From bccee75c5ab794cb8ca50cceca5023531e32f3e0 Mon Sep 17 00:00:00 2001
From: BernieWhite If you want to write your own tests, you can do that too in your choice of YAML, JSON, or PowerShell.
-However with over 390 tests already built, you can identify and fix issues day one.Unreleased@BernieWhite.
+ #2115
+
+
v1.0.0-B2101006 (pre-release)Why use PSRule for Azure?ARM templates syntax.
Get started with a sample repository
To get started with a sample repository, see PSRule for Azure Quick Start on GitHub.
@@ -12088,7 +12088,7 @@Security · Container Registry + · Rule · 2020_06
Use Azure AD identities instead of using the registry admin user.
Security · Container Registry + · Rule · Preview · 2023_09
Disable anonymous pull access.
diff --git a/en/rules/Azure.ACR.ContainerScan/index.html b/en/rules/Azure.ACR.ContainerScan/index.html index d15ab2e940..b4666917ed 100644 --- a/en/rules/Azure.ACR.ContainerScan/index.html +++ b/en/rules/Azure.ACR.ContainerScan/index.html @@ -12163,6 +12163,7 @@Security · Container Registry + · Rule · 2020_12
Enable vulnerability scanning for container images.
Security · Container Registry + · Rule · 2020_12
Use container images signed by a trusted image publisher.
Security · Container Registry + · Rule · 2023_09
Limit network access of container registries to only trusted clients.
Reliability · Container Registry + · Rule · 2020_12
Use geo-replicated container registries to complement multi-region container deployments.
Security · Container Registry + · Rule · 2020_12
Remove container images with known vulnerabilities.
Reliability · Container Registry + · Rule · 2020_06
ACR should use the Premium or Standard SKU for production deployments.
Operational Excellence · Container Registry + · Rule · 2020_06
Container registry names should meet naming requirements.
Security · Container Registry + · Rule · Preview · 2020_12
Enable container image quarantine, scan, and mark images as verified.
diff --git a/en/rules/Azure.ACR.Retention/index.html b/en/rules/Azure.ACR.Retention/index.html index 4a14d5adb3..1b20f7d4de 100644 --- a/en/rules/Azure.ACR.Retention/index.html +++ b/en/rules/Azure.ACR.Retention/index.html @@ -12135,6 +12135,7 @@Cost Optimization · Container Registry + · Rule · Preview · 2020_12
Use a retention policy to clean up untagged manifests.
diff --git a/en/rules/Azure.ACR.SoftDelete/index.html b/en/rules/Azure.ACR.SoftDelete/index.html index d8835c96b4..72486e6d5b 100644 --- a/en/rules/Azure.ACR.SoftDelete/index.html +++ b/en/rules/Azure.ACR.SoftDelete/index.html @@ -12135,6 +12135,7 @@Reliability · Container Registry + · Rule · Preview · 2022_09
Azure Container Registries should have soft delete policy enabled.
diff --git a/en/rules/Azure.ACR.Usage/index.html b/en/rules/Azure.ACR.Usage/index.html index fe277acf69..091b5bb685 100644 --- a/en/rules/Azure.ACR.Usage/index.html +++ b/en/rules/Azure.ACR.Usage/index.html @@ -12081,6 +12081,7 @@Cost Optimization · Container Registry + · Rule · 2020_12
Regularly remove deprecated and unneeded images to reduce storage usage.
Security · Data Explorer + · Rule · 2022_03
Use disk encryption for Azure Data Explorer (ADX) clusters.
Security · Data Explorer + · Rule · 2022_03
Configure Data Explorer clusters to use managed identities to access Azure resources securely.
Reliability · Data Explorer + · Rule · 2022_03
Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.
Cost Optimization · Data Explorer + · Rule · 2022_03
Regularly remove unused resources to reduce costs.
Security · Azure Kubernetes Service + · Rule · 2021_09
AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.
Security · Azure Kubernetes Service + · Rule · 2021_06
Restrict access to API server endpoints to authorized IP addresses.
Performance Efficiency · Azure Kubernetes Service + · Rule · 2021_09
Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present.
Operational Excellence · Azure Kubernetes Service + · Rule · 2021_12
Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.
Reliability · Azure Kubernetes Service + · Rule · 2021_09
AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.
Security · Azure Kubernetes Service + · Rule · 2020_12
Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.
Security · Azure Kubernetes Service + · Rule · 2021_06
Use Azure RBAC for Kubernetes Authorization with AKS clusters.
Reliability · Azure Kubernetes Service + · Rule · 2021_09
AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.
Operational Excellence · Azure Kubernetes Service + · Rule · 2021_09
Enable Container insights to monitor AKS cluster workloads.
Operational Excellence · Azure Kubernetes Service + · Rule · 2020_06
Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.
Security · Azure Kubernetes Service + · Rule · 2023_03
Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.
Performance Efficiency · Azure Kubernetes Service + · Rule · 2022_09
AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.
Security · Azure Kubernetes Service + · Rule · 2021_12
Disable HTTP application routing add-on in AKS clusters.
Security · Azure Kubernetes Service + · Rule · Preview · 2021_06
Enforce named user accounts with RBAC assigned permissions.
diff --git a/en/rules/Azure.AKS.ManagedAAD/index.html b/en/rules/Azure.AKS.ManagedAAD/index.html index c2f1d38878..dcca08b6b5 100644 --- a/en/rules/Azure.AKS.ManagedAAD/index.html +++ b/en/rules/Azure.AKS.ManagedAAD/index.html @@ -12135,6 +12135,7 @@Security · Azure Kubernetes Service + · Rule · 2021_06
Use AKS-managed Azure AD to simplify authorization and improve security.
Security · Azure Kubernetes Service + · Rule · 2020_06
Configure AKS clusters to use managed identities for managing cluster infrastructure.
Reliability · Azure Kubernetes Service + · Rule · 2020_06
AKS clusters should have a minimum number of nodes for failover and updates.
Operational Excellence · Azure Kubernetes Service + · Rule · 2020_06
Azure Kubernetes Service (AKS) cluster names should meet naming requirements.
Security · Azure Kubernetes Service + · Rule · 2020_06
Deploy AKS clusters with Network Policies enabled.
Performance Efficiency · Azure Kubernetes Service + · Rule · 2020_06
Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.
Operational Excellence · Azure Kubernetes Service + · Rule · 2021_09
AKS clusters should collect platform diagnostic logs to monitor the state of workloads.
Performance Efficiency · Azure Kubernetes Service + · Rule · 2020_06
Deploy AKS clusters with node pools based on VM scale sets.
Reliability · Azure Kubernetes Service + · Rule · 2020_06
AKS node pools should match Kubernetes control plane version.
Security · Azure Kubernetes Service + · Rule · 2021_12
Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.
Security · Azure Kubernetes Service + · Rule · 2021_12
Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.
Performance Efficiency · Azure Kubernetes Service + · Rule · 2020_06
Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.
Security · Azure Kubernetes Service + · Rule · 2020_06
Deploy AKS cluster with role-based access control (RBAC) enabled.
Reliability · Azure Kubernetes Service + · Rule · 2020_06
AKS control plane and node pools should use a current stable release.
Operational Excellence · API Management + · Rule · 2020_09
API Management APIs should have a display name and description.
Reliability · API Management + · Rule · 2021_12
API management services deployed with Premium SKU should use availability zones in supported regions for high availability.
Security · API Management + · Rule · 2023_03
Avoid using wildcard for any configuration option in CORS policies.
Operational Excellence · API Management + · Rule · 2020_06
Renew certificates used for custom domain bindings.
Security · API Management + · Rule · 2022_03
API Management should not accept weak or deprecated ciphers for client or backend communication.
Security · API Management + · Rule · 2023_06
APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.
Security · API Management + · Rule · 2023_06
Encrypt all API Management named values with Key Vault secrets.
Security · API Management + · Rule · 2020_06
Use HTTPS for communication to backend services.
Security · API Management + · Rule · 2020_06
Enforce HTTPS for communication to API clients.
Security · API Management + · Rule · 2020_06
Configure managed identities to access Azure resources.
Operational Excellence · API Management + · Rule · 2022_12
API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.
Reliability · API Management + · Rule · 2022_12
API Management instances should use multi-region deployment to improve service availability.
Reliability · API Management + · Rule · 2022_12
API Management instances should have multi-region deployment gateways enabled.
Operational Excellence · API Management + · Rule · 2020_09
API Management service names should meet naming requirements.
Security · API Management + · Rule · 2023_06
Base element for any policy element in a section should be configured.
Security · API Management + · Rule · 2020_06
Configure products to require approval.
Operational Excellence · API Management + · Rule · 2020_09
API Management products should have a display name and description.
Security · API Management + · Rule · 2020_06
Configure products to require a subscription.
