restricting access to selected virtual network subnets. This helps to protect your Function Apps from unauthorized access and potential threats.",
-  "Risk": "Without Virtual Network Integration, your Function Apps may be exposed to the public internet, increasing the risk of unauthorized access and potential security breaches.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#virtual-network-integration",
+  "Description": "**Azure Function apps** configured with **Virtual Network integration** uses a chosen subnet so outbound traffic is routed via the VNet and can reach private or service-endpoint-secured resources.\n\nThe finding reflects whether a function app is associated with a subnet resource ID.",
+  "Risk": "Without VNet integration, function apps send egress directly to the public Internet and cannot reach private endpoints.\n\nThis weakens confidentiality and integrity by bypassing NSG/UDR controls, enables data exfiltration from compromised code, and may force exposing backends publicly, increasing attack surface.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-vnet-integration-on.html",
+    "https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#enable-virtual-network-integration",
+    "https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#virtual-network-integration"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az functionapp vnet-integration update --name <function_app_name> --resource-group <resource_group_name> --vnet <vnet_name> --subnet <subnet_name>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-vnet-integration-on.html",
-      "Terraform": ""
+      "CLI": "az functionapp vnet-integration add --name <function_app_name> --resource-group <resource_group_name> --vnet <vnet_name> --subnet <subnet_name>",
+      "NativeIaC": "```bicep\n// Enable VNet integration for an existing Function App\nresource vnetConn 'Microsoft.Web/sites/virtualNetworkConnections@2022-03-01' = {\n  name: '<example_resource_name>/<example_resource_name>' // <function_app_name>/<vnet_name>\n  properties: {\n    subnetResourceId: '/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Network/virtualNetworks/<example_resource_name>/subnets/<example_resource_name>' // CRITICAL: attaches the Function App to this subnet\n    isSwift: true // CRITICAL: enables regional VNet (Swift) integration\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to your Function App\n2. Select Networking > VNet Integration\n3. Click Add VNet\n4. Choose the target Virtual network and Subnet\n5. Click OK/Save to apply\n",
+      "Terraform": "```hcl\n# Enable VNet integration for an existing Function App\nresource \"azurerm_app_service_virtual_network_swift_connection\" \"<example_resource_name>\" {\n  app_service_id = \"/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Web/sites/<example_resource_name>\" # CRITICAL: target Function App resource ID\n  subnet_id      = \"/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Network/virtualNetworks/<example_resource_name>/subnets/<example_resource_name>\" # CRITICAL: subnet to integrate with\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to enable Virtual Network Integration for Azure Functions to enhance security and protect against unauthorized access.",
-      "Url": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#enable-virtual-network-integration"
+      "Text": "Enable **Virtual Network integration** and attach function apps to a dedicated subnet to enforce **least privilege network access**.\n\nRoute egress through the VNet (e.g., `Route All`), apply **NSGs/UDRs**, and use **private endpoints** or service endpoints for dependencies. Restrict outbound traffic by default as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/app_function_vnet_integration_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "app_http_logs_enabled",
-  "CheckTitle": "Ensure that logging for Azure AppService 'HTTP logs' is enabled",
+  "CheckTitle": "App Service web app has HTTP logs enabled in diagnostic settings",
   "CheckType": [],
   "ServiceName": "app",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "low",
-  "ResourceType": "Microsoft.Web/sites/config",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.",
-  "Risk": "Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+  "Description": "**Azure App Service web apps** diagnostic settings include **HTTP request logging** when the `AppServiceHTTPLogs` category (or the `allLogs` group) is enabled to capture web access events.",
+  "Risk": "Without **HTTP access logs**, visibility into requests is lost, hindering **detection** of brute force, probing, and injection attempts. This weakens **forensics** and reduces **confidentiality** and **integrity** by masking data access paths and blocking reliable incident timelines.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+    "https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-logging-policies/ensure-that-app-service-enables-http-logging#terraform"
