From bccee75c5ab794cb8ca50cceca5023531e32f3e0 Mon Sep 17 00:00:00 2001 
From: BernieWhite Date: Sun, 1 Oct 2023 03:33:56 +0000 Subject: [PATCH] deploy: a95fc6d0ba4c52ff3b824b8033c8d60aef55c55a --- CHANGELOG-v1/index.html | 7 +- __pycache__/hooks.cpython-311.pyc | Bin 15640 -> 16255 bytes about/index.html | 4 +- en/rules/Azure.ACR.AdminUser/index.html | 1 + en/rules/Azure.ACR.AnonymousAccess/index.html | 1 + en/rules/Azure.ACR.ContainerScan/index.html | 1 + en/rules/Azure.ACR.ContentTrust/index.html | 1 + en/rules/Azure.ACR.Firewall/index.html | 1 + en/rules/Azure.ACR.GeoReplica/index.html | 1 + en/rules/Azure.ACR.ImageHealth/index.html | 1 + en/rules/Azure.ACR.MinSku/index.html | 1 + en/rules/Azure.ACR.Name/index.html | 1 + en/rules/Azure.ACR.Quarantine/index.html | 1 + en/rules/Azure.ACR.Retention/index.html | 1 + en/rules/Azure.ACR.SoftDelete/index.html | 1 + en/rules/Azure.ACR.Usage/index.html | 1 + en/rules/Azure.ADX.DiskEncryption/index.html | 1 + en/rules/Azure.ADX.ManagedIdentity/index.html | 1 + en/rules/Azure.ADX.SLA/index.html | 1 + en/rules/Azure.ADX.Usage/index.html | 1 + en/rules/Azure.AKS.AuditLogs/index.html | 1 + en/rules/Azure.AKS.AuthorizedIPs/index.html | 1 + en/rules/Azure.AKS.AutoScaling/index.html | 1 + en/rules/Azure.AKS.AutoUpgrade/index.html | 1 + .../Azure.AKS.AvailabilityZone/index.html | 1 + .../Azure.AKS.AzurePolicyAddOn/index.html | 1 + en/rules/Azure.AKS.AzureRBAC/index.html | 1 + en/rules/Azure.AKS.CNISubnetSize/index.html | 1 + .../Azure.AKS.ContainerInsights/index.html | 1 + en/rules/Azure.AKS.DNSPrefix/index.html | 1 + en/rules/Azure.AKS.DefenderProfile/index.html | 1 + en/rules/Azure.AKS.EphemeralOSDisk/index.html | 1 + en/rules/Azure.AKS.HttpAppRouting/index.html | 1 + en/rules/Azure.AKS.LocalAccounts/index.html | 1 + en/rules/Azure.AKS.ManagedAAD/index.html | 1 + en/rules/Azure.AKS.ManagedIdentity/index.html | 1 + en/rules/Azure.AKS.MinNodeCount/index.html | 1 + en/rules/Azure.AKS.Name/index.html | 1 + en/rules/Azure.AKS.NetworkPolicy/index.html | 1 + en/rules/Azure.AKS.NodeMinPods/index.html | 1 + 
en/rules/Azure.AKS.PlatformLogs/index.html | 1 + en/rules/Azure.AKS.PoolScaleSet/index.html | 1 + en/rules/Azure.AKS.PoolVersion/index.html | 1 + en/rules/Azure.AKS.SecretStore/index.html | 1 + .../Azure.AKS.SecretStoreRotation/index.html | 1 + en/rules/Azure.AKS.StandardLB/index.html | 1 + en/rules/Azure.AKS.UseRBAC/index.html | 1 + en/rules/Azure.AKS.Version/index.html | 1 + en/rules/Azure.APIM.APIDescriptors/index.html | 1 + .../Azure.APIM.AvailabilityZone/index.html | 1 + en/rules/Azure.APIM.CORSPolicy/index.html | 1 + .../Azure.APIM.CertificateExpiry/index.html | 1 + en/rules/Azure.APIM.Ciphers/index.html | 1 + en/rules/Azure.APIM.DefenderCloud/index.html | 1 + en/rules/Azure.APIM.EncryptValues/index.html | 1 + en/rules/Azure.APIM.HTTPBackend/index.html | 1 + en/rules/Azure.APIM.HTTPEndpoint/index.html | 1 + .../Azure.APIM.ManagedIdentity/index.html | 1 + en/rules/Azure.APIM.MinAPIVersion/index.html | 1 + en/rules/Azure.APIM.MultiRegion/index.html | 1 + .../Azure.APIM.MultiRegionGateway/index.html | 1 + en/rules/Azure.APIM.Name/index.html | 1 + en/rules/Azure.APIM.PolicyBase/index.html | 1 + .../Azure.APIM.ProductApproval/index.html | 1 + .../Azure.APIM.ProductDescriptors/index.html | 1 + .../Azure.APIM.ProductSubscription/index.html | 1 + en/rules/Azure.APIM.ProductTerms/index.html | 1 + en/rules/Azure.APIM.Protocols/index.html | 1 + en/rules/Azure.APIM.SampleProducts/index.html | 1 + en/rules/Azure.ASE.MigrateV3/index.html | 1 + en/rules/Azure.ASG.Name/index.html | 1 + en/rules/Azure.AppConfig.AuditLogs/index.html | 1 + .../index.html | 1 + .../Azure.AppConfig.GeoReplica/index.html | 1 + en/rules/Azure.AppConfig.Name/index.html | 1 + .../Azure.AppConfig.PurgeProtect/index.html | 1 + en/rules/Azure.AppConfig.SKU/index.html | 1 + .../Azure.AppGw.AvailabilityZone/index.html | 1 + en/rules/Azure.AppGw.MigrateV2/index.html | 1 + en/rules/Azure.AppGw.MinInstance/index.html | 1 + en/rules/Azure.AppGw.MinSku/index.html | 1 + en/rules/Azure.AppGw.Name/index.html | 1 
