azure
The included Azure checks are listed below. For more information about each check, see the link provided.
| Checks |
|---|
| azure-appservice-account-identity-registered Web App has registration with AD enabled |
| azure-appservice-authentication-enabled App Service authentication is activated |
| azure-appservice-detailed-error-messages-enabled App service disables detailed error messages |
| azure-appservice-dotnet-framework-version Azure App Service Web app does not use the latest .Net Core version |
| azure-appservice-enable-http2 Web App uses the latest HTTP version |
| azure-appservice-enable-https-only Ensure App Service can only be accessed via HTTPS. The default is false |
| azure-appservice-failed-request-tracing-enabled App service does not enable failed request tracing |
| azure-appservice-ftp-deployments-disabled Ensure FTP Deployments are disabled |
| azure-appservice-http-logs-enabled App service does not enable HTTP logging |
| azure-appservice-php-version Azure App Service Web app does not use the latest PHP version |
| azure-appservice-python-version Azure App Service Web app does not use the latest Python version |
| azure-appservice-require-client-cert Web App accepts incoming client certificate |
| azure-appservice-use-secure-tls-policy Web App uses latest TLS version |
| azure-authorization-limit-role-actions Roles limited to the required actions |
| azure-compute-disable-password-authentication Password authentication should be disabled on Azure virtual machines |
| azure-compute-enable-disk-encryption Enable disk encryption on managed disk |
| azure-compute-no-secrets-in-custom-data Ensure that no sensitive credentials are exposed in VM custom_data |
| azure-compute-ssh-authentication Password authentication in use instead of SSH keys. |
| azure-container-configured-network-policy Ensure AKS cluster has Network Policy configured |
| azure-container-limit-authorized-ips Ensure AKS has an API Server Authorized IP Ranges enabled |
| azure-container-logging Ensure AKS logging to Azure Monitoring is Configured |
| azure-container-use-rbac-permissions Ensure RBAC is enabled on AKS clusters |
| azure-database-enable-audit Auditing should be enabled on Azure SQL Databases |
| azure-database-enable-ssl-enforcement SSL should be enforced on database connections where applicable |
| azure-database-mysql-threat-detection-enabled Ensure databases are not publicly accessible |
| azure-database-no-public-access Ensure databases are not publicly accessible |
| azure-database-no-public-firewall-access Ensure database firewalls do not permit public access |
| azure-database-postgres-configuration-log-checkpoints Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
| azure-database-postgres-configuration-log-connection-throttling Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
| azure-database-postgres-configuration-log-connections Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server |
| azure-database-retention-period-set Database auditing rentention period should be longer than 90 days |
| azure-database-secure-tls-policy Databases should have the minimum TLS set for connections |
| azure-datafactory-no-public-access Data Factory should have public access disabled, the default is enabled. |
| azure-datalake-enable-at-rest-encryption Unencrypted data lake storage. |
| azure-functionapp-authentication-enabled Function App authentication is activated |
| azure-functionapp-enable-http2 Web App uses the latest HTTP version |
| azure-keyvault-content-type-for-secret Key vault Secret should have a content type set |
| azure-keyvault-ensure-key-expiry Ensure that the expiration date is set on all keys |
| azure-keyvault-ensure-secret-expiry Key Vault Secret should have an expiration date set |
| azure-keyvault-no-purge Key vault should have purge protection enabled |
| azure-keyvault-specify-network-acl Key vault should have the network acl block specified |
| azure-monitor-activity-log-retention-set Ensure the activity retention log is set to at least a year |
| azure-monitor-capture-all-activities Ensure log profile captures all activities |
| azure-monitor-capture-all-regions Ensure activitys are captured for all locations |
| azure-mssql-all-threat-alerts-enabled No threat detections are set |
| azure-mssql-threat-alert-email-set At least one email address is set for threat alerts |
| azure-mssql-threat-alert-email-to-owner Security threat alerts go to subcription owners and co-administrators |
| azure-network-disable-rdp-from-internet RDP access should not be accessible from the Internet, should be blocked on port 3389 |
| azure-network-no-public-egress An outbound network security rule allows traffic to /0. |
| azure-network-no-public-ingress An inbound network security rule allows traffic from /0. |
| azure-network-retention-policy-set Retention policy for flow logs should be enabled and set to greater than 90 days |
| azure-network-ssh-blocked-from-internet SSH access should not be accessible from the Internet, should be blocked on port 22 |
| azure-security-center-alert-on-severe-notifications Send notification emails for high severity alerts |
| azure-security-center-defender-on-appservices Ensure Azure Defender is set to On for container registries |
| azure-security-center-defender-on-container-registry Ensure Azure Defender is set to On for container registries |
| azure-security-center-defender-on-keyvault Ensure Azure Defender is set to On for key vaults |
| azure-security-center-defender-on-kubernetes Ensure Azure Defender is set to On for Kubernetes |
| azure-security-center-defender-on-servers Ensure Azure Defender is set to On for Servers |
| azure-security-center-defender-on-sql-servers Ensure Azure Defender is set to On for SQL Servers |
| azure-security-center-defender-on-sql-servers-vms Ensure Azure Defender is set to On for Sql Server on Machines |
| azure-security-center-defender-on-storage Ensure Azure Defender is set to On for storage accounts |
| azure-security-center-enable-standard-subscription Enable the standard security center subscription tier |
| azure-security-center-set-required-contact-details The required contact details should be set for security center |
| azure-storage-allow-microsoft-service-bypass Trusted Microsoft Services should have bypass access to Storage accounts |
| azure-storage-container-activity-logs-not-public Ensure public access level for Blob Containers is set to private |
| azure-storage-default-action-deny The default action on Storage account network rules should be set to deny |
| azure-storage-enforce-https Storage accounts should be configured to only accept transfers that are over secure connections |
| azure-storage-no-public-access Storage containers in blob storage mode should not have public access |
| azure-storage-queue-services-logging-enabled When using Queue Services for a storage account, logging should be enabled. |
| azure-storage-use-secure-tls-policy The minimum TLS version for Storage Accounts should be TLS1_2 |
| azure-synapse-virtual-network-enabled Synapse Workspace should have managed virtual network enabled, the default is disabled. |