AI security recommendations
This article lists all the AI security recommendations you might see in Microsoft Defender for Cloud.
The recommendations that appear in your environment are based on the resources that you're protecting and on your customized configuration.
To learn about actions that you can take in response to these recommendations, see Remediate recommendations in Defender for Cloud.
Azure recommendations
Azure AI Services resources should have key access disabled (disable local authentication)
Description: Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After the setting is disabled, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more.
This recommendation replaces the old recommendation Cognitive Services accounts should have local authentication methods disabled. It was formerly in category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
Severity: Medium
Azure AI Services resources should restrict network access
Description: By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service resource.
This recommendation replaces the old recommendation Cognitive Services accounts should restrict network access. It was formerly in category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
Severity: Medium
Azure AI Services resources should use Azure Private Link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network.
Learn more about private links at: What is Azure Private Link?
This recommendation replaces the old recommendation Cognitive Services should use private link. It was formerly in category Data recommendations, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
Severity: Medium
(Enable if required) Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)
Description: Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements.
This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. (Related policy: Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK))
This recommendation replaces the old recommendation Cognitive services accounts should enable data encryption using customer keys. It was formerly in category Data recommendations, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
Severity: Low
Diagnostic logs in Azure AI services resources should be enabled
Description: Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised.
This recommendation replaces the old recommendation Diagnostic logs in Search services should be enabled. It was formerly in the category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
Severity: Low
Resource logs in Azure Machine Learning Workspaces should be enabled (Preview)
Description & related policy: Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
Severity: Medium
Azure Machine Learning Workspaces should disable public network access (Preview)
Description & related policy: Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. For more information, see Configure a private endpoint for an Azure Machine Learning workspace.
Severity: Medium
Azure Machine Learning Computes should be in a virtual network (Preview)
Description & related policy: Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.
Severity: Medium
Azure Machine Learning Computes should have local authentication methods disabled (Preview)
Description & related policy: Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. For more information, see Azure Policy Regulatory Compliance controls for Azure Machine Learning.
Severity: Medium
Azure Machine Learning compute instances should be recreated to get the latest software updates (Preview)
Description & related policy: Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, see Vulnerability management for Azure Machine Learning.
Severity: Medium
Resource logs in Azure Databricks Workspaces should be enabled (Preview)
Description & related policy: Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
Severity: Medium
Azure Databricks Workspaces should disable public network access (Preview)
Description & related policy: Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. For more information, see Enable Azure Private Link.
Severity: Medium
Azure Databricks Clusters should disable public IP (Preview)
Description & related policy: Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. For more information, see Secure cluster connectivity.
Severity: Medium
Azure Databricks Workspaces should be in a virtual network (Preview)
Description & related policy: Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. For more information, see Deploy Azure Databricks in your Azure virtual network.
Severity: Medium
Azure Databricks Workspaces should use private link (Preview)
Description & related policy: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. For more information, see Create the workspace and private endpoints in the Azure portal UI.
Severity: Medium
AWS AI recommendations
AWS Bedrock should have model invocation logging enabled
Description: With invocation logging, you can collect the full request data, response data, and metadata associated with all calls performed in your account. This enables you to recreate activity trails for investigation purposes when a security incident occurs.
Severity: Low
AWS Bedrock should use AWS PrivateLink
Description Amazon Bedrock VPC endpoint powered by AWS PrivateLink, allows you to establish a private connection between the VPC in your account and the Amazon Bedrock service account. AWS PrivateLink enables VPC instances to communicate with Bedrock service resources, without the need for public IP addresses, ensuring your data is not exposed to the public internet and thereby helping with your compliance requirements.
Severity Medium
AWS Bedrock agents should use guardrails when allowing access to generative AI applications
Description Guardrails for Amazon Bedrock enhance the safety of generative AI applications by evaluating both user inputs and model-generated responses. These guardrails include content filters, which help detect and filter harmful content. Specifically, the "Prompt Attacks" category that includes safeguards on user prompts to prevent jailbreaks and prompt injections.
Severity Medium