Azure.MCSB.v1#
Experimental
This baseline is experimental and subject to change.
Rules for GA Azure features that align to the Microsoft Cloud Security Benchmark v1. This baseline is updated each release.
Controls#
The following rules are included within the Azure.MCSB.v1 baseline.
This baseline includes a total of 136 rules.
| Name | Synopsis | Severity |
|---|---|---|
| Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical |
| Azure.ACR.AnonymousAccess | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important |
| Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | Critical |
| Azure.ACR.Firewall | Container Registry without restrictions can be accessed from any network location including the Internet. | Important |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important |
| Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important |
| Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | Important |
| Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | Important |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
| Azure.AKS.AutoUpgrade | New versions of Kubernetes are released regularly. Upgrading each release manually can add operational overhead without realizing equivalent value. | Important |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important |
| Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | Important |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
| Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important |
| Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important |
| Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important |
| Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important |
| Azure.AKS.Version | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
| Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical |
| Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important |
| Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical |
| Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
| Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important |
| Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
| Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important |
| Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important |
| Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | Important |
| Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important |
| Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important |
| Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | Important |
| Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | Important |
| Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Cosmos.DisableLocalAuth | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical |
| Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important |
| Azure.Cosmos.PublicAccess | Azure Cosmos DB should have public network access disabled. | Critical |
| Azure.Defender.Api | Enable Microsoft Defender for APIs. | Critical |
| Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical |
| Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical |
| Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical |
| Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical |
| Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical |
| Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical |
| Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical |
| Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical |
| Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical |
| Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | Critical |
| Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical |
| Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important |
| Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | Critical |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important |
| Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important |
| Azure.EventHub.Firewall | Access to the namespace endpoints should be restricted to only allowed sources. | Critical |
| Azure.EventHub.MinTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical |
| Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | Critical |
| Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | Important |
| Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
| Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | Important |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
| Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical |
| Azure.ML.PublicAccess | Disable public network access from a Azure Machine Learning workspace. | Critical |
| Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important |
| Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical |
| Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |
| Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical |
| Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | Important |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |
| Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | Important |
| Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
| Azure.RBAC.LimitMGDelegation | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important |
| Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
| Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | Important |
| Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
| Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |
| Azure.Redis.EntraID | Use Entra ID authentication with cache instances. | Critical |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |
| Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | Critical |
| Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.RSV.Immutable | Ensure immutability is configured to protect backup data. | Important |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important |
| Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | Important |
| Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | Critical |
| Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important |
| Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical |
| Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important |
| Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | Important |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
| Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical |
| Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | Important |
| Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
| Azure.Storage.Defender.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
| Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | Critical |
| Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
| Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
| Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |
| Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | Important |
| Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important |