
# Rules by resource type

PSRule for Azure includes the following rules organized by resource type.

## All resources

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | Awareness |
| Azure.Resource.UseTags | Azure resources should be tagged using a standard convention. | Awareness |
| Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | Awareness |
| Azure.Template.DefineParameters | Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. | Awareness |
| Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to resource group location. | Awareness |
| Azure.Template.LocationType | Location parameters should use a string value. | Important |
| Azure.Template.MetadataLink | Configure a metadata link for each parameter file. | Important |
| Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | Important |
| Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | Important |
| Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | Awareness |
| Azure.Template.ParameterMinMaxValue | Template parameters minValue and maxValue constraints must be valid. | Important |
| Azure.Template.ParameterScheme | Use an Azure template parameter file schema with the https scheme. | Awareness |
| Azure.Template.ParameterValue | Specify a value for each parameter in template parameter files. | Awareness |
| Azure.Template.ResourceLocation | Template resource location should be an expression or global. | Awareness |
| Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | Awareness |
| Azure.Template.TemplateFile | Use ARM template files that are valid. | Important |
| Azure.Template.TemplateSchema | Use a more recent version of the Azure template schema. | Awareness |
| Azure.Template.TemplateScheme | Use an Azure template file schema with the https scheme. | Awareness |
| Azure.Template.UseLocationParameter | Template should reference a location parameter to specify resource location. | Awareness |
| Azure.Template.UseParameters | Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. | Awareness |
| Azure.Template.UseVariables | Each Azure Resource Manager (ARM) template variable should be used or removed from template files. | Awareness |
| Azure.Template.ValidSecretRef | Use a valid secret reference within parameter files. | Awareness |

## API Management

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.APIM.APIDescriptors | API Management APIs should have a display name and description. | Awareness |
| Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | Important |
| Azure.APIM.EncryptValues | API Management named values should be encrypted. | Important |
| Azure.APIM.HTTPBackend | Use HTTPS for communication to backend services. | Critical |
| Azure.APIM.HTTPEndpoint | Enforce HTTPS for communication to API clients. | Important |
| Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.APIM.Name | API Management service names should meet naming requirements. | Awareness |
| Azure.APIM.ProductApproval | Configure products to require approval. | Important |
| Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | Awareness |
| Azure.APIM.ProductSubscription | Configure products to require a subscription. | Important |
| Azure.APIM.ProductTerms | Set legal terms for each product registered in API Management. | Important |
| Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2. | Important |
| Azure.APIM.SampleProducts | Remove starter and unlimited sample products. | Awareness |

## App Configuration

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | Awareness |
| Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | Important |

## App Service

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | Important |
| Azure.AppService.ARRAffinity | Disable client affinity for stateless services. | Awareness |
| Azure.AppService.HTTP2 | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness |
| Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.AppService.MinPlan | Use at least a Standard App Service Plan. | Important |
| Azure.AppService.MinTLS | App Service should reject TLS versions older than 1.2. | Critical |
| Azure.AppService.NETVersion | Configure applications to use newer .NET Framework versions. | Important |
| Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | Important |
| Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | Important |
| Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | Important |
| Azure.AppService.UseHTTPS | Azure App Service apps should only accept encrypted connections. | Important |

## Application Gateway

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.AppGw.AvailabilityZone | Application gateways deployed with a V2 SKU (Standard_v2, WAF_v2) should use availability zones in supported regions for high availability. | Important |
| Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | Important |
| Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | Important |
| Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | Important |
| Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | Critical |
| Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | Critical |
| Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical |
| Azure.AppGw.UseWAF | Internet accessible Application Gateways should protect endpoints with WAF. | Critical |
| Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical |
| Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Important |

## Application Insights

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.AppInsights.Name | Azure Application Insights resource names should meet naming requirements. | Awareness |
| Azure.AppInsights.Workspace | Configure Application Insights resources to store data in workspaces. | Important |

## Automation Service

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | Important |
| Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness |

## Azure Cache for Redis

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Redis.MaxMemoryReserved | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important |
| Azure.Redis.MinSKU | Use Azure Cache for Redis instances of at least Standard C1. | Important |
| Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | Critical |
| Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | Critical |

## Azure Database for MySQL

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | Awareness |
| Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | Critical |

## Azure Database for PostgreSQL

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical |
| Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | Awareness |
| Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | Critical |

## Azure Kubernetes Service

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important |
| Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | Important |
| Azure.AKS.AutoScaling | Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. | Important |
| Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | Important |
| Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | Important |
| Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important |
| Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important |
| Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | Important |
| Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | Important |
| Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness |
| Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | Important |
| Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | Important |
| Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important |
| Azure.AKS.MinNodeCount | AKS clusters should have a minimum number of nodes for failover and updates. | Important |
| Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness |
| Azure.AKS.NetworkPolicy | Deploy AKS clusters with Azure Network Policies enabled. | Important |
| Azure.AKS.NodeMinPods | Azure Kubernetes Service (AKS) nodes should use a minimum number of pods. | Important |
| Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important |
| Azure.AKS.PoolScaleSet | Deploy AKS clusters with node pools based on VM scale sets. | Important |
| Azure.AKS.PoolVersion | AKS node pools should match the Kubernetes control plane version. | Important |
| Azure.AKS.StandardLB | Azure Kubernetes Service (AKS) clusters should use a Standard load balancer SKU. | Important |
| Azure.AKS.UseRBAC | Deploy AKS clusters with role-based access control (RBAC) enabled. | Important |
| Azure.AKS.Version | AKS control plane and node pools should use a current stable release. | Important |

