# Azure.GA_2024_03

Warning: This baseline is obsolete. Consider switching to a newer baseline.

Include rules released March 2024 or prior for Azure GA features.

## Rules

The following rules are included within the Azure.GA_2024_03 baseline.

This baseline includes a total of 393 rules.
Name | Synopsis | Severity |
---|---|---|
Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical |
Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | Critical |
Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | Important |
Azure.ACR.Firewall | Container Registry without restrictions can be accessed from any network location including the Internet. | Important |
Azure.ACR.GeoReplica | Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start. | Important |
Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | Important |
Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness |
Azure.ACR.Usage | Regularly remove deprecated and unneeded images to reduce storage usage. | Important |
Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important |
Azure.ADX.SLA | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important |
Azure.ADX.Usage | Regularly remove unused resources to reduce costs. | Important |
Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important |
Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | Important |
Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | Important |
Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
Azure.AKS.AutoScaling | Use autoscaling to scale clusters based on workload requirements. | Important |
Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | Important |
Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | Important |
Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | Important |
Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important |
Azure.AKS.DefenderProfile | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | Important |
Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness |
Azure.AKS.EphemeralOSDisk | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | Important |
Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | Important |
Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
Azure.AKS.MinNodeCount | AKS clusters should have a minimum number of system nodes for failover and updates. | Important |
Azure.AKS.MinUserPoolNodes | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important |
Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness |
Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may permit unauthorized lateral movement. | Important |
Azure.AKS.NodeMinPods | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important |
Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important |
Azure.AKS.PoolScaleSet | Deploy AKS clusters with node pools based on VM scale sets. | Important |
Azure.AKS.PoolVersion | AKS node pools should match Kubernetes control plane version. | Important |
Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important |
Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important |
Azure.AKS.StandardLB | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important |
Azure.AKS.UptimeSLA | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important |
Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important |
Azure.AKS.Version | AKS control plane and node pools should use a current stable release. | Important |
Azure.APIM.APIDescriptors | APIs should have a display name and description. | Awareness |
Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important |
Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
Azure.APIM.CORSPolicy | Avoid using wildcard for any configuration option in CORS policies. | Important |
Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical |
Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important |
Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical |
Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.APIM.MinAPIVersion | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important |
Azure.APIM.MultiRegionGateway | API Management instances should have multi-region deployment gateways enabled. | Important |
Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness |
Azure.APIM.PolicyBase | Base element for any policy element in a section should be configured. | Important |
Azure.APIM.ProductApproval | Configure products to require approval. | Important |
Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness |
Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important |
Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
Azure.APIM.SampleProducts | API Management Services with default products configured may expose more APIs than intended. | Awareness |
Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important |
Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important |
Azure.AppConfig.GeoReplica | Replicate app configuration store across all points of presence for an application. | Important |
Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness |
Azure.AppConfig.PurgeProtect | Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. | Important |
Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important |
Azure.AppGw.AvailabilityZone | Application Gateway (App Gateway) should use availability zones in supported regions for improved resiliency. | Important |
Azure.AppGw.MigrateV2 | Use an Application Gateway v2 SKU. | Important |
Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important |
Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | Important |
Azure.AppGw.Name | Application Gateways should meet naming requirements. | Awareness |
Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important |
Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical |
Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
Azure.AppGw.UseWAF | Internet accessible Application Gateways should protect endpoints with WAF. | Critical |
Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important |
Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical |
Azure.AppGwWAF.PreventionMode | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.AppGwWAF.RuleGroups | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.AppInsights.Name | Azure Application Insights resources names should meet naming requirements. | Awareness |
Azure.AppInsights.Workspace | Configure Application Insights resources to store data in a workspace. | Important |
Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important |
Azure.AppService.ARRAffinity | Disable client affinity for stateless services. | Awareness |
Azure.AppService.HTTP2 | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness |
Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.AppService.MinPlan | Use at least a Standard App Service Plan. | Important |
Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical |
Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | Important |
Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important |
Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | Important |
Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.AppService.WebProbe | Configure and enable instance health probes. | Important |
Azure.AppService.WebProbePath | Configure a dedicated path for health probe requests. | Important |
Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important |
Azure.ASE.MigrateV3 | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important |
