Azure.Pillar.Security
Microsoft Azure Well-Architected Framework - Security pillar specific baseline.
Rules
The following rules are included within the Azure.Pillar.Security baseline.
This baseline includes a total of 211 rules.
Name | Synopsis | Severity |
---|---|---|
Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical |
Azure.ACR.AnonymousAccess | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important |
Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | Critical |
Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | Important |
Azure.ACR.Firewall | Container Registry without restrictions can be accessed from any network location including the Internet. | Important |
Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important |
Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important |
Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | Important |
Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | Important |
Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | Important |
Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
Azure.AKS.DefenderProfile | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | Important |
Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | Important |
Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may permit unauthorized lateral movement. | Important |
Azure.AKS.NodeAutoUpgrade | Deploy AKS clusters with Node Auto-Upgrade enabled. | Important |
Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important |
Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important |
Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important |
Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
Azure.APIM.CORSPolicy | Avoid using wildcard for any configuration option in CORS policies. | Important |
Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical |
Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important |
Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical |
Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.APIM.PolicyBase | Base element for any policy element in a section should be configured. | Important |
Azure.APIM.ProductApproval | Configure products to require approval. | Important |
Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important |
Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
Azure.APIM.SampleProducts | API Management Services with default products configured may expose more APIs than intended. | Awareness |
Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important |
Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important |
Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important |
Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical |
Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
Azure.AppGw.UseWAF | Internet accessible Application Gateways should protect endpoints with WAF. | Critical |
Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important |
Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical |
Azure.AppGwWAF.PreventionMode | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.AppGwWAF.RuleGroups | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical |
Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | Important |
Azure.AppService.NodeJsVersion | Configure applications to use supported Node.js runtime versions. | Important |
Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important |
Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important |
Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important |
Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important |
Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness |
Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | Important |
Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |
Azure.ContainerApp.ExternalIngress | Limit inbound communication for Container Apps to callers within the Container Apps Environment. | Important |
Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important |
Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important |
Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | Important |
Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | Important |
Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
Azure.Cosmos.DisableLocalAuth | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical |
Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management plane operations in Azure Cosmos DB. | Important |
Azure.Cosmos.MinTLS | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical |
Azure.Cosmos.PublicAccess | Azure Cosmos DB should have public network access disabled. | Critical |
Azure.Databricks.PublicAccess | Azure Databricks workspaces should disable public network access. | Critical |
Azure.Databricks.SecureConnectivity | Use Databricks workspaces configured for secure cluster connectivity. | Critical |
Azure.Defender.Api | Enable Microsoft Defender for APIs. | Critical |
Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical |
Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical |
Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical |
Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical |
Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical |
Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical |
Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical |
Azure.Defender.SecurityContact | Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified. | Important |
Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical |
Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical |
Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | Critical |
Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical |
Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
Azure.DefenderCloud.Provisioning | Enable auto-provisioning to improve Microsoft Defender for Cloud insights. | Important |
Azure.Deployment.AdminUsername | A sensitive property set from deterministic or hardcoded values is not secure. | Awareness |
Azure.Deployment.OuterSecret | Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. | Critical |
Azure.Deployment.OutputSecretValue | Outputting a sensitive value from deployment may leak secrets into deployment history or logs. | Critical |
Azure.Deployment.SecureParameter | Sensitive parameters that have not been marked as secure may leak the secret into deployment history or logs. | Critical |
Azure.Deployment.SecureValue | A secret property set from a non-secure value may leak the secret into deployment history or logs. | Critical |
Azure.EntraDS.NTLM | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical |
Azure.EntraDS.RC4 | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical |
Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | Critical |
Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important |
Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important |
Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important |
Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important |
Azure.EventHub.Firewall | Access to the namespace endpoints should be restricted to only allowed sources. | Critical |
Azure.EventHub.MinTLS | Event Hub namespaces should reject TLS versions older than 1.2. | Critical |
Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical |
Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | Critical |
Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | Important |
Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important |
Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical |
Azure.FrontDoorWAF.PreventionMode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important |
Azure.KeyVault.AutoRotationPolicy | Key Vault keys should have auto-rotation enabled. | Important |
Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | Important |
Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
Azure.LogicApp.LimitHTTPTrigger | Logic Apps using HTTP triggers without restrictions can be accessed from any network location including the Internet. | Critical |
Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important |
Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical |
Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical |
Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical |
Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical |
Azure.ML.PublicAccess | Disable public network access from an Azure Machine Learning workspace. | Critical |
Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important |
Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical |
Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important |
Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.MySQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important |
Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |
Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical |
Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important |
Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | Awareness |
Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical |
Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | Important |
Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.PostgreSQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important |
Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |
Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | Important |
Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
Azure.RBAC.LimitMGDelegation | Limit Role-Based Access Control (RBAC) inheritance from Management Groups. | Important |
Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | Important |
Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |
Azure.Redis.EntraID | Use Entra ID authentication with cache instances. | Critical |
Azure.Redis.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical |
Azure.Redis.FirewallRuleCount | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness |
Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |
Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | Critical |
Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | Important |
Azure.RSV.Immutable | Ensure immutability is configured to protect backup data. | Important |
Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.ServiceBus.AuditLogs | Ensure namespaces audit diagnostic logs are enabled. | Important |
Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important |
Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | Important |
Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | Critical |
Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important |
Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical |
Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important |
Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important |
Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | Important |
Azure.SQL.FirewallIPRange | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important |
Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical |
Azure.SQLMI.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. | Important |
Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | Important |
Azure.Storage.BlobAccessType | Use containers configured with a private access type that requires authorization. | Important |
Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
Azure.Storage.Defender.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | Critical |
Azure.Storage.Firewall | Storage Accounts should only accept explicitly allowed traffic. | Important |
Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical |
Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important |
Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
Azure.VM.PublicIPAttached | Avoid attaching public IPs directly to virtual machines. | Critical |
Azure.VM.PublicKey | Linux virtual machines should use public keys. | Important |
Azure.VM.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important |
Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |
Azure.VMSS.PublicIPAttached | Avoid attaching public IPs directly to virtual machine scale set instances. | Critical |
Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | Important |
Azure.VMSS.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important |
Azure.VNET.FirewallSubnet | Use Azure Firewall to filter network traffic to and from Azure resources. | Important |
Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical |
Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important |