Operational Excellence · API Management + · Rule · 2020_09
Set legal terms for each product registered in API Management.
Security · API Management + · Rule · 2020_06
API Management should only accept a minimum of TLS 1.2 for client and backend communication.
Operational Excellence · API Management + · Rule · 2020_06
Remove starter and unlimited sample products.
Operational Excellence · App Service Environment + · Rule · 2022_12
Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.
Operational Excellence · Application Security Group + · Rule · 2021_12
Application Security Group (ASG) names should meet naming requirements.
Security · App Configuration + · Rule · 2022_09
Ensure app configuration store audit diagnostic logs are enabled.
Security · App Configuration + · Rule · 2022_09
Authenticate App Configuration clients with Azure AD identities.
Reliability · App Configuration + · Rule · 2022_09
Consider replication for app configuration store to ensure resiliency to region outages.
Operational Excellence · App Configuration + · Rule · 2020_12
App Configuration store names should meet naming requirements.
Reliability · App Configuration + · Rule · 2022_12
Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.
Reliability · App Configuration + · Rule · 2020_12
App Configuration should use a minimum size of Standard.
Reliability · Application Gateway + · Rule · 2021_09
Application gateways should use availability zones in supported regions for high availability.
Operational Excellence · Application Gateway + · Rule · 2023_06
Use an Application Gateway v2 SKU.
Reliability · Application Gateway + · Rule · 2020_06
Application Gateways should use a minimum of two instances.
Operational Excellence · Application Gateway + · Rule · 2020_06
Application Gateway should use a minimum instance size of Medium.
Operational Excellence · Application Gateway + · Rule · 2022_12
Application Gateways should meet naming requirements.
Security · Application Gateway + · Rule · 2020_06
Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.
Security · Application Gateway + · Rule · 2020_06
Internet exposed Application Gateways should use prevention mode to protect backend resources.
Security · Application Gateway + · Rule · 2020_06
Application Gateway should only accept a minimum of TLS 1.2.
Security · Application Gateway + · Rule · 2021_09
Application Gateways should only expose frontend HTTP endpoints over HTTPS.
Security · Application Gateway + · Rule · 2020_06
Internet accessible Application Gateways should protect endpoints with WAF.
Security · Application Gateway + · Rule · 2020_06
Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.
Security · Application Gateway + · Rule · 2020_06
Application Gateway Web Application Firewall (WAF) should have all rules enabled.
Security · Application Gateway + · Rule · 2022_09
Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.
Security · Application Gateway + · Rule · 2022_09
Application Gateway Web Application Firewall (WAF) should have all rules enabled.
Security · Application Gateway + · Rule · 2022_09
Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.
Security · Application Gateway + · Rule · 2022_09
Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.
Operational Excellence · Application Insights + · Rule · 2021_06
Azure Application Insights resources names should meet naming requirements.
Operational Excellence · Application Insights + · Rule · 2021_06
Configure Application Insights resources to store data in workspaces.
Performance Efficiency · App Service + · Rule · 2020_06
Disable client affinity for stateless services.
Reliability · App Service + · Rule · 2020_12
Configure Always On for App Service apps.
Performance Efficiency · App Service + · Rule · 2020_12
Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.
Security · App Service + · Rule · 2020_12
Configure managed identities to access Azure resources.
Performance Efficiency · App Service + · Rule · 2020_06
Use at least a Standard App Service Plan.
Security · App Service + · Rule · 2020_06
App Service should reject TLS versions older than 1.2.
Security · App Service + · Rule · 2020_12
Configure applications to use newer .NET versions.
Security · App Service + · Rule · 2020_12
Configure applications to use newer PHP runtime versions.
Reliability · App Service + · Rule · 2020_06
App Service Plan should use a minimum number of instances for failover.
Security · App Service + · Rule · 2020_12
Disable remote debugging on App Service apps when not in use.
Security · App Service + · Rule · 2020_06
Azure App Service apps should only accept encrypted connections.
Reliability · App Service + · Rule · 2022_06
Configure and enable instance health probes.
Reliability · App Service + · Rule · 2022_06
Configure a dedicated path for health probe requests.
Security · App Service + · Rule · 2022_06
Web apps should disable insecure FTP and configure SFTP when required.
Security · Arc + · Rule · 2023_06
Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.
Operational Excellence · Arc + · Rule · 2023_06
Use a maintenance configuration for Arc-enabled servers.
Security · Automation Account + · Rule · 2021_12
Ensure automation account audit diagnostic logs are enabled.