+ en/rules/Azure.AppGw.OWASP/index.html | 1 + en/rules/Azure.AppGw.Prevention/index.html | 1 + en/rules/Azure.AppGw.SSLPolicy/index.html | 1 + en/rules/Azure.AppGw.UseHTTPS/index.html | 1 + en/rules/Azure.AppGw.UseWAF/index.html | 1 + en/rules/Azure.AppGw.WAFEnabled/index.html | 1 + en/rules/Azure.AppGw.WAFRules/index.html | 1 + en/rules/Azure.AppGwWAF.Enabled/index.html | 1 + en/rules/Azure.AppGwWAF.Exclusions/index.html | 1 + .../Azure.AppGwWAF.PreventionMode/index.html | 1 + en/rules/Azure.AppGwWAF.RuleGroups/index.html | 1 + en/rules/Azure.AppInsights.Name/index.html | 1 + .../Azure.AppInsights.Workspace/index.html | 1 + .../Azure.AppService.ARRAffinity/index.html | 1 + en/rules/Azure.AppService.AlwaysOn/index.html | 1 + en/rules/Azure.AppService.HTTP2/index.html | 1 + .../index.html | 1 + en/rules/Azure.AppService.MinPlan/index.html | 1 + en/rules/Azure.AppService.MinTLS/index.html | 1 + .../Azure.AppService.NETVersion/index.html | 1 + .../Azure.AppService.PHPVersion/index.html | 1 + .../index.html | 1 + .../Azure.AppService.RemoteDebug/index.html | 1 + en/rules/Azure.AppService.UseHTTPS/index.html | 1 + en/rules/Azure.AppService.WebProbe/index.html | 1 + .../Azure.AppService.WebProbePath/index.html | 1 + .../Azure.AppService.WebSecureFtp/index.html | 1 + .../Azure.Arc.Kubernetes.Defender/index.html | 1 + .../index.html | 1 + .../Azure.Automation.AuditLogs/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.Automation.PlatformLogs/index.html | 1 + .../Azure.Automation.WebHookExpiry/index.html | 1 + en/rules/Azure.BV.Immutable/index.html | 1 + en/rules/Azure.Bastion.Name/index.html | 1 + en/rules/Azure.CDN.EndpointName/index.html | 1 + en/rules/Azure.CDN.HTTP/index.html | 1 + en/rules/Azure.CDN.MinTLS/index.html | 1 + en/rules/Azure.CDN.UseFrontDoor/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.Cognitive.PublicAccess/index.html | 1 + .../Azure.ContainerApp.APIVersion/index.html | 1 + .../index.html | 
1 + .../index.html | 1 + .../Azure.ContainerApp.Insecure/index.html | 1 + .../index.html | 1 + en/rules/Azure.ContainerApp.Name/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.ContainerApp.Storage/index.html | 1 + en/rules/Azure.Cosmos.AccountName/index.html | 1 + .../Azure.Cosmos.DefenderCloud/index.html | 1 + .../index.html | 1 + en/rules/Azure.DataFactory.Version/index.html | 1 + .../index.html | 1 + en/rules/Azure.Defender.Api/index.html | 1 + .../Azure.Defender.AppServices/index.html | 1 + en/rules/Azure.Defender.Arm/index.html | 1 + en/rules/Azure.Defender.Containers/index.html | 1 + en/rules/Azure.Defender.CosmosDb/index.html | 1 + en/rules/Azure.Defender.Cspm/index.html | 1 + en/rules/Azure.Defender.Dns/index.html | 1 + en/rules/Azure.Defender.KeyVault/index.html | 1 + en/rules/Azure.Defender.OssRdb/index.html | 1 + en/rules/Azure.Defender.SQL/index.html | 1 + en/rules/Azure.Defender.SQLOnVM/index.html | 1 + en/rules/Azure.Defender.Servers/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.DefenderCloud.Contact/index.html | 1 + .../index.html | 1 + .../Azure.Deployment.AdminUsername/index.html | 1 + en/rules/Azure.Deployment.Name/index.html | 1 + .../Azure.Deployment.OuterSecret/index.html | 1 + .../index.html | 1 + .../Azure.Deployment.SecureValue/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../index.html | 1 + en/rules/Azure.EventHub.MinTLS/index.html | 1 + en/rules/Azure.EventHub.Usage/index.html | 1 + en/rules/Azure.Firewall.Mode/index.html | 1 + en/rules/Azure.Firewall.Name/index.html | 1 + en/rules/Azure.Firewall.PolicyMode/index.html | 1 + en/rules/Azure.Firewall.PolicyName/index.html | 1 + en/rules/Azure.FrontDoor.Logs/index.html | 1 + .../index.html | 1 + en/rules/Azure.FrontDoor.MinTLS/index.html | 1 + en/rules/Azure.FrontDoor.Name/index.html | 1 + en/rules/Azure.FrontDoor.Probe/index.html | 1 + .../Azure.FrontDoor.ProbeMethod/index.html | 1 + 