## Cognitive Search

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | Important |
| Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | Important |
| Azure.Search.Name | Azure Cognitive Search service names should meet naming requirements. | Awareness |
| Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | Important |
| Azure.Search.SKU | Use the basic and standard tiers for entry level workloads. | Critical |

## Container Registry

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.ACR.AdminUser | Use Azure AD identities instead of using the registry admin user. | Critical |
| Azure.ACR.ContainerScan | Enable vulnerability scanning for container images. | Critical |
| Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | Important |
| Azure.ACR.GeoReplica | Use geo-replicated container registries to complement multi-region container deployments. | Important |
| Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | Critical |
| Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | Important |
| Azure.ACR.Name | Container registry names should meet naming requirements. | Awareness |
| Azure.ACR.Quarantine | Enable container image quarantine, scan, and mark images as verified. | Important |
| Azure.ACR.Retention | Use a retention policy to clean up untagged manifests. | Important |
| Azure.ACR.Usage | Regularly remove deprecated and unneeded images to reduce storage usage. | Important |

## Content Delivery Network

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | Awareness |
| Azure.CDN.HTTP | Enforce HTTPS for client connections. | Important |
| Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | Important |

## Cosmos DB

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | Awareness |
| Azure.Cosmos.DisableMetadataWrite | Use Azure AD identities for management plane operations in Azure Cosmos DB. | Important |

## Data Factory

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.DataFactory.Version | Consider migrating to DataFactory v2. | Awareness |

## Firewall

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains. | Critical |

## Front Door

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.FrontDoor.Logs | Audit and monitor access through Front Door. | Important |
| Azure.FrontDoor.MinTLS | Front Door should reject TLS versions older than 1.2. | Critical |
| Azure.FrontDoor.Name | Front Door names should meet naming requirements. | Awareness |
| Azure.FrontDoor.Probe | Configure and enable health probes for each backend pool. | Important |
| Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD instead of GET requests. | Important |
| Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | Important |
| Azure.FrontDoor.State | Enable Azure Front Door instance. | Awareness |
| Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical |
| Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect backend resources. | Critical |
| Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect backend resources. | Critical |
| Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | Awareness |

## Key Vault

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.KeyVault.AccessPolicy | Use the principle of least privilege when assigning access to Key Vault. | Important |
| Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | Awareness |
| Azure.KeyVault.Logs | Audit and monitor access to Key Vault data. | Important |
| Azure.KeyVault.Name | Key Vault names should meet naming requirements. | Awareness |
| Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important |
| Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | Awareness |
| Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important |

## Load Balancer

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.LB.AvailabilityZone | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important |
| Azure.LB.Name | Load Balancer names should meet naming requirements. | Awareness |
| Azure.LB.Probe | Use a specific probe for web protocols. | Important |
| Azure.LB.StandardSKU | Load balancers should be deployed with Standard SKU for production workloads. | Important |

## Logic App

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.LogicApp.LimitHTTPTrigger | Limit HTTP request trigger access to trusted IP addresses. | Critical |

## Monitor

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | Important |

## Network Security Group

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.NSG.AnyInboundSource | Network Security Groups (NSGs) should avoid rules that allow any inbound source. | Critical |
| Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | Awareness |
| Azure.NSG.DenyAllInbound | Avoid denying all inbound traffic. | Important |
| Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | Important |
| Azure.NSG.Name | Network Security Group (NSG) names should meet naming requirements. | Awareness |

## Policy

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | Awareness |
| Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | Awareness |
| Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | Awareness |
| Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | Awareness |
| Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | Awareness |

## Public IP address

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.PublicIP.AvailabilityZone | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important |
| Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | Awareness |
| Azure.PublicIP.IsAttached | Public IP address should be attached or removed. | Important |
| Azure.PublicIP.Name | Public IP names should meet naming requirements. | Awareness |
| Azure.PublicIP.StandardSKU | Public IP addresses should be deployed with Standard SKU for production workloads. | Important |

## Resource Group

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.ResourceGroup.Name | Resource Group names should meet naming requirements. | Awareness |

## Route table

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Route.Name | Route table names should meet naming requirements. | Awareness |

## Security Center

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.SecurityCenter.Contact | Security Center email and phone contact details should be set. | Important |
| Azure.SecurityCenter.Provisioning | Enable auto-provisioning to improve Azure Security Center insights. | Important |

