Skip to content

Azure.MCSB.v1#

Experimental

This baseline is experimental and subject to change.

Microsoft Cloud Security Benchmark v1.

Controls#

The following rules are included within the Azure.MCSB.v1 baseline.

This baseline includes a total of 136 rules.

Name Synopsis Severity
Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. Critical
Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical
Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important
Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical
Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important
Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important
Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. Important
Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important
Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important
Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important
Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important
Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important
Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important
Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important
Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important
Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important
Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important
Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important
Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important
Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important
Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important
Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important
Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important
Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important
Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important
Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important
Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical
Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical
Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important
Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical
Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important
Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical
Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important
Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. Important
Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical
Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical
Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical
Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical
Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical
Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important
Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important
Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important
Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important
Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important
Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important
Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important
Azure.CDN.HTTP Enforce HTTPS for client connections. Important
Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important
Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important
Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important
Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important
Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical
Azure.Cosmos.DisableLocalAuth Azure Cosmos DB should have local authentication disabled. Critical
Azure.Cosmos.DisableMetadataWrite Use Entra ID identities for management place operations in Azure Cosmos DB. Important
Azure.Cosmos.PublicAccess Azure Cosmos DB should have public network access disabled. Critical
Azure.Defender.Api Enable Microsoft Defender for APIs. Critical
Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical
Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical
Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical
Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical
Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical
Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical
Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical
Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical
Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical
Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical
Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical
Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical
Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical
Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important
Azure.EntraDS.TLS Disable TLS v1 for Microsoft Entra Domain Services. Critical
Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important
Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important
Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important
Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important
Azure.EventHub.Firewall Access to the namespace endpoints should be restricted to only allowed sources. Critical
Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical
Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical
Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important
Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important
Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical
Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical
Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical
Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical
Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important
Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness
Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical
Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical
Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important
Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important
Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical
Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important
Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical
Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical
Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness
Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical
Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important
Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical
Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical
Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important
Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important
Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important
Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important
Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important
Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important
Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important
Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical
Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical
Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important
Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important
Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important
Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical
Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important
Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical
Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important
Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important
Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical
Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical
Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical
Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important
Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important
Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical
Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical
Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical
Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important
Azure.VM.ADE Use Azure Disk Encryption (ADE). Important
Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important
Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important
Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important
Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important