en/rules/Azure.FrontDoor.ProbePath/index.html | 1 + en/rules/Azure.FrontDoor.State/index.html | 1 + .../Azure.FrontDoor.UseCaching/index.html | 1 + en/rules/Azure.FrontDoor.UseWAF/index.html | 1 + .../Azure.FrontDoor.WAF.Enabled/index.html | 1 + en/rules/Azure.FrontDoor.WAF.Mode/index.html | 1 + en/rules/Azure.FrontDoor.WAF.Name/index.html | 1 + .../Azure.FrontDoorWAF.Enabled/index.html | 1 + .../Azure.FrontDoorWAF.Exclusions/index.html | 1 + .../index.html | 1 + .../Azure.FrontDoorWAF.RuleGroups/index.html | 1 + .../index.html | 1 + en/rules/Azure.IoTHub.MinTLS/index.html | 1 + .../Azure.KeyVault.AccessPolicy/index.html | 1 + .../index.html | 1 + en/rules/Azure.KeyVault.Firewall/index.html | 1 + en/rules/Azure.KeyVault.KeyName/index.html | 1 + en/rules/Azure.KeyVault.Logs/index.html | 1 + en/rules/Azure.KeyVault.Name/index.html | 1 + .../Azure.KeyVault.PurgeProtect/index.html | 1 + en/rules/Azure.KeyVault.RBAC/index.html | 1 + en/rules/Azure.KeyVault.SecretName/index.html | 1 + en/rules/Azure.KeyVault.SoftDelete/index.html | 1 + en/rules/Azure.LB.AvailabilityZone/index.html | 1 + en/rules/Azure.LB.Name/index.html | 1 + en/rules/Azure.LB.Probe/index.html | 1 + en/rules/Azure.LB.StandardSKU/index.html | 1 + .../index.html | 1 + .../Azure.MariaDB.AllowAzureAccess/index.html | 1 + .../Azure.MariaDB.DatabaseName/index.html | 1 + .../Azure.MariaDB.DefenderCloud/index.html | 1 + .../Azure.MariaDB.FirewallIPRange/index.html | 1 + .../index.html | 1 + .../Azure.MariaDB.FirewallRuleName/index.html | 1 + .../index.html | 1 + en/rules/Azure.MariaDB.MinTLS/index.html | 1 + en/rules/Azure.MariaDB.ServerName/index.html | 1 + en/rules/Azure.MariaDB.UseSSL/index.html | 1 + .../Azure.MariaDB.VNETRuleName/index.html | 1 + .../Azure.Monitor.ServiceHealth/index.html | 1 + en/rules/Azure.MySQL.AAD/index.html | 1 + en/rules/Azure.MySQL.AADOnly/index.html | 1 + .../Azure.MySQL.AllowAzureAccess/index.html | 1 + en/rules/Azure.MySQL.DefenderCloud/index.html | 1 + 
.../Azure.MySQL.FirewallIPRange/index.html | 1 + .../Azure.MySQL.FirewallRuleCount/index.html | 1 + .../Azure.MySQL.GeoRedundantBackup/index.html | 1 + en/rules/Azure.MySQL.MinTLS/index.html | 1 + en/rules/Azure.MySQL.ServerName/index.html | 1 + en/rules/Azure.MySQL.UseFlexible/index.html | 1 + en/rules/Azure.MySQL.UseSSL/index.html | 1 + en/rules/Azure.NSG.AKSRules/index.html | 1 + .../Azure.NSG.AnyInboundSource/index.html | 1 + en/rules/Azure.NSG.Associated/index.html | 1 + en/rules/Azure.NSG.DenyAllInbound/index.html | 1 + .../Azure.NSG.LateralTraversal/index.html | 1 + en/rules/Azure.NSG.Name/index.html | 1 + .../index.html | 1 + .../index.html | 1 + en/rules/Azure.Policy.Descriptors/index.html | 1 + .../index.html | 1 + en/rules/Azure.Policy.WaiverExpiry/index.html | 1 + en/rules/Azure.PostgreSQL.AAD/index.html | 1 + en/rules/Azure.PostgreSQL.AADOnly/index.html | 1 + .../index.html | 1 + .../Azure.PostgreSQL.DefenderCloud/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../index.html | 1 + en/rules/Azure.PostgreSQL.MinTLS/index.html | 1 + .../Azure.PostgreSQL.ServerName/index.html | 1 + en/rules/Azure.PostgreSQL.UseSSL/index.html | 1 + .../Azure.PrivateEndpoint.Name/index.html | 1 + .../index.html | 1 + en/rules/Azure.PublicIP.DNSLabel/index.html | 1 + en/rules/Azure.PublicIP.IsAttached/index.html | 1 + .../Azure.PublicIP.MigrateStandard/index.html | 1 + en/rules/Azure.PublicIP.Name/index.html | 1 + .../Azure.PublicIP.StandardSKU/index.html | 1 + .../Azure.RBAC.CoAdministrator/index.html | 1 + .../Azure.RBAC.LimitMGDelegation/index.html | 1 + en/rules/Azure.RBAC.LimitOwner/index.html | 1 + en/rules/Azure.RBAC.PIM/index.html | 1 + en/rules/Azure.RBAC.UseGroups/index.html | 1 + .../Azure.RBAC.UseRGDelegation/index.html | 1 + en/rules/Azure.RSV.Immutable/index.html | 1 + en/rules/Azure.RSV.Name/index.html | 1 + .../Azure.RSV.ReplicationAlert/index.html | 1 + en/rules/Azure.RSV.StorageType/index.html | 1 + .../Azure.Redis.AvailabilityZone/index.html | 1 
+ .../Azure.Redis.FirewallIPRange/index.html | 1 + .../Azure.Redis.FirewallRuleCount/index.html | 1 + .../Azure.Redis.MaxMemoryReserved/index.html | 1 + en/rules/Azure.Redis.MinSKU/index.html | 1 + en/rules/Azure.Redis.MinTLS/index.html | 1 + en/rules/Azure.Redis.NonSslPort/index.html | 1 + .../index.html | 1 + en/rules/Azure.Redis.Version/index.html | 1 + .../Azure.RedisEnterprise.MinTLS/index.html | 1 + .../Azure.RedisEnterprise.Zones/index.html | 1 + .../Azure.Resource.AllowedRegions/index.html | 1 + en/rules/Azure.Resource.UseTags/index.html | 1 + en/rules/Azure.ResourceGroup.Name/index.html | 1 + en/rules/Azure.Route.Name/index.html | 1 + en/rules/Azure.SQL.AAD/index.html | 1 + en/rules/Azure.SQL.AADOnly/index.html | 1 + .../Azure.SQL.AllowAzureAccess/index.html | 1 + en/rules/Azure.SQL.Auditing/index.html | 1 + en/rules/Azure.SQL.DBName/index.html | 1 + en/rules/Azure.SQL.DefenderCloud/index.html | 1 + en/rules/Azure.SQL.FGName/index.html | 1 + en/rules/Azure.SQL.FirewallIPRange/index.html | 1 + .../Azure.SQL.FirewallRuleCount/index.html | 1 + en/rules/Azure.SQL.MinTLS/index.html | 1 + en/rules/Azure.SQL.ServerName/index.html | 1 + en/rules/Azure.SQL.TDE/index.html | 1 + en/rules/Azure.SQLMI.AAD/index.html | 1 + en/rules/Azure.SQLMI.AADOnly/index.html | 1 + .../Azure.SQLMI.ManagedIdentity/index.html | 1 + en/rules/Azure.SQLMI.Name/index.html | 1 + en/rules/Azure.Search.IndexSLA/index.html | 1 + .../Azure.Search.ManagedIdentity/index.html | 1 + en/rules/Azure.Search.Name/index.html | 1 + en/rules/Azure.Search.QuerySLA/index.html | 1 + en/rules/Azure.Search.SKU/index.html | 1 + .../Azure.ServiceBus.AuditLogs/index.html | 1 + .../index.html | 1 + en/rules/Azure.ServiceBus.MinTLS/index.html | 1 + en/rules/Azure.ServiceBus.Usage/index.html | 1 + en/rules/Azure.ServiceFabric.AAD/index.html | 1 + .../Azure.SignalR.ManagedIdentity/index.html | 1 + en/rules/Azure.SignalR.Name/index.html | 1 + en/rules/Azure.SignalR.SLA/index.html | 1 + 
.../Azure.Storage.BlobAccessType/index.html | 1 + .../Azure.Storage.BlobPublicAccess/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.Storage.DefenderCloud/index.html | 1 + .../index.html | 1 + en/rules/Azure.Storage.Firewall/index.html | 1 + en/rules/Azure.Storage.MinTLS/index.html | 1 + en/rules/Azure.Storage.Name/index.html | 1 + .../Azure.Storage.SecureTransfer/index.html | 1 + en/rules/Azure.Storage.SoftDelete/index.html | 1 + .../Azure.Storage.UseReplication/index.html | 1 + .../Azure.Template.DebugDeployment/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.Template.LocationDefault/index.html | 1 + .../Azure.Template.LocationType/index.html | 1 + .../Azure.Template.MetadataLink/index.html | 1 + .../index.html | 1 + .../Azure.Template.ParameterFile/index.html | 1 + .../index.html | 1 + .../index.html | 1 + .../Azure.Template.ParameterScheme/index.html | 1 + .../index.html | 1 + .../Azure.Template.ParameterValue/index.html | 1 + .../index.html | 1 + en/rules/Azure.Template.Resources/index.html | 1 + .../Azure.Template.TemplateFile/index.html | 1 + .../Azure.Template.TemplateSchema/index.html | 1 + .../Azure.Template.TemplateScheme/index.html | 1 + .../Azure.Template.UseComments/index.html | 1 + .../Azure.Template.UseDescriptions/index.html | 1 + .../index.html | 1 + .../Azure.Template.UseParameters/index.html | 1 + .../Azure.Template.UseVariables/index.html | 1 + .../Azure.Template.ValidSecretRef/index.html | 1 + .../Azure.TrafficManager.Endpoints/index.html | 1 + .../Azure.TrafficManager.Protocol/index.html | 1 + en/rules/Azure.VM.ADE/index.html | 1 + en/rules/Azure.VM.AMA/index.html | 1 + en/rules/Azure.VM.ASAlignment/index.html | 1 + en/rules/Azure.VM.ASMinMembers/index.html | 1 + en/rules/Azure.VM.ASName/index.html | 1 + .../Azure.VM.AcceleratedNetworking/index.html | 1 + en/rules/Azure.VM.Agent/index.html | 1 + en/rules/Azure.VM.BasicSku/index.html | 1 + en/rules/Azure.VM.ComputerName/index.html 
| 1 + en/rules/Azure.VM.DiskAttached/index.html | 1 + en/rules/Azure.VM.DiskCaching/index.html | 1 + en/rules/Azure.VM.DiskName/index.html | 1 + .../Azure.VM.DiskSizeAlignment/index.html | 1 + .../Azure.VM.MaintenanceConfig/index.html | 1 + en/rules/Azure.VM.MigrateAMA/index.html | 1 + en/rules/Azure.VM.NICAttached/index.html | 1 + en/rules/Azure.VM.NICName/index.html | 1 + en/rules/Azure.VM.Name/index.html | 1 + en/rules/Azure.VM.PPGName/index.html | 1 + en/rules/Azure.VM.PromoSku/index.html | 1 + en/rules/Azure.VM.PublicKey/index.html | 1 + en/rules/Azure.VM.SQLServerDisk/index.html | 1 + en/rules/Azure.VM.ScriptExtensions/index.html | 1 + .../Azure.VM.ShouldNotBeStopped/index.html | 1 + en/rules/Azure.VM.Standalone/index.html | 1 + en/rules/Azure.VM.UniqueDns/index.html | 1 + en/rules/Azure.VM.Updates/index.html | 1 + .../Azure.VM.UseHybridUseBenefit/index.html | 1 + en/rules/Azure.VM.UseManagedDisks/index.html | 1 + en/rules/Azure.VMSS.AMA/index.html | 1 + en/rules/Azure.VMSS.ComputerName/index.html | 1 + en/rules/Azure.VMSS.MigrateAMA/index.html | 1 + en/rules/Azure.VMSS.Name/index.html | 1 + en/rules/Azure.VMSS.PublicKey/index.html | 1 + .../Azure.VMSS.ScriptExtensions/index.html | 1 + en/rules/Azure.VNET.BastionSubnet/index.html | 1 + en/rules/Azure.VNET.FirewallSubnet/index.html | 1 + en/rules/Azure.VNET.LocalDNS/index.html | 1 + en/rules/Azure.VNET.Name/index.html | 1 + en/rules/Azure.VNET.PeerState/index.html | 1 + en/rules/Azure.VNET.SingleDNS/index.html | 1 + en/rules/Azure.VNET.SubnetName/index.html | 1 + en/rules/Azure.VNET.UseNSGs/index.html | 1 + en/rules/Azure.VNG.ConnectionName/index.html | 1 + .../index.html | 1 + en/rules/Azure.VNG.ERLegacySKU/index.html | 1 + en/rules/Azure.VNG.Name/index.html | 1 + en/rules/Azure.VNG.VPNActiveActive/index.html | 1 + .../index.html | 1 + en/rules/Azure.VNG.VPNLegacySKU/index.html | 1 + .../index.html | 1 + en/rules/Azure.WebPubSub.SLA/index.html | 1 + en/rules/Azure.vWAN.Name/index.html | 1 + 
en/rules/metadata.json | 8131 +++++++++-------- es/rules/Azure.ACR.AdminUser/index.html | 1 + es/rules/Azure.ACR.ContainerScan/index.html | 1 + es/rules/Azure.ACR.ContentTrust/index.html | 1 + es/rules/Azure.ACR.GeoReplica/index.html | 1 + es/rules/Azure.ACR.ImageHealth/index.html | 1 + es/rules/Azure.ACR.MinSku/index.html | 1 + es/rules/Azure.ACR.Name/index.html | 1 + es/rules/Azure.ACR.Quarantine/index.html | 1 + es/rules/Azure.ACR.Retention/index.html | 1 + es/rules/Azure.ACR.Usage/index.html | 1 + es/rules/metadata.json | 7355 ++++++++------- features/index.html | 4 +- hooks.py | 7 + index.html | 2 +- search/search_index.json | 2 +- sitemap.xml.gz | Bin 4153 -> 4153 bytes working-with-baselines/index.html | 4 +- 420 files changed, 8574 insertions(+), 7351 deletions(-)
diff --git a/CHANGELOG-v1/index.html b/CHANGELOG-v1/index.html
index 0b35d17ad2..49a686ec61 100644
--- a/CHANGELOG-v1/index.html
+++ b/CHANGELOG-v1/index.html
@@ -14988,6 +14988,11 @@

