| Name | Description | Effect(s) | Version |
|---|---|---|---|
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. | Audit, Deny, Disabled | 2.2.0 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.1.0 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, Cross-Site Scripting, and local and remote file execution. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Azure Security Center monitors for virtual machines where network Just In Time (JIT) access could be applied and surfaces them as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 2.0.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, Cross-Site Scripting, and local and remote file execution. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |