Azure AKS Api Iprange | azure-aks-api-iprange | Ensure AKS has API Server Authorized IP Ranges enabled
Azure AKS Logging Enable | azure-aks-logging-enable | Ensure AKS logging to Azure Monitoring is configured
Azure AKS Networkpolicy | azure-aks-networkpolicy | Ensure AKS cluster has Network Policy configured
Azure AKS Private Cluster | azure-aks-private-cluster | Ensure that AKS enables private clusters
Azure AKS RBAC Enabled | azure-aks-rbac-enabled | Ensure RBAC is enabled on AKS clusters
Azure App Service Ad Enabled | azure-appsvc-ad-enabled | Ensure that Register with Azure Active Directory is enabled on App Service
Azure App Service Auth Enabled | azure-appsvc-auth-enabled | Ensure App Service Authentication is set on Azure App Service
Azure App Service Cors Restrictive | azure-appsvc-cors-restrictive | Ensure that CORS does not allow every resource to access app services
Azure App Service Disable Debug | azure-appsvc-disable-debug | Ensure that remote debugging is not enabled for app services
Azure App Service FTP Disabled | azure-appsvc-ftp-disabled | Ensure FTP deployments are disabled
Azure App Service HTTP Redirect | azure-appsvc-http-redirect | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
Azure App Service HTTP TLS Version | azure-appsvc-http-tls-version | Ensure web app is using the latest version of TLS encryption
Azure App Service Http Version | azure-appsvc-http-version | Ensure that 'HTTP Version' is the latest if used to run the web app
Azure Automation Variable Encrypted | azure-automn-variable-encrypted | Ensure that Automation account variables are encrypted
Azure Batch Keyvault | azure-batch-keyvault | Ensure that Azure Batch account uses key vault to encrypt data
Azure Dashboard Disable | azure-dashboard-disable | Ensure Kube Dashboard is disabled
Azure Database Audit Enabled | azure-db-audit-enabled | Ensure that 'Auditing' is set to 'On' for SQL servers
Azure Database Audit Retention | azure-db-audit-retention | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
Azure Database Public Ingress | azure-db-public-ingress | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Azure Function App Auth Enabled | azure-funcapp-auth-enabled | Ensure that Function apps enable authentication
Azure Function App Http Version | azure-funcapp-http-version | Ensure that 'HTTP Version' is the latest, if used to run the Function app
Azure Function App Https Only | azure-funcapp-https-only | Ensure that Function apps are only accessible over HTTPS
Azure Machine Scaleset Auth | azure-machine-scaleset-auth | Ensure Azure Linux scale set does not use basic authentication
Azure Machine Scaleset Encrypt | azure-machine-scaleset-encrypt | Ensure that Virtual machine scale sets have encryption at host enabled
Azure Machine Sensitive Data | azure-machine-sensitive-data | Ensure that no sensitive credentials are exposed in VM custom_data
Azure MariaDB Public Ingress | azure-mariadb-public-ingress | Ensure 'public network access enabled' is set to 'False' for MariaDB servers
Azure MariaDB SSL Enabled | azure-mariadb-ssl-enabled | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers
Azure Monitor Audit Activities | azure-monitor-audit-activities | Ensure audit profile captures all the activities
Azure Monitor Log Retention | azure-monitor-log-retention | Ensure that Activity Log Retention is set to 365 days or greater
Azure MSSQL Audit Retention | azure-mssql-audit-retention | Ensure the audit log retention period is greater than 90 days
Azure MSSQL Email Service | azure-mssql-email-service | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers
Azure MSSQL Send Alerts | azure-mssql-send-alerts | Ensure that 'Send Alerts To' is enabled for MSSQL servers
Azure MSSQL Threat Types | azure-mssql-threat-types | Ensure that 'Threat Detection types' is set to 'All'
Azure MSSQL TLS Version | azure-mssql-tls-version | Ensure MSSQL is using the latest version of TLS encryption
Azure MySQL Enforce SSL | azure-mysql-enforce-ssl | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Azure MySQL Public Ingress | azure-mysql-public-ingress | Ensure 'public network access enabled' is set to 'False' for MySQL servers
Azure MySQL Tls Version | azure-mysql-tls-version | Ensure MySQL is using the latest version of TLS encryption
Azure Network Log Retention | azure-network-log-retention | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Azure Network Public RDP | azure-network-public-rdp | Ensure that RDP access is restricted from the internet
Azure Network Public UDP | azure-network-public-udp | Ensure that UDP Services are restricted from the Internet
Azure PSQL Enforce SSL | azure-psql-enforce-ssl | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Azure PSQL Param Conn Throttling | azure-psql-param-conn-throttling | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Azure PSQL Public Ingress | azure-psql-public-ingress | Ensure that PostgreSQL server disables public network access
Azure Security Center Email Alerts | azure-seccntr-email-alerts | Ensure that 'Send email notification for high severity alerts' is set to 'On'
Azure Storage Public Access | azure-storage-public-access | Ensure that 'Public access level' is set to Private for blob containers
Azure Storage Public Ingress | azure-storage-public-ingress | Ensure default network access rule for Storage Accounts is set to deny
Azure Storage Secure Transfer | azure-storage-secure-xfer | Ensure that 'Secure transfer required' is set to 'Enabled'
Azure Storage TLS Version | azure-storage-tls-version | Ensure Storage Account is using the latest version of TLS encryption
Azure Storage Trusted Microsoft Service | azure-storage-trust-msft | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Azure Storage Sync Public Ingress | azure-storsync-public-ingress | Ensure that Azure File Sync disables public network access
Azure Vault Allow Firewall | azure-vault-allow-firewall | Ensure that key vault allows firewall rules settings
Azure Vault Key Expiry | azure-vault-key-expiry | Ensure that the expiration date is set on all keys
Azure Vault Purge Protection | azure-vault-purge-protection | Ensure that key vault enables purge protection
Azure Vault Secret Expiry | azure-vault-secret-expiry | Ensure that the expiration date is set on all secrets