Security · Automation Account + · Rule · 2020_06
Azure Automation variables should be encrypted.
Security · Automation Account + · Rule · 2021_12
Ensure Managed Identity is used for authentication.
Operational Excellence · Automation Account + · Rule · 2021_12
Ensure automation account platform diagnostic logs are enabled.
Security · Automation Account + · Rule · 2020_06
Do not create webhooks with an expiry time greater than 1 year (default).
Security · Backup Vault + · Rule · 2023_09
Ensure immutability is configured to protect backup data.
Operational Excellence · Bastion + · Rule · 2022_12
Bastion hosts should meet naming requirements.
Operational Excellence · Content Delivery Network + · Rule · 2020_09
Azure CDN Endpoint names should meet naming requirements.
Security · Content Delivery Network + · Rule · 2020_06
Enforce HTTPS for client connections.
Security · Content Delivery Network + · Rule · 2020_09
Azure CDN endpoints should reject TLS versions older than 1.2.
Performance Efficiency · Front Door + · Rule · 2022_09
Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.
Security · Cognitive Services + · Rule · 2022_09
Authenticate requests to Cognitive Services with Azure AD identities.
Security · Cognitive Services + · Rule · 2022_09
Configure managed identities to access Azure resources.
Security · Cognitive Services + · Rule · 2022_09
Use Private Endpoints to access Cognitive Services accounts.
Security · Cognitive Services + · Rule · 2022_09
Restrict access of Cognitive Services accounts to authorized virtual networks.
Operational Excellence · Container App + · Rule · 2023_09
Migrate from retired API version to a supported version.
Performance Efficiency · Container App + · Rule · 2023_06
Disable session affinity to prevent unbalanced distribution.
Security · Container App + · Rule · 2023_03
Limit inbound communication for Container Apps to callers within the Container Apps Environment.
Security · Container App + · Rule · 2023_06
Ensure insecure inbound traffic is not permitted to the container app.
Security · Container App + · Rule · 2023_03
Ensure managed identity is used for authentication.
Operational Excellence · Container App + · Rule · 2023_03
Container Apps should meet naming requirements.
Security · Container App + · Rule · 2023_03
Ensure public network access for Container Apps environment is disabled.
Security · Container App + · Rule · 2023_06
IP ingress restrictions mode should be set to allow action for all rules defined.
Reliability · Container App + · Rule · 2023_03
Use Azure Files volume mounts to persist container data.
Operational Excellence · Cosmos DB + · Rule · 2021_09
Cosmos DB account names should meet naming requirements.
Security · Cosmos DB + · Rule · 2023_06
Enable Microsoft Defender for Azure Cosmos DB.
Security · Cosmos DB + · Rule · 2021_09
Use Azure AD identities for management plane operations in Azure Cosmos DB.
Operational Excellence · Data Factory + · Rule · 2020_06
Consider migrating to DataFactory v2.
Security · Databricks + · Rule · 2023_09
Use Databricks workspaces configured for secure cluster connectivity.
Security · Microsoft Defender for Cloud + · Rule · 2023_06
Enable Microsoft Defender for APIs.
Security · Microsoft Defender for Cloud + · Rule · 2022_09
Enable Microsoft Defender for App Service.
Security · Microsoft Defender for Cloud + · Rule · 2023_03
Enable Microsoft Defender for Azure Resource Manager (ARM).
Security · Microsoft Defender for Cloud + · Rule · 2022_09
Enable Microsoft Defender for Containers.
Security · Microsoft Defender for Cloud + · Rule · 2023_06
Enable Microsoft Defender for Azure Cosmos DB.
Security · Microsoft Defender for Cloud + · Rule · 2023_06
Enable Microsoft Defender Cloud Security Posture Management Standard plan.
Security · Microsoft Defender for Cloud + · Rule · 2023_03
Enable Microsoft Defender for DNS.
Security · Microsoft Defender for Cloud + · Rule · 2023_03
Enable Microsoft Defender for Key Vault.
Security · Microsoft Defender for Cloud + · Rule · 2023_06
Enable Microsoft Defender for open-source relational databases.
Security · Microsoft Defender for Cloud + · Rule · 2022_09
Enable Microsoft Defender for SQL servers.
Security · Microsoft Defender for Cloud + · Rule · 2022_09
Enable Microsoft Defender for SQL servers on machines.
Security · Microsoft Defender for Cloud + · Rule · 2022_09
Enable Microsoft Defender for Servers.
