# Azure.MCSB.v1

Experimental

This baseline is experimental and subject to change.

Microsoft Cloud Security Benchmark v1.

## Controls

The following rules are included within Azure.MCSB.v1. This baseline includes a total of 105 rules.

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.ACR.AdminUser | Use Azure AD identities instead of using the registry admin user. | Critical |
| Azure.ACR.ContainerScan | Enable vulnerability scanning for container images. | Critical |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
| Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | Important |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use the Azure Policy Add-on for Kubernetes. | Important |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important |
| Azure.AKS.HttpAppRouting | Disable the HTTP application routing add-on in AKS clusters. | Important |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
| Azure.AKS.NetworkPolicy | Deploy AKS clusters with Network Policies enabled. | Important |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important |
| Azure.AKS.SecretStore | Deploy AKS clusters with the Secrets Store CSI Driver and store secrets in Key Vault. | Important |
| Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important |
| Azure.AKS.UseRBAC | Deploy AKS clusters with role-based access control (RBAC) enabled. | Important |
| Azure.AKS.Version | AKS control plane and node pools should use a current stable release. | Important |
| Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
| Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important |
| Azure.APIM.HTTPBackend | Use HTTPS for communication to backend services. | Critical |
| Azure.APIM.HTTPEndpoint | Enforce HTTPS for communication to API clients. | Important |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
| Azure.AppConfig.DisableLocalAuth | Authenticate App Configuration clients with Azure AD identities. | Important |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should protect endpoints with WAF. | Critical |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AppService.MinTLS | App Service should reject TLS versions older than 1.2. | Critical |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
| Azure.AppService.UseHTTPS | Azure App Service apps should only accept encrypted connections. | Important |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important |
| Azure.Automation.AuditLogs | Ensure Automation account audit diagnostic logs are enabled. | Important |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
| Azure.Automation.ManagedIdentity | Ensure a managed identity is used for authentication. | Important |
| Azure.CDN.HTTP | Enforce HTTPS for client connections. | Important |
| Azure.Cognitive.DisableLocalAuth | Authenticate requests to Cognitive Services with Azure AD identities. | Important |
| Azure.Cognitive.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.Cognitive.PrivateEndpoints | Use Private Endpoints to access Cognitive Services accounts. | Important |
| Azure.Cognitive.PublicAccess | Restrict access to Cognitive Services accounts to authorized virtual networks. | Important |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important |
| Azure.ContainerApp.ManagedIdentity | Ensure a managed identity is used for authentication. | Important |
| Azure.ContainerApp.PublicAccess | Ensure public network access for the Container Apps environment is disabled. | Important |
| Azure.ContainerApp.RestrictIngress | IP ingress restriction mode should be set to the allow action for all rules defined. | Important |
| Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Cosmos.DisableMetadataWrite | Use Azure AD identities for management plane operations in Azure Cosmos DB. | Important |
| Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical |
| Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical |
| Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Defender.Cspm | Enable the Microsoft Defender Cloud Security Posture Management Standard plan. | Critical |
| Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical |
| Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical |
| Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical |
| Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical |
| Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning to improve Microsoft Defender for Cloud insights. | Important |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important |
| Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important |
| Azure.EventHub.MinTLS | Event Hub namespaces should reject TLS versions older than 1.2. | Critical |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect backend resources. | Critical |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
| Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | Important |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |
| Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | Awareness |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |
| Azure.PublicIP.IsAttached | Public IP addresses should be attached or removed. | Important |
| Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
| Azure.RBAC.LimitMGDelegation | Limit Role-Based Access Control (RBAC) inheritance from Management Groups. | Important |
| Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
| Azure.RBAC.PIM | Use just-in-time (JIT) activation of roles instead of persistent role assignment. | Important |
| Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
| Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |
| Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | Critical |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Azure AD identities. | Important |
| Azure.ServiceFabric.AAD | Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. | Critical |
| Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important |
| Azure.SQL.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL databases. | Critical |
| Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical servers. | Important |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
| Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical |
| Azure.SQLMI.ManagedIdentity | Ensure a managed identity is used to allow support for Azure AD authentication. | Important |
| Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
| Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | Critical |
| Azure.Storage.MinTLS | Storage Accounts should reject TLS versions older than 1.2. | Critical |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
| Azure.VM.DiskAttached | Managed disks should be attached to virtual machines or removed. | Important |
| Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
| Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |
| Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | Important |
| Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important |
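The following script is an added example of how a pipeline would evaluate infrastructure code against this baseline and gate on the severities in the table above; it is not part of the PSRule for Azure documentation or the project's own code. It assumes PowerShell 7 with the `PSRule` and `PSRule.Rules.Azure` modules available from the PowerShell Gallery, Bicep or ARM templates under `./deploy/` (an assumed path), and that the rule severity is exposed as the `severity` annotation on each rule record, as the published rules do.

```powershell
# Added example, not part of the PSRule for Azure docs.
# Evaluates templates under ./deploy (assumed path) against the Azure.MCSB.v1
# baseline, reports failures grouped by severity, and returns a non-zero exit
# code only when a Critical rule fails.

# Engine plus the Azure rule set, installed for the current user only.
Install-Module -Name PSRule, PSRule.Rules.Azure -Scope CurrentUser -Force

# Expand Bicep and ARM parameter files so rules evaluate the resulting
# resources rather than the raw template text. Keys are PSRule option names.
$options = @{
    'Configuration.AZURE_BICEP_FILE_EXPANSION'     = $true
    'Configuration.AZURE_PARAMETER_FILE_EXPANSION' = $true
}

# -Baseline restricts execution to the 105 rules listed on this page.
# -Outcome Fail keeps only failing rule/object pairs in the result set.
$results = @(Invoke-PSRule -InputPath './deploy/' `
    -Module 'PSRule.Rules.Azure' `
    -Baseline 'Azure.MCSB.v1' `
    -Format File `
    -Option $options `
    -Outcome Fail)

# Group failures by the severity annotation (Critical / Important / Awareness).
# Assumption: the annotation is named 'severity' as in the published rules.
$bySeverity = $results | Group-Object { $_.Info.Annotations.severity }
foreach ($group in $bySeverity) {
    '{0}: {1} failing rule evaluations' -f $group.Name, $group.Count
    $group.Group |
        Select-Object RuleName, TargetName, TargetType |
        Format-Table -AutoSize
}

# Keep a machine-readable record of the failures for the pipeline.
New-Item -ItemType Directory -Force -Path './reports' | Out-Null
$results | ConvertTo-Json -Depth 5 | Set-Content -Path './reports/mcsb-failures.json'

# Gate: block the deployment on Critical findings. Important and Awareness
# findings are surfaced above but do not fail the build; tighten as needed.
$critical = @($results | Where-Object { $_.Info.Annotations.severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Error ('{0} Critical Azure.MCSB.v1 rule failures found' -f $critical.Count)
    exit 1
}
```

`Invoke-PSRule` is used instead of `Assert-PSRule` so the script can inspect and group the records before deciding what blocks the build; `Assert-PSRule -Baseline 'Azure.MCSB.v1'` with the same input and options is the simpler choice when any failure in the baseline should fail the run.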

Last update: 2023-04-29