# Azure.Pillar.Security.L1

Microsoft Azure Well-Architected Framework - Security pillar Level 1 maturity baseline.
## Rules
The following rules are included within the Azure.Pillar.Security.L1 baseline.
This baseline includes a total of 85 rules.
| Name | Synopsis | Severity | Maturity |
|---|---|---|---|
| Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical | L1 |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | L1 |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | L1 |
| Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | Important | L1 |
| Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important | L1 |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important | L1 |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | L1 |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | L1 |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical | L1 |
| Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | Critical | L1 |
| Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | Important | L1 |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical | L1 |
| Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important | L1 |
| Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | Important | L1 |
| Azure.AppConfig.ReplicaLocation | The replication location determines the country or region where configuration data is stored and processed. | Important | L1 |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical | L1 |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | L1 |
| Azure.AppInsights.LocalAuth | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | L1 |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.AppService.MinTLS | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 |
| Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | Important | L1 |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important | L1 |
| Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important | L1 |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important | L1 |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | L1 |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important | L1 |
| Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important | L1 |
| Azure.Cosmos.MinTLS | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.Cosmos.MongoEntraID | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1 |
| Azure.Cosmos.NoSQLLocalAuth | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | L1 |
| Azure.EntraDS.NTLM | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical | L1 |
| Azure.EntraDS.RC4 | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical | L1 |
| Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | Critical | L1 |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important | L1 |
| Azure.EventGrid.DomainTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important | L1 |
| Azure.EventGrid.NamespaceTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.EventGrid.TopicTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | L1 |
| Azure.EventHub.MinTLS | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | L1 |
| Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | L1 |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important | L1 |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | L1 |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | L1 |
| Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | L1 |
| Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical | L1 |
| Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | L1 |
| Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | Critical | L1 |
| Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | Important | L1 |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical | L1 |
| Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical | L1 |
| Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | Important | L1 |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical | L1 |
| Azure.Redis.EntraID | Use Entra ID authentication with cache instances. | Critical | L1 |
| Azure.Redis.LocalAuth | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important | L1 |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical | L1 |
| Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important | L1 |
| Azure.ServiceBus.AuditLogs | Ensure namespaces audit diagnostic logs are enabled. | Important | L1 |
| Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important | L1 |
| Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | Important | L1 |
| Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | Critical | L1 |
| Azure.ServiceFabric.ProtectionLevel | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | L1 |
| Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important | L1 |
| Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical | L1 |
| Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important | L1 |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | L1 |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | L1 |
| Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical | L1 |
| Azure.SQLMI.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. | Important | L1 |
| Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | Important | L1 |
| Azure.Storage.LocalAuth | Access keys allow depersonalized access to Storage Accounts using a shared secret. | Important | L1 |
| Azure.Storage.MinTLS | Storage Accounts should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important | L1 |
| Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important | L1 |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important | L1 |
| Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important | L1 |
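The PowerShell below is an added example and is not code from this page or from the PSRule for Azure project. It evaluates two constructed storage account objects against the `Azure.Pillar.Security.L1` baseline listed above, so the weak and hardened settings can be compared in one run. It assumes the `PSRule` and `PSRule.Rules.Azure` modules are installed from the PowerShell Gallery; the `$weak` and `$hardened` objects are sample data built inline, and the choice of `supportsHttpsTrafficOnly`, `minimumTlsVersion` and `allowSharedKeyAccess` as the properties behind `Azure.Storage.SecureTransfer`, `Azure.Storage.MinTLS` and `Azure.Storage.LocalAuth` is an assumption drawn from the synopses in the table, not a statement of the rules' internals (the rule output is authoritative).

```powershell
# Added example (not from PSRule for Azure): run the L1 security baseline
# against in-memory resource objects. Requires:
#   Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser

# Constructed sample: a storage account carrying the weak settings that the
# Azure.Storage.* rules in the L1 baseline are expected to flag (assumption).
$weak = [PSCustomObject]@{
    name       = 'stweak001'
    type       = 'Microsoft.Storage/storageAccounts'
    location   = 'eastus'
    kind       = 'StorageV2'
    properties = [PSCustomObject]@{
        supportsHttpsTrafficOnly = $false    # plaintext HTTP allowed
        minimumTlsVersion        = 'TLS1_0'  # deprecated protocol accepted
        allowSharedKeyAccess     = $true     # shared-key (depersonalized) access
    }
}

# Constructed sample: the same account with the settings corrected.
$hardened = [PSCustomObject]@{
    name       = 'stsafe001'
    type       = 'Microsoft.Storage/storageAccounts'
    location   = 'eastus'
    kind       = 'StorageV2'
    properties = [PSCustomObject]@{
        supportsHttpsTrafficOnly = $true
        minimumTlsVersion        = 'TLS1_2'
        allowSharedKeyAccess     = $false    # Entra ID / managed identity only
    }
}

# Evaluate only the rules in the baseline and show failures per target.
$weak, $hardened |
    Invoke-PSRule -Module PSRule.Rules.Azure -Baseline Azure.Pillar.Security.L1 -Outcome Fail |
    Format-Table TargetName, RuleName, Outcome

# For a repository of exported resource JSON, point at the path instead and
# use Assert-PSRule so a failing rule returns a non-zero exit code in CI.
# Assert-PSRule -Module PSRule.Rules.Azure -Baseline Azure.Pillar.Security.L1 -InputPath 'out/'
```

Only `stweak001` should appear in the failure table. The `-Baseline` parameter restricts evaluation to the 85 rules above, so results are not diluted by rules from other maturity levels or pillars; drop it to run the full module.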