diff --git a/.vscode/settings.json b/.vscode/settings.json
index dfb6dcca744..2c1dcba3348 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -62,6 +62,7 @@
 "Concat",
 "CONTAINERAPPS",
 "Contoso",
+ "Dapr",
 "deallocated",
 "DEFAULTVALUE",
 "DEPLOYIFNOTEXISTS",
diff --git a/data/policy-ignore.json b/data/policy-ignore.json
index e682a8b8f5c..01e95d9dca1 100644
--- a/data/policy-ignore.json
+++ b/data/policy-ignore.json
@@ -20,5 +20,12 @@
 // Azure.KeyVault.SoftDelete
 "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
 // Checking for Network Watcher in a resource group is not enforcable by code.
- "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"
+ "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
+ // Azure.AKS.LocalAccounts
+ "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32",
+ // Azure.Cognitive.DisableLocalAuth
+ "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+ "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
+ // Azure.Cognitive.ManagedIdentity
+ "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418"
 ]
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
index c02d8dfb0db..b165b591d32 100644
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@@ -46,6 +46,11 @@ What's changed since pre-release v1.30.0-B0080:
 - Updated `Azure.AKS.Version` to use latest stable version `1.26.6` by @BernieWhite.
 [#2404](https://github.com/Azure/PSRule.Rules.Azure/issues/2404)
 - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
+ - Promoted `Azure.AKS.LocalAccounts` to GA rule set by @BernieWhite.
+ [#2448](https://github.com/Azure/PSRule.Rules.Azure/issues/2448)
+ - Container App:
+ - Promoted `Azure.ContainerApp.DisableAffinity` to GA rule set by @BernieWhite.
+ [#2455](https://github.com/Azure/PSRule.Rules.Azure/issues/2455)
 - General improvements:
 - Add source link for rule in docs by @BernieWhite.
 [#2115](https://github.com/Azure/PSRule.Rules.Azure/issues/2115)
diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md
index d72edff1029..33be8f2cf45 100644
--- a/docs/en/baselines/Azure.Default.md
+++ b/docs/en/baselines/Azure.Default.md
@@ -4,7 +4,7 @@ Default baseline for Azure rules.
 ## Rules
-The following rules are included within `Azure.Default`. This baseline includes a total of 385 rules.
+The following rules are included within `Azure.Default`. This baseline includes a total of 387 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -34,6 +34,7 @@ Name | Synopsis | Severity
 [Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
 [Azure.AKS.EphemeralOSDisk](../rules/Azure.AKS.EphemeralOSDisk.md) | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | Important
 [Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
+[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
 [Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
@@ -124,6 +125,7 @@ Name | Synopsis | Severity
 [Azure.Cognitive.PrivateEndpoints](../rules/Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | Important
 [Azure.Cognitive.PublicAccess](../rules/Azure.Cognitive.PublicAccess.md) | Restrict access of Cognitive Services accounts to authorized virtual networks. | Important
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
+[Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
diff --git a/docs/en/baselines/Azure.GA_2023_09.md b/docs/en/baselines/Azure.GA_2023_09.md
index 65c79fc3a83..8addc82aa8b 100644
--- a/docs/en/baselines/Azure.GA_2023_09.md
+++ b/docs/en/baselines/Azure.GA_2023_09.md
@@ -4,7 +4,7 @@ Include rules released September 2023 or prior for Azure GA features.
 ## Rules
-The following rules are included within `Azure.GA_2023_09`. This baseline includes a total of 385 rules.
+The following rules are included within `Azure.GA_2023_09`. This baseline includes a total of 387 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -34,6 +34,7 @@ Name | Synopsis | Severity
 [Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness
 [Azure.AKS.EphemeralOSDisk](../rules/Azure.AKS.EphemeralOSDisk.md) | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | Important
 [Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
+[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
 [Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of nodes for failover and updates. | Important
@@ -124,6 +125,7 @@ Name | Synopsis | Severity
 [Azure.Cognitive.PrivateEndpoints](../rules/Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | Important
 [Azure.Cognitive.PublicAccess](../rules/Azure.Cognitive.PublicAccess.md) | Restrict access of Cognitive Services accounts to authorized virtual networks. | Important
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
+[Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
diff --git a/docs/en/baselines/Azure.MCSB.v1.md b/docs/en/baselines/Azure.MCSB.v1.md
index a9c1c19c84c..c5f673585a5 100644
--- a/docs/en/baselines/Azure.MCSB.v1.md
+++ b/docs/en/baselines/Azure.MCSB.v1.md
@@ -6,7 +6,7 @@ Microsoft Cloud Security Benchmark v1.
 ## Controls
-The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 118 rules.
+The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 119 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -23,6 +23,7 @@ Name | Synopsis | Severity
 [Azure.AKS.AzureRBAC](../rules/Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important
 [Azure.AKS.ContainerInsights](../rules/Azure.AKS.ContainerInsights.md) | Enable Container insights to monitor AKS cluster workloads. | Important
 [Azure.AKS.HttpAppRouting](../rules/Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important
+[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.AKS.ManagedAAD](../rules/Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important
 [Azure.AKS.ManagedIdentity](../rules/Azure.AKS.ManagedIdentity.md) | Configure AKS clusters to use managed identities for managing cluster infrastructure. | Important
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | Deploy AKS clusters with Network Policies enabled. | Important
diff --git a/docs/en/baselines/Azure.Preview_2021_09.md b/docs/en/baselines/Azure.Preview_2021_09.md
index 7ec318727d2..948210d66ed 100644
--- a/docs/en/baselines/Azure.Preview_2021_09.md
+++ b/docs/en/baselines/Azure.Preview_2021_09.md
@@ -6,10 +6,9 @@ Include rules released September 2021 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2021_09`. This baseline includes a total of 3 rules.
+The following rules are included within `Azure.Preview_2021_09`. This baseline includes a total of 2 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
diff --git a/docs/en/baselines/Azure.Preview_2021_12.md b/docs/en/baselines/Azure.Preview_2021_12.md
index 92485b76792..26dbd3ca530 100644
--- a/docs/en/baselines/Azure.Preview_2021_12.md
+++ b/docs/en/baselines/Azure.Preview_2021_12.md
@@ -6,10 +6,9 @@ Include rules released December 2021 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2021_12`. This baseline includes a total of 3 rules.
+The following rules are included within `Azure.Preview_2021_12`. This baseline includes a total of 2 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
diff --git a/docs/en/baselines/Azure.Preview_2022_03.md b/docs/en/baselines/Azure.Preview_2022_03.md
index e9d85522232..5234c032314 100644
--- a/docs/en/baselines/Azure.Preview_2022_03.md
+++ b/docs/en/baselines/Azure.Preview_2022_03.md
@@ -6,10 +6,9 @@ Include rules released March 2022 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2022_03`. This baseline includes a total of 3 rules.
+The following rules are included within `Azure.Preview_2022_03`. This baseline includes a total of 2 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
diff --git a/docs/en/baselines/Azure.Preview_2022_06.md b/docs/en/baselines/Azure.Preview_2022_06.md
index f91370ecbdb..4e383fd37cd 100644
--- a/docs/en/baselines/Azure.Preview_2022_06.md
+++ b/docs/en/baselines/Azure.Preview_2022_06.md
@@ -6,10 +6,9 @@ Include rules released June 2022 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2022_06`. This baseline includes a total of 3 rules.
+The following rules are included within `Azure.Preview_2022_06`. This baseline includes a total of 2 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
diff --git a/docs/en/baselines/Azure.Preview_2022_09.md b/docs/en/baselines/Azure.Preview_2022_09.md
index 4c5856e0f71..93f8d21fe50 100644
--- a/docs/en/baselines/Azure.Preview_2022_09.md
+++ b/docs/en/baselines/Azure.Preview_2022_09.md
@@ -6,12 +6,11 @@ Include rules released September 2022 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2022_09`. This baseline includes a total of 5 rules.
+The following rules are included within `Azure.Preview_2022_09`. This baseline includes a total of 4 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
 [Azure.ACR.SoftDelete](../rules/Azure.ACR.SoftDelete.md) | Azure Container Registries should have soft delete policy enabled. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.AppConfig.GeoReplica](../rules/Azure.AppConfig.GeoReplica.md) | Consider replication for app configuration store to ensure resiliency to region outages. | Important
diff --git a/docs/en/baselines/Azure.Preview_2022_12.md b/docs/en/baselines/Azure.Preview_2022_12.md
index fa78f4ada61..1065eddc50e 100644
--- a/docs/en/baselines/Azure.Preview_2022_12.md
+++ b/docs/en/baselines/Azure.Preview_2022_12.md
@@ -6,12 +6,11 @@ Include rules released December 2022 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2022_12`. This baseline includes a total of 5 rules.
+The following rules are included within `Azure.Preview_2022_12`. This baseline includes a total of 4 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
 [Azure.ACR.SoftDelete](../rules/Azure.ACR.SoftDelete.md) | Azure Container Registries should have soft delete policy enabled. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.AppConfig.GeoReplica](../rules/Azure.AppConfig.GeoReplica.md) | Consider replication for app configuration store to ensure resiliency to region outages. | Important
diff --git a/docs/en/baselines/Azure.Preview_2023_03.md b/docs/en/baselines/Azure.Preview_2023_03.md
index 33f44b04c17..f9c19bac4f1 100644
--- a/docs/en/baselines/Azure.Preview_2023_03.md
+++ b/docs/en/baselines/Azure.Preview_2023_03.md
@@ -6,12 +6,11 @@ Include rules released March 2023 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2023_03`. This baseline includes a total of 5 rules.
+The following rules are included within `Azure.Preview_2023_03`. This baseline includes a total of 4 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
 [Azure.ACR.SoftDelete](../rules/Azure.ACR.SoftDelete.md) | Azure Container Registries should have soft delete policy enabled. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.AppConfig.GeoReplica](../rules/Azure.AppConfig.GeoReplica.md) | Consider replication for app configuration store to ensure resiliency to region outages. | Important
diff --git a/docs/en/baselines/Azure.Preview_2023_06.md b/docs/en/baselines/Azure.Preview_2023_06.md
index 689885ee96a..c2f08aa2d38 100644
--- a/docs/en/baselines/Azure.Preview_2023_06.md
+++ b/docs/en/baselines/Azure.Preview_2023_06.md
@@ -6,19 +6,17 @@ Include rules released June 2023 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2023_06`. This baseline includes a total of 15 rules.
+The following rules are included within `Azure.Preview_2023_06`. This baseline includes a total of 13 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
 [Azure.ACR.SoftDelete](../rules/Azure.ACR.SoftDelete.md) | Azure Container Registries should have soft delete policy enabled. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.APIM.DefenderCloud](../rules/Azure.APIM.DefenderCloud.md) | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical
 [Azure.AppConfig.GeoReplica](../rules/Azure.AppConfig.GeoReplica.md) | Consider replication for app configuration store to ensure resiliency to region outages. | Important
 [Azure.Arc.Kubernetes.Defender](../rules/Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important
 [Azure.Arc.Server.MaintenanceConfig](../rules/Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Important
-[Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important
 [Azure.Defender.Api](../rules/Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical
 [Azure.Defender.Storage.MalwareScan](../rules/Azure.Defender.Storage.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. 
| Critical
 [Azure.Defender.Storage.SensitiveData](../rules/Azure.Defender.Storage.SensitiveData.md) | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical
diff --git a/docs/en/baselines/Azure.Preview_2023_09.md b/docs/en/baselines/Azure.Preview_2023_09.md
index 89c2954b43d..a9b656db776 100644
--- a/docs/en/baselines/Azure.Preview_2023_09.md
+++ b/docs/en/baselines/Azure.Preview_2023_09.md
@@ -4,7 +4,7 @@ Include rules released September 2023 or prior for Azure preview only features.
 ## Rules
-The following rules are included within `Azure.Preview_2023_09`. This baseline includes a total of 16 rules.
+The following rules are included within `Azure.Preview_2023_09`. This baseline includes a total of 14 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -12,12 +12,10 @@ Name | Synopsis | Severity
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
 [Azure.ACR.SoftDelete](../rules/Azure.ACR.SoftDelete.md) | Azure Container Registries should have soft delete policy enabled. | Important
-[Azure.AKS.LocalAccounts](../rules/Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important
 [Azure.APIM.DefenderCloud](../rules/Azure.APIM.DefenderCloud.md) | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | Critical
 [Azure.AppConfig.GeoReplica](../rules/Azure.AppConfig.GeoReplica.md) | Consider replication for app configuration store to ensure resiliency to region outages. | Important
 [Azure.Arc.Kubernetes.Defender](../rules/Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important
 [Azure.Arc.Server.MaintenanceConfig](../rules/Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Important
-[Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important
 [Azure.Defender.Api](../rules/Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical
 [Azure.Defender.Storage.MalwareScan](../rules/Azure.Defender.Storage.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical
 [Azure.Defender.Storage.SensitiveData](../rules/Azure.Defender.Storage.SensitiveData.md) | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical
diff --git a/docs/en/rules/Azure.AKS.LocalAccounts.md b/docs/en/rules/Azure.AKS.LocalAccounts.md
index 39d3d31430b..540055e5081 100644
--- a/docs/en/rules/Azure.AKS.LocalAccounts.md
+++ b/docs/en/rules/Azure.AKS.LocalAccounts.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2023-10-01
 severity: Important
 pillar: Security
-category: Identity and access management
+category: Authorization
 resource: Azure Kubernetes Service
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.LocalAccounts/
 ---
@@ -14,13 +15,15 @@ Enforce named user accounts with RBAC assigned permissions.
 ## DESCRIPTION
-AKS clusters support Role-based Access Control (RBAC).
+AKS clusters support Role-based Access Control (RBAC) authorization.
 RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis.
 Actions performed by each identity can be logged for auditing with Kubernetes audit policies.
-Additionally some default cluster local account credentials are enabled by default.
-When enabled, an identity with permissions can perform cluster actions using local account credentials.
+When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled.
+These local accounts such as `clusterAdmin` and `clusterUser` are shared accounts that are not tied to an identity.
+
 If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts.
+Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions.
 In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential.
 For example, using `az aks get-credentials -g '' -n '' --admin` will fail.
@@ -28,6 +31,7 @@ For example, using `az aks get-credentials -g '' -n '' -g '' --enable-aad --aad-admin-group-object-ids '' --disable-local ``` -## NOTES +### Configure with Azure Policy + +To address this issue at runtime use the following policies: -This Azure feature is currently in preview. -To use this feature you must first opt-in by registering the feature on a per-subscription basis. +```text +/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32 +``` ## LINKS -- [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization) -- [Security design principles](https://learn.microsoft.com/azure/architecture/framework/security/security-principles) -- [Disable local accounts (preview)](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts-preview) -- [Access and identity options for Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/concepts-identity#azure-ad-integration) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters#managedclusterproperties-object) +- [Authorization with Azure AD](https://learn.microsoft.com/azure/well-architected/security/design-identity-authorization) +- [Security design principles](https://learn.microsoft.com/azure/well-architected/security/security-principles) +- [Manage local accounts with AKS-managed Azure Active Directory integration](https://learn.microsoft.com/azure/aks/manage-local-accounts-managed-azure-ad) +- [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-ad-integration) +- [Azure Policy built-in definitions for Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/policy-reference) +- [IM-1: Use centralized identity and authentication 
system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline#im-1-use-centralized-identity-and-authentication-system)
+- [PA-1: Separate and limit highly privileged/administrative users](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline#pa-1-separate-and-limit-highly-privilegedadministrative-users)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
diff --git a/docs/en/rules/Azure.Cognitive.DisableLocalAuth.md b/docs/en/rules/Azure.Cognitive.DisableLocalAuth.md
index 9fcd9990f21..025a0d0e3a8 100644
--- a/docs/en/rules/Azure.Cognitive.DisableLocalAuth.md
+++ b/docs/en/rules/Azure.Cognitive.DisableLocalAuth.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2022-07-26
+reviewed: 2023-10-01
 severity: Important
 pillar: Security
 category: Authentication
@@ -7,7 +7,7 @@ resource: Cognitive Services
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.DisableLocalAuth/
 ---
-# Use identity-based authentication for Cogitive Services accounts
+# Use identity-based authentication for Cognitive Services accounts
 ## SYNOPSIS
@@ -26,7 +26,7 @@ Once you decide to use Azure AD authentication, you can disable authentication u
 ## RECOMMENDATION
-Consider only using Azure AD identities to authenticate requests to Cogitive Services accounts.
+Consider only using Azure AD identities to authenticate requests to Cognitive Services accounts.
 Once configured, disable authentication based on access keys.
 ## EXAMPLES
@@ -41,24 +41,24 @@ For example:
 ```json
 {
- "type": "Microsoft.CognitiveServices/accounts",
- "apiVersion": "2022-03-01",
- "name": "[parameters('name')]",
- "location": "[parameters('location')]",
- "identity": {
- "type": "SystemAssigned"
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2023-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "CognitiveServices",
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "networkAcls": {
+ "defaultAction": "Deny"
 },
- "sku": {
- "name": "S0"
- },
- "kind": "CognitiveServices",
- "properties": {
- "publicNetworkAccess": "Disabled",
- "networkAcls": {
- "defaultAction": "Deny"
- },
- "disableLocalAuth": true
- }
+ "disableLocalAuth": true
+ }
 }
 ```
@@ -71,7 +71,7 @@ To deploy accounts that pass this rule:
 For example:
 ```bicep
-resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
+resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 name: name
 location: location
 identity: {
@@ -91,9 +91,19 @@ resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
 }
 ```
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+```text
+/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc
+/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555
+```
+
 ## LINKS
 - [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
-- [Authenticate with Azure Active Directory](https://docs.microsoft.com/azure/cognitive-services/authentication?tabs=powershell#authenticate-with-azure-active-directory)
-- [Azure Policy built-in policy definitions for Azure Cognitive Services](https://docs.microsoft.com/azure/cognitive-services/policy-reference)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
+- [Authenticate with Azure Active Directory](https://learn.microsoft.com/azure/ai-services/authentication#authenticate-with-azure-active-directory)
+- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
+- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-1-use-centralized-identity-and-authentication-system)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
diff --git a/docs/en/rules/Azure.Cognitive.ManagedIdentity.md b/docs/en/rules/Azure.Cognitive.ManagedIdentity.md
index 6b6481900ba..52f89e96b5d 100644
--- a/docs/en/rules/Azure.Cognitive.ManagedIdentity.md
+++ b/docs/en/rules/Azure.Cognitive.ManagedIdentity.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2022-07-26
+reviewed: 2023-10-01
 severity: Important
 pillar: Security
 category: Authentication
@@ -21,7 +21,7 @@ To authenticate to Azure resources, Cognitive Services can use managed identitie
 Using Azure managed identities have the following benefits:
 - You don't need to store or manage credentials.
-Azure automatically generates tokens and performs rotation.
+ Azure automatically generates tokens and performs rotation.
 - You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
 - Managed identities can be used without any additional cost.
@@ -42,24 +42,24 @@ For example:
 ```json
 {
- "type": "Microsoft.CognitiveServices/accounts",
- "apiVersion": "2022-03-01",
- "name": "[parameters('name')]",
- "location": "[parameters('location')]",
- "identity": {
- "type": "SystemAssigned"
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2023-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "CognitiveServices",
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "networkAcls": {
+ "defaultAction": "Deny"
 },
- "sku": {
- "name": "S0"
- },
- "kind": "CognitiveServices",
- "properties": {
- "publicNetworkAccess": "Disabled",
- "networkAcls": {
- "defaultAction": "Deny"
- },
- "disableLocalAuth": true
- }
+ "disableLocalAuth": true
+ }
 }
 ```
@@ -73,7 +73,7 @@ To deploy accounts that pass this rule:
 For example:
 ```bicep
-resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
+resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 name: name
 location: location
 identity: {
@@ -93,8 +93,18 @@ resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = { } ``` +### Configure with Azure Policy + +To address this issue at runtime use the following policies: + +```text +/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418 +``` + ## LINKS - [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication) -- [Azure Policy built-in policy definitions for Azure Cognitive Services](https://docs.microsoft.com/azure/cognitive-services/policy-reference) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts) +- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference) +- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-1-use-centralized-identity-and-authentication-system) +- [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-3-manage-application-identities-securely-and-automatically) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts) diff --git a/docs/en/rules/Azure.Cognitive.PrivateEndpoints.md b/docs/en/rules/Azure.Cognitive.PrivateEndpoints.md index 4aabc3b0be8..fe3cc222584 100644 --- a/docs/en/rules/Azure.Cognitive.PrivateEndpoints.md +++ b/docs/en/rules/Azure.Cognitive.PrivateEndpoints.md 
@@ -40,24 +40,24 @@ For example: ```json { - "type": "Microsoft.CognitiveServices/accounts", - "apiVersion": "2022-03-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" + "type": "Microsoft.CognitiveServices/accounts", + "apiVersion": "2023-05-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "S0" + }, + "kind": "CognitiveServices", + "properties": { + "publicNetworkAccess": "Disabled", + "networkAcls": { + "defaultAction": "Deny" }, - "sku": { - "name": "S0" - }, - "kind": "CognitiveServices", - "properties": { - "publicNetworkAccess": "Disabled", - "networkAcls": { - "defaultAction": "Deny" - }, - "disableLocalAuth": true - } + "disableLocalAuth": true + } } ``` @@ -70,7 +70,7 @@ To deploy accounts that pass this rule: For example: ```bicep -resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = { +resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { name: name location: location identity: { diff --git a/docs/en/rules/Azure.Cognitive.PublicAccess.md b/docs/en/rules/Azure.Cognitive.PublicAccess.md index 85ef0c1c864..678ba95d9e1 100644 --- a/docs/en/rules/Azure.Cognitive.PublicAccess.md +++ b/docs/en/rules/Azure.Cognitive.PublicAccess.md 
@@ -39,24 +39,24 @@ For example: ```json { - "type": "Microsoft.CognitiveServices/accounts", - "apiVersion": "2022-03-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned" + "type": "Microsoft.CognitiveServices/accounts", + "apiVersion": "2023-05-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "S0" + }, + "kind": "CognitiveServices", + "properties": { + "publicNetworkAccess": "Disabled", + "networkAcls": { + "defaultAction": "Deny" }, - "sku": { - "name": "S0" - }, - "kind": "CognitiveServices", - "properties": { - "publicNetworkAccess": "Disabled", - "networkAcls": { - "defaultAction": "Deny" - }, - "disableLocalAuth": true - } + "disableLocalAuth": true + } } ``` @@ -70,7 +70,7 @@ To deploy accounts that pass this rule: For example: ```bicep -resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = { +resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { name: name location: location identity: { diff --git a/docs/en/rules/Azure.ContainerApp.APIVersion.md b/docs/en/rules/Azure.ContainerApp.APIVersion.md index 9cee2d8bf76..9a48ada8d13 100644 --- a/docs/en/rules/Azure.ContainerApp.APIVersion.md +++ b/docs/en/rules/Azure.ContainerApp.APIVersion.md @@ -20,7 +20,7 @@ This means you'll no longer be able to create or manage your Azure Container App ## RECOMMENDATION -Consider migrating from retired API version to a supported version. +Consider migrating from a retired API version to a supported version. ## EXAMPLES diff --git a/docs/en/rules/Azure.ContainerApp.DisableAffinity.md b/docs/en/rules/Azure.ContainerApp.DisableAffinity.md index 326c7689dac..e45c32235a5 100644 --- a/docs/en/rules/Azure.ContainerApp.DisableAffinity.md +++ b/docs/en/rules/Azure.ContainerApp.DisableAffinity.md 
@@ -1,4 +1,5 @@ --- +reviewed: 2023-10-01 severity: Important pillar: Performance Efficiency category: Design for performance efficiency @@ -16,12 +17,15 @@ Disable session affinity to prevent unbalanced distribution. Container apps allows you to configure session affinity (sticky sessions). When enabled, this feature route requests from the same client to the same replica. +This feature might be useful for stateful applications that require a consistent connection to the same replica. -This feature might be useful for stateful applications that require a consistent connection to the same replica. However, if your application does not store large amounts of state or cached data in memory (stateless application design pattern), session affinity might decrease your throughput because one replica could get overloaded with requests, while others are dormant. +However, for stateless applications there is drawbacks to using session affinity. +As connections are opened and closed, a subset of replicas might become overloaded with requests, while others are dormant. +This can lead to: poor performance and resource utilization; less predictable scaling. ## RECOMMENDATION -Consider disabling session affinity to evenly distribute requests across each replica. +Consider using stateful application design and disabling session affinity to evenly distribute requests across each replica. ## EXAMPLES 
@@ -36,28 +40,30 @@ For example: ```json { "type": "Microsoft.App/containerApps", - "apiVersion": "2022-10-01", + "apiVersion": "2023-05-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", "identity": { - "type": "SystemAssigned", - "userAssignedIdentities": {} + "type": "SystemAssigned" }, "properties": { - "environmentId": "[parameters('environmentId')]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", "template": { - "revisionSuffix": "", + "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]" }, "configuration": { "ingress": { - "external": false, + "allowInsecure": false, "stickySessions": { - "affinity": "None" + "affinity": "none" } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + ] } ``` 
@@ -70,33 +76,37 @@ To deploy Container Apps that pass this rule: For example: ```bicep -resource containerApp 'Microsoft.App/containerApps@2022-10-01' = { +resource containerApp 'Microsoft.App/containerApps@2023-05-01' = { name: appName location: location identity: { type: 'SystemAssigned' - userAssignedIdentities: {} } - properties: { - environmentId: environmentId + properties: { + environmentId: containerEnv.id template: { - revisionSuffix: '' + revisionSuffix: revision containers: containers } configuration: { ingress: { - external: false + allowInsecure: false stickySessions: { affinity: 'none' + } } } } } ``` +### NOTES + +This rule may generate false positive results for stateful applications. + ## LINKS -- [Avoid a requirement to store server-side session state](https://learn.microsoft.com/azure/well-architected/scalability/design-checklist#implementation) -- [Session affinity](https://learn.microsoft.com/azure/well-architected/scalability/design-efficiency#improve-scalability-with-session-affinity) +- [Avoid a requirement to store server-side session state](https://learn.microsoft.com/azure/well-architected/scalability/performance-efficiency#implementation) +- [Session affinity](https://learn.microsoft.com/azure/well-architected/scalability/design-efficiency#improve-performance-with-session-affinity) - [Session Affinity in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/sticky-sessions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#ingressstickysessions) diff --git a/docs/en/rules/Azure.ContainerApp.Insecure.md b/docs/en/rules/Azure.ContainerApp.Insecure.md index 8494e11f4c8..2012e543c22 100644 --- a/docs/en/rules/Azure.ContainerApp.Insecure.md +++ b/docs/en/rules/Azure.ContainerApp.Insecure.md 
@@ -38,18 +38,24 @@ For example: ```json { "type": "Microsoft.App/containerApps", - "apiVersion": "2022-10-01", + "apiVersion": "2023-05-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, "properties": { - "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", "template": { - "revisionSuffix": "", + "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]" }, "configuration": { "ingress": { - "allowInsecure": false + "allowInsecure": false, + "stickySessions": { + "affinity": "none" + } } } }, @@ -68,18 +74,24 @@ To deploy resource that pass this rule: For example: ```bicep -resource containerApp 'Microsoft.App/containerApps@2022-10-01' = { +resource containerApp 'Microsoft.App/containerApps@2023-05-01' = { name: appName location: location + identity: { + type: 'SystemAssigned' + } properties: { - managedEnvironmentId: containerEnv.id + environmentId: containerEnv.id template: { - revisionSuffix: '' + revisionSuffix: revision containers: containers } configuration: { ingress: { allowInsecure: false + stickySessions: { + affinity: 'none' + } } } } diff --git a/docs/en/rules/Azure.ContainerApp.ManagedIdentity.md b/docs/en/rules/Azure.ContainerApp.ManagedIdentity.md index 694f33044a9..fd9241351ee 100644 --- a/docs/en/rules/Azure.ContainerApp.ManagedIdentity.md +++ b/docs/en/rules/Azure.ContainerApp.ManagedIdentity.md 
@@ -41,17 +41,33 @@ For example: ```json { "type": "Microsoft.App/containerApps", - "apiVersion": "2022-10-01", + "apiVersion": "2023-05-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", "identity": { - "type": "SystemAssigned", - "userAssignedIdentities": {} + "type": "SystemAssigned" }, - "properties": {} + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "template": { + "revisionSuffix": "[parameters('revision')]", + "containers": "[variables('containers')]" + }, + "configuration": { + "ingress": { + "allowInsecure": false, + "stickySessions": { + "affinity": "none" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + ] } ``` - + ### Configure with Bicep To deploy Container Apps that pass this rule: @@ -62,20 +78,34 @@ To deploy Container Apps that pass this rule: For example: ```bicep -resource containerApp 'Microsoft.App/containerApps@2022-10-01' = { +resource containerApp 'Microsoft.App/containerApps@2023-05-01' = { name: appName location: location identity: { type: 'SystemAssigned' - userAssignedIdentities: {} } - properties: {} + properties: { + environmentId: containerEnv.id + template: { + revisionSuffix: revision + containers: containers + } + configuration: { + ingress: { + allowInsecure: false + stickySessions: { + affinity: 'none' + } + } + } + } } ``` ## NOTES Using managed identities in scale rules isn't supported. +Init containers can't access managed identities. ## LINKS diff --git a/docs/en/rules/Azure.ContainerApp.PublicAccess.md b/docs/en/rules/Azure.ContainerApp.PublicAccess.md index 65d28d3bb74..335d5acd4c3 100644 --- a/docs/en/rules/Azure.ContainerApp.PublicAccess.md +++ b/docs/en/rules/Azure.ContainerApp.PublicAccess.md 
@@ -16,7 +16,8 @@ Ensure public network access for Container Apps environment is disabled. Container apps environments allows you to expose your container app to the Internet. -Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. +Container apps environments deployed as external resources are available for public requests. +External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. diff --git a/docs/en/rules/Azure.ContainerApp.Storage.md b/docs/en/rules/Azure.ContainerApp.Storage.md index 9b59a8add97..2d1f0c3627a 100644 --- a/docs/en/rules/Azure.ContainerApp.Storage.md +++ b/docs/en/rules/Azure.ContainerApp.Storage.md @@ -16,7 +16,8 @@ Use of Azure Files volume mounts to persistent storage container data. Container apps allows you to use different types of storage. This can be achieved by using volume mounts. -There are considerations to be taken, whether persistant storage is suitable for your app or if non-persistant storage is suitable. Apps may require no storage. +There are considerations to be taken, whether persistent storage is suitable for your app or if non-persistent storage is suitable. +Apps may require no storage. By default all files created inside a container are stored on a writable container layer. 
@@ -37,7 +38,7 @@ Some considerations when using storage volume mounts: - Azure Files volume - Files written under the mount location are persisted to the file share. - Files in the share are available via the mount location. - - Multiple containers can mount the same file share, including ones that are in another replica, revision, or container app + - Multiple containers can mount the same file share, including ones that are in another replica, revision, or container app. - All containers that mount the share can access files written by any other container or method. - More than one Azure Files volume can be mounted in a single container. @@ -158,6 +159,7 @@ resource containerApp 'Microsoft.App/containerApps@2022-10-01' = { } } ``` + ## NOTES To enable Azure Files storage, a storage definition must be defined in the Container Apps Environment. diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md index 37756d6eed6..705a235b51b 100644 --- a/docs/en/rules/index.md +++ b/docs/en/rules/index.md @@ -1,6 +1,6 @@ --- -title: Reference generated: True +title: Reference --- # Reference 
@@ -52,7 +52,7 @@ AZR-000027 | [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | Deploy AKS AZR-000028 | [Azure.AKS.AzurePolicyAddOn](Azure.AKS.AzurePolicyAddOn.md) | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | GA AZR-000029 | [Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | GA AZR-000030 | [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | GA -AZR-000031 | [Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Preview +AZR-000031 | [Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | GA AZR-000032 | [Azure.AKS.AzureRBAC](Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | GA AZR-000033 | [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | GA AZR-000034 | [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | GA 
@@ -398,7 +398,7 @@ AZR-000374 | [Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceCo AZR-000375 | [Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Preview AZR-000376 | [Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | GA AZR-000377 | [Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Preview -AZR-000378 | [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Preview +AZR-000378 | [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | GA AZR-000379 | [Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | GA AZR-000380 | [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | GA AZR-000381 | [Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | GA diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md index 1c13dc5a433..141ba1aeba9 100644 --- a/docs/en/rules/module.md +++ b/docs/en/rules/module.md @@ -467,6 +467,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important | Error [Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning ### Azure resources 
@@ -566,7 +567,6 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ACR.AnonymousAccess](Azure.ACR.AnonymousAccess.md) | Disable anonymous pull access. | Important | Error [Azure.AKS.AzureRBAC](Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important | Error -[Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important | Error [Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error [Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md index 37756d6eed6..705a235b51b 100644 --- a/docs/es/rules/index.md +++ b/docs/es/rules/index.md @@ -1,6 +1,6 @@ --- -title: Reference generated: True +title: Reference --- # Reference 
@@ -52,7 +52,7 @@ AZR-000027 | [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | Deploy AKS AZR-000028 | [Azure.AKS.AzurePolicyAddOn](Azure.AKS.AzurePolicyAddOn.md) | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | GA AZR-000029 | [Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | GA AZR-000030 | [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | GA -AZR-000031 | [Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Preview +AZR-000031 | [Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | GA AZR-000032 | [Azure.AKS.AzureRBAC](Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | GA AZR-000033 | [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | GA AZR-000034 | [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | GA 
@@ -398,7 +398,7 @@ AZR-000374 | [Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceCo AZR-000375 | [Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Preview AZR-000376 | [Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | GA AZR-000377 | [Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Preview -AZR-000378 | [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Preview +AZR-000378 | [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | GA AZR-000379 | [Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | GA AZR-000380 | [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | GA AZR-000381 | [Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | GA diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md index 1c13dc5a433..141ba1aeba9 100644 --- a/docs/es/rules/module.md +++ b/docs/es/rules/module.md @@ -467,6 +467,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important | Error [Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning ### Azure resources 
@@ -566,7 +567,6 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ACR.AnonymousAccess](Azure.ACR.AnonymousAccess.md) | Disable anonymous pull access. | Important | Error [Azure.AKS.AzureRBAC](Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important | Error -[Azure.AKS.LocalAccounts](Azure.AKS.LocalAccounts.md) | Enforce named user accounts with RBAC assigned permissions. | Important | Error [Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error [Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error diff --git a/docs/examples-cognitive.bicep b/docs/examples-cognitive.bicep index 6b79ffafb2e..38eff69db81 100644 --- a/docs/examples-cognitive.bicep +++ b/docs/examples-cognitive.bicep @@ -10,7 +10,7 @@ param name string param location string = resourceGroup().location // An example multi-service cognitive services account -resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = { +resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { name: name location: location identity: { diff --git a/docs/examples-cognitive.json b/docs/examples-cognitive.json index 16cf55f3c1b..9f3321c810c 100644 --- a/docs/examples-cognitive.json +++ b/docs/examples-cognitive.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.8.9.13224", - "templateHash": "11381831083074745449" + "version": "0.21.1.54444", + "templateHash": "17850178672994683728" } }, "parameters": { 
@@ -26,7 +26,7 @@
 "resources": [
 {
 "type": "Microsoft.CognitiveServices/accounts", 
- "apiVersion": "2022-03-01", 
+ "apiVersion": "2023-05-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
 "identity": {
diff --git a/docs/examples-containerapp.bicep b/docs/examples-containerapp.bicep
index 0ea555f8e69..a474a19b532 100644
--- a/docs/examples-containerapp.bicep
+++ b/docs/examples-containerapp.bicep
@@ -15,6 +15,9 @@ param location string = resourceGroup().location
 @description('The name of a Log Analytics workspace')
 param workspaceId string 
+@description('The revision of the container app.') 
+param revision string 
+
 resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
 name: workspaceId
 }
@@ -31,7 +34,7 @@ var containers = [
 ]
 // An example App Environment 
-resource containerEnv 'Microsoft.App/managedEnvironments@2022-10-01' = { 
+resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
 name: envName
 location: location
 properties: {
@@ -46,18 +49,24 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {
 }
 // An example Container App 
-resource containerApp 'Microsoft.App/containerApps@2022-10-01' = { 
+resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
 name: appName
 location: location 
+ identity: { 
+ type: 'SystemAssigned' 
+ }
 properties: { 
- managedEnvironmentId: containerEnv.id 
+ environmentId: containerEnv.id
 template: { 
- revisionSuffix: '' 
+ revisionSuffix: revision
 containers: containers
 }
 configuration: {
 ingress: {
 allowInsecure: false 
+ stickySessions: { 
+ affinity: 'none' 
+ }
 }
 }
 }
diff --git a/docs/examples-containerapp.json b/docs/examples-containerapp.json
index 82637c58bde..8225c2c0aaa 100644
--- a/docs/examples-containerapp.json
+++ b/docs/examples-containerapp.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.16.2.56959", - "templateHash": "12316369736007793712" + "version": "0.21.1.54444", + "templateHash": "14295091017114091018" } }, "parameters": { @@ -33,6 +33,12 @@ "metadata": { "description": "The name of a Log Analytics workspace" } + }, + "revision": { + "type": "string", + "metadata": { + "description": "The revision of the container app." + } } }, "variables": { @@ -50,7 +56,7 @@ "resources": [ { "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2022-10-01", + "apiVersion": "2023-05-01", "name": "[parameters('envName')]", "location": "[parameters('location')]", "properties": { @@ -65,18 +71,24 @@ }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2022-10-01", + "apiVersion": "2023-05-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, "properties": { - "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", "template": { - "revisionSuffix": "", + "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]" }, "configuration": { "ingress": { - "allowInsecure": false + "allowInsecure": false, + "stickySessions": { + "affinity": "none" + } } } }, diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml index bd649058fd3..a228c1e0873 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml 
@@ -155,11 +155,12 @@ metadata:
 name: Azure.AKS.LocalAccounts
 ref: AZR-000031
 tags: 
- release: preview 
- ruleSet: 2021_06 
+ release: GA 
+ ruleSet: 2023_09
 Azure.WAF/pillar: Security
 labels: 
- Azure.MCSB.v1/control: [ 'IM-1', 'PA-7' ] 
+ Azure.MCSB.v1/control: [ 'IM-1', 'PA-1' ] 
+ Azure.Policy/id: /providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml
index a23683921b9..0fc89abbe65 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml
@@ -43,6 +43,7 @@ metadata:
 Azure.WAF/pillar: 'Security'
 labels:
 Azure.MCSB.v1/control: [ 'IM-1', 'IM-3' ] 
+ Azure.Policy/id: /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
 spec:
 type:
 - Microsoft.CognitiveServices/accounts
@@ -64,9 +65,12 @@ metadata:
 tags:
 release: GA
 ruleSet: 2022_09 
- Azure.WAF/pillar: 'Security' 
+ Azure.WAF/pillar: Security
 labels: 
- Azure.MCSB.v1/control: [ 'IM-1', 'IM-3' ] 
+ Azure.MCSB.v1/control: IM-1 
+ Azure.Policy/id: 
+ - /providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc 
+ - /providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555
 spec:
 type:
 - Microsoft.CognitiveServices/accounts
@@ -84,9 +88,9 @@ metadata:
 tags:
 release: GA
 ruleSet: 2022_09 
- Azure.WAF/pillar: 'Security' 
+ Azure.WAF/pillar: Security
 labels: 
- Azure.MCSB.v1/control: 'NS-2' 
+ Azure.MCSB.v1/control: NS-2
 spec:
 type:
 - Microsoft.CognitiveServices/accounts
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml
index 0cd6f6e6ef4..a71868f3229 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml
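Review bot: The `Azure.MCSB.v1/control` label for Azure.AKS.LocalAccounts changes from `PA-7` to `PA-1` in the same hunk that promotes the rule to GA, and nothing in the patch explains the re-mapping; if it is intentional it deserves its own changelog line, otherwise it looks like an accidental edit. PA-1 and PA-7 are different benchmark controls, so any downstream report that groups findings by MCSB control will move this rule. I would also annotate the new `Azure.Policy/id` GUID with the built-in definition's display name and effect, e.g. a comment line `# Built-in policy: <display name> (effect: Audit/Deny)` above it, because a bare GUID cannot be reviewed without looking it up. The rule's `spec` continues outside the hunk.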
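Review bot: The `Azure.Policy/id` list added to Azure.Cognitive.DisableLocalAuth carries two GUIDs with nothing saying how they differ; if one is an audit/deny definition and the other a Modify or DeployIfNotExists definition that sets `disableLocalAuth` on existing accounts, assigning the second one will cut off every client still authenticating with account keys, which is the caveat a reader of the generated "Configure with Azure Policy" section needs before enabling remediation. I would add a comment above each id naming the built-in definition and its effect, e.g. `# <display name> - Audit/Deny` and `# <display name> - Modify (remediates existing accounts)`, and have the rule documentation say that key-based clients must be migrated to Azure AD authentication first. Which GUID has which effect is not visible in this patch, so please confirm against the built-in definitions. The rule's `spec` continues outside the hunk.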
+++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml
@@ -153,8 +153,8 @@ metadata:
 name: Azure.ContainerApp.DisableAffinity
 ref: AZR-000378
 tags: 
- release: Preview 
- ruleSet: 2023_06 
+ release: GA 
+ ruleSet: 2023_09
 Azure.WAF/pillar: Performance Efficiency
 spec:
 with:
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
index ec81f950fb9..14ac710cf9f 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
@@ -101,7 +101,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2021_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 3; 
+ $filteredResult.Length | Should -Be 2;
 }
 It 'With Azure.GA_2021_12' {
@@ -115,7 +115,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2021_12' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 3; 
+ $filteredResult.Length | Should -Be 2;
 }
 It 'With Azure.GA_2022_03' {
@@ -129,7 +129,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2022_03' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 3; 
+ $filteredResult.Length | Should -Be 2;
 }
 It 'With Azure.GA_2022_06' {
@@ -143,7 +143,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2022_06' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 3; 
+ $filteredResult.Length | Should -Be 2;
 }
 It 'With Azure.GA_2022_09' {
@@ -157,7 +157,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2022_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 5; 
+ $filteredResult.Length | Should -Be 4;
 }
 It 'With Azure.GA_2022_12' {
@@ -171,7 +171,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2022_12' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 5; 
+ $filteredResult.Length | Should -Be 4;
 }
 It 'With Azure.GA_2023_03' {
@@ -185,7 +185,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_03' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 5; 
+ $filteredResult.Length | Should -Be 4;
 }
 It 'With Azure.GA_2023_06' {
@@ -199,21 +199,21 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_06' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 15; 
+ $filteredResult.Length | Should -Be 13;
 }
 It 'With Azure.GA_2023_09' {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 385; 
+ $filteredResult.Length | Should -Be 387;
 }
 It 'With Azure.Preview_2023_09' {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
 $filteredResult | Should -Not -BeNullOrEmpty; 
- $filteredResult.Length | Should -Be 16; 
+ $filteredResult.Length | Should -Be 14;
 }
 }
 }
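Review bot: The `Azure.GA_2023_09` and `Azure.Preview_2023_09` cases only bump the expected counts to 387 and 14, so they would still pass if a different pair of rules had moved between the `GA` and `preview` release tags; a membership assertion pins the promotion this patch actually makes, e.g. `$filteredResult.Name | Should -Contain 'Azure.AKS.LocalAccounts'` and `$filteredResult.Name | Should -Contain 'Azure.ContainerApp.DisableAffinity'` in the GA block, with the corresponding `Should -Not -Contain` lines in the preview block. The earlier preview-baseline cases that drop by one would benefit from the same `-Not -Contain` check for `Azure.AKS.LocalAccounts`. The `Describe` block that this hunk closes begins outside the hunk.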