| Azure AKS Api Iprange |
azure-aks-api-iprange |
Ensure AKS has an API Server Authorized IP Ranges enabled |
| Azure AKS Logging Enable |
azure-aks-logging-enable |
Ensure AKS logging to Azure Monitoring is Configured |
| Azure AKS Networkpolicy |
azure-aks-networkpolicy |
Ensure AKS cluster has Network Policy configured |
| Azure AKS Private Cluster |
azure-aks-private-cluster |
Ensure that AKS enables private clusters |
| Azure AKS RBAC Enabled |
azure-aks-rbac-enabled |
Ensure RBAC is enabled on AKS clusters |
| Azure App Service Ad Enabled |
azure-appsvc-ad-enabled |
Ensure that Register with Azure Active Directory is enabled on App Service |
| Azure App Service Auth Enabled |
azure-appsvc-auth-enabled |
Ensure App Service Authentication is set on Azure App Service |
| Azure App Service Cors Restrictive |
azure-appsvc-cors-restrictive |
Ensure that CORS disallows every resource to access app services |
| Azure App Service Disable Debug |
azure-appsvc-disable-debug |
Ensure that remote debugging is not enabled for app services |
| Azure App Service FTP Disabled |
azure-appsvc-ftp-disabled |
Ensure FTP deployments are disabled |
| Azure App Service HTTP Redirect |
azure-appsvc-http-redirect |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
| Azure App Service HTTP TLS Version |
azure-appsvc-http-tls-version |
Ensure web app is using the latest version of TLS encryption |
| Azure App Service Http Version |
azure-appsvc-http-version |
Ensure that 'HTTP Version' is the latest if used to run the web app |
| Azure Automation Variable Encrypted |
azure-automn-variable-encrypted |
Ensure that Automation account variables are encrypted |
| Azure Batch Keyvault |
azure-batch-keyvault |
Ensure that Azure Batch account uses key vault to encrypt data |
| Azure Dashboard Disable |
azure-dashboard-disable |
Ensure Kube Dashboard is disabled |
| Azure Database Audit Enabled |
azure-db-audit-enabled |
Ensure that 'Auditing' is set to 'On' for SQL servers |
| Azure Database Audit Retention |
azure-db-audit-retention |
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers |
| Azure Database Public Ingress |
azure-db-public-ingress |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
| Azure Function App Auth Enabled |
azure-funcapp-auth-enabled |
Ensure that function apps enables Authentication |
| Azure Function App Http Version |
azure-funcapp-http-version |
Ensure that 'HTTP Version' is the latest, if used to run the Function app |
| Azure Function App Https Only |
azure-funcapp-https-only |
Ensure that Function apps is only accessible over HTTPS |
| Azure Machine Scaleset Auth |
azure-machine-scaleset-auth |
Ensure Azure linux scale set does not use basic authentication |
| Azure Machine Scaleset Encrypt |
azure-machine-scaleset-encrypt |
Ensure that Virtual machine scale sets have encryption at host enabled |
| Azure Machine Sensitive Data |
azure-machine-sensitive-data |
Ensure that no sensitive credentials are exposed in VM custom_data |
| Azure MariaDB Public Ingress |
azure-mariadb-public-ingress |
Ensure 'public network access enabled' is set to 'False' for MariaDB servers |
| Azure MariaDB SSL Enabled |
azure-mariadb-ssl-enabled |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers |
| Azure Monitor Audit Activities |
azure-monitor-audit-activities |
Ensure audit profile captures all the activities |
| Azure Monitor Log Retention |
azure-monitor-log-retention |
Ensure that Activity Log Retention is set 365 days or greater |
| Azure MSSQL Audit Retention |
azure-mssql-audit-retention |
Ensure an audit log retention period greater than 90 days. |
| Azure MSSQL Email Service |
azure-mssql-email-service |
Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers |
| Azure MSSQL Send Alerts |
azure-mssql-send-alerts |
Ensure that 'Send Alerts To' is enabled for MSSQL servers |
| Azure MSSQL Threat Types |
azure-mssql-threat-types |
Ensure that 'Threat Detection types' is set to 'All' |
| Azure MSSQL TLS Version |
azure-mssql-tls-version |
Ensure MSSQL is using the latest version of TLS encryption |
| Azure MySQL Enforce SSL |
azure-mysql-enforce-ssl |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
| Azure MySQL Public Ingress |
azure-mysql-public-ingress |
Ensure 'public network access enabled' is set to 'False' for mySQL servers |
| Azure MySQL Tls Version |
azure-mysql-tls-version |
Ensure MySQL is using the latest version of TLS encryption |
| Azure Network Log Retention |
azure-network-log-retention |
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' |
| Azure Network Public RDP |
azure-network-public-rdp |
Ensure that RDP access is restricted from the internet |
| Azure Network Public UDP |
azure-network-public-udp |
Ensure that UDP Services are restricted from the Internet |
| Azure PSQL Enforce SSL |
azure-psql-enforce-ssl |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
| Azure PSQL Param Conn Throttling |
azure-psql-param-conn-throttling |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
| Azure PSQL Public Ingress |
azure-psql-public-ingress |
Ensure that PostgreSQL server disables public network access |
| Azure Security Center Email Alerts |
azure-seccntr-email-alerts |
Ensure that 'Send email notification for high severity alerts' is set to 'On' |
| Azure Storage Public Access |
azure-storage-public-access |
Ensure that 'Public access level' is set to Private for blob containers |
| Azure Storage Public Ingress |
azure-storage-public-ingress |
Ensure default network access rule for Storage Accounts is set to deny |
| Azure Storage Secure Transfer |
azure-storage-secure-xfer |
Ensure that 'Secure transfer required' is set to 'Enabled' |
| Azure Storage TLS Version |
azure-storage-tls-version |
Ensure Storage Account is using the latest version of TLS encryption |
| Azure Storage Trusted Microsoft Service |
azure-storage-trust-msft |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
| Azure Storage Sync Public Ingress |
azure-storsync-public-ingress |
Ensure that Azure File Sync disables public network access |
| Azure Vault Allow Firewall |
azure-vault-allow-firewall |
Ensure that key vault allows firewall rules settings |
| Azure Vault Key Expiry |
azure-vault-key-expiry |
Ensure that the expiration date is set on all keys |
| Azure Vault Purge Protection |
azure-vault-purge-protection |
Ensure that key vault enables purge protection |
| Azure Vault Secret Expiry |
azure-vault-secret-expiry |
Ensure that the expiration date is set on all secrets |