Skip to content

Azure.GA_2020_06#

Warning

This baseline is obsolete. Consider switching to a newer baseline.

Include rules released June 2020 or prior for Azure GA features.

Rules#

The following rules are included within the Azure.GA_2020_06 baseline.

This baseline includes a total of 136 rules.

Name Synopsis Severity
Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical
Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important
Azure.ACR.Name Container registry names should meet naming requirements. Awareness
Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness
Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important
Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important
Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness
Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important
Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important
Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important
Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important
Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important
Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important
Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important
Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important
Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical
Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important
Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.APIM.ProductApproval Configure products to require approval. Important
Azure.APIM.ProductSubscription Configure products to require a subscription. Important
Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical
Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness
Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important
Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important
Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important
Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical
Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical
Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical
Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical
Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important
Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness
Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important
Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical
Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important
Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important
Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important
Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness
Azure.CDN.HTTP Enforce HTTPS for client connections. Important
Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness
Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important
Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important
Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical
Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical
Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness
Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important
Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical
Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical
Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important
Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important
Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important
Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important
Azure.LB.Name Load Balancer names should meet naming requirements. Awareness
Azure.LB.Probe Use a specific probe for web protocols. Important
Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important
Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical
Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness
Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness
Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness
Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. Critical
Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness
Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important
Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important
Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness
Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness
Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical
Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness
Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important
Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness
Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important
Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important
Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important
Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important
Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important
Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical
Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important
Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness
Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness
Azure.Route.Name Route table names should meet naming requirements. Awareness
Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness
Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical
Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important
Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important
Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important
Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical
Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important
Azure.Storage.Name Storage Account names should meet naming requirements. Awareness
Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important
Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important
Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important
Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important
Azure.Template.TemplateFile Use ARM template files that are valid. Important
Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important
Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important
Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important
Azure.VM.ADE Use Azure Disk Encryption (ADE). Important
Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important
Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important
Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important
Azure.VM.ASName Availability Set names should meet naming requirements. Awareness
Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important
Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness
Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important
Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important
Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness
Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness
Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness
Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness
Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness
Azure.VM.PublicKey Linux virtual machines should use public keys. Important
Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important
Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important
Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness
Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important
Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness
Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness
Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important
Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness
Azure.VNET.PeerState VNET peering connections must be connected. Important
Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important
Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness
Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical
Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness
Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important
Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness
Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important
Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important