Azure Security Policies
The Security Policies view provides a list of all security policies within the Cloudneeti application. The following are the security policies in the Cloudneeti application for the different cloud account types; refer to the Release Notes for the latest updates.
Azure Security Policies
Category Name | Service Name | Policy Title |
---|---|---|
Azure - Business continuity and DR | Virtual Machine (VM) | Ensure that backup feature is configured for Virtual Machines |
Azure - Business continuity and DR | Recovery Services vault | Ensure that backup policy is associated with every Backup Vault |
Azure - Business continuity and DR | Virtual Machine (VM) | Ensure that sufficient capacity is available for Virtual Machines (SLA) |
Azure - Business continuity and DR | Web App | Ensure that Backup feature is configured for App Service deployed on Standard and above App Service Plan |
Azure - Business continuity and DR | API App | Ensure that Backup feature is configured for API Apps deployed on Standard and above App Service Plan |
Azure - Business continuity and DR | Function App | Ensure that Backup feature is configured for Function Apps deployed on Standard and above App Service Plan |
Azure - Business continuity and DR | Mobile App | Ensure that Backup feature is configured for Mobile Apps deployed on Standard and above App Service Plan |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that a Vulnerability Assessment solution is installed on the Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Endpoint Protection is installed on the Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that latest OS patches are applied to all Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Disk Encryption policy is enforced on the Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that operating system disks are encrypted for Windows Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that data disks are encrypted for Windows Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that VM agent is installed on Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Antivirus is enabled for Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that auto update for Antivirus software is enabled on the Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that real time protection is set to ON inside the Windows Virtual Machine |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that diagnostics is enabled on Virtual Machine |
Azure - Compute (IaaS) | Service Fabric cluster | Ensure that Service Fabric cluster consists of more than one VM |
Azure - Compute (IaaS) | Service Fabric cluster | Ensure that Certificate security is enabled on the Service Fabric cluster |
Azure - Compute (IaaS) | Service Fabric cluster | Ensure that update mode is set to automatic for Service Fabric cluster |
Azure - Compute (IaaS) | Service Fabric cluster | Ensure that log analytics storage is enabled for Service Fabric cluster |
Azure - Compute (IaaS) | Service Fabric cluster | Ensure that Azure AD security is used for the Service Fabric cluster |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Log Analytics VM extension is enabled for Windows Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Windows Virtual Machines are always AD Domain joined |
Azure - Compute (IaaS) | Azure Disk | Ensure that 'Unattached disks' are encrypted |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that ASC shows a healthy state for the Virtual Machine |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Log Analytics VM extension is enabled for Linux Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that operating system disks are encrypted for Linux Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that data disks are encrypted for Linux Virtual Machines |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that Virtual Machines are using managed disks |
Azure - Compute (IaaS) | Virtual Machine (VM) | Ensure that only approved extensions are installed |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure HTTP/2 is enabled for App Service Mobile Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that 'Always On' is enabled for App Services deployed on Basic and above App Service Plan |
Azure - Compute (PaaS and Serverless) | API App | Ensure that 'Always On' is enabled for API Apps deployed on Basic and above App Service Plan |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that 'Always On' is enabled for Mobile Apps deployed on Basic and above App Service Plan |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that 'Always On' is enabled for Function Apps deployed on Basic and above App Service Plan |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that 'Auto Heal' is enabled for App Services |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that 'Auto Heal' is enabled for Mobile Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that 'Auto Heal' is enabled for API Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that 'Auto Heal' is enabled for Function Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that Register with Azure Active Directory is enabled on App Service |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that Managed Service Identity (MSI) is enabled for Mobile Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that Managed Service Identity (MSI) is enabled for Function Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that Managed Service Identity (MSI) is enabled for API Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure Web Sockets are disabled for App Services |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure Web Sockets are disabled for Mobile Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure Web Sockets are disabled for API Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure Web Sockets are disabled for Function Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Web Apps |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Mobile Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for API Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that remote debugging is turned off for Function App |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that IP restrictions rules are configured for Function Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that IP restrictions rules are configured for App Service |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that Custom Domains are configured in App Service |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that Custom Domains are configured in Function App |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that CORS does not allow every resource to access Mobile Apps |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that Custom Domains are configured in Mobile App |
Azure - Compute (PaaS and Serverless) | API App | Ensure that Custom Domains are configured in API App |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that IP restrictions rules are configured for Mobile Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that IP restrictions rules are configured for API Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Function Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that CORS does not allow every resource to access Function Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that CORS does not allow every resource to access Web Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that CORS does not allow every resource to access API Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that HTTPS Only is enabled for Function Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that HTTPS Only is enabled for API App Services |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that HTTPS Only is enabled for Mobile App Services |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that remote debugging is turned off for App Service |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that 'App Service Authentication' is enabled for Function Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that 'App Service Authentication' is enabled for API Apps |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that 'App Service Authentication' is enabled for Mobile Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that 'App Service Authentication' is enabled for Web apps |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that remote debugging is turned off for Mobile App |
Azure - Compute (PaaS and Serverless) | API App | Ensure that remote debugging is turned off for API App |
Azure - Compute (PaaS and Serverless) | API App | Ensure that 'Availability Web Tests' are configured for API Apps |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that 'Availability Web Tests' are configured for Mobile Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that 'Availability Web Tests' are configured for Function Apps |
Azure - Compute (PaaS and Serverless) | Mobile App | Ensure that 'App Insights' are configured for Azure Mobile Apps |
Azure - Compute (PaaS and Serverless) | Function App | Ensure that 'App Insights' are configured for Azure Function Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure that 'App Insights' are configured for Azure API Apps |
Azure - Compute (PaaS and Serverless) | Web App | Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On' |
Azure - Compute (PaaS and Serverless) | Web App | Ensure that 'HTTP Version' is the latest, if used to run the web app |
Azure - Compute (PaaS and Serverless) | Function App | Ensure HTTP/2 is enabled for App Service Function Apps |
Azure - Compute (PaaS and Serverless) | API App | Ensure HTTP/2 is enabled for App Service API Apps |
Azure - Data Analytics | HDInsight | Ensure that HDInsight Cluster is AD Domain joined |
Azure - Data Analytics | Network Security Groups (NSG) | Ensure that NSG always allows traffic from the specific IP addresses for HDInsight Cluster |
Azure - Data Analytics | Network Security Groups (NSG) | Ensure that NSG always allows traffic from the specific region for HDInsight Cluster |
Azure - Data Analytics | HDInsight | Ensure that Enterprise Security Package is enabled for HDInsight cluster |
Azure - Data Analytics | Azure Data Factory (ADF) | Ensure that Service Identity is enabled for Azure Data Factory |
Azure - Data Analytics | Azure Data Factory (ADF) | Ensure that Azure Data Factory connection credentials are stored in Azure Key Vault |
Azure - Data in Transit | Application Gateway | Ensure that TLS 1.0 and 1.1 protocols are disabled for Application Gateway |
Azure - Data in Transit | Application Gateway | Ensure only SSL traffic is enabled for Application Gateway |
Azure - Data in Transit | Application Gateway | Ensure that minimum protocol version of TLS1.2 or higher is enabled for Application Gateway |
Azure - Data in Transit | Web App | Ensure web app is using the latest version of TLS encryption |
Azure - Data in Transit | Function App | Ensure that TLS is configured for Function Apps |
Azure - Data in Transit | API App | Ensure that TLS is configured for API Apps |
Azure - Data in Transit | Mobile App | Ensure that TLS is configured for Mobile Apps |
Azure - Data in Transit | Application Gateway | Ensure that latest version of OWASP ruleset is used for Application Gateway |
Azure - Data in Transit | Application Gateway | Ensure that WAF is enabled for Application Gateway |
Azure - Data in Transit | Application Gateway | Ensure that your deployment architecture is protected by Azure SLA for Application Gateway |
Azure - Data in Transit | Application Gateway | Ensure that WAF is set to 'Prevention mode' for Application Gateway |
Azure - Fundamentals | Azure Resource | Ensure that Department tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that Environment tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that ProjectName tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that ApplicationOwner tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that BusinessUnit tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that CostCenter tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that DataProfile tag has been applied for individual Azure resources |
Azure - Fundamentals | Azure Resource | Ensure that Resource Locks are set for mission critical Azure resources |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that no custom subscription owner roles are created |
Azure - Identity and Access | Identity and access management (IAM) | Enforce the policy to set Password to 'always' expire in Azure Active Directory for all Organization Users |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that Azure resources are accessible only through Organization Account |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that Service Principal Certificates are renewed before they expire |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that there are no guest users |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users can register applications' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Guest user permissions are limited' is set to 'Yes' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Members can invite' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Guests can invite' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Self-service group management enabled' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users can create security groups' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users who can manage security groups' is set to 'None' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users can create Office 365 groups' is set to 'No' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Users who can manage Office 365 groups' is set to 'None' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Enable All Users group' is set to 'Yes' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Number of methods required to reset' is set to '2' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Notify users on password resets?' is set to 'Yes' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Azure - Identity and Access | Identity and access management (IAM) | Ensure that multi-factor authentication is enabled for all privileged users |
Azure - Key Management | Identity and access management (IAM) | Ensure that AD Application keys are rotated before they expire |
Azure - Key Management | Key Vault | Ensure that the expiry date is set on all Secrets in a Key Vault |
Azure - Key Management | Key Vault | Ensure that Diagnostics logs are set with a retention period of at least 365 days for Azure Key Vaults |
Azure - Key Management | Key Vault | Ensure that Soft Delete is enabled for Key Vault |
Azure - Key Management | Key Vault | Ensure mission critical Azure KeyVaults are not open to the Internet |
Azure - Key Management | Key Vault | Ensure that the expiration date is set on all keys |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure Azure Active Directory RBAC is enabled for Azure Kubernetes Services (AKS) |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that AAD is enabled in Kubernetes Service |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that Monitoring is enabled for Azure Kubernetes Service |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure Azure Kubernetes Service clusters are always running with latest Kubernetes versions |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that latest system updates are applied to all Azure Kubernetes Cluster nodes |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that Diagnostics logs are enabled with a retention period of at least 365 days for Azure Kubernetes Service |
Azure - Kubernetes & Containers | Azure Container Registry (ACR) | Ensure that credentials of service principal used for Container Registry are stored in Key Vault |
Azure - Kubernetes & Containers | Azure Container Registry (ACR) | Ensure that Container Registry has latest/patched image(s) all the time |
Azure - Kubernetes & Containers | Azure Container Registry (ACR) | Ensure that Activity logs for Data Container Registry are reviewed periodically |
Azure - Kubernetes & Containers | Azure Container Registry (ACR) | Ensure that only signed images are pushed to Container Registry |
Azure - Kubernetes & Containers | Azure Container Registry (ACR) | Ensure that a service principal is used to access container images in Container Registry |
Azure - Kubernetes & Containers | Azure Container Registry (ACR) | Ensure that all users/identities are granted minimum required permissions on Container Registry using Role Based Access Control (RBAC) |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that management ports are not kept open on Kubernetes nodes unless required |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that cluster admin level access is not directly or indirectly granted to developers |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that container images (including nested images) deployed in Kubernetes are from a trustworthy source |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that default cluster namespace is not used to deploy applications |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that all Kubernetes Service secrets are stored in Key Vault |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that all the Kubernetes cluster nodes have all the required OS patches installed |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that Pod Identity is used for accessing other AAD(Azure Active Directory)-protected resources from the Kubernetes Service |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that issues/recommendations provided by kube advisor are reviewed periodically |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that data in transit inside and across Kubernetes uses an encrypted channel |
Azure - Kubernetes & Containers | Azure Kubernetes Service (AKS) | Ensure that all users/identities are granted minimum required permissions on Kubernetes Cluster using Role Based Access Control (RBAC) |
Azure - Logging and Auditing | Web App | Ensure that 'Availability Web Tests' are configured for Azure Web Apps |
Azure - Logging and Auditing | Azure Monitor | Ensure that a Log Profile exists for Azure Monitor |
Azure - Logging and Auditing | Azure Monitor | Ensure that retention period is set to 365 days or greater for Activity Logs |
Azure - Logging and Auditing | Azure Monitor | Ensure that Activity Log Alert exists for Create Policy Assignment |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Create or Update Network Security Group |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Delete Network Security Group |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Create or Update Network Security Group Rule |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Delete Network Security Group Rule |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Create or Update Security Solution |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Delete Security Solution |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Create or Update SQL Server Firewall Rule |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Delete SQL Server Firewall Rule |
Azure - Logging and Auditing | Azure Monitor | Ensure Activity Log Alert exists for Update Security Policy |
Azure - Logging and Auditing | Key Vault | Ensure that Logging is enabled for Azure Key Vault |
Azure - Logging and Auditing | Web App | Ensure that Auditing and Monitoring is enabled for App Service |
Azure - Logging and Auditing | Mobile App | Ensure that Auditing and Monitoring is enabled for Mobile App |
Azure - Logging and Auditing | API App | Ensure that Auditing and Monitoring is enabled for API App |
Azure - Logging and Auditing | Function App | Ensure that Auditing and Monitoring is enabled for Function App |
Azure - Logging and Auditing | Log Analytics | Ensure that data retention period is set to 365 days or longer for Log Analytics |
Azure - Logging and Auditing | Azure Monitor | Ensure Audit Profile captures all the Activities |
Azure - Logging and Auditing | Azure Monitor | Ensure Log Profile captures activity logs for all Regions including global |
Azure - Logging and Auditing | Storage Account | Ensure Storage Container storing activity logs is not Publicly accessible |
Azure - Logging and Auditing | Storage Account | Ensure the storage account containing the container with activity logs is encrypted with BYOK |
Azure - Logging and Auditing | Cosmos DB | Ensure that 'Geo replication' is enabled for Cosmos DB |
Azure - Logging and Auditing | SQL Database | Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL database |
Azure - Logging and Auditing | SQL Server | Ensure that periodic recurring scans are enabled for SQL Server |
Azure - Logging and Auditing | SQL Server | Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL Server |
Azure - Logging and Auditing | SQL Server | Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL Server |
Azure - Logging and Auditing | SQL Server | Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL Server |
Azure - Logging and Auditing | SQL Database | Ensure that 'Advanced Data Security' on a SQL database is set to 'On' |
Azure - Logging and Auditing | SQL Database | Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL database |
Azure - Logging and Auditing | SQL Server | Ensure that 'Send scan reports to' is set for SQL Server |
Azure - Networking | Virtual Network (VNET) | Ensure that inbound and outbound traffic rules are configured for Subnets by associating NSGs to Subnets |
Azure - Networking | Network Security Groups (NSG) | Ensure that a DenyAll rule is configured for all NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that RDP access from the internet is restricted on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that SSH access from the internet is restricted on NSGs |
Azure - Networking | Network Watcher | Ensure that Network Watcher is 'Enabled' |
Azure - Networking | SQL Server | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) |
Azure - Networking | Virtual Network (VNET) | Ensure that DDOS protection is enabled for Virtual Network |
Azure - Networking | Network Security Groups (NSG) | Ensure that Flow Log Status is set to On for Network Security Groups |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'Known internal web port' (TCP:8000) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'Known internal web port' (TCP:8080) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'NetBIOS Name Service' (UDP:137) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'NetBIOS Datagram Service' (UDP:138) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'NetBIOS Datagram Service' (UDP:139) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'SNMP' (UDP:161) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'CiscoSecure, websm' (TCP:9090) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'Cassandra' (TCP:7001) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'MSSQL Server' (TCP:1433) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'MySQL' (TCP:3306) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'PostgreSQL' (TCP:5432) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'SQL Server Analysis Services' (TCP:2383) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Cassandra Client (TCP:9042) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Cassandra Internode Communication (TCP:7000) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Cassandra Monitoring (TCP:7199) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Cassandra OpsCenter Monitoring (TCP:61620) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Cassandra OpsCenter Website (TCP:8888) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Cassandra Thrift (TCP:9160) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Elasticsearch (TCP:9200) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Elasticsearch (TCP:9300) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to LDAP (UDP:389) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Memcached (TCP:11211) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Memcached (UDP:11211) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Mongo (TCP:27017) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Oracle DB (TCP:1521) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Oracle DB (TCP:2483) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Oracle DB (UDP:2483) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Redis (TCP:6379) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Remote Desktop (TCP:3389) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to SSH (TCP:22) is restricted from the public internet on NSGs |
Azure - Networking | Network Interface Card (NIC) | Ensure that fewer than 3 public IPs (i.e. NICs with a public IP) are used for a Virtual Network |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to Bitcoin ports (TCP:8332 and 8333) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to the Ethereum port (TCP:8545) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to 'POP3' (TCP:110) is restricted from the public internet on NSGs |
Azure - Networking | Network Security Groups (NSG) | Ensure that ingress traffic to SMTP (TCP:25) is restricted from the public internet on NSGs |
Azure - Security Center | Azure Security Center (ASC) | Ensure that AAD authentication in Service Fabric is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that AAD authentication in SQL server is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Adaptive Application Whitelisting is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that Automatic Provisioning of monitoring agent is set to On in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that Cluster Protection level in Service Fabric is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Batch Account is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Data Lake Analytics is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Data Lake Store is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Event Hub is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Key Vault is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Logic Apps is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Redis Cache is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Search Service is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Service Bus is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Virtual Machine Scale Sets is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in Stream Analytics is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'Disable unrestricted network access to storage account' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of disk encryption is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'Designate up to 3 subscription owners' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'Designate more than one subscription owner' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that MFA is enabled for all subscription accounts with owner permissions in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that MFA is enabled for all subscription accounts with read permissions in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that MFA is enabled for all subscription accounts with write permissions in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'Deprecated accounts should be removed from subscription' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'Deprecated accounts with owner permissions should be removed from subscription' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'External accounts with owner permissions should be removed from subscription' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'External accounts with read permissions should be removed from subscription' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'External accounts with write permissions should be removed from subscription' is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of metric alerts in Batch account is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of namespace authorization rules in Service Bus is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of network security groups is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of next generation firewall is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of OS vulnerabilities is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of secure transfer to storage account is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that security contact email is provided in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that security contact phone number is provided in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that alert notification is set to On in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that 'Send email also to subscription owners' is set to On in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of SQL auditing is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that SQL DB Vulnerability Assessment is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of SQL encryption is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of storage blob encryption is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that the Standard pricing tier is selected in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of system updates is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of web application firewall is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that vulnerability assessment is set to enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of SQL managed instances without Advanced Data Security is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of permissive network access to app-services is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that all Advanced Threat Protection types on SQL managed instances are enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of SQL servers without Advanced Data Security is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of access rules in Event Hub namespaces is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that all Advanced Threat Protection types on SQL servers are enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of auditing policy Action-Groups and Actions setting is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of the use of HTTPS in API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of using built-in RBAC rules is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that audit monitoring of SQL Servers is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Kubernetes Services without authorized IP ranges is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of access rules in Event Hubs is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of CORS restrictions for API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Automation Account Encryption is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of CORS restrictions for Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of CORS restrictions for Function App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostics logs in selective app services is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of DDoS protection for virtual network is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that endpoint protection monitoring for virtual machine scale sets is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostic logs in IoT Hubs is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of the use of HTTPS in function app is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of 'Send alerts to' in SQL server Advanced Data Security settings is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of just-in-time network access is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of IP forwarding on virtual machines is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of IP restrictions for API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Open Management Ports on virtual machines is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of IP restrictions for Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of IP restrictions for Function App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of web sockets for API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of diagnostics logs in App Services is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of web sockets for Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of web sockets for Function App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of custom domain use in API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Endpoint Protection is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of custom domain use in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of custom domain use in Function App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of .NET version in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of .NET version in API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Java version in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Java version in API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of PHP version in API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Node.js version in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Python version in API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of PHP version in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Internet-facing VM for NSG traffic hardening is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Python version in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of NSG for virtual machines is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of NSG for Subnet is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Kubernetes Services without pod security policy is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of remote debugging for API App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of remote debugging for Function App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of remote debugging for Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days for Batch accounts is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Azure Search service is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Data Lake Analytics is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Data Lake Store accounts is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Event Hub accounts is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in IoT Hub accounts is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Key Vault vaults is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Logic Apps workflows is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Service Bus is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that required diagnostic logs retention period in days in Stream Analytics is set in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of Kubernetes Services without RBAC is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of sensitive data classification on SQL databases is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of SQL managed instances alerts being sent to admins and subscription owners is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of classic storage accounts migration to ARM is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that reporting of system updates in virtual machine scale sets is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of unencrypted SQL databases is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of classic virtual machines is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that OS vulnerabilities monitoring for virtual machine scale sets is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that the detection of VM vulnerabilities by a Vulnerability Assessment solution is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that Vulnerability Assessment on your SQL managed instances is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that Vulnerability Assessment on your SQL servers is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that monitoring of the use of HTTPS in Web App is enabled in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that vulnerabilities in container security configurations are remediated in ASC |
Azure - Security Center | Azure Security Center (ASC) | Ensure that Kubernetes Services are upgraded to a non-vulnerable Kubernetes version in ASC |
Azure - Storage and Databases | Storage Account | Ensure that encryption is enabled for Azure Storage Service |
Azure - Storage and Databases | SQL Database | Ensure that 'Data encryption' is set to 'On' for SQL Databases |
Azure - Storage and Databases | SQL Database | Ensure that 'Auditing' is set to 'On' for SQL Databases |
Azure - Storage and Databases | SQL Server | Ensure that 'Auditing' is set to 'On' for SQL Server |
Azure - Storage and Databases | Storage Account | Ensure that 'Secure transfer required' is 'Enabled' for Storage Account |
Azure - Storage and Databases | SQL Server | Ensure that 'Threat Detection types' is set to 'All' for SQL Server |
Azure - Storage and Databases | Storage Account | Ensure that 'Storage service encryption' is set to Enabled for File Service |
Azure - Storage and Databases | Storage Account | Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Azure - Storage and Databases | Storage Account | Ensure that 'Geo-redundant' is enabled for Azure Storage |
Azure - Storage and Databases | Storage Account | Ensure that 'Public access level' is set to Private for Blob Containers |
Azure - Storage and Databases | SQL Server | Ensure that firewall rules are set as appropriate for SQL Servers |
Azure - Storage and Databases | SQL Database | Ensure that 'Threat Detection types' is set to 'All' for SQL Databases |
Azure - Storage and Databases | SQL Server | Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Server |
Azure - Storage and Databases | SQL Server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers |
Azure - Storage and Databases | SQL Server | Ensure that Azure Active Directory Admin is configured for SQL Server |
Azure - Storage and Databases | SQL Server | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' |
Azure - Storage and Databases | SQL Database | Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Databases |
Azure - Storage and Databases | SQL Database | Ensure that 'Geo replication' is enabled for SQL Databases |
Azure - Storage and Databases | SQL Database | Ensure that 'Data Masking' is enabled for SQL Databases |
Azure - Storage and Databases | SQL Database | Ensure that DataProfile tag has been applied for SQL Databases |
Azure - Storage and Databases | SQL Database | Ensure that Diagnostics is enabled for SQL Databases |
Azure - Storage and Databases | Storage Account | Ensure that DataProfile tag has been applied for Azure Storage |
Azure - Storage and Databases | SQL Server | Ensure that DataProfile tag has been applied for SQL DB Servers |
Azure - Storage and Databases | Azure Synapse Analytics | Ensure that threat detection is enabled for SQL Data Warehouse |
Azure - Storage and Databases | Azure Synapse Analytics | Ensure that firewall is enabled for SQL Data Warehouse |
Azure - Storage and Databases | Azure Synapse Analytics | Ensure that encryption is enabled for SQL Data Warehouse |
Azure - Storage and Databases | Azure Synapse Analytics | Ensure that auditing is enabled for SQL Data Warehouse |
Azure - Storage and Databases | Cosmos DB | Ensure that failover is enabled for Cosmos DB |
Azure - Storage and Databases | Cosmos DB | Ensure that firewall is enabled for Cosmos DB |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
Azure - Storage and Databases | Storage Account | Ensure default network access rule for Storage Accounts is set to deny |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
Azure - Storage and Databases | Azure Database for PostgreSQL server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Azure - Storage and Databases | SQL Server | Ensure SQL server's TDE protector is encrypted with BYOK |
Azure - Storage and Databases | Storage Account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
Azure - Storage and Databases | Azure Database for MySQL server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
Azure - Storage and Databases | SQL Server | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly |
Azure - Storage and Databases | SQL Server | Ensure the 'Allow access to Azure services' flag is disabled for SQL Server |
Azure - Storage and Databases | SQL Database | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Database |
Azure - Storage and Databases | Storage Account | Ensure Advanced Threat Protection is enabled for Storage Accounts |
Azure - Storage and Databases | Cosmos DB | Ensure that 'Eventual' consistency is disabled for Cosmos DB |
Azure - Storage and Databases | Azure Data Lake Storage Gen 1 | Ensure that firewall is enabled for Azure Data Lake Storage Gen1 |
Azure - Storage and Databases | Azure Data Lake Storage Gen 1 | Ensure that diagnostics log is enabled for Azure Data Lake Storage Gen1 |
Azure - Storage and Databases | Azure Data Lake Storage Gen 1 | Ensure that encryption of sensitive data is enabled for Azure Data Lake Storage Gen1 |
Azure - Storage and Databases | SQL Database | Ensure that 'Send scan reports to' is set for SQL database |
Azure - Storage and Databases | SQL Database | Ensure that periodic recurring scans is enabled for SQL database |
Azure - Storage and Databases | Storage Account | Ensure that shared access signature tokens are allowed only over HTTPS |
Azure - Storage and Databases | SQL Database | Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL database |
Azure - Storage and Databases | Storage Account | Ensure that shared access signature tokens expire within an hour |
Azure - Storage and Databases | Storage Account | Ensure Storage logging is enabled for Queue service for read, write, and delete requests |
Azure - Storage and Databases | Storage Account | Ensure that storage account access keys are periodically regenerated |
Azure - Storage and Databases | Azure Databricks | Ensure that secrets and keys are not stored in plain text in notebooks and jobs |
Azure - Storage and Databases | Azure Databricks | Ensure that an Azure Key Vault-backed secret scope is used to hold secrets |
Azure - Storage and Databases | Azure Databricks | Ensure that all users/identities are granted only the minimum required permissions using Role Based Access Control (RBAC) |
Azure - Storage and Databases | Azure Databricks | Ensure that the number of workspace admins is minimized |
Azure - Storage and Databases | Azure Databricks | Ensure that all users are granted only the minimum required permissions on clusters |
Azure - Storage and Databases | Cosmos DB | Ensure that parameterized SQL queries are used to access the database |
Azure - Storage and Databases | Cosmos DB | Ensure that Cosmos DB account keys are rotated periodically |
Azure - Storage and Databases | Cosmos DB | Ensure that resource tokens are generated with the least privilege and shortest expiry needed by clients |
Azure - Storage and Databases | Cosmos DB | Ensure that resource tokens with read-write (RW) permission are not sent to untrusted clients |
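The NSG ingress rows in the Networking section above (MongoDB, Oracle DB, Redis, Remote Desktop, SSH, Bitcoin, Ethereum, POP3, SMTP) all reduce to one question: does the first inbound rule that matches traffic from an unrestricted source to that port allow it? The Python below is an added example, not Cloudneeti's own check and not code from this page. It evaluates an NSG the way Azure does (ascending priority number, first match wins, Azure's three default inbound rules appended) against a constructed NSG document shaped like `az network nsg show` output. The NSG name, its rules and the `PUBLIC_SOURCES` token set are assumptions made for illustration.

```python
"""Flag NSG inbound rules that expose sensitive ports to the public internet (added example)."""
import json

# (protocol, port, service) pairs taken from the Networking policy rows above.
SENSITIVE_PORTS = [
    ("Tcp", 27017, "MongoDB"), ("Tcp", 1521, "Oracle DB"), ("Tcp", 2483, "Oracle DB"),
    ("Udp", 2483, "Oracle DB"), ("Tcp", 6379, "Redis"), ("Tcp", 3389, "Remote Desktop"),
    ("Tcp", 22, "SSH"), ("Tcp", 8332, "Bitcoin"), ("Tcp", 8333, "Bitcoin"),
    ("Tcp", 8545, "Ethereum"), ("Tcp", 110, "POP3"), ("Tcp", 25, "SMTP"),
]

# Source prefixes treated as "anywhere on the internet" (assumption: CIS-style tokens only).
PUBLIC_SOURCES = {"*", "internet", "any", "0.0.0.0", "0.0.0.0/0", "/0", "::/0"}

# Azure's implicit default inbound rules; DenyAllInBound (65500) terminates every evaluation.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _values(rule, singular, plural):
    """Return the list form of a rule property that Azure stores as singular or plural."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return vals


def port_in_range(port, spec):
    """True if `port` falls inside a destinationPortRange spec: '*', '22' or '6000-7000'."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_matches(rule, proto, port):
    """True if an inbound packet from an arbitrary internet source to proto/port hits this rule."""
    if rule.get("direction", "Inbound").lower() != "inbound":
        return False
    rule_proto = rule.get("protocol", "*")
    if rule_proto != "*" and rule_proto.lower() != proto.lower():
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    if not any(src.lower() in PUBLIC_SOURCES for src in sources):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return any(port_in_range(port, p) for p in ports)


def first_matching_rule(rules, proto, port):
    """First-match-wins evaluation in ascending priority order, default rules included."""
    ordered = sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: int(r["priority"]))
    for rule in ordered:
        if rule_matches(rule, proto, port):
            return rule
    return None  # unreachable: DenyAllInBound matches every inbound packet


def exposed_ports(nsg):
    """Return [(service, proto, port, rule_name)] for sensitive ports reachable from the internet."""
    findings = []
    for proto, port, service in SENSITIVE_PORTS:
        rule = first_matching_rule(nsg.get("securityRules", []), proto, port)
        if rule["access"].lower() == "allow":
            findings.append((service, proto, port, rule["name"]))
    return findings


# Constructed sample NSG (names and prefixes are placeholders, not a real deployment).
SAMPLE_NSG = json.loads("""
{
  "name": "web-nsg",
  "securityRules": [
    {"name": "deny-rdp-from-anywhere", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-from-bastion", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22"},
    {"name": "allow-mgmt-from-internet", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-db-range", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "6000-7000"}
  ]
}
""")

if __name__ == "__main__":
    for service, proto, port, rule in exposed_ports(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: {service} {proto}:{port} is open to the internet via '{rule}'")
```

Two things the sample is built to show: the explicit deny on 3389 at priority 100 shadows the later `Internet` allow, so RDP is reported closed, while Redis is reported open even though no rule names port 6379, because the `6000-7000` range covers it. Two caveats for anyone turning this into a real check: only the wildcard source tokens count as public here, so a rule scoped to a specific public /24 is treated as restricted, and an NSG evaluated on its own can over-report, since a packet must be allowed by both the subnet NSG and the NIC NSG to reach the VM.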
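For the two shared access signature rows above (tokens allowed only over HTTPS, tokens expiring within an hour), here is an added example, again not the page's or Cloudneeti's code: it parses a storage SAS given as a full URL or a bare query string and reports which of the two policies the token violates. The sample tokens, the hostname and the `sig=REDACTED` values are constructed for illustration; `MAX_LIFETIME` is the one-hour bound the policy states.

```python
"""Evaluate a storage account SAS token against the HTTPS-only and one-hour-expiry policies."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)  # the bound stated by the policy row above


def parse_sas(sas):
    """Accept a full SAS URL or a bare query string; return the SAS fields as a dict."""
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _parse_time(value):
    """SAS times are ISO 8601 UTC ('2024-05-01T10:00:00Z'); a date-only value is treated as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_sas(sas, now=None):
    """Return the list of policy violations for a SAS token; an empty list means it passes.

    `now` is an optional ISO 8601 UTC timestamp used as the start of the lifetime when the
    token carries no signed start time (st); it defaults to the current time.
    """
    fields = parse_sas(sas)
    problems = []

    # Policy 1: the signed protocol (spr) must be exactly 'https'. A missing spr or the
    # value 'https,http' both let the token be presented over plain HTTP.
    if fields.get("spr") != "https":
        problems.append("token is usable over plain HTTP (spr is not 'https')")

    # Policy 2: expiry (se) must lie within one hour of the start of the token's validity.
    if "se" not in fields:
        problems.append("token has no expiry (se)")
    else:
        expiry = _parse_time(fields["se"])
        if "st" in fields:
            start = _parse_time(fields["st"])
        elif now is not None:
            start = _parse_time(now)
        else:
            start = datetime.now(timezone.utc)
        lifetime = expiry - start
        if lifetime > MAX_LIFETIME:
            problems.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME}")
    return problems


# Constructed sample tokens (hostname, dates and signatures are placeholders, not real SAS values).
GOOD_SAS = ("https://example.blob.core.windows.net/logs/app.log"
            "?sv=2022-11-02&sp=r&st=2024-05-01T10:00:00Z&se=2024-05-01T10:45:00Z&spr=https&sig=REDACTED")
BAD_SAS = ("sv=2022-11-02&ss=b&srt=sco&sp=rwdlac"
           "&st=2024-05-01T10:00:00Z&se=2025-05-01T10:00:00Z&spr=https,http&sig=REDACTED")
NO_START_SAS = "sv=2022-11-02&sp=r&se=2024-05-01T10:30:00Z&spr=https&sig=REDACTED"

if __name__ == "__main__":
    for label, token in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, check_sas(token) or "passes both checks")
```

The `BAD_SAS` sample fails both checks at once: `spr=https,http` is the Azure portal's "HTTPS and HTTP" option, and a one-year `se` on an account SAS with `sp=rwdlac` is a credential that cannot be revoked except by regenerating the account key, which is the reason the key-rotation row above sits next to these two.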