Skip to content

Azure.Pillar.Security#

v1.35.0

Microsoft Azure Well-Architected Framework - Security pillar specific baseline.

Rules#

The following rules are included within the Azure.Pillar.Security baseline.

This baseline includes a total of 210 rules.

Name Synopsis Severity
Azure.ACR.AdminUser The local admin account allows depersonalized access to a container registry using a shared secret. Critical
Azure.ACR.AnonymousAccess Anonymous pull access allows unidentified downloading of images and metadata from a container registry. Important
Azure.ACR.ContainerScan Container images or their base images may have vulnerabilities discovered after they are built. Critical
Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important
Azure.ACR.Firewall Container Registry without restrictions can be accessed from any network location including the Internet. Important
Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical
Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important
Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important
Azure.AI.DisableLocalAuth Access keys allow depersonalized access to Azure AI using a shared secret. Important
Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important
Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important
Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important
Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important
Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important
Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important
Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important
Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important
Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important
Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important
Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important
Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important
Azure.AKS.NetworkPolicy AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. Important
Azure.AKS.NodeAutoUpgrade Deploy AKS Clusters with Node Auto-Upgrade enabled Important
Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important
Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important
Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important
Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical
Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important
Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical
Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important
Azure.APIM.HTTPBackend Unencrypted communication could allow disclosure of information to an untrusted party. Critical
Azure.APIM.HTTPEndpoint Unencrypted communication could allow disclosure of information to an untrusted party. Important
Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important
Azure.APIM.ProductApproval Configure products to require approval. Important
Azure.APIM.ProductSubscription Configure products to require a subscription. Important
Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical
Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important
Azure.AppConfig.DisableLocalAuth Access keys allow depersonalized access to App Configuration using a shared secret. Important
Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important
Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical
Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical
Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical
Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical
Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical
Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important
Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical
Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical
Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical
Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important
Azure.AppService.NodeJsVersion Configure applications to use supported Node.js runtime versions. Important
Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important
Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important
Azure.AppService.UseHTTPS Unencrypted communication could allow disclosure of information to an untrusted party. Important
Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important
Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important
Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important
Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important
Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness
Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important
Azure.CDN.HTTP Unencrypted communication could allow disclosure of information to an untrusted party. Important
Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important
Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important
Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important
Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important
Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important
Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important
Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical
Azure.Cosmos.DisableLocalAuth Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. Critical
Azure.Cosmos.DisableMetadataWrite Use Entra ID identities for management place operations in Azure Cosmos DB. Important
Azure.Cosmos.MinTLS Cosmos DB accounts should reject TLS versions older than 1.2. Critical
Azure.Cosmos.PublicAccess Azure Cosmos DB should have public network access disabled. Critical
Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. Critical
Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical
Azure.Defender.Api Enable Microsoft Defender for APIs. Critical
Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical
Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical
Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical
Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical
Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical
Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical
Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical
Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical
Azure.Defender.SecurityContact Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified. Important
Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical
Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical
Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical
Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical
Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical
Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important
Azure.Deployment.AdminUsername A sensitive property set from deterministic or hardcoded values is not secure. Awareness
Azure.Deployment.OuterSecret Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. Critical
Azure.Deployment.OutputSecretValue Outputting a sensitive value from deployment may leak secrets into deployment history or logs. Critical
Azure.Deployment.SecureParameter Sensitive parameters that have been not been marked as secure may leak the secret into deployment history or logs. Critical
Azure.Deployment.SecureValue A secret property set from a non-secure value may leak the secret into deployment history or logs. Critical
Azure.EntraDS.NTLM Disable NTLM v1 for Microsoft Entra Domain Services. Critical
Azure.EntraDS.RC4 Disable RC4 encryption for Microsoft Entra Domain Services. Critical
Azure.EntraDS.TLS Disable TLS v1 for Microsoft Entra Domain Services. Critical
Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important
Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important
Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important
Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important
Azure.EventHub.Firewall Access to the namespace endpoints should be restricted to only allowed sources. Critical
Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical
Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical
Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical
Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. Important
Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important
Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical
Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical
Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical
Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical
Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical
Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical
Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important
Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important
Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important
Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important
Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness
Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical
Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important
Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical
Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical
Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical
Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical
Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical
Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important
Azure.MySQL.AAD Use Entra ID authentication with Azure Database for MySQL databases. Critical
Azure.MySQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. Important
Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important
Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical
Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical
Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. Critical
Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important
Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness
Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical
Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important
Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important
Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical
Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical
Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important
Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important
Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important
Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important
Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important
Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important
Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important
Azure.Redis.EntraID Use Entra ID authentication with cache instances. Critical
Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical
Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness
Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical
Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical
Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important
Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important
Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important
Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important
Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important
Azure.ServiceFabric.AAD Use Entra ID client authentication for Service Fabric clusters. Critical
Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important
Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical
Azure.SQL.AADOnly Ensure Entra ID only authentication is enabled with Azure SQL Database. Important
Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important
Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important
Azure.SQL.FirewallIPRange Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. Important
Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical
Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical
Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical
Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important
Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important
Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important
Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important
Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical
Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical
Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important
Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical
Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important
Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important
Azure.VM.ADE Use Azure Disk Encryption (ADE). Important
Azure.VM.PublicIPAttached Avoid attaching public IPs directly to virtual machines. Critical
Azure.VM.PublicKey Linux virtual machines should use public keys. Important
Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important
Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important
Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important
Azure.VMSS.PublicIPAttached Avoid attaching public IPs directly to virtual machine scale set instances. Critical
Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important
Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important
Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important
Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical
Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important