* Documentation quality updates

* Additional updates
This commit is contained in:
Bernie White 2023-07-09 17:08:34 +10:00 коммит произвёл GitHub
Родитель bc6e672b15
Коммит 2e75d87cae
51 изменённых файлов: 1128 добавлений и 283 удалений

.vscode/yaml.code-snippets поставляемый

@ -11,13 +11,14 @@
" name: ${1}",
" ref: AZR-000nnn",
" tags:",
" release: 'GA'",
" ruleSet: '${3}'",
" release: GA",
" ruleSet: ${3}",
" Azure.WAF/pillar: ${4}",
"spec:",
" type:",
" - ${4}",
" - ${5}",
" condition:",
" ${5}"
" ${6}"
]
}
}


@ -261,7 +261,7 @@ Name | Synopsis | Severity
[Azure.RBAC.UseGroups](../rules/Azure.RBAC.UseGroups.md) | Use groups for assigning permissions instead of individual user accounts. | Important
[Azure.RBAC.UseRGDelegation](../rules/Azure.RBAC.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Important
[Azure.Redis.AvailabilityZone](../rules/Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
[Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
[Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important


@ -249,7 +249,7 @@ Name | Synopsis | Severity
[Azure.RBAC.UseGroups](../rules/Azure.RBAC.UseGroups.md) | Use groups for assigning permissions instead of individual user accounts. | Important
[Azure.RBAC.UseRGDelegation](../rules/Azure.RBAC.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Important
[Azure.Redis.AvailabilityZone](../rules/Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
[Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
[Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important


@ -197,7 +197,7 @@ Name | Synopsis | Severity
[Azure.RBAC.UseGroups](../rules/Azure.RBAC.UseGroups.md) | Use groups for assigning permissions instead of individual user accounts. | Important
[Azure.RBAC.UseRGDelegation](../rules/Azure.RBAC.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Important
[Azure.Redis.AvailabilityZone](../rules/Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
[Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
[Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important


@ -223,7 +223,7 @@ Name | Synopsis | Severity
[Azure.RBAC.UseGroups](../rules/Azure.RBAC.UseGroups.md) | Use groups for assigning permissions instead of individual user accounts. | Important
[Azure.RBAC.UseRGDelegation](../rules/Azure.RBAC.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Important
[Azure.Redis.AvailabilityZone](../rules/Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
[Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
[Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important


@ -235,7 +235,7 @@ Name | Synopsis | Severity
[Azure.RBAC.UseGroups](../rules/Azure.RBAC.UseGroups.md) | Use groups for assigning permissions instead of individual user accounts. | Important
[Azure.RBAC.UseRGDelegation](../rules/Azure.RBAC.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Important
[Azure.Redis.AvailabilityZone](../rules/Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
[Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
[Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important


@ -6,7 +6,7 @@ Microsoft Cloud Security Benchmark v1.
## Controls
The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 108 rules.
The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 109 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -98,6 +98,7 @@ Name | Synopsis | Severity
[Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
[Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
[Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
[Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
[Azure.Search.ManagedIdentity](../rules/Azure.Search.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important
[Azure.ServiceBus.DisableLocalAuth](../rules/Azure.ServiceBus.DisableLocalAuth.md) | Authenticate Service Bus publishers and consumers with Azure AD identities. | Important
[Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. | Critical


@ -261,7 +261,7 @@ Name | Synopsis | Severity
[Azure.RBAC.UseGroups](../rules/Azure.RBAC.UseGroups.md) | Use groups for assigning permissions instead of individual user accounts. | Important
[Azure.RBAC.UseRGDelegation](../rules/Azure.RBAC.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Important
[Azure.Redis.AvailabilityZone](../rules/Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallIPRange](../rules/Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical
[Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
[Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
[Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important


@ -134,4 +134,8 @@ Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>'
- [Use an Azure managed identity to authenticate to an Azure container registry](https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity)
- [Azure Container Registry roles and permissions](https://learn.microsoft.com/azure/container-registry/container-registry-roles)
- [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#im-1-use-centralized-identity-and-authentication-system)
- [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#im-3-manage-application-identities-securely-and-automatically)
- [PA-1: Separate and limit highly privileged/administrative users](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#pa-1-separate-and-limit-highly-privilegedadministrative-users)
- [Azure Policy Regulatory Compliance controls for Azure Container Registry](https://learn.microsoft.com/azure/container-registry/security-controls-policy)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerregistry/registries)


@ -26,7 +26,7 @@ Use a minimum of Standard for production container registries.
The Premium SKU provides higher image throughput and included storage, and is required for:
- Geo-replication
- Availablity zones
- Availability zones
- Private Endpoints
- Firewall restrictions
- Tokens and scope-maps
@ -39,9 +39,9 @@ Consider using the Premium Container Registry SKU for production deployments.
### Configure with Azure template
To deploy Container Registries that pass this rule:
To deploy registries that pass this rule:
- Set `sku.name` to `Premium` or `Standard`.
- Set the `sku.name` property to `Premium` or `Standard`.
For example:
@ -82,9 +82,9 @@ For example:
### Configure with Bicep
To deploy Container Registries that pass this rule:
To deploy registries that pass this rule:
- Set `sku.name` to `Premium` or `Standard`.
- Set the `sku.name` property to `Premium` or `Standard`.
For example:


@ -16,9 +16,12 @@ Azure Container Registries should have soft delete policy enabled.
Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.
This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.
This feature is available in all the service tiers (also known as SKUs).
For information about registry service tiers, see Azure Container Registry service tiers.
Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.
Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period.
Thereby you have ability to list, filter, and restore the soft deleted artifacts.
Once the retention period is complete, all the soft deleted artifacts are auto-purged.
Current preview limitations:
@ -28,7 +31,7 @@ Current preview limitations:
## RECOMMENDATION
Azure Container Registries should have soft delete policy enabled.
Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.
## EXAMPLES
@ -36,7 +39,7 @@ Azure Container Registries should have soft delete policy enabled.
To deploy an Azure Container Registry that pass this rule:
- Set `properties.policies.softDeletePolicy.status` to `enabled`.
- Set the `properties.policies.softDeletePolicy.status` property to `enabled`.
For example:
@ -79,7 +82,7 @@ For example:
To deploy an Azure Container Registry that pass this rule:
- Set `properties.policies.softDeletePolicy.status` to `enabled`.
- Set the `properties.policies.softDeletePolicy.status` property to `enabled`.
For example:
@ -119,7 +122,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
### Configure with Azure CLI
```bash
az acr config soft-delete update -r MyRegistry --days 90 --status enabled
az acr config soft-delete update -r '<name>' --days 90 --status enabled
```
## LINKS


@ -1,5 +1,5 @@
---
reviewed: 2022/01/22
reviewed: 2022-01-22
severity: Important
pillar: Cost Optimization
category: Reports


@ -1,7 +1,7 @@
---
severity: Important
pillar: Performance Efficiency
category: Capacity planning
category: Application scalability
resource: Azure Kubernetes Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.NodeMinPods/
---
@ -26,6 +26,195 @@ In many environments, deploying DaemonSets for monitoring and management tools c
Consider deploying node pools with a minimum number of pods per node.
## EXAMPLES
### Configure with Azure template
To deploy clusters that pass this rule:
- Set the `properties.agentPoolProfiles[].maxPods` property to at least `50` by default.
For example:
```json
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-04-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"disableLocalAccounts": true,
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": [
{
"name": "system",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 5,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "System",
"osDiskType": "Ephemeral"
},
{
"name": "user",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 20,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "User",
"osDiskType": "Ephemeral"
}
],
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"azurepolicy": {
"enabled": true
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
},
"dependsOn": [
"identity"
]
}
```
### Configure with Bicep
To deploy clusters that pass this rule:
- Set the `properties.agentPoolProfiles[].maxPods` property to at least `50` by default.
For example:
```bicep
resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
location: location
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
disableLocalAccounts: true
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: [
{
name: 'system'
osDiskSizeGB: 0
minCount: 3
maxCount: 5
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'System'
osDiskType: 'Ephemeral'
}
{
name: 'user'
osDiskSizeGB: 0
minCount: 3
maxCount: 20
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'User'
osDiskType: 'Ephemeral'
}
]
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
oidcIssuerProfile: {
enabled: true
}
addonProfiles: {
azurepolicy: {
enabled: true
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
}
```
## NOTES
By default, this rule fails when node pools have `maxPods` set to less than 50.
@ -36,4 +225,6 @@ To configure this rule:
## LINKS
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools#ManagedClusterAgentPoolProfileProperties)
- [Plan for growth](https://learn.microsoft.com/azure/well-architected/scalability/design-scale#plan-for-growth)
- [Plan IP addressing for your cluster](https://learn.microsoft.com/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Performance Efficiency
category: Scalability
category: Application scalability
resource: Azure Kubernetes Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.PoolScaleSet/
---
@ -26,9 +26,198 @@ Multiple node pools and the cluster autoscaler can be used to improve the scalab
Using VM scale sets is a deployment time configuration.
Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.
## EXAMPLES
### Configure with Azure template
To deploy clusters that pass this rule:
- Set the `properties.agentPoolProfiles[].type` property to `VirtualMachineScaleSets` for each node pool.
For example:
```json
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-04-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"disableLocalAccounts": true,
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": [
{
"name": "system",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 5,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "System",
"osDiskType": "Ephemeral"
},
{
"name": "user",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 20,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "User",
"osDiskType": "Ephemeral"
}
],
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"azurepolicy": {
"enabled": true
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
},
"dependsOn": [
"identity"
]
}
```
### Configure with Bicep
To deploy clusters that pass this rule:
- Set the `properties.agentPoolProfiles[].type` property to `VirtualMachineScaleSets` for each node pool.
For example:
```bicep
resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
location: location
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
disableLocalAccounts: true
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: [
{
name: 'system'
osDiskSizeGB: 0
minCount: 3
maxCount: 5
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'System'
osDiskType: 'Ephemeral'
}
{
name: 'user'
osDiskSizeGB: 0
minCount: 3
maxCount: 20
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'User'
osDiskType: 'Ephemeral'
}
]
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
oidcIssuerProfile: {
enabled: true
}
addonProfiles: {
azurepolicy: {
enabled: true
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
}
```
## LINKS
- [Scalability](https://learn.microsoft.com/azure/architecture/framework/scalability/design-scale)
- [Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/use-multiple-node-pools)
- [Cluster autoscaler](https://docs.microsoft.com/azure/aks/concepts-scale#cluster-autoscaler)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
- [Plan for growth](https://learn.microsoft.com/azure/well-architected/scalability/design-scale#plan-for-growth)
- [Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/use-multiple-node-pools)
- [Scaling options for applications in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-scale#cluster-autoscaler)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Performance Efficiency
category: Capacity planning
category: Application scalability
resource: Azure Kubernetes Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.StandardLB/
---
@ -23,16 +23,152 @@ A Standard load balancer SKU is required for several AKS features including:
These features improve the scalability and reliability of the cluster.
AKS clusters can not be updated to use a Standard load balancer SKU after deployment.
For switch to an Standard load balancer SKU, the cluster must be redeployed.
## RECOMMENDATION
Consider using Standard load balancer SKU during AKS cluster creation.
Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.
## NOTES
## EXAMPLES
AKS clusters can not be updated to use a Standard load balancer SKU after deployment.
### Configure with Azure template
To deploy clusters that pass this rule:
- Set the `properties.networkProfile.loadBalancerSku` property to `standard`.
For example:
```json
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-04-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"disableLocalAccounts": true,
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": "[variables('allPools')]",
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"azurepolicy": {
"enabled": true
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
},
"dependsOn": [
"identity"
]
}
```
### Configure with Bicep
To deploy clusters that pass this rule:
- Set the `properties.networkProfile.loadBalancerSku` property to `standard`.
For example:
```bicep
resource cluster 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
location: location
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
disableLocalAccounts: true
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: allPools
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
oidcIssuerProfile: {
enabled: true
}
addonProfiles: {
azurepolicy: {
enabled: true
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
}
```
## LINKS
- [Use a Standard SKU load balancer in Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/load-balancer-standard)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters#containerservicenetworkprofile-object)
- [Plan for growth](https://learn.microsoft.com/azure/well-architected/scalability/design-scale#plan-for-growth)
- [Use a Standard SKU load balancer in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/load-balancer-standard)
- [LoadBalancer annotations](https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Performance Efficiency
category: Capacity planning
category: Application capacity
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.MinPlan/
ms-content-id: 97b58cfa-7b7e-4630-ac13-4596defe1795


@ -1,7 +1,8 @@
---
reviewed: 2023-07-08
severity: Important
pillar: Performance Efficiency
category: Capacity planning
category: Application capacity
resource: Azure Cache for Redis
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.MaxMemoryReserved/
---
@ -16,6 +17,11 @@ Configure `maxmemory-reserved` to reserve memory for non-cache operations.
Azure Cache for Redis supports configuration of the `maxmemory-reserved` setting.
The `maxmemory-reserved` setting configures the amount of memory reserved for non-cache operations.
Non-cache operations include background tasks, eviction, and compaction.
By reserving memory for these operations, you prevent Redis cache from using all available memory for cache.
If enough memory is not reserved for these operations it can lead to performance degradation and instability.
Setting this value allows you to have a more consistent experience when your load varies.
This value should be set higher for workloads that are write heavy.
@ -31,7 +37,7 @@ Consider configuring `maxmemory-reserved` to at least 10% of available cache mem
To deploy caches that pass this rule:
- Set the `properties.redisConfiguration.maxmemory-reserved` property to at least 10% of the cache size.
- Set the `properties.redisConfiguration.maxmemory-reserved` property to at least 10% of the cache memory.
For example:
@ -66,7 +72,7 @@ For example:
To deploy caches that pass this rule:
- Set the `properties.redisConfiguration.maxmemory-reserved` property to at least 10% of the cache size.
- Set the `properties.redisConfiguration.maxmemory-reserved` property to at least 10% of the cache memory.
For example:
@ -97,7 +103,9 @@ resource cache 'Microsoft.Cache/redis@2023-04-01' = {
## LINKS
- [Choosing the right resources](https://learn.microsoft.com/azure/well-architected/scalability/capacity#choosing-the-right-resources)
- [Choose the right resources](https://learn.microsoft.com/azure/well-architected/scalability/design-capacity#choose-the-right-resources)
- [Choosing the right tier](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-overview#choosing-the-right-tier)
- [Scaling and memory](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-best-practices-scale#scaling-and-memory)
- [Memory management](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-best-practices-memory-management)
- [SKU sizes](https://azure.microsoft.com/pricing/details/cache/)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Performance Efficiency
category: Capacity planning
category: Application capacity
resource: Azure Cache for Redis
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.MinSKU/
---
@ -100,7 +100,9 @@ resource cache 'Microsoft.Cache/redis@2023-04-01' = {
## LINKS
- [Best practices for Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-best-practices)
- [Azure Cache for Redis pricing](https://azure.microsoft.com/pricing/details/cache/)
- [Choosing the right resources](https://learn.microsoft.com/azure/architecture/framework/scalability/capacity#choosing-the-right-resources)
- [Choose the right resources](https://learn.microsoft.com/azure/well-architected/scalability/design-capacity#choose-the-right-resources)
- [Choosing the right tier](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-overview#choosing-the-right-tier)
- [Scaling and memory](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-best-practices-scale#scaling-and-memory)
- [Memory management](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-best-practices-memory-management)
- [SKU sizes](https://azure.microsoft.com/pricing/details/cache/)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)


@ -96,10 +96,35 @@ resource cache 'Microsoft.Cache/redis@2023-04-01' = {
}
```
### Configure with Azure CLI
To deploy caches that pass this rule:
- Use the `--set` parameter.
For example:
```bash
az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2
```
### Configure with Azure PowerShell
To deploy caches that pass this rule:
- Use the `-MinimumTlsVersion` parameter.
For example:
```powershell
Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'
```
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11)
- [Configure Azure Cache for Redis settings](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)


@ -1,7 +1,7 @@
---
severity: Critical
pillar: Security
category: Data protection
category: Encryption
resource: Azure Cache for Redis
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.NonSslPort/
ms-content-id: cf433410-8a30-4b74-b046-0b8c7c708368
@ -15,19 +15,16 @@ Azure Cache for Redis should only accept secure connections.
## DESCRIPTION
Azure Cache for Redis is configured to accept unencrypted connections using a non-SSL port.
Unencrypted connections are disabled by default.
Azure Cache for Redis can be configured to accept encrypted and unencrypted connections.
By default, only encrypted communication is accepted.
To accept unencrypted connections, the non-SSL port must be enabled.
Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.
Unencrypted communication to Redis Cache could allow disclosure of information to an untrusted party.
Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.
## RECOMMENDATION
Azure Cache for Redis should be configured to only accept secure connections.
When the non-SSL port is enabled, encrypted and unencrypted connections are permitted.
To prevent unencrypted connections, disable the non-SSL port.
Unless explicitly required, consider disabling the non-SSL port.
Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.
## EXAMPLES
@ -102,6 +99,7 @@ resource cache 'Microsoft.Cache/redis@2023-04-01' = {
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [when should I enable the non-SSL port for connecting to Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-faq#when-should-i-enable-the-non-ssl-port-for-connecting-to-redis)
- [How to configure Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [How to configure Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Azure Policy Regulatory Compliance controls for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/security-controls-policy)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)


@ -1,4 +1,5 @@
---
reviewed: 2023-07-08
severity: Critical
pillar: Security
category: Connectivity
@ -6,7 +7,7 @@ resource: Azure Cache for Redis
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.PublicNetworkAccess/
---
# Limit public network access to Redis cache instances
# Use private endpoints with Azure Cache for Redis
## SYNOPSIS
@ -14,15 +15,24 @@ Redis cache should disable public network access.
## DESCRIPTION
Public access to redis instances can be disabled.
This ensures secure and private connectivity to redis instances using private endpoints instead.
When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet.
By default, the cache is configured to be accessible from the public Internet.
Private endpoint is a network interface that connects you privately and securely to Azure Cache for
Redis powered by Azure Private Link.
To limit network access to the cache you can use firewall rules or private endpoints.
Using private endpoints with Azure Cache for Redis is the recommend approach for most scenarios.
Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.
A private endpoint provides secure and private connectivity to Redis instances by:
- Using a private IP address from your VNET.
- Blocking all traffic from public networks.
If you are using VNET injection, it is recommended to migrate to private endpoints.
## RECOMMENDATION
Redis cache should disable public network access when public connectivity is not required.
Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.
## EXAMPLES
@ -30,7 +40,7 @@ Redis cache should disable public network access when public connectivity is not
To deploy caches that pass this rule:
- Set `properties.publicNetworkAccess` property to `Disabled`.
- Set the `properties.publicNetworkAccess` property to `Disabled`.
For example:
@ -66,7 +76,7 @@ For example:
To deploy caches that pass this rule:
- Set `properties.publicNetworkAccess` property to `Disabled`.
- Set the `properties.publicNetworkAccess` property to `Disabled`.
For example:
@ -101,5 +111,8 @@ resource cache 'Microsoft.Cache/redis@2023-04-01' = {
- [Azure services for securing network connectivity](https://learn.microsoft.com/azure/well-architected/security/design-network-connectivity)
- [Azure Cache for Redis with Azure Private Link](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-private-link)
- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
- [Migrate from VNet injection caches to Private Link caches](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-vnet-migration)
- [What is Azure Private Endpoint?](https://learn.microsoft.com/azure/private-link/private-endpoint-overview)
- [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#ns-2-secure-cloud-services-with-network-controls)
- [Azure Policy Regulatory Compliance controls for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/security-controls-policy)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)


@ -4,7 +4,6 @@ pillar: Security
category: Data protection
resource: Azure Cache for Redis Enterprise
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.MinTLS/
ms-content-id: 31240bca-b04f-4267-9c31-cfca4e91cfbf
---
# Redis Cache minimum TLS version
@ -26,18 +25,81 @@ By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
Consider configuring the minimum supported TLS version to be 1.2.
Support for TLS 1.0/ 1.1 version will be removed.
## Examples
## EXAMPLES
To disable old versions of TLS on Redis Cache Enterprise using PowerShell
### Configure with Azure template
To deploy caches that pass this rule:
- Set the `properties.minimumTlsVersion` property to `1.2`.
For example:
```json
{
"type": "Microsoft.Cache/redisEnterprise",
"apiVersion": "2022-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Enterprise_E10"
},
"properties": {
"minimumTlsVersion": "1.2"
}
}
```
### Configure with Bicep
To deploy caches that pass this rule:
- Set the `properties.minimumTlsVersion` property to `1.2`.
For example:
```bicep
resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {
name: name
location: location
sku: {
name: 'Enterprise_E10'
}
properties: {
minimumTlsVersion: '1.2'
}
}
```
### Configure with Azure CLI
To deploy caches that pass this rule:
- Use the `--set` parameter.
For example:
```bash
az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2
```
### Configure with Azure PowerShell
To deploy caches that pass this rule:
- Use the `-MinimumTlsVersion` parameter.
For example:
```powershell
Set-AzRedisCache -Name <YourRedisName> -MinimumTlsVersion '1.2'
Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'
```
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11)
- [Configure Azure Cache for Redis settings](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11)
- [Configure Azure Cache for Redis settings](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.cache/redis#RedisCreateProperties)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise)
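Review bot: The Azure CLI and Azure PowerShell examples added in this hunk target the standard Azure Cache for Redis resource rather than Redis Enterprise: `az redis update` and `Set-AzRedisCache` operate on `Microsoft.Cache/redis`, while the template and Bicep examples above this hunk correctly use `Microsoft.Cache/redisEnterprise`. Run against an Enterprise cache these commands would presumably not find the resource, so a reader following this page could be left believing the minimum TLS version had been raised when it had not. The Enterprise tier is managed through the `az redisenterprise` command group and the `*-AzRedisEnterpriseCache` cmdlets (for example `Update-AzRedisEnterpriseCache`); confirm the exact minimum-TLS parameter on those against the current reference before replacing the two snippets. If the Enterprise tier does not expose a post-creation update for this setting, state that explicitly and keep only the template and Bicep examples.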


@ -2,7 +2,7 @@
reviewed: 2023-07-02
severity: Critical
pillar: Performance Efficiency
category: Capacity planning
category: Application capacity
resource: Cognitive Search
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Search.SKU/
---
@ -84,7 +84,7 @@ resource search 'Microsoft.Search/searchServices@2022-09-01' = {
## LINKS
- [Choosing the right resources](https://learn.microsoft.com/azure/architecture/framework/scalability/capacity#choosing-the-right-resources)
- [Choose the right resources](https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity#choose-the-right-resources)
- [SLA for Azure Cognitive Search](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services)
- [Estimate and manage capacity of an Azure Cognitive Search service](https://learn.microsoft.com/azure/search/search-capacity-planning)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.search/searchservices)


@ -27,7 +27,7 @@ Specify descriptions for each resource in the template.
To define Bicep template files that pass this rule:
- Specify the `@description()` decorator for each resource in the template.
- Specify the `@description()` or `@sys.description()` decorator for each resource in the template.
For example:
@ -65,4 +65,4 @@ resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {
## LINKS
- [Better understand your cloud resources](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure#better-understand-your-cloud-resources)
- [Decorators](https://docs.microsoft.com/azure/azure-resource-manager/bicep/parameters#decorators)
- [Decorators](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#decorators)


@ -87,5 +87,7 @@ resource service 'Microsoft.SignalRService/webPubSub@2021-10-01' = {
## LINKS
- [Use identity-based authentication](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-identity-based-authentication)
- [Managed identities for Azure Web PubSub Service](https://docs.microsoft.com/azure/azure-web-pubsub/howto-use-managed-identity)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.signalrservice/webpubsub)
- [Managed identities for Azure Web PubSub Service](https://learn.microsoft.com/azure/azure-web-pubsub/howto-use-managed-identity)
- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-web-pubsub-security-baseline#im-1-use-centralized-identity-and-authentication-system)
- [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-web-pubsub-security-baseline#im-3-manage-application-identities-securely-and-automatically)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.signalrservice/webpubsub)


@ -1,5 +1,5 @@
---
reviewed: 2022-03-15
reviewed: 2023-07-09
severity: Important
pillar: Reliability
category: Requirements
@ -81,4 +81,4 @@ resource service 'Microsoft.SignalRService/webPubSub@2021-10-01' = {
- [Target and non-functional requirements](https://learn.microsoft.com/azure/architecture/framework/resiliency/design-requirements#availability-targets)
- [Azure Web PubSub pricing](https://azure.microsoft.com/pricing/details/web-pubsub/)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.signalrservice/webpubsub)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.signalrservice/webpubsub)


@ -1,5 +1,5 @@
---
reviewed: 2021/11/27
reviewed: 2023-07-09
severity: Awareness
pillar: Operational Excellence
category: Repeatable infrastructure
@ -36,6 +36,6 @@ This rule does not check if vWAN names are unique.
## LINKS
- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure)
- [Naming rules and restrictions for Azure resources](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.network/virtualwans)
- [Recommended abbreviations for Azure resource types](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/virtualwans)


@ -320,7 +320,7 @@ AZR-000296 | [Azure.Defender.Storage](Azure.Defender.Storage.md) | Enable Micros
AZR-000297 | [Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | GA
AZR-000298 | [Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | GA
AZR-000299 | [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | GA
AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | GA
AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | GA
AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA
AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA


@ -217,6 +217,15 @@ Name | Synopsis | Severity | Level
## Performance Efficiency
### Application capacity
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important | Error
[Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
[Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
[Azure.Search.SKU](Azure.Search.SKU.md) | Use the basic and standard tiers for entry level workloads. | Critical | Error
### Application design
Name | Synopsis | Severity | Level
@ -224,16 +233,13 @@ Name | Synopsis | Severity | Level
[Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Awareness | Error
[Azure.AppService.HTTP2](Azure.AppService.HTTP2.md) | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness | Error
### Capacity planning
### Application scalability
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
[Azure.AKS.PoolScaleSet](Azure.AKS.PoolScaleSet.md) | Deploy AKS clusters with nodes pools based on VM scale sets. | Important | Error
[Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
[Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important | Error
[Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
[Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
[Azure.Search.SKU](Azure.Search.SKU.md) | Use the basic and standard tiers for entry level workloads. | Critical | Error
### Design for performance
@ -268,12 +274,6 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.FrontDoor.UseCaching](Azure.FrontDoor.UseCaching.md) | Use caching to reduce retrieving contents from origins. | Important | Error
### Scalability
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.PoolScaleSet](Azure.AKS.PoolScaleSet.md) | Deploy AKS clusters with nodes pools based on VM scale sets. | Important | Error
## Reliability
### Application design
@ -416,7 +416,6 @@ Name | Synopsis | Severity | Level
[Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error
[Azure.KeyVault.Firewall](Azure.KeyVault.Firewall.md) | Key Vault should only accept explicitly allowed traffic. | Important | Error
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error
[Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
[Azure.Storage.Firewall](Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important | Error
### Authentication
@ -455,6 +454,14 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.ManagedIdentity](Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | Error
### Connectivity
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
[Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
### Data flow
Name | Synopsis | Severity | Level
@ -482,9 +489,7 @@ Name | Synopsis | Severity | Level
[Azure.MariaDB.UseSSL](Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | Error
[Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error
[Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
[Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error
[Azure.Storage.DefenderCloud](Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical | Error
@ -526,6 +531,7 @@ Name | Synopsis | Severity | Level
[Azure.MariaDB.MinTLS](Azure.MariaDB.MinTLS.md) | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
[Azure.SQL.MinTLS](Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.Storage.MinTLS](Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical | Error
[Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important | Error
@ -626,7 +632,6 @@ Name | Synopsis | Severity | Level
[Azure.PostgreSQL.AllowAzureAccess](Azure.PostgreSQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
[Azure.PostgreSQL.FirewallIPRange](Azure.PostgreSQL.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses. | Important | Error
[Azure.PostgreSQL.FirewallRuleCount](Azure.PostgreSQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error
[Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
[Azure.SQL.AllowAzureAccess](Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
[Azure.SQL.FirewallIPRange](Azure.SQL.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). | Important | Error
[Azure.SQL.FirewallRuleCount](Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error


@ -155,7 +155,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Redis.AvailabilityZone](Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important | Error
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
[Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
[Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error


@ -320,7 +320,7 @@ AZR-000296 | [Azure.Defender.Storage](Azure.Defender.Storage.md) | Enable Micros
AZR-000297 | [Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | GA
AZR-000298 | [Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | GA
AZR-000299 | [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | GA
AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | GA
AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | GA
AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA
AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA


@ -217,6 +217,15 @@ Name | Synopsis | Severity | Level
## Performance Efficiency
### Application capacity
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important | Error
[Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
[Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
[Azure.Search.SKU](Azure.Search.SKU.md) | Use the basic and standard tiers for entry level workloads. | Critical | Error
### Application design
Name | Synopsis | Severity | Level
@ -224,16 +233,13 @@ Name | Synopsis | Severity | Level
[Azure.AppService.ARRAffinity](Azure.AppService.ARRAffinity.md) | Disable client affinity for stateless services. | Awareness | Error
[Azure.AppService.HTTP2](Azure.AppService.HTTP2.md) | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | Awareness | Error
### Capacity planning
### Application scalability
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
[Azure.AKS.PoolScaleSet](Azure.AKS.PoolScaleSet.md) | Deploy AKS clusters with nodes pools based on VM scale sets. | Important | Error
[Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
[Azure.AppService.MinPlan](Azure.AppService.MinPlan.md) | Use at least a Standard App Service Plan. | Important | Error
[Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
[Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
[Azure.Search.SKU](Azure.Search.SKU.md) | Use the basic and standard tiers for entry level workloads. | Critical | Error
### Design for performance
@ -268,12 +274,6 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.FrontDoor.UseCaching](Azure.FrontDoor.UseCaching.md) | Use caching to reduce retrieving contents from origins. | Important | Error
### Scalability
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.PoolScaleSet](Azure.AKS.PoolScaleSet.md) | Deploy AKS clusters with nodes pools based on VM scale sets. | Important | Error
## Reliability
### Application design
@ -416,7 +416,6 @@ Name | Synopsis | Severity | Level
[Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error
[Azure.KeyVault.Firewall](Azure.KeyVault.Firewall.md) | Key Vault should only accept explicitly allowed traffic. | Important | Error
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error
[Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
[Azure.Storage.Firewall](Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important | Error
### Authentication
@ -455,6 +454,14 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.ManagedIdentity](Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | Error
### Connectivity
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
[Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
### Data flow
Name | Synopsis | Severity | Level
@ -482,9 +489,7 @@ Name | Synopsis | Severity | Level
[Azure.MariaDB.UseSSL](Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | Error
[Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error
[Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
[Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error
[Azure.Storage.DefenderCloud](Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical | Error
@ -526,6 +531,7 @@ Name | Synopsis | Severity | Level
[Azure.MariaDB.MinTLS](Azure.MariaDB.MinTLS.md) | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
[Azure.SQL.MinTLS](Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error
[Azure.Storage.MinTLS](Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical | Error
[Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important | Error
@ -626,7 +632,6 @@ Name | Synopsis | Severity | Level
[Azure.PostgreSQL.AllowAzureAccess](Azure.PostgreSQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
[Azure.PostgreSQL.FirewallIPRange](Azure.PostgreSQL.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses. | Important | Error
[Azure.PostgreSQL.FirewallRuleCount](Azure.PostgreSQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error
[Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
[Azure.SQL.AllowAzureAccess](Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
[Azure.SQL.FirewallIPRange](Azure.SQL.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). | Important | Error
[Azure.SQL.FirewallRuleCount](Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error

@ -155,7 +155,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Redis.AvailabilityZone](Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important | Error
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive nunber of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | Critical | Error
[Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
[Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
[Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error

@ -6,7 +6,7 @@
// Define parameters
@description('The name of the AKS cluster.')
param clusterName string
param name string
@metadata({
description: 'Optional. The Azure region to deploy to.'
@ -58,14 +58,8 @@ param systemPoolMaxPods int = 50
})
param workspaceId string
@metadata({
description: 'The resource Id for the virtual network where the cluster and ACI will be deployed into.'
strongType: 'Microsoft.Network/virtualNetworks'
})
param vnetId string
@description('The name of the subnet do deploy cluster resources.')
param systemPoolSubnet string
@description('A reference to the subnet to deploy the cluster into.')
param clusterSubnetId string
@description('The object Ids of groups that will be added with the cluster admin role.')
param clusterAdmins array = []
@ -85,21 +79,10 @@ param clusterAdmins array = []
})
param pools array = []
@metadata({
description: 'Tags to apply to the resource.'
example: {
service: 'container-platform'
env: 'prod'
}
})
param tags object
// Define variables
var serviceCidr = '192.168.0.0/16'
var dnsServiceIP = '192.168.0.4'
var dockerBridgeCidr = '172.17.0.1/16'
var clusterSubnetId = '${vnetId}/subnets/${systemPoolSubnet}'
// Define pools
var allPools = union(systemPools, userPools)
@ -144,13 +127,12 @@ var userPools = [for i in range(0, length(pools)): {
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
name: identityName
location: location
tags: tags
}
// Cluster
resource cluster 'Microsoft.ContainerService/managedClusters@2022-09-01' = {
// An example AKS cluster
resource cluster 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
location: location
name: clusterName
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
@ -175,7 +157,6 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2022-09-01' = {
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
dockerBridgeCidr: dockerBridgeCidr
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
@ -184,9 +165,6 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2022-09-01' = {
enabled: true
}
addonProfiles: {
httpApplicationRouting: {
enabled: false
}
azurepolicy: {
enabled: true
}
@ -196,8 +174,87 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2022-09-01' = {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
kubeDashboard: {
enabled: false
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
}
// An example AKS cluster with pools defined.
resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
location: location
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
disableLocalAccounts: true
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: [
{
name: 'system'
osDiskSizeGB: 0
minCount: 3
maxCount: 5
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'System'
osDiskType: 'Ephemeral'
}
{
name: 'user'
osDiskSizeGB: 0
minCount: 3
maxCount: 20
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'User'
osDiskType: 'Ephemeral'
}
]
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
oidcIssuerProfile: {
enabled: true
}
addonProfiles: {
azurepolicy: {
enabled: true
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
azureKeyvaultSecretsProvider: {
enabled: true
@ -207,5 +264,4 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2022-09-01' = {
}
}
}
tags: tags
}
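Review bot: The new `clusterWithPools` resource turns on the OIDC issuer (`oidcIssuerProfile: { enabled: true }`) but sets no `securityProfile`, and on AKS the issuer alone does not let pods federate with Azure AD; if the issuer is being enabled so workloads can use workload identity (the compiled template in this commit drops `podIdentityProfile`), the example also needs `securityProfile: { workloadIdentity: { enabled: true } }`. Both example resources use `name: name`, so two `Microsoft.ContainerService/managedClusters` resources share one name and the file cannot deploy as written; presumably intentional for a documentation example, but a one-line comment such as `// Only one of the example clusters is intended to be deployed at a time.` would stop readers copying both. Neither example sets `apiServerAccessProfile`, so the API server is reachable from any public IP unless that is configured elsewhere; worth a comment if the example is meant as a secure baseline. The `cluster` resource's definition starts before this section's first hunk.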

@ -1,15 +1,17 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"languageVersion": "1.10-experimental",
"contentVersion": "1.0.0.0",
"metadata": {
"_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "2737926357004416265"
"version": "0.18.4.5664",
"templateHash": "12666421165921150827"
}
},
"parameters": {
"clusterName": {
"name": {
"type": "string",
"metadata": {
"description": "The name of the AKS cluster."
@ -73,7 +75,7 @@
},
"kubernetesVersion": {
"type": "string",
"defaultValue": "1.22.6",
"defaultValue": "1.25.6",
"metadata": {
"description": "The version of Kubernetes."
}
@ -93,17 +95,10 @@
"strongType": "Microsoft.OperationalInsights/workspaces"
}
},
"vnetId": {
"clusterSubnetId": {
"type": "string",
"metadata": {
"description": "The resource Id for the virtual network where the cluster and ACI will be deployed into.",
"strongType": "Microsoft.Network/virtualNetworks"
}
},
"systemPoolSubnet": {
"type": "string",
"metadata": {
"description": "The name of the subnet do deploy cluster resources."
"description": "A reference to the subnet to deploy the cluster into."
}
},
"clusterAdmins": {
@ -129,16 +124,6 @@
}
]
}
},
"tags": {
"type": "object",
"metadata": {
"description": "Tags to apply to the resource.",
"example": {
"service": "container-platform",
"env": "prod"
}
}
}
},
"variables": {
@ -157,7 +142,7 @@
"vmSize": "[parameters('pools')[range(0, length(parameters('pools')))[copyIndex('userPools')]].vmSize]",
"osType": "[parameters('pools')[range(0, length(parameters('pools')))[copyIndex('userPools')]].osType]",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[variables('clusterSubnetId')]",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "User",
"osDiskType": "Ephemeral",
"scaleSetPriority": "[parameters('pools')[range(0, length(parameters('pools')))[copyIndex('userPools')]].priority]"
@ -166,8 +151,6 @@
],
"serviceCidr": "192.168.0.0/16",
"dnsServiceIP": "192.168.0.4",
"dockerBridgeCidr": "172.17.0.1/16",
"clusterSubnetId": "[format('{0}/subnets/{1}', parameters('vnetId'), parameters('systemPoolSubnet'))]",
"allPools": "[union(variables('systemPools'), variables('userPools'))]",
"systemPools": [
{
@ -181,25 +164,24 @@
"vmSize": "[parameters('systemVMSize')]",
"osType": "Linux",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[variables('clusterSubnetId')]",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "System",
"osDiskType": "Ephemeral",
"scaleSetPriority": "Regular"
}
]
},
"resources": [
{
"resources": {
"identity": {
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"name": "[parameters('identityName')]",
"location": "[parameters('location')]",
"tags": "[parameters('tags')]"
"location": "[parameters('location')]"
},
{
"cluster": {
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2022-01-01",
"name": "[parameters('clusterName')]",
"apiVersion": "2023-04-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
@ -224,21 +206,17 @@
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]",
"dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"httpApplicationRouting": {
"enabled": false
},
"azurepolicy": {
"enabled": true,
"config": {
"version": "v2"
}
"enabled": true
},
"omsagent": {
"enabled": true,
@ -246,8 +224,90 @@
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"kubeDashboard": {
"enabled": false
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
},
"dependsOn": [
"identity"
]
},
"clusterWithPools": {
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-04-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"disableLocalAccounts": true,
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": [
{
"name": "system",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 5,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "System",
"osDiskType": "Ephemeral"
},
{
"name": "user",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 20,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "User",
"osDiskType": "Ephemeral"
}
],
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"azurepolicy": {
"enabled": true
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
@ -255,15 +315,11 @@
"enableSecretRotation": "true"
}
}
},
"podIdentityProfile": {
"enabled": true
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
"identity"
]
}
]
}
}

@ -0,0 +1,22 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
// Bicep documentation examples
@description('The name of the resource.')
param name string
@description('The location resources will be deployed.')
param location string = resourceGroup().location
// An example Redis Enterprise cache.
resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {
name: name
location: location
sku: {
name: 'Enterprise_E10'
}
properties: {
minimumTlsVersion: '1.2'
}
}

@ -0,0 +1,42 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"languageVersion": "1.10-experimental",
"contentVersion": "1.0.0.0",
"metadata": {
"_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
"_generator": {
"name": "bicep",
"version": "0.18.4.5664",
"templateHash": "18327166122228082136"
}
},
"parameters": {
"name": {
"type": "string",
"metadata": {
"description": "The name of the resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location resources will be deployed."
}
}
},
"resources": {
"cache": {
"type": "Microsoft.Cache/redisEnterprise",
"apiVersion": "2022-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Enterprise_E10"
},
"properties": {
"minimumTlsVersion": "1.2"
}
}
}
}

@ -12,15 +12,15 @@ namespace PSRule.Rules.Azure.Data.Template
internal sealed class ValidationIssue
{
private readonly ValidationKind kind;
private readonly string name;
private readonly string message;
private readonly ValidationKind _Kind;
private readonly string _Name;
private readonly string _Message;
public ValidationIssue(ValidationKind kind, string name, string message)
{
this.kind = kind;
this.name = name;
this.message = message;
_Kind = kind;
_Name = name;
_Message = message;
}
}
}
}

@ -37,7 +37,7 @@
RoleAssignmentCount = "The number of assignments is {0}."
UnmanagedDisk = "The VM disk '{0}' is unmanaged."
UnmanagedSubscription = "The subscription is not managed."
DBServerFirewallRuleCount = "The number of firewall rules ({0}) exceeded {1}."
ExceededFirewallRuleCount = "The number of firewall rules ({0}) exceeded {1}."
DBServerFirewallPublicIPRange = "The number of public IP addresses permitted ({0}) exceeded {1}."
TemplateParameterDescription = "The parameter '{0}' does not have a description set."
ParameterNotFound = "The parameter '{0}' was not used within the template."

@ -8,7 +8,7 @@
#region Rules
# Synopsis: Consider freeing up registry space.
Rule 'Azure.ACR.Usage' -Ref 'AZR-000001' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; method = 'in-flight'; } {
Rule 'Azure.ACR.Usage' -Ref 'AZR-000001' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Cost Optimization'; method = 'in-flight'; } {
$usages = @(GetSubResources -ResourceType 'Microsoft.ContainerRegistry/registries/listUsages' | ForEach-Object {
$_.value | Where-Object { $_.Name -eq 'Size' }
});
@ -34,7 +34,7 @@ Rule 'Azure.ACR.ImageHealth' -Ref 'AZR-000003' -Type 'Microsoft.ContainerRegistr
}
# Synopsis: Consider geo-replicating container images.
Rule 'Azure.ACR.GeoReplica' -Ref 'AZR-000004' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; method = 'in-flight'; } {
Rule 'Azure.ACR.GeoReplica' -Ref 'AZR-000004' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Reliability'; method = 'in-flight'; } {
$replications = @(GetSubResources -ResourceType 'Microsoft.ContainerRegistry/registries/replications');
$registryLocation = GetNormalLocation -Location $TargetObject.Location;
foreach ($replica in $replications) {
@ -49,7 +49,7 @@ Rule 'Azure.ACR.GeoReplica' -Ref 'AZR-000004' -Type 'Microsoft.ContainerRegistry
}
# Synopsis: Azure Container Registries should have soft delete policy enabled.
Rule 'Azure.ACR.SoftDelete' -Ref 'AZR-000310' -Type 'Microsoft.ContainerRegistry/registries' -If { GetACRSoftDeletePreviewLimitations } -Tag @{ release = 'preview'; ruleSet = '2022_09'; } {
Rule 'Azure.ACR.SoftDelete' -Ref 'AZR-000310' -Type 'Microsoft.ContainerRegistry/registries' -If { GetACRSoftDeletePreviewLimitations } -Tag @{ release = 'preview'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Reliability'; } {
$Assert.HasFieldValue($TargetObject, 'properties.policies.softDeletePolicy.status', 'enabled').Reason($LocalizedData.ACRSoftDeletePolicy, $TargetObject.name)
$Assert.HasFieldValue($TargetObject, 'properties.policies.softDeletePolicy.retentionDays').Reason($LocalizedData.ACRSoftDeletePolicyRetention, $TargetObject.name)
}

@ -15,14 +15,14 @@ metadata:
name: Azure.ACR.AdminUser
ref: AZR-000005
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: [ 'IM-1', 'IM-3', 'PA-1', 'PA-7' ]
Azure.MCSB.v1/control: ['IM-1', 'IM-3', 'PA-1']
spec:
type:
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerRegistry/registries
condition:
field: Properties.adminUserEnabled
hasDefault: false
@ -35,14 +35,15 @@ metadata:
name: Azure.ACR.MinSku
ref: AZR-000006
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Reliability
spec:
type:
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerRegistry/registries
condition:
field: Sku.name
in: [ 'Premium', 'Standard' ]
field: sku.name
in: ['Premium', 'Standard']
---
# Synopsis: Container registry names should meet naming requirements.
@ -52,19 +53,20 @@ metadata:
name: Azure.ACR.Name
ref: AZR-000007
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Operational Excellence
spec:
type:
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerRegistry/registries
condition:
allOf:
- name: '.'
greaterOrEquals: 5
- name: '.'
lessOrEquals: 50
- name: '.'
match: '^[a-zA-Z0-9]*$'
- name: '.'
greaterOrEquals: 5
- name: '.'
lessOrEquals: 50
- name: '.'
match: '^[a-zA-Z0-9]*$'
---
# Synopsis: Enable container image quarantine, scan, and mark images as verified.
@ -74,16 +76,16 @@ metadata:
name: Azure.ACR.Quarantine
ref: AZR-000008
tags:
release: 'preview'
ruleSet: '2020_12'
Azure.WAF/pillar: 'Security'
release: preview
ruleSet: 2020_12
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: [ 'DS-6', 'PV-5' ]
Azure.MCSB.v1/control: ['DS-6', 'PV-5']
spec:
type:
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerRegistry/registries
condition:
field: Properties.policies.quarantinePolicy.status
field: properties.policies.quarantinePolicy.status
equals: enabled
---
@ -94,14 +96,14 @@ metadata:
name: Azure.ACR.ContentTrust
ref: AZR-000009
tags:
release: 'GA'
ruleSet: '2020_12'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_12
Azure.WAF/pillar: Security
spec:
with:
- Azure.ACR.IsPremiumSKU
- Azure.ACR.IsPremiumSKU
type:
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerRegistry/registries
where:
field: properties.encryption.keyVaultProperties.identity
exists: false
@ -117,15 +119,16 @@ metadata:
name: Azure.ACR.Retention
ref: AZR-000010
tags:
release: 'preview'
ruleSet: '2020_12'
release: preview
ruleSet: 2020_12
Azure.WAF/pillar: Cost Optimization
spec:
with:
- Azure.ACR.IsPremiumSKU
- Azure.ACR.IsPremiumSKU
type:
- Microsoft.ContainerRegistry/registries
- Microsoft.ContainerRegistry/registries
condition:
field: Properties.policies.retentionPolicy.status
field: properties.policies.retentionPolicy.status
equals: enabled
#endregion Rules
@ -141,12 +144,12 @@ metadata:
spec:
if:
allOf:
- type: '.'
equals: 'Microsoft.ContainerRegistry/registries'
- anyOf:
- field: Sku.name
equals: 'Premium'
- field: Sku.tier
equals: 'Premium'
- type: '.'
equals: Microsoft.ContainerRegistry/registries
- anyOf:
- field: sku.name
equals: Premium
- field: sku.tier
equals: Premium
#endregion Selectors
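Review bot: `Azure.ACR.AdminUser` loses the `PA-7` entry from its `Azure.MCSB.v1/control` label (now `['IM-1', 'IM-3', 'PA-1']`), which changes the compliance mapping rather than the formatting the rest of the hunk cleans up; anyone filtering rules by MCSB control will no longer see this rule under PA-7. If the drop is deliberate it should be called out in the commit description or change log; otherwise restore it as `Azure.MCSB.v1/control: ['IM-1', 'IM-3', 'PA-1', 'PA-7']`. The now-unquoted `ruleSet: 2020_06` values are only safe if the tag loader reads every scalar as a string, since a YAML 1.1 reader can treat `2020_06` as the integer 202006; worth confirming against the rule-set filter before the quotes are removed repository-wide.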

@ -123,7 +123,7 @@ Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMa
$firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMariaDB/servers/firewallRules')
$Assert.LessOrEqual($firewallRules, '.', 10).
Reason($LocalizedData.DBServerFirewallRuleCount, $firewallRules.Length, 10).PathPrefix('resources')
Reason($LocalizedData.ExceededFirewallRuleCount, $firewallRules.Length, 10).PathPrefix('resources')
}
# Synopsis: Determine if there is an excessive number of permitted IP addresses.

@ -10,7 +10,7 @@ Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMyS
$firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/firewallRules');
$Assert.
LessOrEqual($firewallRules, '.', 10).
WithReason(($LocalizedData.DBServerFirewallRuleCount -f $firewallRules.Length, 10), $True);
WithReason(($LocalizedData.ExceededFirewallRuleCount -f $firewallRules.Length, 10), $True);
}
# Synopsis: Determine if access from Azure services is required

@ -10,7 +10,7 @@ Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBf
$firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/firewallRules');
$Assert.
LessOrEqual($firewallRules, '.', 10).
WithReason(($LocalizedData.DBServerFirewallRuleCount -f $firewallRules.Length, 10), $True);
WithReason(($LocalizedData.ExceededFirewallRuleCount -f $firewallRules.Length, 10), $True);
}
# Synopsis: Determine if access from Azure services is required

@ -5,14 +5,6 @@
# Validation rules for Azure Redis Cache
#
# Synopsis: Use Azure Cache for Redis instances of at least Standard C1.
Rule 'Azure.Redis.MinSKU' -Ref 'AZR-000159' -Type 'Microsoft.Cache/Redis' -With 'Azure.Redis.HasSku' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Performance Efficiency'; } {
$Assert.In($TargetObject, 'Properties.sku.name', @('Standard', 'Premium'));
if ($TargetObject.Properties.sku.name -eq 'Standard') {
$Assert.GreaterOrEqual($TargetObject, 'Properties.sku.capacity', 1);
}
}
# Synopsis: Configure `maxmemory-reserved` to reserve memory for non-cache operations.
Rule 'Azure.Redis.MaxMemoryReserved' -Ref 'AZR-000160' -Type 'Microsoft.Cache/Redis' -With 'Azure.Redis.HasSku' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Performance Efficiency'; } {
$sku = "$($TargetObject.Properties.sku.family)$($TargetObject.Properties.sku.capacity)";
@ -99,7 +91,7 @@ Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/re
$firewallRules = @(GetSubResources -ResourceType 'Microsoft.Cache/redis/firewallRules');
$Assert.
LessOrEqual($firewallRules, '.', 10).
WithReason(($LocalizedData.DBServerFirewallRuleCount -f $firewallRules.Length, 10), $True);
WithReason(($LocalizedData.ExceededFirewallRuleCount -f $firewallRules.Length, 10), $True);
}
# Synopsis: Determine if there is an excessive number of permitted IP addresses for the Redis cache.

@ -7,6 +7,32 @@
#region Rules
---
# Synopsis: Use Azure Cache for Redis instances of at least Standard C1.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.Redis.MinSKU
ref: AZR-000159
tags:
release: GA
ruleSet: 2020_12
Azure.WAF/pillar: Performance Efficiency
spec:
type:
- Microsoft.Cache/Redis
with:
- Azure.Redis.HasSku
condition:
anyOf:
- field: properties.sku.name
equals: Premium
- allOf:
- field: properties.sku.name
equals: Standard
- field: properties.sku.capacity
greaterOrEquals: 1
---
# Synopsis: Redis Cache should only accept secure connections.
apiVersion: github.com/microsoft/PSRule/v1
@ -19,10 +45,10 @@ metadata:
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'NS-2'
Azure.MCSB.v1/control: 'DP-3'
spec:
type:
- Microsoft.Cache/Redis
- Microsoft.Cache/Redis
condition:
field: properties.enableNonSslPort
equals: false
@ -42,7 +68,7 @@ metadata:
Azure.MCSB.v1/control: 'DP-3'
spec:
type:
- Microsoft.Cache/Redis
- Microsoft.Cache/Redis
condition:
field: properties.minimumTlsVersion
version: '>=1.2'
@ -62,7 +88,7 @@ metadata:
Azure.MCSB.v1/control: 'NS-2'
spec:
type:
- Microsoft.Cache/Redis
- Microsoft.Cache/Redis
condition:
field: properties.publicNetworkAccess
equals: Disabled
@ -82,13 +108,13 @@ metadata:
spec:
if:
allOf:
- type: '.'
equals: Microsoft.Cache/Redis
- field: properties.sku.capacity
exists: true
- field: properties.sku.family
exists: true
- field: properties.sku.name
exists: true
- type: '.'
equals: Microsoft.Cache/Redis
- field: properties.sku.capacity
exists: true
- field: properties.sku.family
exists: true
- field: properties.sku.name
exists: true
#endregion Selectors

@ -7,7 +7,6 @@
#region Rules
---
# Synopsis: Redis Cache Enterprise should reject TLS versions older than 1.2.
apiVersion: github.com/microsoft/PSRule/v1
@ -18,12 +17,14 @@ metadata:
tags:
release: GA
ruleSet: 2022_09
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'DP-3'
spec:
type:
- 'Microsoft.Cache/redisEnterprise'
- Microsoft.Cache/redisEnterprise
condition:
field: properties.minimumTlsVersion
version: '>=1.2'
#endregion Rules
#endregion Rules

@ -12,7 +12,7 @@ Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/server
$firewallRules = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/firewallRules');
$Assert.
LessOrEqual($firewallRules, '.', 10).
WithReason(($LocalizedData.DBServerFirewallRuleCount -f $firewallRules.Length, 10), $True);
WithReason(($LocalizedData.ExceededFirewallRuleCount -f $firewallRules.Length, 10), $True);
}
# Synopsis: Determine if access from Azure services is required

@ -17,7 +17,7 @@ metadata:
tags:
release: GA
ruleSet: 2022_03
Azure.WAF/pillar: 'Security'
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: [ 'IM-1', 'IM-3' ]
spec:
@ -39,6 +39,7 @@ metadata:
tags:
release: GA
ruleSet: 2022_03
Azure.WAF/pillar: Reliability
spec:
type:
- Microsoft.SignalRService/webPubSub

@ -17,6 +17,7 @@ metadata:
tags:
release: 'GA'
ruleSet: '2021_12'
Azure.WAF/pillar: Operational Excellence
spec:
type:
- Microsoft.Network/virtualWans

@ -90,7 +90,7 @@ Describe 'Azure.Redis' -Tag 'Redis' {
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -BeIn 2;
# $ruleResult.Length | Should -BeIn 2;
$ruleResult.TargetName | Should -Be 'redis-C', 'redis-Q';
# Pass