Unreleased@BernieWhite. + #2115 + +
  • Engineering:

    If you want to write your own tests, you can do that too in your choice of YAML, JSON, or PowerShell. -However with over 390 tests already built, you can identify and fix issues day one.

    +However with over 400 tests already built, you can identify and fix issues day one.

    Get started with a sample repository

    To get started with a sample repository, see PSRule for Azure Quick Start on GitHub.

    @@ -12088,7 +12088,7 @@

    Who uses PSRule for Azure?Disable ACR admin userAzure.ACR.AdminUserAZR-000005Error

    Security · Container Registry + · Rule · 2020_06

    Use Azure AD identities instead of using the registry admin user.

    Description#

diff --git a/en/rules/Azure.ACR.AnonymousAccess/index.html b/en/rules/Azure.ACR.AnonymousAccess/index.html
index 75b7aaf6d8..233dc468ba 100644
--- a/en/rules/Azure.ACR.AnonymousAccess/index.html
+++ b/en/rules/Azure.ACR.AnonymousAccess/index.html
@@ -12149,6 +12149,7 @@

    Anonymous pull accessAzure.ACR.AnonymousAccessAZR-000401Error

    Security · Container Registry + · Rule · Preview · 2023_09

    Disable anonymous pull access.

diff --git a/en/rules/Azure.ACR.ContainerScan/index.html b/en/rules/Azure.ACR.ContainerScan/index.html
index d15ab2e940..b4666917ed 100644
--- a/en/rules/Azure.ACR.ContainerScan/index.html
+++ b/en/rules/Azure.ACR.ContainerScan/index.html
@@ -12163,6 +12163,7 @@

    Scan Container Registry imagesAzure.ACR.ContainerScanAZR-000002Error

    Security · Container Registry + · Rule · 2020_12

    Enable vulnerability scanning for container images.

    Description#

diff --git a/en/rules/Azure.ACR.ContentTrust/index.html b/en/rules/Azure.ACR.ContentTrust/index.html
index b961351753..492334079d 100644
--- a/en/rules/Azure.ACR.ContentTrust/index.html
+++ b/en/rules/Azure.ACR.ContentTrust/index.html
@@ -12121,6 +12121,7 @@

    Use trusted container imagesAzure.ACR.ContentTrustAZR-000009Error

    Security · Container Registry + · Rule · 2020_12

    Use container images signed by a trusted image publisher.

    Description#

diff --git a/en/rules/Azure.ACR.Firewall/index.html b/en/rules/Azure.ACR.Firewall/index.html
index e111c3fa96..0c4eacf5f0 100644
--- a/en/rules/Azure.ACR.Firewall/index.html
+++ b/en/rules/Azure.ACR.Firewall/index.html
@@ -12135,6 +12135,7 @@

    Restrict network access

    Security · Container Registry + · Rule · 2023_09

    Limit network access of container registries to only trusted clients.

    Description#

diff --git a/en/rules/Azure.ACR.GeoReplica/index.html b/en/rules/Azure.ACR.GeoReplica/index.html
index 375ddc7267..2f283e8dd1 100644
--- a/en/rules/Azure.ACR.GeoReplica/index.html
+++ b/en/rules/Azure.ACR.GeoReplica/index.html
@@ -12135,6 +12135,7 @@

    Geo-replicate container imagesAzure.ACR.GeoReplicaAZR-000004Error

    Reliability · Container Registry + · Rule · 2020_12

    Use geo-replicated container registries to compliment a multi-region container deployments.

    Description#

diff --git a/en/rules/Azure.ACR.ImageHealth/index.html b/en/rules/Azure.ACR.ImageHealth/index.html
index f233ce8d36..642a30688f 100644
--- a/en/rules/Azure.ACR.ImageHealth/index.html
+++ b/en/rules/Azure.ACR.ImageHealth/index.html
@@ -12081,6 +12081,7 @@

    Remove vulnerable container imagesAzure.ACR.ImageHealthAZR-000003Error

    Security · Container Registry + · Rule · 2020_12

    Remove container images with known vulnerabilities.

    Description#

diff --git a/en/rules/Azure.ACR.MinSku/index.html b/en/rules/Azure.ACR.MinSku/index.html
index d24b918f7c..86064b35d2 100644
--- a/en/rules/Azure.ACR.MinSku/index.html
+++ b/en/rules/Azure.ACR.MinSku/index.html
@@ -12121,6 +12121,7 @@

    Use ACR production SKUAzure.ACR.MinSkuAZR-000006Error

    Reliability · Container Registry + · Rule · 2020_06

    ACR should use the Premium or Standard SKU for production deployments.

    Description#

diff --git a/en/rules/Azure.ACR.Name/index.html b/en/rules/Azure.ACR.Name/index.html
index 32d7818e9a..791814615e 100644
--- a/en/rules/Azure.ACR.Name/index.html
+++ b/en/rules/Azure.ACR.Name/index.html
@@ -12135,6 +12135,7 @@

    Use valid registry namesAzure.ACR.NameAZR-000007Error

    Operational Excellence · Container Registry + · Rule · 2020_06

    Container registry names should meet naming requirements.

    Description#

diff --git a/en/rules/Azure.ACR.Quarantine/index.html b/en/rules/Azure.ACR.Quarantine/index.html
index da56c918b2..b6788fc20d 100644
--- a/en/rules/Azure.ACR.Quarantine/index.html
+++ b/en/rules/Azure.ACR.Quarantine/index.html
@@ -12135,6 +12135,7 @@

    Use container image quarantine p

    Security · Container Registry + · Rule · Preview · 2020_12

    Enable container image quarantine, scan, and mark images as verified.

diff --git a/en/rules/Azure.ACR.Retention/index.html b/en/rules/Azure.ACR.Retention/index.html
index 4a14d5adb3..1b20f7d4de 100644
--- a/en/rules/Azure.ACR.Retention/index.html
+++ b/en/rules/Azure.ACR.Retention/index.html
@@ -12135,6 +12135,7 @@

    Configure ACR retention policiesAzure.ACR.RetentionAZR-000010Error

    Cost Optimization · Container Registry + · Rule · Preview · 2020_12

    Use a retention policy to cleanup untagged manifests.

diff --git a/en/rules/Azure.ACR.SoftDelete/index.html b/en/rules/Azure.ACR.SoftDelete/index.html
index d8835c96b4..72486e6d5b 100644
--- a/en/rules/Azure.ACR.SoftDelete/index.html
+++ b/en/rules/Azure.ACR.SoftDelete/index.html
@@ -12135,6 +12135,7 @@

    Use ACR soft delete policyAzure.ACR.SoftDeleteAZR-000310Error

    Reliability · Container Registry + · Rule · Preview · 2022_09

    Azure Container Registries should have soft delete policy enabled.

diff --git a/en/rules/Azure.ACR.Usage/index.html b/en/rules/Azure.ACR.Usage/index.html
index fe277acf69..091b5bb685 100644
--- a/en/rules/Azure.ACR.Usage/index.html
+++ b/en/rules/Azure.ACR.Usage/index.html
@@ -12081,6 +12081,7 @@

    Container registry storage usageAzure.ACR.UsageAZR-000001Error

    Cost Optimization · Container Registry + · Rule · 2020_12

    Regularly remove deprecated and unneeded images to reduce storage usage.