+      "CLI": "az monitor diagnostic-settings create --name <example_resource_name> --resource /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_NAME> --workspace <LOG_ANALYTICS_WORKSPACE_RESOURCE_ID> --logs '[{\"category\":\"AppServiceHTTPLogs\",\"enabled\":true}]'",
+      "NativeIaC": "```bicep\n// Enable HTTP Logs for an existing App Service via Azure Monitor diagnostic setting\nresource app 'Microsoft.Web/sites@2022-03-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: '<example_resource_name>'\n  scope: app\n  properties: {\n    workspaceId: '<example_resource_id>' // Destination Log Analytics workspace\n    logs: [\n      {\n        category: 'AppServiceHTTPLogs' // Critical: enable the HTTP Logs category\n        enabled: true                  // Critical: turns HTTP Logs on\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to your App Service > Monitoring > Diagnostic settings\n2. Click + Add diagnostic setting\n3. Under Logs, check AppServiceHTTPLogs (or select the allLogs category group)\n4. Choose a destination (Log Analytics workspace, Storage account, or Event Hub)\n5. Click Save",
+      "Terraform": "```hcl\n# Enable HTTP Logs for App Service via Azure Monitor diagnostic setting\nresource \"azurerm_monitor_diagnostic_setting\" \"<example_resource_name>\" {\n  name                       = \"<example_resource_name>\"\n  target_resource_id         = \"/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<example_resource_name>\"\n  log_analytics_workspace_id = \"<example_resource_id>\" # Destination Log Analytics workspace\n\n  log {                      # Critical: enables the HTTP Logs category\n    category = \"AppServiceHTTPLogs\"\n    enabled  = true\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to App Services For each App Service: 2. Go to Diagnostic Settings 3. Click Add Diagnostic Setting 4. Check the checkbox next to 'HTTP logs' 5. Configure a destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with SIEM integration for Event Hub logging).",
-      "Url": "https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs"
+      "Text": "Enable **diagnostic settings** with `AppServiceHTTPLogs` (or `allLogs`) and route logs to a centralized store. Enforce **least privilege**, retention, and tamper-resistant storage. Integrate with a **SIEM** for analytics and alerting, and periodically verify logging coverage across all apps and regions.",
+      "Url": "https://hub.prowler.com/check/app_http_logs_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Log consumption and processing will incur additional cost."

prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "azure",
   "CheckID": "app_minimum_tls_version_12",
-  "CheckTitle": "Ensure Web App is using the latest version of TLS encryption",
+  "CheckTitle": "App Service web app has minimum TLS version set to 1.2 or 1.3",
   "CheckType": [],
   "ServiceName": "app",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Microsoft.Web/sites/config",
+  "Severity": "medium",
+  "ResourceType": "microsoft.web/sites/config",
   "ResourceGroup": "serverless",
-  "Description": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.",
-  "Risk": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+  "Description": "**Azure App Service web apps** are assessed for the configured minimum TLS version for HTTPS. The expected baseline is `1.2` or `1.3`; settings that permit lower versions indicate acceptance of legacy TLS during client negotiation.",
+  "Risk": "Allowing `TLS 1.0/1.1` enables protocol downgrades and weak cipher negotiation, exposing HTTPS traffic to **MITM** interception, credential theft, and tampering. This undermines the **confidentiality** and **integrity** of sessions and data in transit, and can enable account takeover via stolen tokens.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/+azure/app-service/overview-tls",
+    "https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-tls-encryption-in-use.html",
+    "https://icompaas.freshdesk.com/support/solutions/articles/62000234773-ensure-that-minimum-tls-version-is-set-to-tls-v1-2-or-higher"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --min-tls-version 1.2",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-tls-encryption-in-use.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_6#terraform"
+      "NativeIaC": "```bicep\n// Update existing App Service to enforce minimum TLS 1.2\nresource app 'Microsoft.Web/sites@2023-01-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource appConfig 'Microsoft.Web/sites/config@2023-01-01' = {\n  name: '${app.name}/web'\n  properties: {\n    minTlsVersion: '1.2' // CRITICAL: Enforces minimum TLS version 1.2 to pass the check\n  }\n}\n```",
