Azure.Pillar.Security#
Microsoft Azure Well-Architected Framework - Security pillar specific baseline.
Rules#
The following rules are included within the Azure.Pillar.Security baseline.
This baseline includes a total of 204 rules.
| Name | Synopsis | Severity |
|---|---|---|
| Azure.ACR.AdminUser | Use Entra ID identities instead of using the registry admin user. | Critical |
| Azure.ACR.ContainerScan | Enable vulnerability scanning for container images. | Critical |
| Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | Important |
| Azure.ACR.Firewall | Limit network access of container registries to only trusted clients. | Important |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important |
| Azure.AI.DisableLocalAuth | Authenticate requests to Azure AI services with Entra ID identities. | Important |
| Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | Important |
| Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | Important |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
| Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | Important |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
| Azure.AKS.DefenderProfile | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | Important |
| Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | Important |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
| Azure.AKS.NetworkPolicy | Deploy AKS clusters with Network Policies enabled. | Important |
| Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important |
| Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important |
| Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important |
| Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | Critical |
| Azure.APIM.CORSPolicy | Avoid using wildcard for any configuration option in CORS policies. | Important |
| Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical |
| Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | Important |
| Azure.APIM.HTTPBackend | Use HTTPS for communication to backend services. | Critical |
| Azure.APIM.HTTPEndpoint | Enforce HTTPS for communication to API clients. | Important |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.APIM.PolicyBase | Base element for any policy element in a section should be configured. | Important |
| Azure.APIM.ProductApproval | Configure products to require approval. | Important |
| Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical |
| Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | Important |
| Azure.AppConfig.DisableLocalAuth | Authenticate App Configuration clients with Entra ID identities. | Important |
| Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important |
| Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important |
| Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical |
| Azure.AppGwWAF.PreventionMode | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.AppGwWAF.RuleGroups | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AppService.MinTLS | App Service should reject TLS versions older than 1.2. | Critical |
| Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | Important |
| Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
| Azure.AppService.UseHTTPS | Azure App Service apps should only accept encrypted connections. | Important |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important |
| Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | Important |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important |
| Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness |
| Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | Important |
| Azure.CDN.HTTP | Enforce HTTPS for client connections. | Important |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |
| Azure.ContainerApp.ExternalIngress | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important |
| Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | Important |
| Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | Important |
| Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | Important |
| Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important |
| Azure.Cosmos.MinTLS | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical |
| Azure.Databricks.PublicAccess | Azure Databricks workspaces should disable public network access. | Critical |
| Azure.Databricks.SecureConnectivity | Use Databricks workspaces configured for secure cluster connectivity. | Critical |
| Azure.Defender.Api | Enable Microsoft Defender for APIs. | Critical |
| Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical |
| Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical |
| Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical |
| Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | Critical |
| Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical |
| Azure.Defender.Dns | Enable Microsoft Defender for DNS. | Critical |
| Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | Critical |
| Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | Critical |
| Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical |
| Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | Critical |
| Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | Critical |
| Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical |
| Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
| Azure.DefenderCloud.Contact | Microsoft Defender for Cloud email and phone contact details should be set. | Important |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important |
| Azure.Deployment.AdminUsername | Use secure parameters for sensitive resource properties. | Awareness |
| Azure.Deployment.OuterSecret | Do not use Outer deployments when references SecureString or SecureObject parameters. | Critical |
| Azure.Deployment.OutputSecretValue | Avoid outputting sensitive deployment values. | Critical |
| Azure.Deployment.SecureParameter | Use secure parameters for any parameter that contains sensitive information. | Critical |
| Azure.Deployment.SecureValue | Use secure parameters for setting properties of resources that contain sensitive information. | Critical |
| Azure.EntraDS.NTLM | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical |
| Azure.EntraDS.RC4 | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical |
| Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | Critical |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important |
| Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important |
| Azure.EventHub.MinTLS | Event Hub namespaces should reject TLS versions older than 1.2. | Critical |
| Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical |
| Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | Critical |
| Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | Important |
| Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important |
| Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | Critical |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
| Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical |
| Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical |
| Azure.FrontDoorWAF.PreventionMode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical |
| Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | Critical |
| Azure.KeyVault.AccessPolicy | Use the principal of least privilege when assigning access to Key Vault. | Important |
| Azure.KeyVault.AutoRotationPolicy | Key Vault keys should have auto-rotation enabled. | Important |
| Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | Important |
| Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important |
| Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness |
| Azure.LogicApp.LimitHTTPTrigger | Limit HTTP request trigger access to trusted IP addresses. | Critical |
| Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important |
| Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical |
| Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical |
| Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical |
| Azure.ML.PublicAccess | Disable public network access from a Azure Machine Learning workspace. | Critical |
| Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important |
| Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | Important |
| Azure.MySQL.AAD | Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. | Critical |
| Azure.MySQL.AADOnly | Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. | Important |
| Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.MySQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important |
| Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |
| Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical |
| Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | Awareness |
| Azure.NSG.DenyAllInbound | Avoid denying all inbound traffic. | Important |
| Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important |
| Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | Critical |
| Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | Important |
| Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.PostgreSQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important |
| Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |
| Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | Important |
| Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
| Azure.RBAC.LimitMGDelegation | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | Important |
| Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
| Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | Important |
| Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
| Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |
| Azure.Redis.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical |
| Azure.Redis.FirewallRuleCount | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |
| Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | Critical |
| Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | Important |
| Azure.RSV.Immutable | Ensure immutability is configured to protect backup data. | Important |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.ServiceBus.AuditLogs | Ensure namespaces audit diagnostic logs are enabled. | Important |
| Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | Important |
| Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | Important |
| Azure.ServiceFabric.AAD | Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. | Critical |
| Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important |
| Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | Critical |
| Azure.SQL.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Database. | Important |
| Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important |
| Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | Important |
| Azure.SQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). | Important |
| Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
| Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical |
| Azure.SQLMI.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. | Important |
| Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | Important |
| Azure.Storage.BlobAccessType | Use containers configured with a private access type that requires authorization. | Important |
| Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
| Azure.Storage.Defender.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | Critical |
| Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | Critical |
| Azure.Storage.Firewall | Storage Accounts should only accept explicitly allowed traffic. | Important |
| Azure.Storage.MinTLS | Storage Accounts should reject TLS versions older than 1.2. | Critical |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
| Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
| Azure.VM.PublicKey | Linux virtual machines should use public keys. | Important |
| Azure.VM.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important |
| Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
| Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |
| Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | Important |
| Azure.VMSS.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | Important |
| Azure.VNET.FirewallSubnet | Use Azure Firewall to filter network traffic to and from Azure resources. | Important |
| Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical |
| Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important |