Security · Microsoft Defender for Cloud + · Rule · 2023_06
Enable Malware Scanning in Microsoft Defender for Storage.
Security · Microsoft Defender for Cloud + · Rule · 2023_06
Enable sensitive data threat detection in Microsoft Defender for Storage.
Security · Microsoft Defender for Cloud + · Rule · 2020_06
Microsoft Defender for Cloud email and phone contact details should be set.
Security · Microsoft Defender for Cloud + · Rule · 2020_06
Enable auto-provisioning to improve Microsoft Defender for Cloud insights.
Security · Deployment + · Rule · 2022_09
Use secure parameters for sensitive resource properties.
Operational Excellence · Deployment + · Rule · 2023_03
Nested deployments should meet naming requirements of deployments.
Security · Deployment + · Rule · 2022_12
Do not use outer deployments when referencing SecureString or SecureObject parameters.
Security · Deployment + · Rule · 2022_06
Avoid outputting sensitive deployment values.
Security · Deployment + · Rule · 2022_12
Use secure parameters for setting properties of resources that contain sensitive information.
Security · Event Grid + · Rule · 2022_09
Authenticate publishing clients with Azure AD identities.
Security · Event Grid + · Rule · 2021_12
Use managed identities to deliver Event Grid Topic events.
Security · Event Grid + · Rule · 2021_12
Use Private Endpoints to access Event Grid topics and domains.
Security · Event Hub + · Rule · 2022_03
Authenticate Event Hub publishers and consumers with Azure AD identities.
Security · Event Hub + · Rule · 2023_03
Event Hub namespaces should reject TLS versions older than 1.2.
Cost Optimization · Event Hub + · Rule · 2022_03
Regularly remove unused resources to reduce costs.
Security · Firewall + · Rule · 2020_06
Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.
Operational Excellence · Firewall + · Rule · 2021_12
Firewall names should meet naming requirements.
Security · Firewall + · Rule · 2023_09
Deny high confidence malicious IP addresses, domains and URLs.
Operational Excellence · Firewall + · Rule · 2021_12
Firewall policy names should meet naming requirements.
Security · Front Door + · Rule · 2020_06
Audit and monitor access through Front Door.
Security · Front Door + · Rule · 2023_09
Ensure Front Door uses a managed identity to authorize access to Azure resources.
Security · Front Door + · Rule · 2020_06
Front Door Classic instances should reject TLS versions older than 1.2.
Operational Excellence · Front Door + · Rule · 2020_06
Front Door names should meet naming requirements.
Reliability · Front Door + · Rule · 2021_03
Use health probes to check the health of each backend.
Reliability · Front Door + · Rule · 2021_03
Configure health probes to use HEAD requests to reduce performance overhead.
Reliability · Front Door + · Rule · 2021_03
Configure a dedicated path for health probe requests.
Cost Optimization · Front Door + · Rule · 2020_06
Enable Azure Front Door Classic instance.
Performance Efficiency · Front Door + · Rule · 2022_12
Use caching to reduce retrieving contents from origins.
Security · Front Door + · Rule · 2020_06
Enable Web Application Firewall (WAF) policies on each Front Door endpoint.
Security · Front Door + · Rule · 2020_06
Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.
Security · Front Door + · Rule · 2020_06
Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.
Operational Excellence · Front Door + · Rule · 2020_12
Front Door WAF policy names should meet naming requirements.
Security · Front Door + · Rule · 2022_09
Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.
Security · Front Door + · Rule · 2022_09
Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.
diff --git a/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html b/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html index f07248eac7..1504ddf683 100644 --- a/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html +++ b/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html @@ -12121,6 +12121,7 @@Security · Front Door + · Rule · 2022_09
Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.
Security · Front Door + · Rule · 2022_09
Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.
Operational Excellence · User Assigned Managed Identity + · Rule · 2021_12
Managed Identity names should meet naming requirements.
Security · IoT Hub + · Rule · 2023_03
IoT Hubs should reject TLS versions older than 1.2.
Security · Key Vault + · Rule · 2020_06
Use the principle of least privilege when assigning access to Key Vault.
Security · Key Vault + · Rule · 2022_09
Key Vault keys should have auto-rotation enabled.
Security · Key Vault + · Rule · 2023_03
Key Vault should only accept explicitly allowed traffic.
Operational Excellence · Key Vault + · Rule · 2021_03
Key Vault Key names should meet naming requirements.
Security · Key Vault + · Rule · 2020_06
Ensure audit diagnostics logs are enabled to audit Key Vault access.