Azure.ASG.Name | Application Security Group (ASG) names should meet naming requirements. | Awareness |
Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important |
Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important |
Azure.Automation.PlatformLogs | Ensure automation account platform diagnostic logs are enabled. | Important |
Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness |
Azure.Bastion.Name | Bastion hosts should meet naming requirements. | Awareness |
Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | Important |
Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness |
Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |
Azure.CDN.UseFrontDoor | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important |
Azure.ContainerApp.APIVersion | Migrate from retired API version to a supported version. | Important |
Azure.ContainerApp.DisableAffinity | Disable session affinity to prevent unbalanced distribution. | Awareness |
Azure.ContainerApp.ExternalIngress | Limit inbound communication for Container Apps to callers within the Container Apps Environment. | Important |
Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important |
Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important |
Azure.ContainerApp.Name | Container Apps should meet naming requirements. | Awareness |
Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | Important |
Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | Important |
Azure.ContainerApp.Storage | Use Azure Files volume mounts to persist container data. | Awareness |
Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | Awareness |
Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management plane operations in Azure Cosmos DB. | Important |
Azure.Databricks.PublicAccess | Azure Databricks workspaces should disable public network access. | Critical |
Azure.Databricks.SecureConnectivity | Use Databricks workspaces configured for secure cluster connectivity. | Critical |
Azure.Databricks.SKU | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical |
Azure.DataFactory.Version | Consider migrating to DataFactory v2. | Awareness |
Azure.Defender.Api | Enable Microsoft Defender for APIs. | Critical |
Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical |
Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical |
Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical |
Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical |
Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical |
Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical |
Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical |
Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical |
Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical |
Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | Critical |
Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical |
Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
Azure.DefenderCloud.Provisioning | Enable auto-provisioning to improve Microsoft Defender for Cloud insights. | Important |
Azure.Deployment.AdminUsername | A sensitive property set from deterministic or hardcoded values is not secure. | Awareness |
Azure.Deployment.Name | Nested deployments should meet naming requirements of deployments. | Awareness |
Azure.Deployment.OuterSecret | Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. | Critical |
Azure.Deployment.OutputSecretValue | Outputting a sensitive value from deployment may leak secrets into deployment history or logs. | Critical |
Azure.Deployment.SecureParameter | Sensitive parameters that have not been marked as secure may leak the secret into deployment history or logs. | Critical |
Azure.DevBox.ProjectLimit | Limit the number of Dev Boxes a single user can create for a project. | Important |
Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important |
Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important |
Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important |
Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important |
Azure.EventHub.MinTLS | Event Hub namespaces should reject TLS versions older than 1.2. | Critical |
Azure.EventHub.Usage | Regularly remove unused resources to reduce costs. | Important |
Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical |
Azure.Firewall.Name | Firewall names should meet naming requirements. | Awareness |
Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | Critical |
Azure.Firewall.PolicyName | Firewall policy names should meet naming requirements. | Awareness |
Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | Important |
Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important |
Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness |
Azure.FrontDoor.Probe | Use health probes to check the health of each backend. | Important |
Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD requests to reduce performance overhead. | Important |
Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important |
Azure.FrontDoor.State | Enable Azure Front Door Classic instance. | Important |
Azure.FrontDoor.UseCaching | Use caching to reduce retrieving contents from origins. | Important |
Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness |
Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical |
Azure.FrontDoorWAF.PreventionMode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.Identity.UserAssignedName | Managed Identity names should meet naming requirements. | Awareness |
Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
Azure.KeyVault.AccessPolicy | Use the principal of least privilege when assigning access to Key Vault. | Important |
Azure.KeyVault.AutoRotationPolicy | Key Vault keys should have auto-rotation enabled. | Important |
Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | Important |
Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | Awareness |
Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness |
Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important |
Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | Awareness |
Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important |
Azure.LB.AvailabilityZone | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important |
Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness |
Azure.LB.Probe | Use a specific probe for web protocols. | Important |
Azure.LB.StandardSKU | Load balancers should be deployed with Standard SKU for production workloads. | Important |
Azure.LogicApp.LimitHTTPTrigger | Logic Apps using HTTP triggers without restrictions can be accessed from any network location including the Internet. | Critical |
Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.MariaDB.DatabaseName | Azure Database for MariaDB databases should meet naming requirements. | Awareness |
Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important |
Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.MariaDB.FirewallRuleName | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness |
Azure.MariaDB.GeoRedundantBackup | Azure Database for MariaDB should store backups in a geo-redundant storage. | Important |
Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical |
Azure.MariaDB.ServerName | Azure Database for MariaDB servers should meet naming requirements. | Awareness |
Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical |
Azure.MariaDB.VNETRuleName | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness |
Azure.ML.ComputeIdleShutdown | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical |
Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical |
Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical |
Azure.ML.PublicAccess | Disable public network access from an Azure Machine Learning workspace. | Critical |
Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important |
Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | Important |
Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical |
Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important |
Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.MySQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important |
Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.MySQL.GeoRedundantBackup | Azure Database for MySQL should store backups in a geo-redundant storage. | Important |
Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | Awareness |
Azure.MySQL.UseFlexible | Use Azure Database for MySQL Flexible Server deployment model. | Important |
Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |
Azure.NIC.Attached | Network interfaces (NICs) that are not used should be removed. | Awareness |
Azure.NIC.Name | Network Interface (NIC) names should meet naming requirements. | Awareness |
Azure.NIC.UniqueDns | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness |
Azure.NSG.AKSRules | AKS Network Security Group (NSG) should not have custom rules. | Awareness |
Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical |
Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | Awareness |
Azure.NSG.DenyAllInbound | When all inbound traffic is denied, some functions that affect the reliability of your service may not work as expected. | Important |
Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important |
Azure.NSG.Name | Network Security Group (NSG) names should meet naming requirements. | Awareness |
Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | Awareness |
Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | Awareness |
Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | Awareness |
Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | Awareness |
Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | Awareness |
Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical |
Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | Important |
Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.PostgreSQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important |
Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.PostgreSQL.GeoRedundantBackup | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important |
Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | Awareness |
Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |
Azure.PrivateEndpoint.Name | Private Endpoint names should meet naming requirements. | Awareness |
Azure.PublicIP.AvailabilityZone | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important |
Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | Awareness |
Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | Important |
Azure.PublicIP.MigrateStandard | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important |
Azure.PublicIP.Name | Public IP names should meet naming requirements. | Awareness |
Azure.PublicIP.StandardSKU | The basic SKU is being retired on 30 September 2025, and does not include several reliability and security features. | Important |
Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
Azure.RBAC.LimitMGDelegation | Limit Role-Based Access Control (RBAC) inheritance from Management Groups. | Important |
Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | Important |
Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |
Azure.Redis.AvailabilityZone | Premium Redis cache should be deployed with availability zones for high availability. | Important |
Azure.Redis.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical |
Azure.Redis.FirewallRuleCount | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness |
Azure.Redis.MaxMemoryReserved | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important |
Azure.Redis.MinSKU | Use Azure Cache for Redis instances of at least Standard C1. | Important |
Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |
Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | Critical |
Azure.Redis.Version | Azure Cache for Redis should use the latest supported version of Redis. | Important |
Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
Azure.RedisEnterprise.Zones | Enterprise Redis cache should be zone-redundant for high availability. | Important |
Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | Important |
Azure.Resource.UseTags | Azure resources should be tagged using a standard convention. | Awareness |
Azure.ResourceGroup.Name | Resource Group names should meet naming requirements. | Awareness |
Azure.Route.Name | Route table names should meet naming requirements. | Awareness |
Azure.RSV.Immutable | Ensure immutability is configured to protect backup data. | Important |
Azure.RSV.Name | Recovery Services vaults should meet naming requirements. | Awareness |
Azure.RSV.ReplicationAlert | Recovery Services Vaults (RSV) without replication alerts configured may be at risk. | Important |
Azure.RSV.StorageType | Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. | Important |
Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | Important |
Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.Search.Name | AI Search service names should meet naming requirements. | Awareness |
Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | Important |
Azure.Search.SKU | Use the basic and standard tiers for entry level workloads. | Critical |
Azure.ServiceBus.AuditLogs | Ensure namespace audit diagnostic logs are enabled. | Important |
Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important |
Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | Important |
Azure.ServiceBus.Usage | Regularly remove unused resources to reduce costs. | Important |
Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | Critical |
Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important |
Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | Awareness |
Azure.SignalR.SLA | Use SKUs that include an SLA when configuring SignalR Services. | Important |
Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical |
Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important |
Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important |
Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | Awareness |
Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | Important |
Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | Awareness |
Azure.SQL.FirewallIPRange | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important |
Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | Awareness |
Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical |
Azure.SQLMI.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. | Important |
Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | Important |
Azure.SQLMI.Name | SQL Managed Instance names should meet naming requirements. | Awareness |
Azure.Storage.BlobAccessType | Use containers configured with a private access type that requires authorization. | Important |
Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
