# Azure.Pillar.Security.L1
Microsoft Azure Well-Architected Framework - Security pillar Level 1 maturity baseline.
## Rules
The following rules are included within the Azure.Pillar.Security.L1 baseline.
This baseline includes a total of 33 rules.
Name | Synopsis | Severity |
---|---|---|
Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical |
Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important |
Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical |
Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important |
Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important |
Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
Azure.AppInsights.LocalAuth | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical |
Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical |
Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important |
Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |
Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important |
Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical |
Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important |
Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical |
Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical |
Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important |
Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical |
Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
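To put the baseline to use rather than read it, the rules are selected with the `-Baseline` parameter of the PSRule cmdlets. The following is an added example and is not part of the PSRule.Rules.Azure documentation: it assumes the PSRule and PSRule.Rules.Azure modules from the PowerShell Gallery, and the two storage account resources are constructed here to show one resource that trips Azure.Storage.MinTLS and Azure.Storage.SecureTransfer beside its hardened form.

```powershell
# Added example, not from the PSRule.Rules.Azure docs. Assumes the PSRule and
# PSRule.Rules.Azure modules (PowerShell Gallery); run the install once.
Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force

# Constructed sample resources in the exported-resource shape (type + properties)
# that PSRule.Rules.Azure evaluates. The first carries the settings an older
# template often has: a TLS 1.0 floor and plain HTTP still permitted.
$weak = @'
{
  "type": "Microsoft.Storage/storageAccounts",
  "name": "stweak001",
  "location": "eastus",
  "properties": {
    "minimumTlsVersion": "TLS1_0",
    "supportsHttpsTrafficOnly": false
  }
}
'@

# The hardened form: TLS 1.2 as the minimum and encrypted connections only,
# which is what Azure.Storage.MinTLS and Azure.Storage.SecureTransfer check.
$hardened = @'
{
  "type": "Microsoft.Storage/storageAccounts",
  "name": "sthardened001",
  "location": "eastus",
  "properties": {
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": true
  }
}
'@

New-Item -ItemType Directory -Path ./samples -Force | Out-Null
Set-Content -Path ./samples/storage-weak.json -Value $weak
Set-Content -Path ./samples/storage-hardened.json -Value $hardened

# Evaluate only the rules the L1 baseline selects and report failures only,
# so rules outside the baseline never appear in the output.
Invoke-PSRule -InputPath ./samples/ -Module PSRule.Rules.Azure `
    -Baseline Azure.Pillar.Security.L1 -Outcome Fail |
    Select-Object TargetName, RuleName, Outcome |
    Format-Table -AutoSize

# For a CI gate, Assert-PSRule writes a terminating error when any rule in the
# baseline fails, which stops the pipeline before the resource is deployed.
Assert-PSRule -InputPath ./samples/ -Module PSRule.Rules.Azure `
    -Baseline Azure.Pillar.Security.L1
```

Run it from a scratch directory. The baseline is a filter over the module's rule set, so raising the target later to the Level 2 baseline is a change to the `-Baseline` argument only; the input resources and the rest of the pipeline stay the same.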