Azure Front Door updates to logging and docs #2704 #1772 #2570 (#2705)

Bernie White 2024-02-24 18:06:13 +10:00 коммит произвёл GitHub
Родитель a0bb5d654f
Коммит ffabce110d
60 изменённых файлов: 887 добавлений и 433 удалений

.vscode/settings.json поставляемый

@ -54,6 +54,7 @@
"australiaeast",
"australiasoutheast",
"AUTOMATIONACCOUNT",
"autoscale",
"autoscaler",
"bicepparam",
"cmdlet",


@ -126,5 +126,21 @@
],
"reason": "Duplicate",
"value": "Azure.KeyVault.RBAC"
},
{
"policyDefinitionIds": [
"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598",
"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d"
],
"reason": "Duplicate",
"value": "Azure.EventHub.DisableLocalAuth"
},
{
"policyDefinitionIds": [
"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c",
"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04"
],
"reason": "Duplicate",
"value": "Azure.EventGrid.DisableLocalAuth"
}
]
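Review bot: The two new `"reason": "Duplicate"` entries suppress generated rules for two policy definition ids each, so the hand-written `Azure.EventHub.DisableLocalAuth` and `Azure.EventGrid.DisableLocalAuth` rules now stand in for both ids in each pair. If the paired ids differ by target resource type (the hunk does not show what distinguishes them, so this is inferred), the suppression silently drops coverage for any type the existing rule does not evaluate, and nothing on the page records that this was checked. Worth confirming that each rule's `type` precondition matches every resource type the two policies apply to, and noting in the rule's markdown which policy definitions it supersedes so the suppression stays reviewable. The enclosing array starts before this hunk.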


@ -48,6 +48,16 @@ What's changed since v1.33.2:
- Improved guidance and examples specifically for system node pools.
- Added configuration to support changing the minimum number of node.
- Set `AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES` to set the minimum number of system nodes.
- Front Door:
- Updated `Azure.FrontDoor.Logs` to cover premium and standard profiles instead of just classic by @BernieWhite.
[#2704](https://github.com/Azure/PSRule.Rules.Azure/issues/2704)
- Added a selector for premium and standard profiles `Azure.FrontDoor.IsStandardOrPremium`.
- Added a selector for classic profiles `Azure.FrontDoor.IsClassic`.
- Updated rule set to `2024_03`.
- General improvements:
- Documentation and metadata improvements by @BernieWhite.
[#1772](https://github.com/Azure/PSRule.Rules.Azure/issues/1772)
[#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
- Engineering:
- Bump Microsoft.NET.Test.Sdk to v17.9.0.
[#2680](https://github.com/Azure/PSRule.Rules.Azure/pull/2680)


@ -4,7 +4,7 @@ Includes all Azure rules.
## Rules
The following rules are included within `Azure.All`. This baseline includes a total of 410 rules.
The following rules are included within `Azure.All`. This baseline includes a total of 411 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -41,7 +41,8 @@ Name | Synopsis | Severity
[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -175,14 +176,14 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness


@ -4,7 +4,7 @@ Default baseline for Azure rules.
## Rules
The following rules are included within `Azure.Default`. This baseline includes a total of 399 rules.
The following rules are included within `Azure.Default`. This baseline includes a total of 400 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -37,7 +37,8 @@ Name | Synopsis | Severity
[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -167,14 +168,14 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness


@ -6,7 +6,7 @@ Include rules released June 2020 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2020_06`. This baseline includes a total of 137 rules.
The following rules are included within `Azure.GA_2020_06`. This baseline includes a total of 136 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -15,7 +15,7 @@ Name | Synopsis | Severity
[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
[Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -52,7 +52,6 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Contact](../rules/Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.State](../rules/Azure.FrontDoor.State.md) | Enable Azure Front Door Classic instance. | Important


@ -6,7 +6,7 @@ Include rules released September 2020 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2020_09`. This baseline includes a total of 153 rules.
The following rules are included within `Azure.GA_2020_09`. This baseline includes a total of 152 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -15,7 +15,7 @@ Name | Synopsis | Severity
[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
[Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -58,7 +58,6 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Contact](../rules/Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.State](../rules/Azure.FrontDoor.State.md) | Enable Azure Front Door Classic instance. | Important


@ -6,7 +6,7 @@ Include rules released December 2020 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2020_12`. This baseline includes a total of 177 rules.
The following rules are included within `Azure.GA_2020_12`. This baseline includes a total of 176 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -21,7 +21,7 @@ Name | Synopsis | Severity
[Azure.AKS.AzurePolicyAddOn](../rules/Azure.AKS.AzurePolicyAddOn.md) | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important
[Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -72,7 +72,6 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Contact](../rules/Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.State](../rules/Azure.FrontDoor.State.md) | Enable Azure Front Door Classic instance. | Important


@ -6,7 +6,7 @@ Include rules released March 2021 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2021_03`. This baseline includes a total of 192 rules.
The following rules are included within `Azure.GA_2021_03`. This baseline includes a total of 191 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -21,7 +21,7 @@ Name | Synopsis | Severity
[Azure.AKS.AzurePolicyAddOn](../rules/Azure.AKS.AzurePolicyAddOn.md) | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | Important
[Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -72,7 +72,6 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Contact](../rules/Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released June 2021 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2021_06`. This baseline includes a total of 206 rules.
The following rules are included within `Azure.GA_2021_06`. This baseline includes a total of 205 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -24,7 +24,7 @@ Name | Synopsis | Severity
[Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -77,7 +77,6 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Contact](../rules/Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released September 2021 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2021_09`. This baseline includes a total of 225 rules.
The following rules are included within `Azure.GA_2021_09`. This baseline includes a total of 224 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -29,7 +29,7 @@ Name | Synopsis | Severity
[Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -87,7 +87,6 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Contact](../rules/Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released December 2021 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2021_12`. This baseline includes a total of 251 rules.
The following rules are included within `Azure.GA_2021_12`. This baseline includes a total of 250 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -31,7 +31,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -100,7 +100,6 @@ Name | Synopsis | Severity
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released March 2022 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2022_03`. This baseline includes a total of 267 rules.
The following rules are included within `Azure.GA_2022_03`. This baseline includes a total of 266 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -35,7 +35,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -102,12 +102,11 @@ Name | Synopsis | Severity
[Azure.DefenderCloud.Provisioning](../rules/Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released June 2022 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2022_06`. This baseline includes a total of 271 rules.
The following rules are included within `Azure.GA_2022_06`. This baseline includes a total of 270 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -35,7 +35,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -106,12 +106,11 @@ Name | Synopsis | Severity
[Azure.Deployment.OutputSecretValue](../rules/Azure.Deployment.OutputSecretValue.md) | Avoid outputting sensitive deployment values. | Critical
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released September 2022 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2022_09`. This baseline includes a total of 302 rules.
The following rules are included within `Azure.GA_2022_09`. This baseline includes a total of 301 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -36,7 +36,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -125,12 +125,11 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released December 2022 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2022_12`. This baseline includes a total of 340 rules.
The following rules are included within `Azure.GA_2022_12`. This baseline includes a total of 339 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -36,7 +36,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -134,12 +134,11 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released March 2023 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2023_03`. This baseline includes a total of 360 rules.
The following rules are included within `Azure.GA_2023_03`. This baseline includes a total of 359 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -37,7 +37,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -145,13 +145,12 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released June 2023 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2023_06`. This baseline includes a total of 375 rules.
The following rules are included within `Azure.GA_2023_06`. This baseline includes a total of 374 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -37,7 +37,7 @@ Name | Synopsis | Severity
[Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -155,13 +155,12 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness
[Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important


@ -6,7 +6,7 @@ Include rules released September 2023 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2023_09`. This baseline includes a total of 386 rules.
The following rules are included within `Azure.GA_2023_09`. This baseline includes a total of 385 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -39,7 +39,7 @@ Name | Synopsis | Severity
[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -161,14 +161,13 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness


@ -4,7 +4,7 @@ Include rules released December 2023 or prior for Azure GA features.
## Rules
The following rules are included within `Azure.GA_2023_12`. This baseline includes a total of 395 rules.
The following rules are included within `Azure.GA_2023_12`. This baseline includes a total of 394 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -37,7 +37,7 @@ Name | Synopsis | Severity
[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -163,14 +163,13 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness


@ -6,7 +6,7 @@ Microsoft Cloud Security Benchmark v1.
## Controls
The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 126 rules.
The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 129 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -83,10 +83,13 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.UseWAF](../rules/Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical
[Azure.FrontDoor.WAF.Enabled](../rules/Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical
[Azure.IoTHub.MinTLS](../rules/Azure.IoTHub.MinTLS.md) | IoT Hubs should reject TLS versions older than 1.2. | Critical
[Azure.KeyVault.Logs](../rules/Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important


@ -4,7 +4,7 @@ Includes rules for Azure GA and preview features.
## Rules
The following rules are included within `Azure.Preview`. This baseline includes a total of 410 rules.
The following rules are included within `Azure.Preview`. This baseline includes a total of 411 rules.
Name | Synopsis | Severity
---- | -------- | --------
@ -41,7 +41,8 @@ Name | Synopsis | Severity
[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
[Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
[Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
[Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
[Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
[Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
[Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@ -175,14 +176,14 @@ Name | Synopsis | Severity
[Azure.EventGrid.DisableLocalAuth](../rules/Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important
[Azure.EventGrid.ManagedIdentity](../rules/Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important
[Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important
[Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
[Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical
[Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important
[Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical
[Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness
[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical
[Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important
[Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical
[Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness


@ -1,7 +1,8 @@
---
reviewed: 2024-02-24
severity: Critical
pillar: Security
category: Data protection
category: SE:07 Encryption
resource: Application Gateway
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.SSLPolicy/
---
@ -14,11 +15,17 @@ Application Gateway should only accept a minimum of TLS 1.2.
## DESCRIPTION
The minimum version of TLS that Application Gateways accept is configurable.
Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2.
By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.
## RECOMMENDATION
Consider configuring Application Gateway to accept a minimum of TLS 1.2.
Consider configuring Application Gateways to accept a minimum of TLS 1.2.
### Configure with Azure template
@ -38,26 +45,31 @@ For example:
```json
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2020-11-01",
"name": "appGw-001",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"name": "WAF_v2",
"tier": "WAF_v2"
},
"sslPolicy": {
"policyType": "Custom",
"minProtocolVersion": "TLSv1_2",
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
}
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2023-09-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"zones": [
"1",
"2",
"3"
],
"properties": {
"sku": {
"name": "WAF_v2",
"tier": "WAF_v2"
},
"sslPolicy": {
"policyType": "Custom",
"minProtocolVersion": "TLSv1_2",
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
}
}
}
```
@ -78,9 +90,14 @@ To deploy Application Gateways that pass this rule use a predefined or custom po
For example:
```bicep
resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
name: 'appGw-001'
resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {
name: name
location: location
zones: [
'1'
'2'
'3'
]
properties: {
sku: {
name: 'WAF_v2'
@ -100,13 +117,21 @@ resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
}
```
### Configure with Azure PowerShell
```powershell
$gw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
```
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Application Gateway SSL policy overview](https://docs.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview)
- [Configure SSL policy versions and cipher suites on Application Gateway](https://docs.microsoft.com/azure/application-gateway/application-gateway-configure-ssl-policy-powershell)
- [Overview of TLS termination and end to end TLS with Application Gateway](https://docs.microsoft.com/azure/application-gateway/ssl-overview)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.network/applicationgateways)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/application-gateway-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Application Gateway SSL policy overview](https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview)
- [Configure SSL policy versions and cipher suites on Application Gateway](https://learn.microsoft.com/azure/application-gateway/application-gateway-configure-ssl-policy-powershell)
- [Overview of TLS termination and end to end TLS with Application Gateway](https://learn.microsoft.com/azure/application-gateway/ssl-overview)
- [Predefined TLS policy](https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview#predefined-tls-policy)
- [Cipher suites](https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview#cipher-suites)
- [Limitations](https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview#limitations)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)


@ -1,11 +1,9 @@
---
severity: Critical
pillar: Security
category: Data protection
category: SE:07 Encryption
resource: Application Gateway
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.UseHTTPS/
author: BernieWhite
ms-date: 2021/07/25
---
# Expose frontend HTTP endpoints over HTTPS
@ -17,7 +15,7 @@ Application Gateways should only expose frontend HTTP endpoints over HTTPS.
## DESCRIPTION
Application Gateways support HTTP and HTTPS endpoints for backend and frontend traffic.
When using frontend HTTP (80) endpoints, traffic between client and Application Gateway is not encrypted.
When using frontend HTTP (`80`) endpoints, traffic between client and Application Gateway is not encrypted.
Unencrypted communication could allow disclosure of information to an un-trusted party.
@ -32,31 +30,43 @@ To deploy Application Gateways that pass this rule:
- Set the `properties.frontendPorts.properties.port` property to `443`.
Fors example:
For example:
```json
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2020-11-01",
"name": "appGw-001",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"name": "WAF_v2",
"tier": "WAF_v2"
},
"sslPolicy": {
"minProtocolVersion": "TLSv1_2"
},
"frontendPorts": [
{
"name": "https",
"properties": {
"Port": 443
}
}
]
}
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2023-09-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"zones": [
"1",
"2",
"3"
],
"properties": {
"sku": {
"name": "WAF_v2",
"tier": "WAF_v2"
},
"sslPolicy": {
"policyType": "Custom",
"minProtocolVersion": "TLSv1_2",
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
},
"frontendPorts": [
{
"name": "https",
"properties": {
"Port": 443
}
}
]
}
}
```
@ -69,16 +79,28 @@ To deploy Application Gateways that pass this rule:
For example:
```bicep
resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
name: 'appGw-001'
resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {
name: name
location: location
zones: [
'1'
'2'
'3'
]
properties: {
sku: {
name: 'WAF_v2'
tier: 'WAF_v2'
}
sslPolicy: {
policyType: 'Custom'
minProtocolVersion: 'TLSv1_2'
cipherSuites: [
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
]
}
frontendPorts: [
{
@ -94,6 +116,7 @@ resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Create an application gateway with HTTP to HTTPS redirection using the Azure portal](https://docs.microsoft.com/azure/application-gateway/redirect-http-to-https-portal)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.network/applicationgateways)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/application-gateway-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Create an application gateway with HTTP to HTTPS redirection using the Azure portal](https://learn.microsoft.com/azure/application-gateway/redirect-http-to-https-portal)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)


@ -76,6 +76,13 @@ resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {
}
```
### Configure with Azure Policy
To address this issue at runtime use the following policies:
- [Azure Event Grid topics should have local authentication methods disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_DisableLocalAuth_AuditDeny.json)
- [Configure Azure Event Grid topics to disable local authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_DisableLocalAuth_Modify.json)
## LINKS
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)


@ -89,6 +89,13 @@ resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
}
```
### Configure with Azure Policy
To address this issue at runtime use the following policies:
- [Azure Event Hub namespaces should have local authentication methods disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_DisableLocalAuth_AuditDeny.json)
- [Configure Azure Event Hub namespaces to disable local authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_DisableLocalAuth_Modify.json)
## LINKS
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#use-identity-based-authentication)


@ -1,7 +1,8 @@
---
reviewed: 2024-02-24
severity: Important
pillar: Security
category: Security operations
category: SE:10 Monitoring and threat detection
resource: Front Door
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.FrontDoor.Logs/
---
@ -10,75 +11,105 @@ online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.FrontD
## SYNOPSIS
Audit and monitor access through Front Door.
Audit and monitor access through Azure Front Door profiles.
## DESCRIPTION
To capture network activity through Front Door, diagnostic settings must be configured.
When configuring diagnostics settings enable `FrontdoorAccessLog` logs.
Azure Front Door (AFD) supports logging network access to resources through the service.
This includes access logs and web application firewall logs.
Capturing these logs can help detect and respond to security threats as part of a security monitoring strategy.
Additionally, many compliance standards require logging and monitoring of network access.
Enable `FrontdoorWebApplicationFirewallLog` when web application firewall (WAF) policy is configured.
Like all security monitoring, it is only effective if the logs are reviewed and correlated with other security events.
Microsoft Sentinel can be used to analyze and correlate logs, or third-party solutions can be used.
To capture network access events through Front Door, diagnostic settings must be configured.
When configuring diagnostics settings enable collection of the following logs:
- `FrontdoorAccessLog` - Can be used to monitor network activity and access through Front Door.
- `FrontdoorWebApplicationFirewallLog` - Can be used to detect potential attacks, or false positive detections.
This log will be empty if a WAF policy is not configured.
Management operations for Front Door is captured automatically within Azure Activity Logs.
## RECOMMENDATION
Consider configuring diagnostics setting to log network activity through Front Door.
Consider configuring diagnostics setting to log network activity and access through Azure Front Door (AFD).
Also consider correlating logs with other security events to detect and respond to security threats.
## EXAMPLES
### Configure with Azure template
To deploy a Front Door resource that passes this rule:
To deploy Azure Front Door Premium/ Standard profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the `FrontdoorAccessLog` category.
- Enable logging for the `FrontdoorWebApplicationFirewallLog` category.
- Enable logging for the `FrontdoorWebApplicationFirewallLog` category if a WAF policy is configured.
For example:
```json
{
"resources": [
{
"type": "Microsoft.Cdn/profiles",
"apiVersion": "2021-06-01",
"name": "[parameters('frontDoorName')]",
"location": "Global",
"sku": {
"name": "Standard_AzureFrontDoor"
}
},
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2020-05-01-preview",
"scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('frontDoorName'))]",
"name": "service",
"location": "[parameters('location')]",
"properties": {
"workspaceId": "[parameters('workSpaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]",
"name": "audit",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
"dependsOn": [
"[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]"
]
}
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]"
]
}
```
To deploy Azure Front Door Classic profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the `FrontdoorAccessLog` category.
- Enable logging for the `FrontdoorWebApplicationFirewallLog` category if a WAF policy is configured.
For example:
```json
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]",
"name": "audit",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/frontDoors', parameters('name'))]"
]
}
```
### Configure with Bicep
To deploy a Front Door resource that passes this rule:
To deploy Azure Front Door Premium/ Standard profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the `FrontdoorAccessLog` category.
@ -87,19 +118,9 @@ To deploy a Front Door resource that passes this rule:
For example:
```bicep
targetScope = 'resourceGroup'
resource frontDoorResource 'Microsoft.Cdn/profiles@2021-06-01' = {
name: frontDoorName
location: 'Global'
sku: {
name: 'Standard_AzureFrontDoor'
}
}
resource frontDoorInsightsResource 'Microsoft.Insights/diagnosticSettings@2020-05-01-preview' = {
name: 'frontDoorInsights'
scope: frontDoorResource
location: 'Global'
resource audit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'audit'
scope: afd_profile
properties: {
workspaceId: workspaceId
logs: [
@ -116,8 +137,43 @@ resource frontDoorInsightsResource 'Microsoft.Insights/diagnosticSettings@2020-0
}
```
To deploy Azure Front Door Classic profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the `FrontdoorAccessLog` category.
- Enable logging for the `FrontdoorWebApplicationFirewallLog` category.
For example:
```bicep
resource audit_classic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'audit'
scope: afd_classic
properties: {
workspaceId: workspaceId
logs: [
{
category: 'FrontdoorAccessLog'
enabled: true
}
{
category: 'FrontdoorWebApplicationFirewallLog'
enabled: true
}
]
}
}
```
## NOTES
This rule applies to Azure Front Door Premium/ Standard/ Classic profiles.
## LINKS
- [Monitoring metrics and logs in Azure Front Door Service](https://docs.microsoft.com/azure/frontdoor/front-door-diagnostics#diagnostic-logging)
- [Create a Front Door Standard/Premium using Bicep](https://learn.microsoft.com/azure/frontdoor/create-front-door-bicep?tabs=CLI)
- [Security logs and alerts using Azure services](https://learn.microsoft.com/azure/architecture/framework/security/monitor-logs-alerts)
- [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
- [LT-4: Enable logging for security investigation](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-front-door-security-baseline#lt-4-enable-logging-for-security-investigation)
- [Monitor metrics and logs in Azure Front Door](https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-standard-premium)
- [Monitor metrics and logs in Azure Front Door Classic](https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-classic)
- [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.insights/diagnosticsettings)
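Review bot: The new Bicep examples scope the diagnostic settings to `afd_profile` (in the `resource audit` block) and `afd_classic` (in the `resource audit_classic` block), but neither symbol is declared anywhere in the snippet, whereas the example being replaced declared the profile resource inline, so a reader copying the snippet gets an unresolved reference. A one-line existing-resource reference keeps each snippet self-contained, e.g. `resource afd_profile 'Microsoft.Cdn/profiles@2021-06-01' existing = { name: name }` ahead of the Premium/Standard example and `resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' existing = { name: name }` ahead of the Classic one. The Classic Bicep bullet list also drops the "if a WAF policy is configured" qualifier on `FrontdoorWebApplicationFirewallLog` that both template sections carry, so the three lists should be brought into agreement. Finally, "profiles that passes this rule" appears four times in the new text and should read "profiles that pass this rule".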


@ -1,7 +1,7 @@
---
severity: Important
pillar: Performance Efficiency
category: Performance patterns
pillar: Performance Efficiency
category: PE:08 Data performance
resource: Front Door
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.FrontDoor.UseCaching/
---
@ -14,11 +14,22 @@ Use caching to reduce retrieving contents from origins.
## DESCRIPTION
Azure Front Door delivers large files without a cap on file size. Front Door uses a technique called object chunking. When a large file is requested, Front Door retrieves smaller pieces of the file from the backend. After receiving a full or byte-range file request, the Front Door environment requests the file from the backend in chunks of 8 MB.
Azure Front Door delivers large files without a cap on file size.
Front Door uses a technique called object chunking.
When a large file is requested, Front Door retrieves smaller pieces of the file from the backend.
After receiving a full or byte-range file request, the Front Door environment requests the file from the backend in chunks of 8 MB.
After the chunk arrives at the Front Door environment, it's cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. This process continues until the entire file gets downloaded (if requested) or the client closes the connection.
After the chunk arrives at the Front Door environment, it's cached and immediately served to the user.
Front Door then pre-fetches the next chunk in parallel.
This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency.
This process continues until the entire file gets downloaded (if requested) or the client closes the connection.
For more information on the byte-range request, read RFC 7233. Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache. Ensuing requests for the file or byte ranges are served from the cache. If the chunks aren't all cached, pre-fetching is used to request chunks from the backend. This optimization relies on the backend's ability to support byte-range requests. If the backend doesn't support byte-range requests, this optimization isn't effective.
For more information on the byte-range request, read RFC 7233.
Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache.
Ensuing requests for the file or byte ranges are served from the cache.
If the chunks aren't all cached, pre-fetching is used to request chunks from the backend.
This optimization relies on the backend's ability to support byte-range requests.
If the backend doesn't support byte-range requests, this optimization isn't effective.
## RECOMMENDATION
@ -32,7 +43,8 @@ To deploy front door instances pass this rule:
- Configure `properties.routingRules.properties.routeConfiguration.cacheConfiguration`.
**Important** The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link `Routing architecture overview` for more information around this.
**Important** The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules.
Check the link `Routing architecture overview` for more information around this.
For example:
@ -139,12 +151,13 @@ To deploy front door instances pass this rule:
- Configure `properties.routingRules.properties.routeConfiguration.cacheConfiguration`.
**Important** The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link `Routing architecture overview` for more information around this.
**Important** The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules.
Check the link `Routing architecture overview` for more information around this.
For example:
```bicep
@description('The name of the frontdoor resource.')
@description('The name of the Front Door profile.')
param frontDoorName string
@description('The hostname of the backend. Must be an IP address or FQDN.')
@ -257,12 +270,12 @@ resource frontDoor 'Microsoft.Network/frontDoors@2021-06-01' = {
## NOTES
This rule only applies to Front Door Classic `(Microsoft.Network/frontDoors)`.
This rule only applies to Azure Front Door Classic profiles (`Microsoft.Network/frontDoors`).
## LINKS
- [Performance patterns](https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency-patterns)
- [PE:08 Data performance](https://learn.microsoft.com/azure/well-architected/performance-efficiency/optimize-data-performance)
- [Caching with Azure Front Door](https://learn.microsoft.com/azure/frontdoor/front-door-caching)
- [Routing architecture overview](https://learn.microsoft.com/azure/frontdoor/front-door-routing-architecture)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors/rulesengines)
- [Azure deployment reference - Classic Profile](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors)
- [Azure deployment reference - Classic Rules engine](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors/rulesengines)


@ -2,7 +2,7 @@
reviewed: 2023-08-20
severity: Important
pillar: Security
category: Logs and alerts
category: SE:10 Monitoring and threat detection
resource: Key Vault
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.Logs/
---
@ -131,7 +131,7 @@ resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
## LINKS
- [Security logs and alerts using Azure services](https://learn.microsoft.com/azure/architecture/framework/security/monitor-logs-alerts)
- [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
- [LT-4: Enable logging for security investigation](https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline#lt-4-enable-logging-for-security-investigation)
- [Best practices to use Key Vault](https://learn.microsoft.com/azure/key-vault/general/best-practices)
- [Azure Key Vault logging](https://learn.microsoft.com/azure/key-vault/general/logging)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Reliability
category: Design
category: RE:05 Regions and availability zones
resource: Load Balancer
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.LB.AvailabilityZone/
---
@ -119,6 +119,6 @@ resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {
## LINKS
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.network/loadbalancers?tabs=json)
- [Load Balancer and Availability Zones](https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones)
- [Use zone-aware services](https://learn.microsoft.com/azure/architecture/framework/resiliency/design-best-practices#use-zone-aware-services)
- [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones)
- [Reliability in Load Balancer](https://learn.microsoft.com/azure/reliability/reliability-load-balancer)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/loadbalancers)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Reliability
category: Load balancing and failover
category: RE:05 Redundancy
resource: Load Balancer
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.LB.Probe/
---
@ -22,6 +22,7 @@ Consider using a dedicated health check endpoint for HTTP or HTTPS health probes
## LINKS
- [Load Balancer health probes](https://docs.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview)
- [Creating good health probes](https://learn.microsoft.com/azure/architecture/framework/resiliency/monitoring#creating-good-health-probes)
- [Health Endpoint Monitoring pattern](https://docs.microsoft.com/azure/architecture/patterns/health-endpoint-monitoring)
- [RE:05 Redundancy](https://learn.microsoft.com/azure/well-architected/reliability/redundancy)
- [Load Balancer health probes](https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview)
- [Health Endpoint Monitoring pattern](https://learn.microsoft.com/azure/architecture/patterns/health-endpoint-monitoring)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/loadbalancers)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Reliability
category: Design
category: RE:04 Target metrics
resource: Load Balancer
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.LB.StandardSKU/
---
@ -19,7 +19,7 @@ It supports inbound as well as outbound connections, provides low latency and hi
It enables Availability Zones with zone-redundant and zonal front ends as well as cross-zone load balancing for public and internal scenarios.
You can scale Network Virtual Appliance scenarios and make them more resilient by using internal HA Ports load balancing rules.
It also provides new diagnostics insights with multi-dimensional metrics in Azure Monitor.
## RECOMMENDATION
Consider using Standard SKU for load balancers deployed in production.
@ -112,7 +112,7 @@ resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {
## LINKS
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.network/loadbalancers?tabs=json)
- [Why use Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview#why-use-azure-load-balancer)
- [Azure Load Balancer SKUs](https://docs.microsoft.com/azure/load-balancer/skus)
- [Meet application platform requirements](https://learn.microsoft.com/azure/architecture/framework/resiliency/design-requirements#meet-application-platform-requirements)
- [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
- [Why use Azure Load Balancer?](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview#why-use-azure-load-balancer)
- [Azure Load Balancer SKUs](https://learn.microsoft.com/azure/load-balancer/skus)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/loadbalancers)


@ -1,7 +1,7 @@
---
severity: Critical
pillar: Security
category: Data protection
category: SE:07 Encryption
resource: Azure Cache for Redis
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.MinTLS/
ms-content-id: 31240bca-b04f-4267-9c31-cfca4e91cfbf
@ -122,9 +122,9 @@ Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11)
- [Configure Azure Cache for Redis settings](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11)
- [Configure Azure Cache for Redis settings](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis)


@ -1,7 +1,7 @@
---
severity: Critical
pillar: Security
category: Data protection
category: SE:07 Encryption
resource: Azure Cache for Redis Enterprise
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.MinTLS/
---
@ -97,9 +97,9 @@ Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11)
- [Configure Azure Cache for Redis settings](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure#access-ports)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise)


@ -45,7 +45,7 @@ AZR-000020 | [Azure.AKS.CNISubnetSize](Azure.AKS.CNISubnetSize.md) | AKS cluster
AZR-000021 | [Azure.AKS.AvailabilityZone](Azure.AKS.AvailabilityZone.md) | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | GA
AZR-000022 | [Azure.AKS.AuditLogs](Azure.AKS.AuditLogs.md) | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | GA
AZR-000023 | [Azure.AKS.PlatformLogs](Azure.AKS.PlatformLogs.md) | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | GA
AZR-000024 | [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | GA
AZR-000024 | [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | GA
AZR-000025 | [Azure.AKS.ManagedIdentity](Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | GA
AZR-000026 | [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | GA
AZR-000027 | [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | GA
@ -122,12 +122,12 @@ AZR-000098 | [Azure.EventGrid.TopicPublicAccess](Azure.EventGrid.TopicPublicAcce
AZR-000099 | [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | GA
AZR-000100 | [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | GA
AZR-000101 | [Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | GA
AZR-000102 | [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | GA
AZR-000102 | [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | GA
AZR-000103 | [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | GA
AZR-000104 | [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | GA
AZR-000105 | [Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | GA
AZR-000106 | [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | GA
AZR-000107 | [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | GA
AZR-000107 | [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | GA
AZR-000108 | [Azure.FrontDoor.Probe](Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | GA
AZR-000109 | [Azure.FrontDoor.ProbeMethod](Azure.FrontDoor.ProbeMethod.md) | Configure health probes to use HEAD requests to reduce performance overhead. | GA
AZR-000110 | [Azure.FrontDoor.ProbePath](Azure.FrontDoor.ProbePath.md) | Configure a dedicated path for health probe requests. | GA
@ -432,5 +432,6 @@ AZR-000408 | [Azure.Deployment.SecureParameter](Azure.Deployment.SecureParameter
AZR-000409 | [Azure.Databricks.SKU](Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | GA
AZR-000410 | [Azure.Databricks.PublicAccess](Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | GA
AZR-000411 | [Azure.DevBox.ProjectLimit](Azure.DevBox.ProjectLimit.md) | Limit the number of Dev Boxes a single user can create for a project. | GA
AZR-000412 | [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | GA
*[GA]: Generally Available &mdash; Rules related to a generally available Azure features.


@ -314,6 +314,12 @@ Name | Synopsis | Severity | Level
[Azure.AKS.AutoScaling](Azure.AKS.AutoScaling.md) | Use autoscaling to scale clusters based on workload requirements. | Important | Error
[Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
### PE:08 Data performance
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.FrontDoor.UseCaching](Azure.FrontDoor.UseCaching.md) | Use caching to reduce retrieving contents from origins. | Important | Error
### Performance
Name | Synopsis | Severity | Level
@ -328,12 +334,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.EphemeralOSDisk](Azure.AKS.EphemeralOSDisk.md) | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | Important | Warning
[Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error
### Performance patterns
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.FrontDoor.UseCaching](Azure.FrontDoor.UseCaching.md) | Use caching to reduce retrieving contents from origins. | Important | Error
## Reliability
### Application design
@ -376,8 +376,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.PoolVersion](Azure.AKS.PoolVersion.md) | AKS node pools should match Kubernetes control plane version. | Important | Error
[Azure.APIM.AvailabilityZone](Azure.APIM.AvailabilityZone.md) | API management services deployed with Premium SKU should use availability zones in supported regions for high availability. | Important | Error
[Azure.AppGw.AvailabilityZone](Azure.AppGw.AvailabilityZone.md) | Application gateways should use availability zones in supported regions for high availability. | Important | Error
[Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
[Azure.LB.StandardSKU](Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | Error
[Azure.PublicIP.AvailabilityZone](Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important | Error
[Azure.Redis.AvailabilityZone](Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important | Error
[Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error
@ -399,9 +397,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important | Error
[Azure.AppGw.MinInstance](Azure.AppGw.MinInstance.md) | Application Gateways should use a minimum of two instances. | Important | Error
[Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two virtual machines (VMs). | Important | Error
### RE:01 Simplicity and efficiency
@ -415,16 +411,26 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.Version](Azure.AKS.Version.md) | AKS control plane and nodes pools should use a current stable release. | Important | Error
[Azure.LB.StandardSKU](Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | Error
### RE:05 Redundancy
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
[Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
[Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error
[Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error
[Azure.VNG.VPNActiveActive](Azure.VNG.VPNActiveActive.md) | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important | Error
[Azure.VNG.VPNAvailabilityZoneSKU](Azure.VNG.VPNAvailabilityZoneSKU.md) | Use availability zone SKU for virtual network gateways deployed with VPN gateway type. | Important | Error
### RE:05 Regions and availability zones
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
### RE:07 Self-preservation
Name | Synopsis | Severity | Level
@ -496,7 +502,6 @@ Name | Synopsis | Severity | Level
[Azure.FrontDoor.UseWAF](Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical | Error
[Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error
[Azure.KeyVault.Firewall](Azure.KeyVault.Firewall.md) | Key Vault should only accept explicitly allowed traffic. | Important | Error
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error
[Azure.Storage.Firewall](Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important | Error
### Authentication
@ -507,7 +512,6 @@ Name | Synopsis | Severity | Level
[Azure.Cognitive.DisableLocalAuth](Azure.Cognitive.DisableLocalAuth.md) | Authenticate requests to Cognitive Services with Azure AD identities. | Important | Error
[Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
[Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Azure AD identities for management place operations in Azure Cosmos DB. | Important | Error
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important | Error
[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error
[Azure.ML.DisableLocalAuth](Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical | Error
[Azure.MySQL.AAD](Azure.MySQL.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. | Critical | Error
@ -560,8 +564,6 @@ Name | Synopsis | Severity | Level
[Azure.ACR.ContentTrust](Azure.ACR.ContentTrust.md) | Use container images signed by a trusted image publisher. | Important | Error
[Azure.APIM.EncryptValues](Azure.APIM.EncryptValues.md) | Encrypt all API Management named values with Key Vault secrets. | Important | Error
[Azure.APIM.HTTPEndpoint](Azure.APIM.HTTPEndpoint.md) | Enforce HTTPS for communication to API clients. | Important | Error
[Azure.AppGw.SSLPolicy](Azure.AppGw.SSLPolicy.md) | Application Gateway should only accept a minimum of TLS 1.2. | Critical | Error
[Azure.AppGw.UseHTTPS](Azure.AppGw.UseHTTPS.md) | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | Error
[Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Azure App Service apps should only accept encrypted connections. | Important | Error
[Azure.AppService.WebSecureFtp](Azure.AppService.WebSecureFtp.md) | Web apps should disable insecure FTP and configure SFTP when required. | Important | Error
[Azure.Automation.EncryptVariables](Azure.Automation.EncryptVariables.md) | Azure Automation variables should be encrypted. | Important | Error
@ -570,8 +572,6 @@ Name | Synopsis | Severity | Level
[Azure.MariaDB.UseSSL](Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | Error
[Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error
[Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error
[Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error
[Azure.Storage.DefenderCloud](Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical | Error
[Azure.Storage.DefenderCloud.MalwareScan](Azure.Storage.DefenderCloud.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical | Error
@ -592,7 +592,6 @@ Name | Synopsis | Severity | Level
[Azure.APIM.CORSPolicy](Azure.APIM.CORSPolicy.md) | Avoid using wildcard for any configuration option in CORS policies. | Important | Error
[Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | Important | Error
[Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error
[Azure.Resource.AllowedRegions](Azure.Resource.AllowedRegions.md) | Resources should be deployed to allowed regions. | Important | Error
### Encryption
@ -604,7 +603,6 @@ Name | Synopsis | Severity | Level
[Azure.APIM.Protocols](Azure.APIM.Protocols.md) | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical | Error
[Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older than 1.2. | Critical | Error
[Azure.CDN.MinTLS](Azure.CDN.MinTLS.md) | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | Error
[Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical | Error
[Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | Error
[Azure.IoTHub.MinTLS](Azure.IoTHub.MinTLS.md) | IoT Hubs should reject TLS versions older than 1.2. | Critical | Error
[Azure.MariaDB.MinTLS](Azure.MariaDB.MinTLS.md) | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | Error
@ -615,7 +613,7 @@ Name | Synopsis | Severity | Level
[Azure.Storage.MinTLS](Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical | Error
[Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important | Error
### Identity and Access Management
### Identity and access management
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
@ -664,12 +662,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
[Azure.KeyVault.AutoRotationPolicy](Azure.KeyVault.AutoRotationPolicy.md) | Key Vault keys should have auto-rotation enabled. | Important | Error
### Logs and alerts
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error
### Monitor
Name | Synopsis | Severity | Level
@ -732,6 +724,12 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error
### SE:01 Security baseline
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Resource.AllowedRegions](Azure.Resource.AllowedRegions.md) | Resources should be deployed to allowed regions. | Important | Error
### SE:04 Segmentation
Name | Synopsis | Severity | Level
@ -753,6 +751,7 @@ Name | Synopsis | Severity | Level
[Azure.Cognitive.ManagedIdentity](Azure.Cognitive.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | Error
[Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
[Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
[Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning
### SE:06 Network controls
@ -763,12 +762,18 @@ Name | Synopsis | Severity | Level
[Azure.Databricks.PublicAccess](Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical | Error
[Azure.Databricks.SecureConnectivity](Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical | Error
[Azure.EventGrid.TopicPublicAccess](Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important | Error
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error
[Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical | Error
### SE:07 Encryption
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppGw.SSLPolicy](Azure.AppGw.SSLPolicy.md) | Application Gateway should only accept a minimum of TLS 1.2. | Critical | Error
[Azure.AppGw.UseHTTPS](Azure.AppGw.UseHTTPS.md) | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | Error
[Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical | Error
[Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important | Error
### SE:10 Monitoring and threat detection
@ -778,6 +783,8 @@ Name | Synopsis | Severity | Level
[Azure.APIM.DefenderCloud](Azure.APIM.DefenderCloud.md) | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical | Error
[Azure.AppConfig.AuditLogs](Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important | Error
[Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important | Error
[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error
### Secrets
@ -815,7 +822,6 @@ Name | Synopsis | Severity | Level
[Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | Critical | Error
[Azure.DefenderCloud.Contact](Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error
[Azure.DefenderCloud.Provisioning](Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error
[Azure.MariaDB.DefenderCloud](Azure.MariaDB.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important | Error
[Azure.MySQL.DefenderCloud](Azure.MySQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important | Error
[Azure.PostgreSQL.DefenderCloud](Azure.PostgreSQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important | Error


@ -238,7 +238,8 @@ Name | Synopsis | Severity | Level
[Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important | Error
[Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error
[Azure.AKS.ManagedIdentity](Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | Error
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important | Error
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
[Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
[Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error
[Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important | Error
[Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
@ -383,7 +384,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important | Error
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
[Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical | Error
[Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
@ -401,7 +402,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important | Error
[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error
[Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | Error
[Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness | Error


@ -0,0 +1,63 @@
# AAzure.FrontDoor.IsClassic
## SYNOPSIS
Azure Front Door profiles using the Classic SKU.
## DESCRIPTION
Use this selector to filter rules to only run against Azure Front Door profiles using the Classic SKU.
## EXAMPLES
### Configure with YAML-based rules
- Use the `with` property to set `PSRule.Rules.Azure\Azure.FrontDoor.IsClassic`.
```yaml
---
# Synopsis: An example rule.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Local.MyRule
spec:
with:
- PSRule.Rules.Azure\Azure.FrontDoor.IsClassic
condition:
# Rule logic goes here
```
### Configure with JSON-based rules
- Use the `with` property to set `PSRule.Rules.Azure\Azure.FrontDoor.IsClassic`.
```json
{
// Synopsis: An example rule.
"apiVersion": "github.com/microsoft/PSRule/v1",
"kind": "Rule",
"metadata": {
"name": "Local.MyRule"
},
"spec": {
"with": [
"PSRule.Rules.Azure\\Azure.FrontDoor.IsClassic"
],
"condition": {
// Rule logic goes here
}
}
}
```
### Configure with PowerShell-based rules
- Use the `-With` parameter to set `PSRule.Rules.Azure\Azure.FrontDoor.IsClassic`.
```powershell
# Synopsis: An example rule.
Rule 'Local.MyRule' -With 'PSRule.Rules.Azure\Azure.FrontDoor.IsClassic' {
# Rule logic goes here
}
```
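Review bot: The page title on the first line of this new file reads `# AAzure.FrontDoor.IsClassic`, a doubled `A` that misnames the selector; it should be `# Azure.FrontDoor.IsClassic`, matching the sibling `Azure.FrontDoor.IsStandardOrPremium` page and the names used in the `with` examples below. The DESCRIPTION also does not say which resource type(s) or SKU value(s) the selector matches, so a rule author cannot tell whether a Classic profile and a Standard/Premium profile are distinguished by resource type or by a SKU property; one sentence naming what the selector matches would make the two selectors usable without reading their source. The same documentation gap applies to the IsStandardOrPremium page that follows.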


@ -0,0 +1,63 @@
# Azure.FrontDoor.IsStandardOrPremium
## SYNOPSIS
Azure Front Door profiles using the Standard or Premium SKU.
## DESCRIPTION
Use this selector to filter rules to only run against Azure Front Door profiles using the Standard or Premium SKU.
## EXAMPLES
### Configure with YAML-based rules
- Use the `with` property to set `PSRule.Rules.Azure\Azure.FrontDoor.IsStandardOrPremium`.
```yaml
---
# Synopsis: An example rule.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Local.MyRule
spec:
with:
- PSRule.Rules.Azure\Azure.FrontDoor.IsStandardOrPremium
condition:
# Rule logic goes here
```
### Configure with JSON-based rules
- Use the `with` property to set `PSRule.Rules.Azure\Azure.FrontDoor.IsStandardOrPremium`.
```json
{
// Synopsis: An example rule.
"apiVersion": "github.com/microsoft/PSRule/v1",
"kind": "Rule",
"metadata": {
"name": "Local.MyRule"
},
"spec": {
"with": [
"PSRule.Rules.Azure\\Azure.FrontDoor.IsStandardOrPremium"
],
"condition": {
// Rule logic goes here
}
}
}
```
### Configure with PowerShell-based rules
- Use the `-With` parameter to set `PSRule.Rules.Azure\Azure.FrontDoor.IsStandardOrPremium`.
```powershell
# Synopsis: An example rule.
Rule 'Local.MyRule' -With 'PSRule.Rules.Azure\Azure.FrontDoor.IsStandardOrPremium' {
# Rule logic goes here
}
```


@ -45,7 +45,7 @@ AZR-000020 | [Azure.AKS.CNISubnetSize](Azure.AKS.CNISubnetSize.md) | AKS cluster
AZR-000021 | [Azure.AKS.AvailabilityZone](Azure.AKS.AvailabilityZone.md) | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | GA
AZR-000022 | [Azure.AKS.AuditLogs](Azure.AKS.AuditLogs.md) | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | GA
AZR-000023 | [Azure.AKS.PlatformLogs](Azure.AKS.PlatformLogs.md) | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | GA
AZR-000024 | [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | GA
AZR-000024 | [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | GA
AZR-000025 | [Azure.AKS.ManagedIdentity](Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | GA
AZR-000026 | [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | GA
AZR-000027 | [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | GA
@ -122,12 +122,12 @@ AZR-000098 | [Azure.EventGrid.TopicPublicAccess](Azure.EventGrid.TopicPublicAcce
AZR-000099 | [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | GA
AZR-000100 | [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | GA
AZR-000101 | [Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | GA
AZR-000102 | [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | GA
AZR-000102 | [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | GA
AZR-000103 | [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | GA
AZR-000104 | [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | GA
AZR-000105 | [Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | GA
AZR-000106 | [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | GA
AZR-000107 | [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | GA
AZR-000107 | [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | GA
AZR-000108 | [Azure.FrontDoor.Probe](Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | GA
AZR-000109 | [Azure.FrontDoor.ProbeMethod](Azure.FrontDoor.ProbeMethod.md) | Configure health probes to use HEAD requests to reduce performance overhead. | GA
AZR-000110 | [Azure.FrontDoor.ProbePath](Azure.FrontDoor.ProbePath.md) | Configure a dedicated path for health probe requests. | GA
@ -432,5 +432,6 @@ AZR-000408 | [Azure.Deployment.SecureParameter](Azure.Deployment.SecureParameter
AZR-000409 | [Azure.Databricks.SKU](Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | GA
AZR-000410 | [Azure.Databricks.PublicAccess](Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | GA
AZR-000411 | [Azure.DevBox.ProjectLimit](Azure.DevBox.ProjectLimit.md) | Limit the number of Dev Boxes a single user can create for a project. | GA
AZR-000412 | [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | GA
*[GA]: Generally Available &mdash; Rules related to a generally available Azure features.


@ -314,6 +314,12 @@ Name | Synopsis | Severity | Level
[Azure.AKS.AutoScaling](Azure.AKS.AutoScaling.md) | Use autoscaling to scale clusters based on workload requirements. | Important | Error
[Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
### PE:08 Data performance
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.FrontDoor.UseCaching](Azure.FrontDoor.UseCaching.md) | Use caching to reduce retrieving contents from origins. | Important | Error
### Performance
Name | Synopsis | Severity | Level
@ -328,12 +334,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.EphemeralOSDisk](Azure.AKS.EphemeralOSDisk.md) | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | Important | Warning
[Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error
### Performance patterns
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.FrontDoor.UseCaching](Azure.FrontDoor.UseCaching.md) | Use caching to reduce retrieving contents from origins. | Important | Error
## Reliability
### Application design
@ -376,8 +376,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.PoolVersion](Azure.AKS.PoolVersion.md) | AKS node pools should match Kubernetes control plane version. | Important | Error
[Azure.APIM.AvailabilityZone](Azure.APIM.AvailabilityZone.md) | API management services deployed with Premium SKU should use availability zones in supported regions for high availability. | Important | Error
[Azure.AppGw.AvailabilityZone](Azure.AppGw.AvailabilityZone.md) | Application gateways should use availability zones in supported regions for high availability. | Important | Error
[Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
[Azure.LB.StandardSKU](Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | Error
[Azure.PublicIP.AvailabilityZone](Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important | Error
[Azure.Redis.AvailabilityZone](Azure.Redis.AvailabilityZone.md) | Premium Redis cache should be deployed with availability zones for high availability. | Important | Error
[Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error
@ -399,9 +397,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important | Error
[Azure.AppGw.MinInstance](Azure.AppGw.MinInstance.md) | Application Gateways should use a minimum of two instances. | Important | Error
[Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two virtual machines (VMs). | Important | Error
### RE:01 Simplicity and efficiency
@ -415,16 +411,26 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.Version](Azure.AKS.Version.md) | AKS control plane and nodes pools should use a current stable release. | Important | Error
[Azure.LB.StandardSKU](Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | Error
### RE:05 Redundancy
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
[Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
[Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error
[Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error
[Azure.VNG.VPNActiveActive](Azure.VNG.VPNActiveActive.md) | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | Important | Error
[Azure.VNG.VPNAvailabilityZoneSKU](Azure.VNG.VPNAvailabilityZoneSKU.md) | Use availability zone SKU for virtual network gateways deployed with VPN gateway type. | Important | Error
### RE:05 Regions and availability zones
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
### RE:07 Self-preservation
Name | Synopsis | Severity | Level
@ -496,7 +502,6 @@ Name | Synopsis | Severity | Level
[Azure.FrontDoor.UseWAF](Azure.FrontDoor.UseWAF.md) | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | Critical | Error
[Azure.FrontDoor.WAF.Enabled](Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error
[Azure.KeyVault.Firewall](Azure.KeyVault.Firewall.md) | Key Vault should only accept explicitly allowed traffic. | Important | Error
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error
[Azure.Storage.Firewall](Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important | Error
### Authentication
@ -507,7 +512,6 @@ Name | Synopsis | Severity | Level
[Azure.Cognitive.DisableLocalAuth](Azure.Cognitive.DisableLocalAuth.md) | Authenticate requests to Cognitive Services with Azure AD identities. | Important | Error
[Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
[Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Azure AD identities for management place operations in Azure Cosmos DB. | Important | Error
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important | Error
[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error
[Azure.ML.DisableLocalAuth](Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical | Error
[Azure.MySQL.AAD](Azure.MySQL.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. | Critical | Error
@ -560,8 +564,6 @@ Name | Synopsis | Severity | Level
[Azure.ACR.ContentTrust](Azure.ACR.ContentTrust.md) | Use container images signed by a trusted image publisher. | Important | Error
[Azure.APIM.EncryptValues](Azure.APIM.EncryptValues.md) | Encrypt all API Management named values with Key Vault secrets. | Important | Error
[Azure.APIM.HTTPEndpoint](Azure.APIM.HTTPEndpoint.md) | Enforce HTTPS for communication to API clients. | Important | Error
[Azure.AppGw.SSLPolicy](Azure.AppGw.SSLPolicy.md) | Application Gateway should only accept a minimum of TLS 1.2. | Critical | Error
[Azure.AppGw.UseHTTPS](Azure.AppGw.UseHTTPS.md) | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | Error
[Azure.AppService.UseHTTPS](Azure.AppService.UseHTTPS.md) | Azure App Service apps should only accept encrypted connections. | Important | Error
[Azure.AppService.WebSecureFtp](Azure.AppService.WebSecureFtp.md) | Web apps should disable insecure FTP and configure SFTP when required. | Important | Error
[Azure.Automation.EncryptVariables](Azure.Automation.EncryptVariables.md) | Azure Automation variables should be encrypted. | Important | Error
@ -570,8 +572,6 @@ Name | Synopsis | Severity | Level
[Azure.MariaDB.UseSSL](Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical | Error
[Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error
[Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error
[Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error
[Azure.Storage.DefenderCloud](Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical | Error
[Azure.Storage.DefenderCloud.MalwareScan](Azure.Storage.DefenderCloud.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical | Error
@ -592,7 +592,6 @@ Name | Synopsis | Severity | Level
[Azure.APIM.CORSPolicy](Azure.APIM.CORSPolicy.md) | Avoid using wildcard for any configuration option in CORS policies. | Important | Error
[Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | Important | Error
[Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error
[Azure.Resource.AllowedRegions](Azure.Resource.AllowedRegions.md) | Resources should be deployed to allowed regions. | Important | Error
### Encryption
@ -604,7 +603,6 @@ Name | Synopsis | Severity | Level
[Azure.APIM.Protocols](Azure.APIM.Protocols.md) | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical | Error
[Azure.AppService.MinTLS](Azure.AppService.MinTLS.md) | App Service should reject TLS versions older than 1.2. | Critical | Error
[Azure.CDN.MinTLS](Azure.CDN.MinTLS.md) | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | Error
[Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical | Error
[Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | Error
[Azure.IoTHub.MinTLS](Azure.IoTHub.MinTLS.md) | IoT Hubs should reject TLS versions older than 1.2. | Critical | Error
[Azure.MariaDB.MinTLS](Azure.MariaDB.MinTLS.md) | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | Critical | Error
@ -615,7 +613,7 @@ Name | Synopsis | Severity | Level
[Azure.Storage.MinTLS](Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical | Error
[Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important | Error
### Identity and Access Management
### Identity and access management
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
@ -664,12 +662,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
[Azure.KeyVault.AutoRotationPolicy](Azure.KeyVault.AutoRotationPolicy.md) | Key Vault keys should have auto-rotation enabled. | Important | Error
### Logs and alerts
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error
### Monitor
Name | Synopsis | Severity | Level
@ -732,6 +724,12 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error
### SE:01 Security baseline
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Resource.AllowedRegions](Azure.Resource.AllowedRegions.md) | Resources should be deployed to allowed regions. | Important | Error
### SE:04 Segmentation
Name | Synopsis | Severity | Level
@ -753,6 +751,7 @@ Name | Synopsis | Severity | Level
[Azure.Cognitive.ManagedIdentity](Azure.Cognitive.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | Error
[Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
[Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
[Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning
### SE:06 Network controls
@ -763,12 +762,18 @@ Name | Synopsis | Severity | Level
[Azure.Databricks.PublicAccess](Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical | Error
[Azure.Databricks.SecureConnectivity](Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical | Error
[Azure.EventGrid.TopicPublicAccess](Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important | Error
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | Critical | Error
[Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | Critical | Error
### SE:07 Encryption
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppGw.SSLPolicy](Azure.AppGw.SSLPolicy.md) | Application Gateway should only accept a minimum of TLS 1.2. | Critical | Error
[Azure.AppGw.UseHTTPS](Azure.AppGw.UseHTTPS.md) | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical | Error
[Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical | Error
[Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
[Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important | Error
### SE:10 Monitoring and threat detection
@ -778,6 +783,8 @@ Name | Synopsis | Severity | Level
[Azure.APIM.DefenderCloud](Azure.APIM.DefenderCloud.md) | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical | Error
[Azure.AppConfig.AuditLogs](Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important | Error
[Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important | Error
[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error
### Secrets
@ -815,7 +822,6 @@ Name | Synopsis | Severity | Level
[Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | Critical | Error
[Azure.DefenderCloud.Contact](Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error
[Azure.DefenderCloud.Provisioning](Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error
[Azure.MariaDB.DefenderCloud](Azure.MariaDB.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important | Error
[Azure.MySQL.DefenderCloud](Azure.MySQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important | Error
[Azure.PostgreSQL.DefenderCloud](Azure.PostgreSQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important | Error


@ -238,7 +238,8 @@ Name | Synopsis | Severity | Level
[Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important | Error
[Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error
[Azure.AKS.ManagedIdentity](Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important | Error
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important | Error
[Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
[Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
[Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error
[Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important | Error
[Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
@ -383,7 +384,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important | Error
[Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
[Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical | Error
[Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
@ -401,7 +402,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error
[Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Azure Front Door profiles. | Important | Error
[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error
[Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | Error
[Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness | Error


@ -7,7 +7,7 @@ param name string
@description('The location resources will be deployed.')
param location string = resourceGroup().location
resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {
name: name
location: location
zones: [
@ -21,6 +21,16 @@ resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
name: 'WAF_v2'
tier: 'WAF_v2'
}
sslPolicy: {
policyType: 'Custom'
minProtocolVersion: 'TLSv1_2'
cipherSuites: [
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
]
}
gatewayIPConfigurations: []
frontendIPConfigurations: []
frontendPorts: []
@ -44,7 +54,7 @@ resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
}
}
resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-01-01' = {
resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
name: 'agwwaf'
location: location
properties: {
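Review bot: The added `sslPolicy` block uses `policyType: 'Custom'`, which as far as I recall caps negotiation at TLS 1.2 because only `CustomV2` policies accept `TLSv1_3`; if this example is meant to show current practice, `policyType: 'CustomV2'` with the same `minProtocolVersion: 'TLSv1_2'` and suite list would also let TLS 1.3 clients connect while still satisfying the minimum-version check. Either way the four hard-coded suites deserve a why-comment for readers who copy the example, e.g. `// Only forward-secret ECDHE suites with AES-GCM; TLS 1.2 is the floor enforced by Azure.AppGw.SSLPolicy.` placed above `sslPolicy:`. The `app_gw` resource continues past the hunk, so I have not checked the listener side of the template.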


@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.10.61.36676",
"templateHash": "17322635064657728998"
"version": "0.25.53.49325",
"templateHash": "16003563993180625268"
}
},
"parameters": {
@ -26,7 +26,7 @@
"resources": [
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-09-01",
"apiVersion": "2023-09-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"zones": [
@ -40,6 +40,16 @@
"name": "WAF_v2",
"tier": "WAF_v2"
},
"sslPolicy": {
"policyType": "Custom",
"minProtocolVersion": "TLSv1_2",
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
},
"gatewayIPConfigurations": [],
"frontendIPConfigurations": [],
"frontendPorts": [],
@ -64,7 +74,7 @@
},
{
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
"apiVersion": "2022-01-01",
"apiVersion": "2023-09-01",
"name": "agwwaf",
"location": "[parameters('location')]",
"properties": {


@ -6,6 +6,9 @@
@description('The name of the resource.')
param name string = 'frontdoor'
@description('A resource ID that specifies the Log Analytics workspace to send logs.')
param workspaceId string
@description('Define a WAF policy for Front Door Premium.')
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
name: name
@ -148,6 +151,8 @@ resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {
properties: {
hostName: '${name}.azurefd.net'
sessionAffinityEnabledState: 'Disabled'
#disable-next-line BCP073
customHttpsConfiguration: {
minimumTlsVersion: '1.2'
}
@ -161,8 +166,27 @@ resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {
}
}
@description('Define Front Door Premium.')
resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {
// Configure settings to send audit logs to a Log Analytics workspace.
resource audit_classic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'audit'
scope: afd_classic
properties: {
workspaceId: workspaceId
logs: [
{
category: 'FrontdoorAccessLog'
enabled: true
}
{
category: 'FrontdoorWebApplicationFirewallLog'
enabled: true
}
]
}
}
// Define an Azure Front Door Premium profile.
resource afd_profile 'Microsoft.Cdn/profiles@2023-05-01' = {
name: name
location: 'Global'
sku: {
@ -170,8 +194,9 @@ resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {
}
}
resource adf_endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2021-06-01' = {
parent: afd_premium
// Defines an endpoint for Azure Front Door Standard/ Premium profile.
resource adf_endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
parent: afd_profile
name: name
location: 'Global'
properties: {
@ -179,9 +204,10 @@ resource adf_endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2021-06-01' = {
}
}
resource adf_origin_group 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {
// Define an origin group for a Front Door Standard/ Premium profile.
resource adf_origin_group 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
name: name
parent: afd_premium
parent: afd_profile
properties: {
loadBalancingSettings: {
sampleSize: 4
@ -195,3 +221,22 @@ resource adf_origin_group 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {
}
}
}
// Configure settings to send audit logs to a Log Analytics workspace.
resource audit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'audit'
scope: afd_profile
properties: {
workspaceId: workspaceId
logs: [
{
category: 'FrontdoorAccessLog'
enabled: true
}
{
category: 'FrontdoorWebApplicationFirewallLog'
enabled: true
}
]
}
}
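Review bot: The `audit` diagnostic setting scoped to `afd_profile` reuses the classic-profile category names `FrontdoorAccessLog` and `FrontdoorWebApplicationFirewallLog`; the categories for `Microsoft.Cdn/profiles` are documented with different casing (`FrontDoorAccessLog`, `FrontDoorWebApplicationFirewallLog`) and there is also a `FrontDoorHealthProbeLog` category, so confirm the deployment accepts the classic spelling for the Standard/Premium profile or adjust those two `category:` lines. Because this template backs the updated `Azure.FrontDoor.Logs` rule, the category names that rule matches (not visible here) should agree with whatever ends up in the example. The `#disable-next-line BCP073` added above `customHttpsConfiguration` should carry a one-line reason for the suppression so the next maintainer does not remove it, e.g. `// BCP073 suppressed: kept so the minimum TLS version is visible in the classic example.`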


@ -1,13 +1,11 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"languageVersion": "1.9-experimental",
"contentVersion": "1.0.0.0",
"metadata": {
"_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
"_generator": {
"name": "bicep",
"version": "0.14.46.61228",
"templateHash": "5803424126704954217"
"version": "0.25.53.49325",
"templateHash": "16025868691049564889"
}
},
"parameters": {
@ -18,6 +16,12 @@
"description": "The name of the resource."
}
},
"workspaceId": {
"type": "string",
"metadata": {
"description": "A resource ID that specifies the Log Analytics workspace to send logs."
}
},
"backendAddress": {
"type": "string",
"metadata": {
@ -119,8 +123,8 @@
}
]
},
"resources": {
"waf": {
"resources": [
{
"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
"apiVersion": "2022-05-01",
"name": "[parameters('name')]",
@ -156,7 +160,7 @@
"description": "Define a WAF policy for Front Door Premium."
}
},
"afd_classic": {
{
"type": "Microsoft.Network/frontDoors",
"apiVersion": "2021-06-01",
"name": "[parameters('name')]",
@ -184,33 +188,52 @@
"description": "Define a Front Door Classic."
}
},
"afd_premium": {
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]",
"name": "audit",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/frontDoors', parameters('name'))]"
]
},
{
"type": "Microsoft.Cdn/profiles",
"apiVersion": "2021-06-01",
"apiVersion": "2023-05-01",
"name": "[parameters('name')]",
"location": "Global",
"sku": {
"name": "Premium_AzureFrontDoor"
},
"metadata": {
"description": "Define Front Door Premium."
}
},
"adf_endpoint": {
{
"type": "Microsoft.Cdn/profiles/afdEndpoints",
"apiVersion": "2021-06-01",
"apiVersion": "2023-05-01",
"name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
"location": "Global",
"properties": {
"enabledState": "Enabled"
},
"dependsOn": [
"afd_premium"
"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]"
]
},
"adf_origin_group": {
{
"type": "Microsoft.Cdn/profiles/originGroups",
"apiVersion": "2021-06-01",
"apiVersion": "2023-05-01",
"name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
"properties": {
"loadBalancingSettings": {
@ -225,8 +248,30 @@
}
},
"dependsOn": [
"afd_premium"
"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]"
]
},
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]",
"name": "audit",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]"
]
}
}
]
}


@ -10,7 +10,7 @@ param name string
param location string = resourceGroup().location
// An example Redis Cache.
resource cache 'Microsoft.Cache/redis@2023-04-01' = {
resource cache 'Microsoft.Cache/redis@2023-08-01' = {
name: name
location: location
properties: {
@ -35,7 +35,7 @@ resource cache 'Microsoft.Cache/redis@2023-04-01' = {
}
// An example firewall rule for Redis Cache.
resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {
resource rule 'Microsoft.Cache/redis/firewallRules@2023-08-01' = {
parent: cache
name: 'allow-on-premises'
properties: {


@ -1,13 +1,11 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"languageVersion": "1.10-experimental",
"contentVersion": "1.0.0.0",
"metadata": {
"_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
"_generator": {
"name": "bicep",
"version": "0.18.4.5664",
"templateHash": "13212070657845815407"
"version": "0.25.53.49325",
"templateHash": "7482944073131107404"
}
},
"parameters": {
@ -25,10 +23,10 @@
}
}
},
"resources": {
"cache": {
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2023-04-01",
"apiVersion": "2023-08-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
@ -51,17 +49,17 @@
"3"
]
},
"rule": {
{
"type": "Microsoft.Cache/redis/firewallRules",
"apiVersion": "2023-04-01",
"apiVersion": "2023-08-01",
"name": "[format('{0}/{1}', parameters('name'), 'allow-on-premises')]",
"properties": {
"startIP": "10.0.1.1",
"endIP": "10.0.1.31"
},
"dependsOn": [
"cache"
"[resourceId('Microsoft.Cache/redis', parameters('name'))]"
]
}
}
]
}


@ -10,7 +10,7 @@ param name string
param location string = resourceGroup().location
// An example Redis Enterprise cache.
resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {
resource cache 'Microsoft.Cache/redisEnterprise@2023-11-01' = {
name: name
location: location
sku: {


@ -1,13 +1,11 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"languageVersion": "1.10-experimental",
"contentVersion": "1.0.0.0",
"metadata": {
"_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
"_generator": {
"name": "bicep",
"version": "0.18.4.5664",
"templateHash": "18327166122228082136"
"version": "0.25.53.49325",
"templateHash": "3600259857722261042"
}
},
"parameters": {
@ -25,10 +23,10 @@
}
}
},
"resources": {
"cache": {
"resources": [
{
"type": "Microsoft.Cache/redisEnterprise",
"apiVersion": "2022-01-01",
"apiVersion": "2023-11-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
@ -38,5 +36,5 @@
"minimumTlsVersion": "1.2"
}
}
}
]
}


@ -19,8 +19,8 @@ Rule 'Azure.AppConfig.AuditLogs' -Ref 'AZR-000311' -Type 'Microsoft.AppConfigura
$Assert.Greater($diagnostics, '.', 0).ReasonFrom(
'properties.logs',
$LocalizedData.AppConfigStoresDiagnosticSetting,
'Audit',
$LocalizedData.AppConfigStoresDiagnosticSetting,
'Audit',
$joinedLogCategoryGroups
).PathPrefix('resources')
}


@ -15,8 +15,8 @@ metadata:
name: Azure.AppGw.MinInstance
ref: AZR-000061
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Reliability
spec:
type:
@ -39,9 +39,9 @@ metadata:
name: Azure.AppGw.MinSku
ref: AZR-000062
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Operational Excellence'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Operational Excellence
spec:
type:
- Microsoft.Network/applicationGateways
@ -63,11 +63,11 @@ metadata:
name: Azure.AppGw.UseWAF
ref: AZR-000063
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'NS-6'
Azure.MCSB.v1/control: NS-6
spec:
with:
- Azure.IsAppGwPublic
@ -85,11 +85,11 @@ metadata:
name: Azure.AppGw.SSLPolicy
ref: AZR-000064
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'NS-8'
Azure.MCSB.v1/control: DP-3
spec:
type:
- Microsoft.Network/applicationGateways
@ -113,9 +113,9 @@ metadata:
name: Azure.AppGw.Prevention
ref: AZR-000065
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
spec:
with:
- Azure.AppGw.WithClassicWAF
@ -131,11 +131,11 @@ metadata:
name: Azure.AppGw.WAFEnabled
ref: AZR-000066
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'NS-6'
Azure.MCSB.v1/control: NS-6
spec:
with:
- Azure.IsAppGwPublic
@ -154,9 +154,9 @@ metadata:
name: Azure.AppGw.OWASP
ref: AZR-000067
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
spec:
with:
- Azure.AppGw.WithClassicWAF
@ -175,9 +175,9 @@ metadata:
name: Azure.AppGw.WAFRules
ref: AZR-000068
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
spec:
with:
- Azure.AppGw.WithClassicWAF
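Review bot: The `Azure.MCSB.v1/control` label on `Azure.AppGw.SSLPolicy` changes from `NS-8` to `DP-3` inside what is otherwise a quote-only cleanup of this file, and a control remap is visible to anyone filtering or reporting rules by MCSB label. If the remap is intentional (DP-3 being the encryption-in-transit control does fit a TLS policy rule), a changelog line naming the rule and the new control would make the change discoverable rather than buried among formatting edits. The other hunks in this file only drop quotes and need no further comment.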


@ -15,9 +15,9 @@ metadata:
name: Azure.CDN.HTTP
ref: AZR-000093
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'DP-3'
spec:


@ -8,7 +8,7 @@
#region Front Door
# Synopsis: Front Door should reject TLS versions older than 1.2.
Rule 'Azure.FrontDoor.MinTLS' -Ref 'AZR-000106' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; 'Azure.MCSB.v1/control' = 'DP-3' } {
Rule 'Azure.FrontDoor.MinTLS' -Ref 'AZR-000106' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-3' } {
$endpoints = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.Network/frontDoors') {
$endpoints = @($TargetObject.Properties.frontendEndpoints);
@ -18,25 +18,27 @@ Rule 'Azure.FrontDoor.MinTLS' -Ref 'AZR-000106' -Type 'Microsoft.Network/frontDo
}
}
# Synopsis: Use diagnostics to audit Front Door access
Rule 'Azure.FrontDoor.Logs' -Ref 'AZR-000107' -Type 'Microsoft.Network/frontDoors' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Reason $LocalizedData.DiagnosticSettingsNotConfigured;
$diagnostics = @(GetSubResources -ResourceType 'microsoft.insights/diagnosticSettings', 'Microsoft.Network/frontDoors/providers/diagnosticSettings');
$logCategories = @($diagnostics | ForEach-Object {
foreach ($log in $_.Properties.logs) {
if ($log.category -eq 'FrontdoorAccessLog' -and $log.enabled -eq $True) {
$log;
}
}
});
$Null -ne $logCategories -and $logCategories.Length -gt 0;
# Synopsis: Audit and monitor access through Azure Front Door profiles.
Rule 'Azure.FrontDoor.Logs' -Ref 'AZR-000107' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Cdn/profiles' -With 'Azure.FrontDoor.IsStandardOrPremium', 'Azure.FrontDoor.IsClassic' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } {
$logCategoryGroups = 'audit', 'allLogs'
$diagnostics = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings', 'Microsoft.Network/frontDoors/providers/diagnosticSettings', 'Microsoft.Cdn/profiles/providers/diagnosticSettings' | ForEach-Object {
$_.Properties.logs | Where-Object {
($_.category -eq 'FrontdoorAccessLog' -or $_.categoryGroup -in $logCategoryGroups) -and $_.enabled
}
})
$Assert.Greater($diagnostics, '.', 0).ReasonFrom(
'properties.logs',
$LocalizedData.DiagnosticSettingsLoggingNotConfigured,
'FrontdoorAccessLog'
).PathPrefix('resources[*]')
}
# Synopsis: Configure and enable health probes for each backend pool.
Rule 'Azure.FrontDoor.Probe' -Ref 'AZR-000108' -Type 'Microsoft.Network/frontdoors', 'Microsoft.Network/Frontdoors/HealthProbeSettings' -Tag @{ release = 'GA'; ruleSet = '2021_03'; 'Azure.WAF/pillar' = 'Reliability'; } {
$probes = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.Network/frontDoors') {
$probes = @($TargetObject.Properties.healthProbeSettings);
$probes = @($TargetObject.properties.healthProbeSettings);
}
foreach ($probe in $probes) {
$Assert.HasFieldValue($probe, 'properties.enabledState', 'Enabled');
@ -66,7 +68,7 @@ Rule 'Azure.FrontDoor.ProbePath' -Ref 'AZR-000110' -Type 'Microsoft.Network/fron
}
# Synopsis: Enable Web Application Firewall (WAF) policies on each Front Door endpoint.
Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; 'Azure.MCSB.v1/control' = 'NS-6' } {
Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-6' } {
$endpoints = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.Network/frontDoors') {
$endpoints = @($TargetObject.Properties.frontendEndpoints);
@ -77,7 +79,7 @@ Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDo
}
# Synopsis: Use caching to reduce retrieving contents from origins.
Rule 'Azure.FrontDoor.UseCaching' -Ref 'AZR-000320' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/rulesEngines' -Tag @{ release = 'GA'; ruleSet = '2022_12'; } {
Rule 'Azure.FrontDoor.UseCaching' -Ref 'AZR-000320' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/rulesEngines' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Performance Efficiency'; } {
if ($PSRule.TargetType -eq 'Microsoft.Network/frontDoors') {
$cachingDisabledRoutingRules = @($TargetObject.properties.routingRules | Where-Object { $_.properties.enabledState -eq 'Enabled' -and
$_.properties.routeConfiguration.'@odata.type' -eq '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' -and
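Review bot: The failure reason emitted by `Azure.FrontDoor.Logs` (`$LocalizedData.DiagnosticSettingsLoggingNotConfigured` with `'FrontdoorAccessLog'`) tells the reader that the access-log category is what is required, while the filter a few lines above also accepts any enabled entry whose `categoryGroup` is `audit` or `allLogs`; nothing in the hunk records that a category group satisfies the rule, nor that the `audit` group is expected to include the access log for `Microsoft.Cdn/profiles`. A comment above `$logCategoryGroups` would capture the intent, e.g. `# An enabled 'FrontdoorAccessLog' category, or a category group that includes it ('audit', 'allLogs'), satisfies this rule — confirm the 'audit' group covers access logs for Microsoft.Cdn/profiles.`. If `audit` does not contain the access log for a given profile type, the rule would pass on a setting that never records access events, so the assumption is worth pinning down. The rest of Azure.FrontDoor.Rule.ps1 is outside this hunk.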


@ -15,8 +15,8 @@ metadata:
name: Azure.FrontDoor.State
ref: AZR-000112
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Cost Optimization
spec:
type:
@ -33,8 +33,8 @@ metadata:
name: Azure.FrontDoor.Name
ref: AZR-000113
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Operational Excellence
spec:
type:
@ -58,8 +58,8 @@ metadata:
name: Azure.FrontDoor.WAF.Mode
ref: AZR-000114
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
spec:
type:
@ -76,8 +76,8 @@ metadata:
name: Azure.FrontDoor.WAF.Enabled
ref: AZR-000115
tags:
release: 'GA'
ruleSet: '2020_06'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'NS-6'
@ -96,8 +96,8 @@ metadata:
name: Azure.FrontDoor.WAF.Name
ref: AZR-000116
tags:
release: 'GA'
ruleSet: '2020_12'
release: GA
ruleSet: 2020_12
Azure.WAF/pillar: Operational Excellence
spec:
type:
@ -144,11 +144,13 @@ spec:
#region Selectors
---
# Synopsis: Azure Front Door instances using the Standard or Premium SKU.
# Synopsis: Azure Front Door profiles using the Standard or Premium SKU.
apiVersion: github.com/microsoft/PSRule/v1
kind: Selector
metadata:
name: Azure.FrontDoor.IsStandardOrPremium
annotations:
export: true
spec:
if:
allOf:
@ -159,4 +161,18 @@ spec:
- Standard_AzureFrontDoor
- Premium_AzureFrontDoor
---
# Synopsis: Azure Front Door profiles using the Classic SKU.
apiVersion: github.com/microsoft/PSRule/v1
kind: Selector
metadata:
name: Azure.FrontDoor.IsClassic
annotations:
export: true
spec:
if:
allOf:
- type: '.'
equals: Microsoft.Network/frontDoors
#endregion Selectors


@ -14,9 +14,9 @@ metadata:
name: Azure.FrontDoorWAF.Enabled
ref: AZR-000305
tags:
release: 'GA'
ruleSet: '2022_09'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2022_09
Azure.WAF/pillar: Security
spec:
type:
- Microsoft.Network/frontdoorwebapplicationfirewallpolicies
@ -24,7 +24,7 @@ spec:
allOf:
# WAF policy is enabled
- field: properties.policySettings.enabledState
equals: 'Enabled'
equals: Enabled
---
# Synopsis: FrontDoor WAF should be in prevention mode.
@ -34,17 +34,17 @@ metadata:
name: Azure.FrontDoorWAF.PreventionMode
ref: AZR-000306
tags:
release: 'GA'
ruleSet: '2022_09'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2022_09
Azure.WAF/pillar: Security
spec:
type:
- Microsoft.Network/frontdoorwebapplicationfirewallpolicies
condition:
allOf:
# WAF policy is set to prevention mode
- field: Properties.policySettings.mode
equals: 'Prevention'
- field: properties.policySettings.mode
equals: Prevention
---
# Synopsis: FrontDoor WAF should have no exclusions.
@ -54,9 +54,9 @@ metadata:
name: Azure.FrontDoorWAF.Exclusions
ref: AZR-000307
tags:
release: 'GA'
ruleSet: '2022_09'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2022_09
Azure.WAF/pillar: Security
spec:
type:
- Microsoft.Network/frontdoorwebapplicationfirewallpolicies
@ -80,9 +80,9 @@ metadata:
name: Azure.FrontDoorWAF.RuleGroups
ref: AZR-000308
tags:
release: 'GA'
ruleSet: '2022_09'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2022_09
Azure.WAF/pillar: Security
spec:
type:
- Microsoft.Network/frontdoorwebapplicationfirewallpolicies


@ -8,7 +8,7 @@
#region Rules
# Synopsis: Use specific network probe
Rule 'Azure.LB.Probe' -Ref 'AZR-000126' -Type 'Microsoft.Network/loadBalancers' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.LB.Probe' -Ref 'AZR-000126' -Type 'Microsoft.Network/loadBalancers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
$probes = $TargetObject.Properties.probes;
foreach ($probe in $probes) {
if ($probe.properties.port -in 80, 443, 8080) {
@ -26,7 +26,7 @@ Rule 'Azure.LB.Probe' -Ref 'AZR-000126' -Type 'Microsoft.Network/loadBalancers'
}
# Synopsis: Load balancers deployed with Standard SKU should be zone-redundant for high availability.
Rule 'Azure.LB.AvailabilityZone' -Ref 'AZR-000127' -Type 'Microsoft.Network/loadBalancers' -If { IsStandardLoadBalancer } -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.LB.AvailabilityZone' -Ref 'AZR-000127' -Type 'Microsoft.Network/loadBalancers' -If { IsStandardLoadBalancer } -Tag @{ release = 'GA'; ruleSet = '2021_09'; 'Azure.WAF/pillar' = 'Reliability'; } {
foreach ($ipConfig in $TargetObject.Properties.frontendIPConfigurations) {
$Assert.AnyOf(
$Assert.NullOrEmpty($ipConfig, 'zones'),
@ -40,7 +40,7 @@ Rule 'Azure.LB.AvailabilityZone' -Ref 'AZR-000127' -Type 'Microsoft.Network/load
}
# Synopsis: Load balancers should be deployed with Standard SKU for production workloads.
Rule 'Azure.LB.StandardSKU' -Ref 'AZR-000128' -Type 'Microsoft.Network/loadBalancers' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.LB.StandardSKU' -Ref 'AZR-000128' -Type 'Microsoft.Network/loadBalancers' -Tag @{ release = 'GA'; ruleSet = '2021_09'; 'Azure.WAF/pillar' = 'Reliability'; } {
IsStandardLoadBalancer;
}


@ -59,42 +59,42 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2020_06' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 137;
$filteredResult.Length | Should -Be 136;
}
It 'With Azure.GA_2020_09' {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2020_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 153;
$filteredResult.Length | Should -Be 152;
}
It 'With Azure.GA_2020_12' {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2020_12' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 177;
$filteredResult.Length | Should -Be 176;
}
It 'With Azure.GA_2021_03' {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2021_03' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 192;
$filteredResult.Length | Should -Be 191;
}
It 'With Azure.GA_2021_06' {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2021_06' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 206;
$filteredResult.Length | Should -Be 205;
}
It 'With Azure.GA_2021_09' {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2021_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 225;
$filteredResult.Length | Should -Be 224;
}
It 'With Azure.Preview_2021_09' {
@ -108,7 +108,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2021_12' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 251;
$filteredResult.Length | Should -Be 250;
}
It 'With Azure.Preview_2021_12' {
@ -122,7 +122,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_03' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 267;
$filteredResult.Length | Should -Be 266;
}
It 'With Azure.Preview_2022_03' {
@ -136,7 +136,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_06' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 271;
$filteredResult.Length | Should -Be 270;
}
It 'With Azure.Preview_2022_06' {
@ -150,7 +150,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 302;
$filteredResult.Length | Should -Be 301;
}
It 'With Azure.Preview_2022_09' {
@ -164,7 +164,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_12' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 340;
$filteredResult.Length | Should -Be 339;
}
It 'With Azure.Preview_2022_12' {
@ -178,7 +178,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_03' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 360;
$filteredResult.Length | Should -Be 359;
}
It 'With Azure.Preview_2023_03' {
@ -192,7 +192,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_06' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 375;
$filteredResult.Length | Should -Be 374;
}
It 'With Azure.Preview_2023_06' {
@ -206,7 +206,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_09' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 386;
$filteredResult.Length | Should -Be 385;
}
It 'With Azure.Preview_2023_09' {
@ -220,7 +220,7 @@ Describe 'Baselines' -Tag Baseline {
$result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_12' -WarningAction Ignore);
$filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
$filteredResult | Should -Not -BeNullOrEmpty;
$filteredResult.Length | Should -Be 395;
$filteredResult.Length | Should -Be 394;
}
It 'With Azure.Preview_2023_12' {
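Review bot: Every GA baseline count from `Azure.GA_2020_06` through `Azure.GA_2023_12` drops by one, which is `Azure.FrontDoor.Logs` leaving those baselines after its ruleSet tag moved to `2024_03`; a consumer pinned to any existing baseline stops evaluating Front Door access logging until they adopt a 2024_03 baseline. That is presumably the intended effect of re-versioning an expanded rule, but it is a coverage change for existing users rather than a pure addition, and nothing in this test explains the uniform shift. A one-line comment near the first decremented assertion would keep the numbers explainable, e.g. `# Azure.FrontDoor.Logs moved to ruleSet 2024_03 and no longer counts toward earlier GA baselines.`. The `Describe 'Baselines'` block starts outside this hunk.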


@ -74,17 +74,17 @@ Describe 'Azure.FrontDoor' -Tag 'Network', 'FrontDoor' {
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'frontdoor-B';
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -BeIn 'frontdoor-B', 'frontDoorProfile-E';
$ruleResult[0].Reason | Should -Not -BeNullOrEmpty;
$ruleResult[0].Reason | Should -BeExactly "Diagnostic settings are not configured.";
$ruleResult[0].Reason | Should -BeExactly "Path resources[*].properties.logs: Diagnostic settings is not configured to log events for 'FrontdoorAccessLog'.";
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 3;
$ruleResult.TargetName | Should -BeIn 'frontdoor-A', 'frontdoor-C', 'frontdoor-D';
$ruleResult.Length | Should -Be 4;
$ruleResult.TargetName | Should -BeIn 'frontdoor-A', 'frontdoor-C', 'frontdoor-D', 'frontDoorProfile-F';
}
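Review bot: Only `$ruleResult[0].Reason` is asserted after the fail count rises to 2, so the reason produced for `frontDoorProfile-E` — the new `Microsoft.Cdn/profiles` path this commit introduces — is never checked, and since `-BeIn` does not fix the order, index 0 may be either target on a given run. Asserting the reason on every failed result covers both branches: `foreach ($r in $ruleResult) { $r.Reason | Should -BeExactly "Path resources[*].properties.logs: Diagnostic settings is not configured to log events for 'FrontdoorAccessLog'."; }`. The enclosing `It` block starts outside this hunk.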
It 'Azure.FrontDoor.Probe' {


@ -1175,6 +1175,44 @@
"properties": {
"extendedProperties": {},
"originResponseTimeoutSeconds": "int"
}
},
"resources": [
{
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/Microsoft.Cdn/profiles/frontDoorProfile-F/providers/microsoft.insights/diagnosticSettings/access-logs",
"Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/Microsoft.Cdn/profiles/frontDoorProfile-F/providers/microsoft.insights/diagnosticSettings/access-logs",
"ResourceName": "access-logs",
"Name": "access-logs",
"ExtensionResourceName": "access-logs",
"Properties": {
"workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-A",
"metrics": [
{
"category": "AllMetrics",
"enabled": false,
"retentionPolicy": {
"enabled": false,
"days": 0
}
}
],
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true,
"retentionPolicy": {
"enabled": false,
"days": 0
}
}
],
"logAnalyticsDestinationType": null
},
"ResourceGroupName": "rg-test",
"Type": "Microsoft.Cdn/profiles",
"ResourceType": "Microsoft.Cdn/profiles",
"ExtensionResourceType": "microsoft.insights/diagnosticSettings",
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
}
]
}
]