
# Azure.Pillar.Security

v1.35.0

Microsoft Azure Well-Architected Framework - Security pillar-specific baseline.

## Rules

The following rules are included within the Azure.Pillar.Security baseline.

This baseline includes a total of 229 rules.

| Name | Synopsis | Severity | Maturity |
| --- | --- | --- | --- |
| Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical | L1 |
| Azure.ACR.AnonymousAccess | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important | - |
| Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | Critical | - |
| Azure.ACR.ExportPolicy | Export policy on Azure container registry may allow artifact exfiltration. | Important | - |
| Azure.ACR.Firewall | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | - |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical | L2 |
| Azure.ACR.ReplicaLocation | The replication location determines the country or region where container images and metadata are stored and processed. | Important | - |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | L1 |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | L1 |
| Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important | L1 |
| Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | Important | - |
| Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | Important | - |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important | L1 |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important | - |
| Azure.AKS.AutoUpgrade | New versions of Kubernetes are released regularly. Upgrading each release manually can add operational overhead without realizing equivalent value. | Important | - |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important | - |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important | - |
| Azure.AKS.DefenderProfile | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | Important | - |
| Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | Important | - |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important | L1 |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | L1 |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | L1 |
| Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may permit unauthorized lateral movement. | Important | - |
| Azure.AKS.NodeAutoUpgrade | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | - |
| Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | - |
| Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | - |
| Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | - |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical | L1 |
| Azure.APIM.CORSPolicy | Avoid using wildcard for any configuration option in CORS policies. | Important | - |
| Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical | - |
| Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important | - |
| Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical | L1 |
| Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important | L1 |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.APIM.PolicyBase | Base element for any policy element in a section should be configured. | Important | - |
| Azure.APIM.ProductApproval | Configure products to require approval. | Important | - |
| Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important | - |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical | L1 |
| Azure.APIM.SampleProducts | API Management Services with default products configured may expose more APIs than intended. | Awareness | - |
| Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important | L1 |
| Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important | L1 |
| Azure.AppConfig.SecretLeak | Secrets stored as key values in an App Configuration Store may be leaked to unauthorized users. | Critical | - |
| Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important | - |
| Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical | - |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical | L1 |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | L1 |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should protect endpoints with WAF. | Critical | - |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | - |
| Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important | - |
| Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | - |
| Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | - |
| Azure.AppGwWAF.PreventionMode | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | - |
| Azure.AppGwWAF.RuleGroups | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | - |
| Azure.AppInsights.LocalAuth | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | L1 |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 |
| Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | Important | - |
| Azure.AppService.NodeJsVersion | Configure applications to use supported Node.js runtime versions. | Important | - |
| Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important | - |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important | - |
| Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important | L1 |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important | L1 |
| Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important | L1 |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important | - |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important | L1 |
| Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness | - |
| Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | Important | - |
| Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | Important | - |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | L1 |
| Azure.ContainerApp.ExternalIngress | Limit inbound communication for Container Apps to callers within the Container Apps Environment. | Important | - |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important | L1 |
| Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important | L1 |
| Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | Important | - |
| Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | - |
| Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical | - |
| Azure.Cosmos.DisableLocalAuth | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1 |
| Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management plane operations in Azure Cosmos DB. | Important | - |
| Azure.Cosmos.MinTLS | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.Cosmos.PublicAccess | Azure Cosmos DB should have public network access disabled. | Critical | - |
| Azure.Databricks.PublicAccess | Azure Databricks workspaces should disable public network access. | Critical | - |
| Azure.Databricks.SecureConnectivity | Use Databricks workspaces configured for secure cluster connectivity. | Critical | - |
| Azure.Defender.Api | Enable Microsoft Defender for APIs. | Critical | - |
| Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical | - |
| Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical | - |
| Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical | - |
| Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical | - |
| Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical | - |
| Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical | - |
| Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical | - |
| Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical | - |
| Azure.Defender.SecurityContact | Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified. | Important | - |
| Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical | - |
| Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical | - |
| Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | Critical | - |
| Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical | - |
| Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical | - |
| Azure.DefenderCloud.ActiveAlerts | Alerts that have not received a response may indicate a security issue that requires attention. | Important | - |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning to improve Microsoft Defender for Cloud insights. | Important | - |
| Azure.Deployment.AdminUsername | A sensitive property set from deterministic or hardcoded values is not secure. | Awareness | - |
| Azure.Deployment.OuterSecret | Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. | Critical | - |
| Azure.Deployment.OutputSecretValue | Outputting a sensitive value from deployment may leak secrets into deployment history or logs. | Critical | - |
| Azure.Deployment.SecretLeak | Sensitive parameters that have not been marked as secure may leak the secret into deployment history or logs. | Critical | - |
| Azure.Deployment.SecureParameter | Sensitive parameters that have not been marked as secure may leak the secret into deployment history or logs. | Critical | - |
| Azure.Deployment.SecureValue | A secret property set from a non-secure value may leak the secret into deployment history or logs. | Critical | - |
| Azure.DNS.DNSSEC | DNS may be vulnerable to several attacks when the DNS clients are not able to verify the authenticity of the DNS responses. | Important | - |
| Azure.EntraDS.NTLM | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical | L1 |
| Azure.EntraDS.RC4 | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical | L1 |
| Azure.EntraDS.ReplicaLocation | The location of a replica set determines the country or region where the data is stored and processed. | Important | - |
| Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | Critical | L1 |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important | L1 |
| Azure.EventGrid.DomainTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important | L1 |
| Azure.EventGrid.NamespaceTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important | - |
| Azure.EventGrid.TopicTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | L1 |
| Azure.EventHub.Firewall | Access to the namespace endpoints should be restricted to only allowed sources. | Critical | - |
| Azure.EventHub.MinTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | - |
| Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | Critical | - |
| Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | Important | - |
| Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | L1 |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical | - |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | - |
| Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | - |
| Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | - |
| Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical | - |
| Azure.FrontDoorWAF.PreventionMode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | - |
| Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | - |
| Azure.ImageBuilder.CustomizeHash | External scripts that are not pinned may be modified to execute privileged actions by an unauthorized user. | Important | - |
| Azure.ImageBuilder.ValidateHash | External scripts that are not pinned may be modified to execute privileged actions by an unauthorized user. | Important | - |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important | L1 |
| Azure.KeyVault.AutoRotationPolicy | Keys that become compromised may be used to spoof, decrypt, or gain access to sensitive data. | Important | - |
| Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | Important | L2 |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | L1 |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | L1 |
| Azure.Log.ReplicaLocation | The replication location determines the country or region where the data is stored and processed. | Important | - |
| Azure.LogicApp.LimitHTTPTrigger | Logic Apps using HTTP triggers without restrictions can be accessed from any network location including the Internet. | Critical | - |
| Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | Important | - |
| Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important | - |
| Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important | - |
| Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | - |
| Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | L1 |
| Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical | - |
| Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical | L1 |
| Azure.ML.PublicAccess | Disable public network access from an Azure Machine Learning workspace. | Critical | L2 |
| Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | L1 |
| Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical | L1 |
| Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important | L1 |
| Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important | - |
| Azure.MySQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important | - |
| Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important | - |
| Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | - |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical | L1 |
| Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | - |
| Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important | - |
| Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | Awareness | - |
| Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical | L1 |
| Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | Important | L1 |
| Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important | - |
| Azure.PostgreSQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important | - |
| Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important | - |
| Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | - |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical | L1 |
| Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | Important | - |
| Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important | - |
| Azure.RBAC.LimitMGDelegation | Limit Role-Based Access Control (RBAC) inheritance from Management Groups. | Important | - |
| Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important | - |
| Azure.RBAC.PIM | Use just-in-time (JIT) activation of roles instead of persistent role assignment. | Important | - |
| Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important | - |
| Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important | - |
| Azure.Redis.EntraID | Use Entra ID authentication with cache instances. | Critical | L1 |
| Azure.Redis.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical | - |
| Azure.Redis.FirewallRuleCount | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | - |
| Azure.Redis.LocalAuth | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important | L1 |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical | L1 |
| Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | Critical | - |
| Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.Resource.AllowedRegions | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important | - |
| Azure.RSV.Immutable | Ensure immutability is configured to protect backup data. | Important | - |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.ServiceBus.AuditLogs | Ensure namespaces audit diagnostic logs are enabled. | Important | L1 |
| Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important | L1 |
| Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | Important | L1 |
| Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | Critical | L1 |
| Azure.ServiceFabric.ProtectionLevel | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | L1 |
| Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important | L1 |
| Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical | L1 |
| Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important | L1 |
| Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important | - |
| Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important | - |
| Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | Important | - |
| Azure.SQL.FirewallIPRange | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important | - |
| Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | - |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | L1 |
| Azure.SQL.VAScan | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important | - |
| Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical | L1 |
| Azure.SQLMI.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. | Important | L1 |
| Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | Important | L1 |
| Azure.Storage.BlobAccessType | Use containers configured with a private access type that requires authorization. | Important | - |
| Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important | - |
| Azure.Storage.Defender.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical | - |
| Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | Critical | - |
| Azure.Storage.Firewall | Storage Accounts should only accept explicitly allowed traffic. | Important | - |
| Azure.Storage.LocalAuth | Access keys allow depersonalized access to Storage Accounts using a shared secret. | Important | L1 |
| Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important | L1 |
| Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important | L1 |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important | L1 |
| Azure.VM.PublicIPAttached | Avoid attaching public IPs directly to virtual machines. | Critical | - |
| Azure.VM.PublicKey | Linux virtual machines should use public keys. | Important | - |
| Azure.VM.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important | - |
| Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important | - |
| Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important | - |
| Azure.VMSS.PublicIPAttached | Avoid attaching public IPs directly to virtual machine scale set instances. | Critical | - |
| Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | Important | - |
| Azure.VMSS.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important | - |
| Azure.VNET.FirewallSubnet | Use Azure Firewall to filter network traffic to and from Azure resources. | Important | - |
| Azure.VNET.PrivateSubnet | Subnets that allow direct outbound access to the Internet may expose virtual machines to increased security risks. | Critical | - |
| Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical | - |
| Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important | L1 |
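The baseline above is only useful once it is wired into a scan. The following is an added example, not code from the PSRule.Rules.Azure project or from this page, showing how the baseline is selected when running PSRule against resources exported from a subscription. It assumes the PSRule and PSRule.Rules.Azure PowerShell modules are installed, that Connect-AzAccount has already been run against the target subscription, and that the output directory `./out/data` is writable; the directory name and the failure-grouping step are the author's own choices.

```powershell
# Added example (not part of the PSRule.Rules.Azure docs): run the
# Azure.Pillar.Security baseline against a live subscription.
# Assumes PSRule + PSRule.Rules.Azure are installed and Connect-AzAccount has run.

# 1. Export the configuration of in-scope resources to JSON files.
#    './out/data' is an assumed path; any writable directory works.
Export-AzRuleData -OutputPath './out/data'

# 2. Evaluate only the rules that belong to this baseline and keep failures.
#    -Baseline restricts the run to the 229 rules listed on this page;
#    without it PSRule.Rules.Azure runs its default baseline instead.
$failures = Invoke-PSRule -InputPath './out/data' `
    -Module 'PSRule.Rules.Azure' `
    -Baseline 'Azure.Pillar.Security' `
    -Outcome Fail

# 3. Group failures per rule so the controls with the widest blast radius
#    (e.g. Azure.Storage.LocalAuth across every storage account) surface first.
$failures |
    Group-Object -Property RuleName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# 4. For CI, use Assert-PSRule instead: it writes a report and exits
#    non-zero when any rule in the baseline fails, so the pipeline stops.
Assert-PSRule -InputPath './out/data' `
    -Module 'PSRule.Rules.Azure' `
    -Baseline 'Azure.Pillar.Security'
```

Exported resource data covers deployed resources only; the Azure.Deployment.* rules in the table inspect deployment parameters and outputs, so they need the ARM templates or Bicep files themselves as input rather than the exported JSON.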