Azure.Storage.ContainerSoftDelete | Enable container soft delete on Storage Accounts. | Important |
Azure.Storage.Defender.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | Critical |
Azure.Storage.FileShareSoftDelete | Enable soft delete on Storage Accounts file shares. | Important |
Azure.Storage.Firewall | Storage Accounts should only accept explicitly allowed traffic. | Important |
Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical |
Azure.Storage.Name | Storage Account names should meet naming requirements. | Awareness |
Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
Azure.Storage.SoftDelete | Enable blob soft delete on Storage Accounts. | Important |
Azure.Storage.UseReplication | Storage Accounts using the LRS SKU are only replicated within a single zone. | Important |
Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | Awareness |
Azure.Template.ExpressionLength | Template expressions should not exceed the maximum length. | Awareness |
Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to resource group location. | Awareness |
Azure.Template.LocationType | Location parameters should use a string value. | Important |
Azure.Template.MetadataLink | Configure a metadata link for each parameter file. | Important |
Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | Important |
Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | Important |
Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness |
Azure.Template.ParameterMinMaxValue | Template parameters minValue and maxValue constraints must be valid. | Important |
Azure.Template.ParameterScheme | Use an Azure template parameter file schema with the https scheme. | Awareness |
Azure.Template.ParameterStrongType | Set the parameter value to a value that matches the specified strong type. | Awareness |
Azure.Template.ParameterValue | Specify a value for each parameter in template parameter files. | Awareness |
Azure.Template.ResourceLocation | Resource locations should be an expression or global. | Awareness |
Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness |
Azure.Template.TemplateFile | Use ARM template files that are valid. | Important |
Azure.Template.TemplateSchema | Use a more recent version of the Azure template schema. | Awareness |
Azure.Template.TemplateScheme | Use an Azure template file schema with the https scheme. | Awareness |
Azure.Template.UseComments | Use comments for each resource in ARM template to communicate purpose. | Awareness |
Azure.Template.UseDescriptions | Use descriptions for each resource in generated template (bicep, psarm, AzOps) to communicate purpose. | Awareness |
Azure.Template.UseLocationParameter | Template should reference a location parameter to specify resource location. | Awareness |
Azure.TrafficManager.Endpoints | Traffic Manager should use at least two enabled endpoints. | Important |
Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important |
Azure.VM.AcceleratedNetworking | Use accelerated networking for supported operating systems and VM types. | Important |
Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
Azure.VM.Agent | Virtual Machines (VMs) without an agent provisioned are unable to use monitoring, management, and security extensions. | Important |
Azure.VM.AMA | Use Azure Monitor Agent for collecting monitoring data from VMs. | Important |
Azure.VM.ASAlignment | Use availability sets aligned with managed disks fault domains. | Important |
Azure.VM.ASMinMembers | Availability sets should be deployed with at least two virtual machines (VMs). | Important |
Azure.VM.ASName | Availability Set names should meet naming requirements. | Awareness |
Azure.VM.BasicSku | Virtual machines (VMs) should not use Basic sizes. | Important |
Azure.VM.ComputerName | Virtual Machine (VM) computer name should meet naming requirements. | Awareness |
Azure.VM.DiskAttached | Managed disks should be attached to virtual machines or removed. | Important |
Azure.VM.DiskCaching | Check disk caching is configured correctly for the workload. | Important |
Azure.VM.DiskName | Managed Disk names should meet naming requirements. | Awareness |
Azure.VM.DiskSizeAlignment | Align to the Managed Disk billing increments to improve cost efficiency. | Awareness |
Azure.VM.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important |
Azure.VM.Name | Virtual Machine (VM) names should meet naming requirements. | Awareness |
Azure.VM.PPGName | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness |
Azure.VM.PromoSku | Virtual machines (VMs) should not use expired promotional SKU. | Awareness |
Azure.VM.PublicKey | Linux virtual machines should use public keys. | Important |
Azure.VM.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important |
Azure.VM.ShouldNotBeStopped | Azure VMs should be running or in a deallocated state. | Important |
Azure.VM.SQLServerDisk | Use Premium SSD disks or greater for data and log files for production SQL Server workloads. | Important |
Azure.VM.Standalone | Use VM features to increase reliability and improve covered SLA for VM configurations. | Important |
Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
Azure.VM.UseHybridUseBenefit | Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. | Awareness |
Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |
Azure.VMSS.AMA | Use Azure Monitor Agent for collecting monitoring data from VM scale sets. | Important |
Azure.VMSS.ComputerName | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness |
Azure.VMSS.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important |
Azure.VMSS.Name | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness |
Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | Important |
Azure.VMSS.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important |
Azure.VNET.BastionSubnet | VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out-of-band remote access to VMs. | Important |
Azure.VNET.FirewallSubnet | Use Azure Firewall to filter network traffic to and from Azure resources. | Important |
Azure.VNET.LocalDNS | Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. | Important |
Azure.VNET.Name | Virtual Network (VNET) names should meet naming requirements. | Awareness |
Azure.VNET.PeerState | VNET peering connections must be connected. | Important |
Azure.VNET.SingleDNS | Virtual networks (VNETs) should have at least two DNS servers assigned. | Important |
Azure.VNET.SubnetName | Subnet names should meet naming requirements. | Awareness |
Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical |
Azure.VNG.ConnectionName | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness |
Azure.VNG.ERAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. | Important |
Azure.VNG.ERLegacySKU | Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. | Critical |
Azure.VNG.Name | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness |
Azure.VNG.VPNActiveActive | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important |
Azure.VNG.VPNAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with VPN gateway type. | Important |
Azure.VNG.VPNLegacySKU | Migrate from legacy SKUs to improve reliability and performance of VPN gateways. | Critical |
Azure.vWAN.Name | Virtual WAN (vWAN) names should meet naming requirements. | Awareness |
Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important |
Azure.WebPubSub.SLA | Use SKUs that include an SLA when configuring Web PubSub Services. | Important |