    Description#

diff --git a/en/rules/Azure.ADX.DiskEncryption/index.html b/en/rules/Azure.ADX.DiskEncryption/index.html
index 4409174e98..67f92688e3 100644
--- a/en/rules/Azure.ADX.DiskEncryption/index.html
+++ b/en/rules/Azure.ADX.DiskEncryption/index.html
@@ -12121,6 +12121,7 @@

    Use disk encryptio

    Security · Data Explorer + · Rule · 2022_03

    Use disk encryption for Azure Data Explorer (ADX) clusters.

    Description#

diff --git a/en/rules/Azure.ADX.ManagedIdentity/index.html b/en/rules/Azure.ADX.ManagedIdentity/index.html
index f944ab252b..7d29afd3ca 100644
--- a/en/rules/Azure.ADX.ManagedIdentity/index.html
+++ b/en/rules/Azure.ADX.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    Use managed identitie

    Security · Data Explorer + · Rule · 2022_03

    Configure Data Explorer clusters to use managed identities to access Azure resources securely.

    Description#

diff --git a/en/rules/Azure.ADX.SLA/index.html b/en/rules/Azure.ADX.SLA/index.html
index 13abb395e5..a89519ceed 100644
--- a/en/rules/Azure.ADX.SLA/index.html
+++ b/en/rules/Azure.ADX.SLA/index.html
@@ -12121,6 +12121,7 @@

    Use an SLA for Azure Data E

    Reliability · Data Explorer + · Rule · 2022_03

    Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.

    Description#

diff --git a/en/rules/Azure.ADX.Usage/index.html b/en/rules/Azure.ADX.Usage/index.html
index b0a0af68d5..78b5828e0c 100644
--- a/en/rules/Azure.ADX.Usage/index.html
+++ b/en/rules/Azure.ADX.Usage/index.html
@@ -12081,6 +12081,7 @@

    Remove unused Data Explorer cluste

    Cost Optimization · Data Explorer + · Rule · 2022_03

    Regularly remove unused resources to reduce costs.

    Description#

diff --git a/en/rules/Azure.AKS.AuditLogs/index.html b/en/rules/Azure.AKS.AuditLogs/index.html
index c7c8e1a5fb..b6ef9b0d5e 100644
--- a/en/rules/Azure.AKS.AuditLogs/index.html
+++ b/en/rules/Azure.AKS.AuditLogs/index.html
@@ -12107,6 +12107,7 @@

    AKS clusters shou

    Security · Azure Kubernetes Service + · Rule · 2021_09

    AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.

    Description#

diff --git a/en/rules/Azure.AKS.AuthorizedIPs/index.html b/en/rules/Azure.AKS.AuthorizedIPs/index.html
index 559cf76aee..6eb19a292e 100644
--- a/en/rules/Azure.AKS.AuthorizedIPs/index.html
+++ b/en/rules/Azure.AKS.AuthorizedIPs/index.html
@@ -12107,6 +12107,7 @@

    Restrict access to AKS API

    Security · Azure Kubernetes Service + · Rule · 2021_06

    Restrict access to API server endpoints to authorized IP addresses.

    Description#

diff --git a/en/rules/Azure.AKS.AutoScaling/index.html b/en/rules/Azure.AKS.AutoScaling/index.html
index 719f53a88a..f339047422 100644
--- a/en/rules/Azure.AKS.AutoScaling/index.html
+++ b/en/rules/Azure.AKS.AutoScaling/index.html
@@ -12161,6 +12161,7 @@

    Enable AKS cluster autoscalerAzure.AKS.AutoScalingAZR-000019Error

    Performance Efficiency · Azure Kubernetes Service + · Rule · 2021_09

    Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present.

    Description#

diff --git a/en/rules/Azure.AKS.AutoUpgrade/index.html b/en/rules/Azure.AKS.AutoUpgrade/index.html
index 8b8f5de2d3..672fc96bf7 100644
--- a/en/rules/Azure.AKS.AutoUpgrade/index.html
+++ b/en/rules/Azure.AKS.AutoUpgrade/index.html
@@ -12135,6 +12135,7 @@

    Set AKS auto-upgrade channelAzure.AKS.AutoUpgradeAZR-000036Error

    Operational Excellence · Azure Kubernetes Service + · Rule · 2021_12

    Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.

    Description#

diff --git a/en/rules/Azure.AKS.AvailabilityZone/index.html b/en/rules/Azure.AKS.AvailabilityZone/index.html
index aa94e216aa..919d888ed0 100644
--- a/en/rules/Azure.AKS.AvailabilityZone/index.html
+++ b/en/rules/Azure.AKS.AvailabilityZone/index.html
@@ -12161,6 +12161,7 @@

    AKS clu

    Reliability · Azure Kubernetes Service + · Rule · 2021_09

    AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.

