azure

The included Azure checks are listed below. For more information about each check, see the link provided.

Checks
| Check | Description |
|---|---|
| azure-appservice-account-identity-registered | Web App has registration with AD enabled |
| azure-appservice-authentication-enabled | App Service authentication is activated |
| azure-appservice-detailed-error-messages-enabled | App service disables detailed error messages |
| azure-appservice-dotnet-framework-version | Azure App Service Web app does not use the latest .Net Core version |
| azure-appservice-enable-http2 | Web App uses the latest HTTP version |
| azure-appservice-enable-https-only | Ensure App Service can only be accessed via HTTPS. The default is false. |
| azure-appservice-failed-request-tracing-enabled | App service does not enable failed request tracing |
| azure-appservice-ftp-deployments-disabled | Ensure FTP Deployments are disabled |
| azure-appservice-http-logs-enabled | App service does not enable HTTP logging |
| azure-appservice-php-version | Azure App Service Web app does not use the latest PHP version |
| azure-appservice-python-version | Azure App Service Web app does not use the latest Python version |
| azure-appservice-require-client-cert | Web App accepts incoming client certificate |
| azure-appservice-use-secure-tls-policy | Web App uses latest TLS version |
| azure-authorization-limit-role-actions | Roles limited to the required actions |
| azure-compute-disable-password-authentication | Password authentication should be disabled on Azure virtual machines |
| azure-compute-enable-disk-encryption | Enable disk encryption on managed disk |
| azure-compute-no-secrets-in-custom-data | Ensure that no sensitive credentials are exposed in VM custom_data |
| azure-compute-ssh-authentication | Password authentication in use instead of SSH keys. |
| azure-container-configured-network-policy | Ensure AKS cluster has Network Policy configured |
| azure-container-limit-authorized-ips | Ensure AKS has an API Server Authorized IP Ranges enabled |
| azure-container-logging | Ensure AKS logging to Azure Monitoring is Configured |
| azure-container-use-rbac-permissions | Ensure RBAC is enabled on AKS clusters |
| azure-database-enable-audit | Auditing should be enabled on Azure SQL Databases |
| azure-database-enable-ssl-enforcement | SSL should be enforced on database connections where applicable |
| azure-database-mysql-threat-detection-enabled | Ensure databases are not publicly accessible |
| azure-database-no-public-access | Ensure databases are not publicly accessible |
| azure-database-no-public-firewall-access | Ensure database firewalls do not permit public access |
| azure-database-postgres-configuration-log-checkpoints | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
| azure-database-postgres-configuration-log-connection-throttling | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
| azure-database-postgres-configuration-log-connections | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server |
| azure-database-retention-period-set | Database auditing retention period should be longer than 90 days |
| azure-database-secure-tls-policy | Databases should have the minimum TLS set for connections |
| azure-datafactory-no-public-access | Data Factory should have public access disabled; the default is enabled. |
| azure-datalake-enable-at-rest-encryption | Unencrypted data lake storage. |
| azure-functionapp-authentication-enabled | Function App authentication is activated |
| azure-functionapp-enable-http2 | Web App uses the latest HTTP version |
| azure-keyvault-content-type-for-secret | Key vault Secret should have a content type set |
| azure-keyvault-ensure-key-expiry | Ensure that the expiration date is set on all keys |
| azure-keyvault-ensure-secret-expiry | Key Vault Secret should have an expiration date set |
| azure-keyvault-no-purge | Key vault should have purge protection enabled |
| azure-keyvault-specify-network-acl | Key vault should have the network acl block specified |
| azure-monitor-activity-log-retention-set | Ensure the activity retention log is set to at least a year |
| azure-monitor-capture-all-activities | Ensure log profile captures all activities |
| azure-monitor-capture-all-regions | Ensure activities are captured for all locations |
| azure-mssql-all-threat-alerts-enabled | No threat detections are set |
| azure-mssql-threat-alert-email-set | At least one email address is set for threat alerts |
| azure-mssql-threat-alert-email-to-owner | Security threat alerts go to subscription owners and co-administrators |
| azure-network-disable-rdp-from-internet | RDP access should not be reachable from the Internet; it should be blocked on port 3389 |
| azure-network-no-public-egress | An outbound network security rule allows traffic to /0. |
| azure-network-no-public-ingress | An inbound network security rule allows traffic from /0. |
| azure-network-retention-policy-set | Retention policy for flow logs should be enabled and set to greater than 90 days |
| azure-network-ssh-blocked-from-internet | SSH access should not be reachable from the Internet; it should be blocked on port 22 |
| azure-security-center-alert-on-severe-notifications | Send notification emails for high severity alerts |
| azure-security-center-defender-on-appservices | Ensure Azure Defender is set to On for container registries |
| azure-security-center-defender-on-container-registry | Ensure Azure Defender is set to On for container registries |
| azure-security-center-defender-on-keyvault | Ensure Azure Defender is set to On for key vaults |
| azure-security-center-defender-on-kubernetes | Ensure Azure Defender is set to On for Kubernetes |
| azure-security-center-defender-on-servers | Ensure Azure Defender is set to On for Servers |
| azure-security-center-defender-on-sql-servers | Ensure Azure Defender is set to On for SQL Servers |
| azure-security-center-defender-on-sql-servers-vms | Ensure Azure Defender is set to On for SQL Server on Machines |
| azure-security-center-defender-on-storage | Ensure Azure Defender is set to On for storage accounts |
| azure-security-center-enable-standard-subscription | Enable the standard security center subscription tier |
| azure-security-center-set-required-contact-details | The required contact details should be set for security center |
| azure-storage-allow-microsoft-service-bypass | Trusted Microsoft Services should have bypass access to Storage accounts |
| azure-storage-container-activity-logs-not-public | Ensure public access level for Blob Containers is set to private |
| azure-storage-default-action-deny | The default action on Storage account network rules should be set to deny |
| azure-storage-enforce-https | Storage accounts should be configured to only accept transfers that are over secure connections |
| azure-storage-no-public-access | Storage containers in blob storage mode should not have public access |
| azure-storage-queue-services-logging-enabled | When using Queue Services for a storage account, logging should be enabled. |
| azure-storage-use-secure-tls-policy | The minimum TLS version for Storage Accounts should be TLS1_2 |
| azure-synapse-virtual-network-enabled | Synapse Workspace should have managed virtual network enabled; the default is disabled. |