Azure.GA_2021_06#
Warning
This baseline is obsolete. Consider switching to a newer baseline.
Include rules released June 2021 or prior for Azure GA features.
Rules#
The following rules are included within the Azure.GA_2021_06 baseline.
This baseline includes a total of 199 rules.
| Name | Synopsis | Severity |
|---|---|---|
| Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical |
| Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | Critical |
| Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | Important |
| Azure.ACR.GeoReplica | Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start. | Important |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
| Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | Important |
| Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness |
| Azure.ACR.Usage | Regularly remove deprecated and unneeded images to reduce storage usage. | Important |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
| Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
| Azure.AKS.MinNodeCount | AKS clusters should have minimum number of system nodes for failover and updates. | Important |
| Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness |
| Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important |
| Azure.AKS.NodeMinPods | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important |
| Azure.AKS.PoolScaleSet | Deploy AKS clusters with nodes pools based on VM scale sets. | Important |
| Azure.AKS.PoolVersion | AKS node pools should match Kubernetes control plane version. | Important |
| Azure.AKS.StandardLB | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important |
| Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important |
| Azure.AKS.Version | AKS control plane and nodes pools should use a current stable release. | Important |
| Azure.APIM.APIDescriptors | APIs should have a display name and description. | Awareness |
| Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important |
| Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical |
| Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness |
| Azure.APIM.ProductApproval | Configure products to require approval. | Important |
| Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness |
| Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important |
| Azure.APIM.ProductTerms | Set legal terms for each product registered in API Management. | Important |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
| Azure.APIM.SampleProducts | Remove starter and unlimited sample products. | Awareness |
| Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness |
| Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important |
| Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important |
| Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | Important |
| Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important |
| Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important |
| Azure.AppInsights.Name | Azure Application Insights resources names should meet naming requirements. | Awareness |
| Azure.AppInsights.Workspace | Configure Application Insights resources to store data in a workspace. | Important |
| Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important |
| Azure.AppService.ARRAffinity | Disable client affinity for stateless services. | Awareness |
| Azure.AppService.HTTP2 | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AppService.MinPlan | Use at least a Standard App Service Plan. | Important |
| Azure.AppService.MinTLS | App Service should reject TLS versions older than 1.2. | Critical |
| Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | Important |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
| Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
| Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness |
| Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness |
| Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |
| Azure.DataFactory.Version | Consider migrating to DataFactory v2. | Awareness |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important |
| Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
| Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness |
| Azure.FrontDoor.Probe | Use health probes to check the health of each backend. | Important |
| Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD requests to reduce performance overhead. | Important |
| Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.FrontDoor.State | Enable Azure Front Door Classic instance. | Important |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
| Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness |
| Azure.KeyVault.AccessPolicy | Use the principal of least privilege when assigning access to Key Vault. | Important |
| Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | Awareness |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
| Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness |
| Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important |
| Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | Awareness |
| Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important |
| Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness |
| Azure.LB.Probe | Use a specific probe for web protocols. | Important |
| Azure.LogicApp.LimitHTTPTrigger | Limit HTTP request trigger access to trusted IP addresses. | Critical |
| Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | Important |
| Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | Awareness |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |
| Azure.NIC.Attached | Network interfaces (NICs) that are not used should be removed. | Awareness |
| Azure.NIC.Name | Network Interface (NIC) names should meet naming requirements. | Awareness |
| Azure.NIC.UniqueDns | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness |
| Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical |
| Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | Awareness |
| Azure.NSG.DenyAllInbound | When all inbound traffic is denied, some functions that affect the reliability of your service may not work as expected. | Important |
| Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important |
| Azure.NSG.Name | Network Security Group (NSG) names should meet naming requirements. | Awareness |
| Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | Awareness |
| Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | Awareness |
| Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | Awareness |
| Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | Awareness |
| Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | Awareness |
| Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | Awareness |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |
| Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | Awareness |
| Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | Important |
| Azure.PublicIP.Name | Public IP names should meet naming requirements. | Awareness |
| Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
| Azure.RBAC.LimitMGDelegation | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important |
| Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
| Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | Important |
| Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
| Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |
| Azure.Redis.MaxMemoryReserved | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important |
| Azure.Redis.MinSKU | Use Azure Cache for Redis instances of at least Standard C1. | Important |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |
| Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | Important |
| Azure.Resource.UseTags | Azure resources should be tagged using a standard convention. | Awareness |
| Azure.ResourceGroup.Name | Resource Group names should meet naming requirements. | Awareness |
| Azure.Route.Name | Route table names should meet naming requirements. | Awareness |
| Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | Important |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.Search.Name | AI Search service names should meet naming requirements. | Awareness |
| Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | Important |
| Azure.Search.SKU | Use the basic and standard tiers for entry level workloads. | Critical |
| Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | Critical |
| Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | Awareness |
| Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical |
| Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important |
| Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | Awareness |
| Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | Important |
| Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | Awareness |
| Azure.SQL.FirewallIPRange | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important |
| Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
| Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | Awareness |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
| Azure.SQLMI.Name | SQL Managed Instance names should meet naming requirements. | Awareness |
| Azure.Storage.BlobAccessType | Use containers configured with a private access type that requires authorization. | Important |
| Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
| Azure.Storage.MinTLS | Storage Accounts should reject TLS versions older than 1.2. | Critical |
| Azure.Storage.Name | Storage Account names should meet naming requirements. | Awareness |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
| Azure.Storage.SoftDelete | Enable blob soft delete on Storage Accounts. | Important |
| Azure.Storage.UseReplication | Storage Accounts using the LRS SKU are only replicated within a single zone. | Important |
| Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | Awareness |
| Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to resource group location. | Awareness |
| Azure.Template.LocationType | Location parameters should use a string value. | Important |
| Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | Important |
| Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | Important |
| Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness |
| Azure.Template.ParameterMinMaxValue | Template parameters minValue and maxValue constraints must be valid. | Important |
| Azure.Template.ResourceLocation | Resource locations should be an expression or global. | Awareness |
| Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness |
| Azure.Template.TemplateFile | Use ARM template files that are valid. | Important |
| Azure.Template.UseLocationParameter | Template should reference a location parameter to specify resource location. | Awareness |
| Azure.TrafficManager.Endpoints | Traffic Manager should use at lest two enabled endpoints. | Important |
| Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important |
| Azure.VM.AcceleratedNetworking | Use accelerated networking for supported operating systems and VM types. | Important |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
| Azure.VM.Agent | Ensure the VM agent is provisioned automatically. | Important |
| Azure.VM.ASAlignment | Use availability sets aligned with managed disks fault domains. | Important |
| Azure.VM.ASMinMembers | Availability sets should be deployed with at least two virtual machines (VMs). | Important |
| Azure.VM.ASName | Availability Set names should meet naming requirements. | Awareness |
| Azure.VM.BasicSku | Virtual machines (VMs) should not use Basic sizes. | Important |
| Azure.VM.ComputerName | Virtual Machine (VM) computer name should meet naming requirements. | Awareness |
| Azure.VM.DiskAttached | Managed disks should be attached to virtual machines or removed. | Important |
| Azure.VM.DiskCaching | Check disk caching is configured correctly for the workload. | Important |
| Azure.VM.DiskName | Managed Disk names should meet naming requirements. | Awareness |
| Azure.VM.DiskSizeAlignment | Align to the Managed Disk billing increments to improve cost efficiency. | Awareness |
| Azure.VM.Name | Virtual Machine (VM) names should meet naming requirements. | Awareness |
| Azure.VM.PPGName | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness |
| Azure.VM.PromoSku | Virtual machines (VMs) should not use expired promotional SKU. | Awareness |
| Azure.VM.PublicKey | Linux virtual machines should use public keys. | Important |
| Azure.VM.Standalone | Use VM features to increase reliability and improve covered SLA for VM configurations. | Important |
| Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
| Azure.VM.UseHybridUseBenefit | Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. | Awareness |
| Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |
| Azure.VMSS.ComputerName | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness |
| Azure.VMSS.Name | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness |
| Azure.VNET.LocalDNS | Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. | Important |
| Azure.VNET.Name | Virtual Network (VNET) names should meet naming requirements. | Awareness |
| Azure.VNET.PeerState | VNET peering connections must be connected. | Important |
| Azure.VNET.SingleDNS | Virtual networks (VNETs) should have at least two DNS servers assigned. | Important |
| Azure.VNET.SubnetName | Subnet names should meet naming requirements. | Awareness |
| Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical |
| Azure.VNG.ConnectionName | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness |
| Azure.VNG.ERLegacySKU | Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. | Critical |
| Azure.VNG.Name | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness |
| Azure.VNG.VPNActiveActive | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important |
| Azure.VNG.VPNLegacySKU | Migrate from legacy SKUs to improve reliability and performance of VPN gateways. | Critical |