+      "Other": "1. Sign in to Azure Portal and go to App Services\n2. Select your app\n3. Go to Settings > Configuration > General settings\n4. Set Minimum TLS Version to 1.2 (or 1.3 if available)\n5. Click Save",
+      "Terraform": "```hcl\n# Enforce minimum TLS 1.2 on an Azure Linux Web App\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  resource_group_name = \"<example_resource_name>\"\n  location            = \"<example_resource_name>\"\n  service_plan_id     = \"<example_resource_id>\"\n\n  site_config {\n    minimum_tls_version = \"1.2\" # CRITICAL: Enforces minimum TLS 1.2 to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on TLS/SSL settings 5. Under the Bindings pane, ensure that Minimum TLS Version set to 1.2 under Protocol Settings",
-      "Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit"
+      "Text": "Enforce a minimum of `TLS 1.2` (prefer `1.3`) and disable `1.0/1.1`. Require **HTTPS-only**, enable HSTS, and align with modern cipher suites. Test client compatibility and phase out legacy agents. Document narrow exceptions with compensating controls to uphold **defense in depth** and prevent downgrades.",
+      "Url": "https://hub.prowler.com/check/app_minimum_tls_version_12"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "By default, TLS Version feature will be set to 1.2 when a new app is created using the command-line tool or Azure Portal console."

prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "app_register_with_identity",
-  "CheckTitle": "Ensure that Register with Azure Active Directory is enabled on App Service",
+  "CheckTitle": "App Service web app has a managed identity configured",
   "CheckType": [],
   "ServiceName": "app",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Microsoft.Web/sites",
+  "ResourceType": "microsoft.web/sites",
   "ResourceGroup": "serverless",
-  "Description": "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.",
-  "Risk": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant",
+  "Description": "**Azure App Service web apps** are configured with a **managed identity** (`identity`: `SystemAssigned` or `UserAssigned`) for token-based access to Azure resources without embedded credentials",
+  "Risk": "**Missing managed identity** drives reliance on stored secrets. Leaked credentials enable **unauthorized access** to SQL, Storage, or Key Vault, leading to **data exfiltration**, tampering, and lateral movement. Secret expiry or revocation can break connectivity, degrading **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity",
+    "https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-registration-with-microsoft-entra-id.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az webapp identity assign --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-registration-with-microsoft-entra-id.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-iam-policies/bc_azr_iam_1#terraform"
+      "NativeIaC": "```bicep\n// Enable system-assigned managed identity on an existing App Service app\nresource app 'Microsoft.Web/sites@2022-09-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  identity: {\n    type: 'SystemAssigned' // Critical: enables a managed identity for the app\n  }\n}\n```",
+      "Other": "1. Sign in to the Azure portal\n2. Go to App Services and select your app\n3. Under Settings, select Identity\n4. On the System assigned tab, set Status to On\n5. Click Save and confirm",
+      "Terraform": "```hcl\n# Enable system-assigned managed identity on the App Service app (use azurerm_linux_web_app or azurerm_windows_web_app)\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  location            = azurerm_resource_group.<example_resource_name>.location\n  resource_group_name = azurerm_resource_group.<example_resource_name>.name\n  service_plan_id     = azurerm_service_plan.<example_resource_name>.id\n\n  site_config {}\n\n  identity {                    # Critical: enables managed identity\n    type = \"SystemAssigned\"    # Creates a system-assigned identity for the app\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Identity 5. Under the System assigned pane, set Status to On",
-      "Url": "https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service"
+      "Text": "Enable a **managed identity** and use it for all service-to-service access. Apply **least privilege** on target resources and eliminate secrets from code and app settings. Remove legacy credentials, rotate residual keys, and monitor usage for **defense in depth**. *Use system-assigned per app; user-assigned for reuse or separation.*",
+      "Url": "https://hub.prowler.com/check/app_register_with_identity"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "By default, Managed service identity via Azure AD is disabled."