Operational Excellence · Key Vault + · Rule · 2021_03
Key Vault names should meet naming requirements.
Reliability · Key Vault + · Rule · 2020_06
Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.
Security · Key Vault + · Rule · 2023_06
Key Vaults should use Azure RBAC as the authorization system for the data plane.
Operational Excellence · Key Vault + · Rule · 2021_03
Key Vault Secret names should meet naming requirements.
Reliability · Key Vault + · Rule · 2020_06
Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.
Reliability · Load Balancer + · Rule · 2021_09
Load balancers deployed with Standard SKU should be zone-redundant for high availability.
Operational Excellence · Load Balancer + · Rule · 2020_06
Load Balancer names should meet naming requirements.
Reliability · Load Balancer + · Rule · 2020_06
Use a specific probe for web protocols.
Reliability · Load Balancer + · Rule · 2021_09
Load balancers should be deployed with Standard SKU for production workloads.
Security · Logic App + · Rule · 2020_12
Limit HTTP request trigger access to trusted IP addresses.
Security · Azure Database for MariaDB + · Rule · 2022_12
Determine if access from Azure services is required.
Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB databases should meet naming requirements.
Security · Azure Database for MariaDB + · Rule · 2022_12
Enable Microsoft Defender for Cloud for Azure Database for MariaDB.
Security · Azure Database for MariaDB + · Rule · 2022_12
Determine if there is an excessive number of permitted IP addresses.
Security · Azure Database for MariaDB + · Rule · 2022_12
Determine if there is an excessive number of firewall rules.
Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB firewall rules should meet naming requirements.
Reliability · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB should store backups in a geo-redundant storage.
Security · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB servers should reject TLS versions older than 1.2.
Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB servers should meet naming requirements.
Security · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB servers should only accept encrypted connections.
Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12
Azure Database for MariaDB VNET rules should meet naming requirements.
Operational Excellence · Monitor + · Rule · 2020_06
Configure Service Health alerts to notify administrators.
Security · Azure Database for MySQL + · Rule · 2023_06
Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.
Security · Azure Database for MySQL + · Rule · 2023_09
Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.
Security · Azure Database for MySQL + · Rule · 2020_06
Determine if access from Azure services is required.
Security · Azure Database for MySQL + · Rule · 2022_12
Enable Microsoft Defender for Cloud for Azure Database for MySQL.
Security · Azure Database for MySQL + · Rule · 2020_06
Determine if there is an excessive number of permitted IP addresses.
Security · Azure Database for MySQL + · Rule · 2020_06
Determine if there is an excessive number of firewall rules.
Reliability · Azure Database for MySQL + · Rule · 2022_12
Azure Database for MySQL should store backups in a geo-redundant storage.
Security · Azure Database for MySQL + · Rule · 2020_09
MySQL DB servers should reject TLS versions older than 1.2.
Operational Excellence · Azure Database for MySQL + · Rule · 2020_12
Azure MySQL DB server names should meet naming requirements.
Operational Excellence · Azure Database for MySQL + · Rule · 2022_12
Use Azure Database for MySQL Flexible Server deployment model.
Security · Azure Database for MySQL + · Rule · 2020_06
Enforce encrypted MySQL connections.
Operational Excellence · Network Security Group + · Rule · 2022_09
AKS Network Security Group (NSG) should not have custom rules.
Security · Network Security Group + · Rule · 2020_06
Network security groups (NSGs) should avoid rules that allow "any" as an inbound source.
Operational Excellence · Network Security Group + · Rule · 2020_06
Network Security Groups (NSGs) should be associated to a subnet or network interface.
Operational Excellence · Network Security Group + · Rule · 2020_06
Avoid denying all inbound traffic.
Security · Network Security Group + · Rule · 2020_06
Deny outbound management connections from non-management hosts.
Operational Excellence · Network Security Group + · Rule · 2020_06
Network Security Group (NSG) names should meet naming requirements.
Operational Excellence · Policy + · Rule · 2021_06
Policy assignments should use assignedBy metadata.
Operational Excellence · Policy + · Rule · 2021_06
Policy assignments should use a display name and description.
Operational Excellence · Policy + · Rule · 2020_06
Policy and initiative definitions should use a display name, description, and category.
Operational Excellence · Policy + · Rule · 2021_06
Policy exemptions should use a display name and description.
Operational Excellence · Policy + · Rule · 2021_06
Configure policy waiver exemptions to expire.
Security · Azure Database for PostgreSQL + · Rule · 2023_06
Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.