
Rules by resource type

PSRule for Azure includes the following rules organized by resource type.

All resources

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | Awareness | Error |
| Azure.Resource.UseTags | Azure resources should be tagged using a standard convention. | Awareness | Error |
| Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | Awareness | Error |
| Azure.Template.DefineParameters | Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. | Awareness | Error |
| Azure.Template.ExpressionLength | Template expressions should not exceed the maximum length. | Awareness | Error |
| Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to the resource group location. | Awareness | Error |
| Azure.Template.LocationType | Location parameters should use a string value. | Important | Error |
| Azure.Template.MetadataLink | Configure a metadata link for each parameter file. | Important | Error |
| Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | Important | Error |
| Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | Important | Error |
| Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) templates for each parameter. | Awareness | Error |
| Azure.Template.ParameterMinMaxValue | Template parameter minValue and maxValue constraints must be valid. | Important | Error |
| Azure.Template.ParameterScheme | Use an Azure template parameter file schema with the https scheme. | Awareness | Error |
| Azure.Template.ParameterStrongType | Set the parameter value to a value that matches the specified strong type. | Awareness | Error |
| Azure.Template.ParameterValue | Specify a value for each parameter in template parameter files. | Awareness | Error |
| Azure.Template.ResourceLocation | Template resource location should be an expression or global. | Awareness | Error |
| Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness | Error |
| Azure.Template.TemplateFile | Use ARM template files that are valid. | Important | Error |
| Azure.Template.TemplateSchema | Use a more recent version of the Azure template schema. | Awareness | Error |
| Azure.Template.TemplateScheme | Use an Azure template file schema with the https scheme. | Awareness | Error |
| Azure.Template.UseComments | Use comments for each resource in an ARM template to communicate purpose. | Awareness | Information |
| Azure.Template.UseDescriptions | Use descriptions for each resource in generated templates (Bicep, psarm, AzOps) to communicate purpose. | Awareness | Information |
| Azure.Template.UseLocationParameter | Templates should reference a location parameter to specify resource location. | Awareness | Warning |
| Azure.Template.UseParameters | Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. | Awareness | Error |
| Azure.Template.UseVariables | Each Azure Resource Manager (ARM) template variable should be used or removed from template files. | Awareness | Error |
| Azure.Template.ValidSecretRef | Use a valid secret reference within parameter files. | Awareness | Error |

API Management

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.APIM.APIDescriptors | API Management APIs should have a display name and description. | Awareness | Warning |
| Azure.APIM.AvailabilityZone | API Management services deployed with the Premium SKU should use availability zones in supported regions for high availability. | Important | Error |
| Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important | Error |
| Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers. | Important | Error |
| Azure.APIM.EncryptValues | API Management named values should be encrypted. | Important | Error |
| Azure.APIM.HTTPBackend | Use HTTPS for communication to backend services. | Critical | Error |
| Azure.APIM.HTTPEndpoint | Enforce HTTPS for communication to API clients. | Important | Error |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important | Error |
| Azure.APIM.MinAPIVersion | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important | Error |
| Azure.APIM.MultiRegion | API Management instances should use multi-region deployment to improve service availability. | Important | Error |
| Azure.APIM.MultiRegionGateway | API Management instances should have multi-region deployment gateways enabled. | Important | Error |
| Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness | Error |
| Azure.APIM.ProductApproval | Configure products to require approval. | Important | Error |
| Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness | Warning |
| Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important | Error |
| Azure.APIM.ProductTerms | Set legal terms for each product registered in API Management. | Important | Error |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2. | Important | Error |
| Azure.APIM.SampleProducts | Remove starter and unlimited sample products. | Awareness | Error |

App Configuration

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.AppConfig.AuditLogs | Ensure App Configuration store audit diagnostic logs are enabled. | Important | Error |
| Azure.AppConfig.DisableLocalAuth | Authenticate App Configuration clients with Azure AD identities. | Important | Error |
| Azure.AppConfig.GeoReplica | Consider replication for the App Configuration store to ensure resiliency to region outages. | Important | Error |
| Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness | Error |
| Azure.AppConfig.PurgeProtect | Consider purge protection for the App Configuration store to ensure the store cannot be purged within the retention period. | Important | Error |
| Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important | Error |

App Service

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important | Error |
| Azure.AppService.ARRAffinity | Disable client affinity for stateless services. | Awareness | Error |
| Azure.AppService.HTTP2 | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness | Error |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important | Error |
| Azure.AppService.MinPlan | Use at least a Standard App Service Plan. | Important | Error |
| Azure.AppService.MinTLS | App Service should reject TLS versions older than 1.2. | Critical | Error |
| Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | Important | Error |
| Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important | Error |
| Azure.AppService.PlanInstanceCount | App Service Plans should use a minimum number of instances for failover. | Important | Error |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important | Error |
| Azure.AppService.UseHTTPS | Azure App Service apps should only accept encrypted connections. | Important | Error |
| Azure.AppService.WebProbe | Configure and enable instance health probes. | Important | Error |
| Azure.AppService.WebProbePath | Configure a dedicated path for health probe requests. | Important | Error |
| Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | Important | Error |

App Service Environment

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ASE.MigrateV3 | Use ASEv3 as a replacement for the classic App Service Environment versions ASEv1 and ASEv2. | Important | Error |

Application Gateway

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.AppGw.AvailabilityZone | Application Gateways should use availability zones in supported regions for high availability. | Important | Error |
| Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important | Error |
| Azure.AppGw.MinSku | Application Gateways should use a minimum instance size of Medium. | Important | Error |
| Azure.AppGw.Name | Application Gateways should meet naming requirements. | Awareness | Error |
| Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important | Error |
| Azure.AppGw.Prevention | Internet-exposed Application Gateways should use prevention mode to protect backend resources. | Critical | Error |
| Azure.AppGw.SSLPolicy | Application Gateways should only accept a minimum of TLS 1.2. | Critical | Error |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | Error |
| Azure.AppGw.UseWAF | Internet-accessible Application Gateways should protect endpoints with WAF. | Critical | Error |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error |
| Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important | Error |
| Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error |
| Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error |
| Azure.AppGwWAF.PreventionMode | Use prevention mode in Application Gateway Web Application Firewall (WAF) policies to protect backend resources. | Critical | Error |
| Azure.AppGwWAF.RuleGroups | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect backend resources. | Critical | Error |

Application Insights

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.AppInsights.Name | Azure Application Insights resource names should meet naming requirements. | Awareness | Error |
| Azure.AppInsights.Workspace | Configure Application Insights resources to store data in workspaces. | Important | Error |

Application Security Group

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ASG.Name | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error |

Automation Account

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Automation.AuditLogs | Ensure Automation account audit diagnostic logs are enabled. | Important | Error |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important | Error |
| Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | Important | Error |
| Azure.Automation.PlatformLogs | Ensure Automation account platform diagnostic logs are enabled. | Important | Error |
| Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness | Error |

Azure Cache for Redis

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Redis.AvailabilityZone | Premium Redis caches should be deployed with availability zones for high availability. | Important | Error |
| Azure.Redis.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical | Error |
| Azure.Redis.FirewallRuleCount | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error |
| Azure.Redis.MaxMemoryReserved | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error |
| Azure.Redis.MinSKU | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error |
| Azure.Redis.MinTLS | Redis caches should reject TLS versions older than 1.2. | Critical | Error |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical | Error |
| Azure.Redis.PublicNetworkAccess | Redis caches should disable public network access. | Critical | Error |
| Azure.Redis.Version | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error |

Azure Cache for Redis Enterprise

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.RedisEnterprise.MinTLS | Redis caches should reject TLS versions older than 1.2. | Critical | Error |
| Azure.RedisEnterprise.Zones | Enterprise Redis caches should be zone-redundant for high availability. | Important | Error |

Azure Database for MariaDB

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | Important | Error |
| Azure.MariaDB.DatabaseName | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error |
| Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important | Error |
| Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important | Error |
| Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | Error |
| Azure.MariaDB.FirewallRuleName | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error |
| Azure.MariaDB.GeoRedundantBackup | Azure Database for MariaDB should store backups in geo-redundant storage. | Important | Error |
| Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | Error |
| Azure.MariaDB.ServerName | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error |
| Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | Error |
| Azure.MariaDB.VNETRuleName | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error |

Azure Database for MySQL

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important | Error |
| Azure.MySQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important | Error |
| Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important | Error |
| Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | Error |
| Azure.MySQL.GeoRedundantBackup | Azure Database for MySQL should store backups in geo-redundant storage. | Important | Error |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error |
| Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | Awareness | Error |
| Azure.MySQL.UseFlexible | Use the Azure Database for MySQL Flexible Server deployment model. | Important | Warning |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical | Error |

Azure Database for PostgreSQL

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important | Error |
| Azure.PostgreSQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important | Error |
| Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important | Error |
| Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | Error |
| Azure.PostgreSQL.GeoRedundantBackup | Azure Database for PostgreSQL should store backups in geo-redundant storage. | Important | Error |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error |
| Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical | Error |

Azure Kubernetes Service

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important | Error |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important | Error |
| Azure.AKS.AutoScaling | Use autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. | Important | Error |
| Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | Important | Error |
| Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | Important | Error |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use the Azure Policy Add-on for Kubernetes. | Important | Error |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes authorization with AKS clusters. | Important | Error |
| Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | Important | Error |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important | Error |
| Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefixes should meet naming requirements. | Awareness | Error |
| Azure.AKS.EphemeralOSDisk | AKS clusters should use ephemeral OS disks, which can provide lower read/write latency along with faster node scaling and cluster upgrades. | Important | Warning |
| Azure.AKS.HttpAppRouting | Disable the HTTP application routing add-on in AKS clusters. | Important | Error |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC-assigned permissions. | Important | Error |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | Error |
| Azure.AKS.MinNodeCount | AKS clusters should have a minimum number of nodes for failover and updates. | Important | Error |
| Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error |
| Azure.AKS.NetworkPolicy | Deploy AKS clusters with network policies enabled. | Important | Error |
| Azure.AKS.NodeMinPods | Azure Kubernetes Service (AKS) nodes should use a minimum number of pods. | Important | Error |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important | Error |
| Azure.AKS.PodIdentity | Configure AKS clusters to use AAD pod identities to access Azure resources securely. | Important | Error |
| Azure.AKS.PoolScaleSet | Deploy AKS clusters with node pools based on VM scale sets. | Important | Error |
| Azure.AKS.PoolVersion | AKS node pools should match the Kubernetes control plane version. | Important | Error |
| Azure.AKS.SecretStore | Deploy AKS clusters with the Secrets Store CSI Driver and store secrets in Key Vault. | Important | Error |
| Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error |
| Azure.AKS.StandardLB | Azure Kubernetes Service (AKS) clusters should use a Standard load balancer SKU. | Important | Error |
| Azure.AKS.UptimeSLA | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | Important | Error |
| Azure.AKS.UseRBAC | Deploy AKS clusters with role-based access control (RBAC) enabled. | Important | Error |
| Azure.AKS.Version | AKS control plane and node pools should use a current stable release. | Important | Error |

Bastion

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Bastion.Name | Bastion hosts should meet naming requirements. | Awareness | Error |

Cognitive Search

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | Important | Error |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important | Error |
| Azure.Search.Name | Azure Cognitive Search service names should meet naming requirements. | Awareness | Error |
| Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | Important | Error |
| Azure.Search.SKU | Use the Basic and Standard tiers for entry-level workloads. | Critical | Error |

Cognitive Services

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Cognitive.DisableLocalAuth | Authenticate requests to Cognitive Services with Azure AD identities. | Important | Error |
| Azure.Cognitive.ManagedIdentity | Configure managed identities to access Azure resources. | Important | Error |
| Azure.Cognitive.PrivateEndpoints | Use Private Endpoints to access Cognitive Services accounts. | Important | Error |
| Azure.Cognitive.PublicAccess | Restrict access to Cognitive Services accounts to authorized virtual networks. | Important | Error |

Container App

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error |

Container Registry

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ACR.AdminUser | Use Azure AD identities instead of the registry admin user. | Critical | Error |
| Azure.ACR.ContainerScan | Enable vulnerability scanning for container images. | Critical | Error |
| Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | Important | Error |
| Azure.ACR.GeoReplica | Use geo-replicated container registries to complement multi-region container deployments. | Important | Error |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical | Error |
| Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | Important | Error |
| Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness | Error |
| Azure.ACR.Quarantine | Enable container image quarantine, scan, and mark images as verified. | Important | Error |
| Azure.ACR.Retention | Use a retention policy to clean up untagged manifests. | Important | Error |
| Azure.ACR.SoftDelete | Azure Container Registries should have the soft delete policy enabled. | Important | Error |
| Azure.ACR.Usage | Regularly remove deprecated and unneeded images to reduce storage usage. | Important | Error |

Content Delivery Network

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error |
| Azure.CDN.HTTP | Enforce HTTPS for client connections. | Important | Error |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | Error |

Cosmos DB

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | Awareness | Error |
| Azure.Cosmos.DisableMetadataWrite | Use Azure AD identities for management plane operations in Azure Cosmos DB. | Important | Error |

Data Explorer

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error |
| Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error |
| Azure.ADX.SLA | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error |
| Azure.ADX.Usage | Regularly remove unused resources to reduce costs. | Important | Error |

Data Factory

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.DataFactory.Version | Consider migrating to Data Factory v2. | Awareness | Error |

Deployment

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Deployment.AdminUsername | Use secure parameters for sensitive resource properties. | Awareness | Error |
| Azure.Deployment.OuterSecret | Do not use outer deployments when referencing SecureString or SecureObject parameters. | Critical | Error |
| Azure.Deployment.OutputSecretValue | Avoid outputting sensitive deployment values. | Critical | Error |
| Azure.Deployment.SecureValue | Use secure parameters for setting properties of resources that contain sensitive information. | Critical | Error |

Event Grid

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | Important | Error |
| Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | Important | Error |
| Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | Important | Error |

Event Hub

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important | Error |
| Azure.EventHub.Usage | Regularly remove unused resources to reduce costs. | Important | Error |

Firewall

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error |
| Azure.Firewall.Name | Firewall names should meet naming requirements. | Awareness | Error |
| Azure.Firewall.PolicyName | Firewall policy names should meet naming requirements. | Awareness | Error |

Front Door

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.CDN.UseFrontDoor | Use the Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error |
| Azure.FrontDoor.Logs | Audit and monitor access through Front Door. | Important | Error |
| Azure.FrontDoor.MinTLS | Front Door should reject TLS versions older than 1.2. | Critical | Error |
| Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness | Error |
| Azure.FrontDoor.Probe | Configure and enable health probes for each backend pool. | Important | Error |
| Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD instead of GET requests. | Important | Error |
| Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important | Error |
| Azure.FrontDoor.State | Enable the Azure Front Door instance. | Awareness | Error |
| Azure.FrontDoor.UseCaching | Use caching to reduce retrieving content from origins. | Important | Error |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical | Error |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policies must be enabled to protect backend resources. | Critical | Error |
| Azure.FrontDoor.WAF.Mode | Use prevention mode in Front Door Web Application Firewall (WAF) policies to protect backend resources. | Critical | Error |
| Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness | Error |
| Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policies must be enabled to protect backend resources. | Critical | Error |
| Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect backend resources. Avoid configuring rule exclusions. | Critical | Error |
| Azure.FrontDoorWAF.PreventionMode | Use prevention mode in Front Door Web Application Firewall (WAF) policies to protect backend resources. | Critical | Error |
| Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect backend resources. | Critical | Error |

Key Vault

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important | Error |
| Azure.KeyVault.AutoRotationPolicy | Key Vault keys should have auto-rotation enabled. | Important | Error |
| Azure.KeyVault.KeyName | Key Vault key names should meet naming requirements. | Awareness | Error |
| Azure.KeyVault.Logs | Ensure audit diagnostic logs are enabled to audit Key Vault access. | Important | Error |
| Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness | Error |
| Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important | Error |
| Azure.KeyVault.SecretName | Key Vault secret names should meet naming requirements. | Awareness | Error |
| Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important | Error |

Load Balancer

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.LB.AvailabilityZone | Load balancers deployed with the Standard SKU should be zone-redundant for high availability. | Important | Error |
| Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness | Error |
| Azure.LB.Probe | Use a specific probe for web protocols. | Important | Error |
| Azure.LB.StandardSKU | Load balancers should be deployed with the Standard SKU for production workloads. | Important | Error |

Logic App

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.LogicApp.LimitHTTPTrigger | Limit HTTP request trigger access to trusted IP addresses. | Critical | Error |

Microsoft Defender for Cloud

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | Critical | Error |
| Azure.Defender.Containers | Enable Microsoft Defender for Containers. | Critical | Error |
| Azure.Defender.Servers | Enable Microsoft Defender for Servers. | Critical | Error |
| Azure.Defender.SQL | Enable Defender for SQL servers. | Critical | Error |
| Azure.Defender.SQLOnVM | Enable Defender for SQL servers on machines. | Critical | Error |
| Azure.Defender.Storage | Enable Microsoft Defender for Storage. | Critical | Error |
| Azure.DefenderCloud.Contact | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error |
| Azure.DefenderCloud.Provisioning | Enable auto-provisioning to improve Microsoft Defender for Cloud insights. | Important | Error |

Monitor

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | Important | Error |

Network Security Group

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.NSG.AKSRules | AKS Network Security Groups (NSGs) should not have custom rules. | Awareness | Error |
| Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error |
| Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | Awareness | Error |
| Azure.NSG.DenyAllInbound | Avoid denying all inbound traffic. | Important | Error |
| Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important | Error |
| Azure.NSG.Name | Network Security Group (NSG) names should meet naming requirements. | Awareness | Error |

Policy

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | Awareness | Error |
| Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | Awareness | Error |
| Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error |
| Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | Awareness | Error |
| Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | Awareness | Error |

Private Endpoint

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.PrivateEndpoint.Name | Private Endpoint names should meet naming requirements. | Awareness | Error |

Public IP address

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.PublicIP.AvailabilityZone | Public IP addresses deployed with the Standard SKU should use availability zones in supported regions for high availability. | Important | Error |
| Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | Awareness | Error |
| Azure.PublicIP.IsAttached | Public IP addresses should be attached or removed. | Important | Error |
| Azure.PublicIP.Name | Public IP names should meet naming requirements. | Awareness | Error |
| Azure.PublicIP.StandardSKU | Public IP addresses should be deployed with the Standard SKU for production workloads. | Important | Error |

Recovery Services Vault

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.RSV.Name | Recovery Services vaults should meet naming requirements. | Awareness | Error |
| Azure.RSV.ReplicationAlert | Recovery Services Vaults (RSV) without replication alerts configured may be at risk. | Important | Error |
| Azure.RSV.StorageType | Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. | Important | Error |

Resource Group

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ResourceGroup.Name | Resource Group names should meet naming requirements. | Awareness | Error |

Route table

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.Route.Name | Route table names should meet naming requirements. | Awareness | Error |

Service Bus

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Azure AD identities. | Important | Error |
| Azure.ServiceBus.MinTLS | Enforce namespaces to require that clients send and receive data using TLS 1.2. | Important | Error |
| Azure.ServiceBus.Usage | Regularly remove unused resources to reduce costs. | Important | Error |

Service Fabric

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.ServiceFabric.AAD | Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. | Critical | Error |

SignalR Service

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | Important | Error |
| Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | Awareness | Error |
| Azure.SignalR.SLA | Use SKUs that include an SLA when configuring SignalR Services. | Important | Error |

SQL Database

| Name | Synopsis | Severity | Level |
| --- | --- | --- | --- |
| Azure.SQL.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL databases. | Critical | Error |
| Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important | Error |
| Azure.SQL.Auditing | Enable auditing for Azure SQL logical servers. | Important | Error |
| Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | Awareness | Error |
| Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical servers. | Important | Error |
| Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | Awareness | Error |
| Azure.SQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). | Important | Error |
| Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness | Error |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error |
| Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | Awareness | Error |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error |

SQL Managed Instance#

Name Synopsis Severity Level
Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error

Storage Account#

Name Synopsis Severity Level
Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error
Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error
Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error
Azure.Storage.FileShareSoftDelete Enable file share soft delete on Storage Accounts. Important Error
Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error
Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error
Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error
Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error
Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error
Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error
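The SQL Database and Storage Account rules above name the settings they test but not the ARM template properties involved. The following is an added example written for this page, not code from PSRule for Azure: it evaluates a constructed ARM template (a weak and a hardened storage account, plus a SQL logical server with an over-broad firewall) against a subset of those rules. The property paths, the 10-address and 10-rule thresholds, and the handling of the `0.0.0.0` "allow Azure services" firewall entry are the editor's assumptions about what the rules check; PSRule's own rule definitions are authoritative.

```python
import ipaddress
import json

# Constructed sample ARM template (not from the page). "stweak" and "sqlweak"
# carry the defaults a rule should flag; "sthardened" shows the passing shape.
TEMPLATE = json.loads(r'''
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "stweak",
   "sku": {"name": "Standard_LRS"},
   "properties": {"minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": false,
                  "allowBlobPublicAccess": true, "networkAcls": {"defaultAction": "Allow"}}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "sthardened",
   "sku": {"name": "Standard_GRS"},
   "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": true,
                  "allowBlobPublicAccess": false,
                  "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}},
  {"type": "Microsoft.Sql/servers", "name": "sqlweak",
   "properties": {"minimalTlsVersion": "1.1",
                  "administrators": {"administratorType": "ActiveDirectory",
                                     "login": "dba-group",
                                     "sid": "00000000-0000-0000-0000-000000000000"}}},
  {"type": "Microsoft.Sql/servers/firewallRules", "name": "sqlweak/AllowAllWindowsAzureIps",
   "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
  {"type": "Microsoft.Sql/servers/firewallRules", "name": "sqlweak/office",
   "properties": {"startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"}}
]}
''')

GRS_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}
MAX_FIREWALL_IPS = 10       # assumed threshold for Azure.SQL.FirewallIPRange
MAX_FIREWALL_RULES = 10     # assumed threshold for Azure.SQL.FirewallRuleCount
AZURE_SERVICES_SENTINEL = ("0.0.0.0", "0.0.0.0")  # the "allow Azure services" rule


def prop(resource, path, default=None):
    """Walk a dotted path such as 'properties.networkAcls.defaultAction'."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_storage_account(res):
    """Return {rule name: passed} for the Storage Account rules modelled here."""
    return {
        "Azure.Storage.MinTLS": prop(res, "properties.minimumTlsVersion") == "TLS1_2",
        "Azure.Storage.SecureTransfer": prop(res, "properties.supportsHttpsTrafficOnly") is True,
        "Azure.Storage.BlobPublicAccess": prop(res, "properties.allowBlobPublicAccess") is False,
        "Azure.Storage.Firewall": prop(res, "properties.networkAcls.defaultAction") == "Deny",
        "Azure.Storage.UseReplication": prop(res, "sku.name") in GRS_SKUS,
    }


def _range_size(rule):
    """Number of IPv4 addresses an inclusive start/end firewall rule admits."""
    start = ipaddress.ip_address(prop(rule, "properties.startIpAddress"))
    end = ipaddress.ip_address(prop(rule, "properties.endIpAddress"))
    return int(end) - int(start) + 1


def check_sql_server(res, firewall_rules):
    """Return {rule name: passed} for a logical server and its firewall rules."""
    sentinel = [r for r in firewall_rules
                if (prop(r, "properties.startIpAddress"),
                    prop(r, "properties.endIpAddress")) == AZURE_SERVICES_SENTINEL]
    explicit = [r for r in firewall_rules if r not in sentinel]  # real address ranges only
    return {
        "Azure.SQL.MinTLS": prop(res, "properties.minimalTlsVersion") == "1.2",
        "Azure.SQL.AAD": prop(res, "properties.administrators.administratorType") == "ActiveDirectory",
        "Azure.SQL.AllowAzureAccess": not sentinel,
        "Azure.SQL.FirewallRuleCount": len(firewall_rules) <= MAX_FIREWALL_RULES,
        "Azure.SQL.FirewallIPRange": sum(_range_size(r) for r in explicit) <= MAX_FIREWALL_IPS,
    }


def evaluate(template):
    """Run the checks over every resource; returns {resource name: {rule: passed}}."""
    resources = template["resources"]
    results = {}
    for res in resources:
        if res["type"] == "Microsoft.Storage/storageAccounts":
            results[res["name"]] = check_storage_account(res)
        elif res["type"] == "Microsoft.Sql/servers":
            # Child firewall rules are named "<server>/<rule>" in a flat template.
            rules = [r for r in resources
                     if r["type"] == "Microsoft.Sql/servers/firewallRules"
                     and r["name"].split("/")[0] == res["name"]]
            results[res["name"]] = check_sql_server(res, rules)
    return results


def failures(template):
    """Sorted list of (resource, rule) pairs that did not pass."""
    return sorted((name, rule)
                  for name, checks in evaluate(template).items()
                  for rule, ok in checks.items() if not ok)


if __name__ == "__main__":
    for name, rule in failures(TEMPLATE):
        print(f"FAIL {name}: {rule}")
```

Running it lists eight failures: all five storage checks for `stweak`, and `Azure.SQL.MinTLS`, `Azure.SQL.AllowAzureAccess` and `Azure.SQL.FirewallIPRange` for `sqlweak`; `sthardened` passes everything. The `0.0.0.0` sentinel is deliberately excluded from the address count so that `AllowAzureAccess` and `FirewallIPRange` report distinct problems rather than the same one twice.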

Subscription#

Name Synopsis Severity Level
Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error
Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Error
Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error
Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error
Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error
Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error

Traffic Manager#

Name Synopsis Severity Level
Azure.TrafficManager.Endpoints Traffic Manager should use at least two enabled endpoints. Important Error
Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error

User Assigned Managed Identity#

Name Synopsis Severity Level
Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error

Virtual Machine#

Name Synopsis Severity Level
Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error
Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error
Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error
Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error
Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error
Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error
Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error
Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error
Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error
Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error
Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error
Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error
Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error
Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error
Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error
Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error
Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error
Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error
Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error
Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error
Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error
Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error
Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error
Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error
Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error
Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error
Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error

Virtual Machine Scale Sets#

Name Synopsis Severity Level
Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error
Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error
Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error
Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error
Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error
Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error

Virtual Network#

Name Synopsis Severity Level
Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out-of-band remote access to VMs. Important Error
Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error
Azure.VNET.LocalDNS Virtual networks (VNETs) should use Azure local DNS servers. Important Error
Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error
Azure.VNET.PeerState VNET peering connections must be connected. Important Error
Azure.VNET.SingleDNS VNETs should have at least two DNS servers assigned. Important Error
Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error
Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error

Virtual Network Gateway#

Name Synopsis Severity Level
Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error
Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error
Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error
Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error
Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error
Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error
Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error

Virtual WAN#

Name Synopsis Severity Level
Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error

Web PubSub Service#

Name Synopsis Severity Level
Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error
Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error

Last update: 2022-12-16