## Service Fabric

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.ServiceFabric.AAD | Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. | Critical |

## SignalR Service

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | Awareness |

## SQL Database

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.SQL.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL databases. | Critical |
| Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | Important |
| Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | Important |
| Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | Awareness |
| Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | Awareness |
| Azure.SQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | Important |
| Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | Awareness |
| Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical |
| Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | Awareness |
| Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical |
| Azure.SQL.ThreatDetection | Enable Advanced Threat Protection for Azure SQL logical server. | Important |

## SQL Managed Instance

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.SQLMI.Name | SQL Managed Instance names should meet naming requirements. | Awareness |

## Storage Account

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.Storage.BlobAccessType | Storage Accounts use containers configured with an access type other than Private. | Important |
| Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | Important |
| Azure.Storage.Firewall | Storage Accounts should only accept explicitly allowed traffic. | Important |
| Azure.Storage.MinTLS | Storage Accounts should reject TLS versions older than 1.2. | Critical |
| Azure.Storage.Name | Storage Account names should meet naming requirements. | Awareness |
| Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | Important |
| Azure.Storage.SoftDelete | Enable blob soft delete on Storage Accounts. | Important |
| Azure.Storage.UseReplication | Storage Accounts not using geo-replicated storage (GRS) may be at risk. | Important |

## Subscription

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | Important |
| Azure.RBAC.LimitMGDelegation | Limit Role-Based Access Control (RBAC) inheritance from Management Groups. | Important |
| Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | Important |
| Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | Important |
| Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | Important |
| Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | Important |

## Traffic Manager

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.TrafficManager.Endpoints | Traffic Manager should use at least two enabled endpoints. | Important |
| Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | Important |

## Virtual Machine

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.VM.AcceleratedNetworking | Use accelerated networking for supported operating systems and VM types. | Important |
| Azure.VM.ADE | Use Azure Disk Encryption (ADE). | Important |
| Azure.VM.Agent | Ensure the VM agent is provisioned automatically. | Important |
| Azure.VM.ASAlignment | Use availability sets aligned with managed disks fault domains. | Important |
| Azure.VM.ASMinMembers | Availability sets should be deployed with at least two members. | Important |
| Azure.VM.ASName | Availability Set names should meet naming requirements. | Awareness |
| Azure.VM.BasicSku | Virtual machines (VMs) should not use Basic sizes. | Important |
| Azure.VM.ComputerName | Virtual Machine (VM) computer name should meet naming requirements. | Awareness |
| Azure.VM.DiskAttached | Managed disks should be attached to virtual machines or removed. | Important |
| Azure.VM.DiskCaching | Check disk caching is configured correctly for the workload. | Important |
| Azure.VM.DiskName | Managed Disk names should meet naming requirements. | Awareness |
| Azure.VM.DiskSizeAlignment | Align to the Managed Disk billing model to improve cost efficiency. | Awareness |
| Azure.VM.Name | Virtual Machine (VM) names should meet naming requirements. | Awareness |
| Azure.VM.NICAttached | Network interfaces (NICs) should be attached. | Awareness |
| Azure.VM.NICName | Network Interface (NIC) names should meet naming requirements. | Awareness |
| Azure.VM.PPGName | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness |
| Azure.VM.PromoSku | Virtual machines (VMs) should not use expired promotional SKUs. | Awareness |
| Azure.VM.PublicKey | Linux virtual machines should use public keys. | Important |
| Azure.VM.Standalone | VMs must use premium disks or use availability sets/zones to meet SLA requirements. | Important |
| Azure.VM.UniqueDns | Network interfaces (NICs) should inherit DNS from virtual networks. | Awareness |
| Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | Important |
| Azure.VM.UseHybridUseBenefit | Use Hybrid Use Benefit (HUB) for applicable virtual machine (VM) workloads. | Awareness |
| Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | Important |

## Virtual Machine Scale Sets

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.VMSS.ComputerName | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | Awareness |
| Azure.VMSS.Name | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | Awareness |

## Virtual Network

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.VNET.LocalDNS | Virtual networks (VNETs) should use Azure local DNS servers. | Important |
| Azure.VNET.Name | Virtual Network (VNET) names should meet naming requirements. | Awareness |
| Azure.VNET.PeerState | VNET peering connections must be connected. | Important |
| Azure.VNET.SingleDNS | VNETs should have at least two DNS servers assigned. | Important |
| Azure.VNET.SubnetName | Subnet names should meet naming requirements. | Awareness |
| Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical |

## Virtual Network Gateway

| Name | Synopsis | Severity |
| --- | --- | --- |
| Azure.VNG.ConnectionName | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness |
| Azure.VNG.ERLegacySKU | Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. | Important |
| Azure.VNG.Name | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness |
| Azure.VNG.VPNActiveActive | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important |
| Azure.VNG.VPNLegacySKU | Migrate from legacy SKUs to improve reliability and performance of VPN gateways. | Important |

Last update: 2021-09-24