    Description#

diff --git a/en/rules/Azure.AKS.AzurePolicyAddOn/index.html b/en/rules/Azure.AKS.AzurePolicyAddOn/index.html
index 5cb5baccca..11f6e2f5ad 100644
--- a/en/rules/Azure.AKS.AzurePolicyAddOn/index.html
+++ b/en/rules/Azure.AKS.AzurePolicyAddOn/index.html
@@ -12135,6 +12135,7 @@

    Use Azure Policy Add-on with

    Security · Azure Kubernetes Service + · Rule · 2020_12

    Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.

    Description#

diff --git a/en/rules/Azure.AKS.AzureRBAC/index.html b/en/rules/Azure.AKS.AzureRBAC/index.html
index 0c3a034021..fc75ef18bf 100644
--- a/en/rules/Azure.AKS.AzureRBAC/index.html
+++ b/en/rules/Azure.AKS.AzureRBAC/index.html
@@ -12121,6 +12121,7 @@

    Use Azure RBAC for Kubernet

    Security · Azure Kubernetes Service + · Rule · 2021_06

    Use Azure RBAC for Kubernetes Authorization with AKS clusters.

    Description#

diff --git a/en/rules/Azure.AKS.CNISubnetSize/index.html b/en/rules/Azure.AKS.CNISubnetSize/index.html
index 0974e36ffd..b5a7b03dbf 100644
--- a/en/rules/Azure.AKS.CNISubnetSize/index.html
+++ b/en/rules/Azure.AKS.CNISubnetSize/index.html
@@ -12081,6 +12081,7 @@

    AKS clusters usin

    Reliability · Azure Kubernetes Service + · Rule · 2021_09

    AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.

    Description#

diff --git a/en/rules/Azure.AKS.ContainerInsights/index.html b/en/rules/Azure.AKS.ContainerInsights/index.html
index da5623e2fd..7f1353c061 100644
--- a/en/rules/Azure.AKS.ContainerInsights/index.html
+++ b/en/rules/Azure.AKS.ContainerInsights/index.html
@@ -12161,6 +12161,7 @@

    Enable AKS Container insightsAzure.AKS.ContainerInsightsAZR-000041Error

    Operational Excellence · Azure Kubernetes Service + · Rule · 2021_09

    Enable Container insights to monitor AKS cluster workloads.

    Description#

diff --git a/en/rules/Azure.AKS.DNSPrefix/index.html b/en/rules/Azure.AKS.DNSPrefix/index.html
index d41a2bccc5..c38eb8e19d 100644
--- a/en/rules/Azure.AKS.DNSPrefix/index.html
+++ b/en/rules/Azure.AKS.DNSPrefix/index.html
@@ -12067,6 +12067,7 @@

    Use valid AKS cluster DNS prefixAzure.AKS.DNSPrefixAZR-000040Error

    Operational Excellence · Azure Kubernetes Service + · Rule · 2020_06

    Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.

    Description#

diff --git a/en/rules/Azure.AKS.DefenderProfile/index.html b/en/rules/Azure.AKS.DefenderProfile/index.html
index 9cd4b409b9..c52a65ac0e 100644
--- a/en/rules/Azure.AKS.DefenderProfile/index.html
+++ b/en/rules/Azure.AKS.DefenderProfile/index.html
@@ -12135,6 +12135,7 @@

    Enable Defender profileAzure.AKS.DefenderProfileAZR-000370Error

    Security · Azure Kubernetes Service + · Rule · 2023_03

    Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.

    Description#

    diff --git a/en/rules/Azure.AKS.EphemeralOSDisk/index.html b/en/rules/Azure.AKS.EphemeralOSDisk/index.html
    index 8544138b7e..ac0c81df7c 100644
    --- a/en/rules/Azure.AKS.EphemeralOSDisk/index.html
    +++ b/en/rules/Azure.AKS.EphemeralOSDisk/index.html
    @@ -12121,6 +12121,7 @@

    Use AKS Ephemeral OS diskAzure.AKS.EphemeralOSDiskAZR-000287Warning

    Performance Efficiency · Azure Kubernetes Service + · Rule · 2022_09

    AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.

    Description#

    diff --git a/en/rules/Azure.AKS.HttpAppRouting/index.html b/en/rules/Azure.AKS.HttpAppRouting/index.html
    index e234b8f4e0..b94e82f06a 100644
    --- a/en/rules/Azure.AKS.HttpAppRouting/index.html
    +++ b/en/rules/Azure.AKS.HttpAppRouting/index.html
    @@ -12121,6 +12121,7 @@

    Disable HTTP application routin

    Security · Azure Kubernetes Service + · Rule · 2021_12

    Disable HTTP application routing add-on in AKS clusters.

    Description#

    diff --git a/en/rules/Azure.AKS.LocalAccounts/index.html b/en/rules/Azure.AKS.LocalAccounts/index.html
    index ad0b07514d..2badf4615a 100644
    --- a/en/rules/Azure.AKS.LocalAccounts/index.html
    +++ b/en/rules/Azure.AKS.LocalAccounts/index.html
    @@ -12149,6 +12149,7 @@

    Disable AKS local accountsAzure.AKS.LocalAccountsAZR-000031Error

    Security · Azure Kubernetes Service + · Rule · Preview · 2021_06

    Enforce named user accounts with RBAC assigned permissions.

    diff --git a/en/rules/Azure.AKS.ManagedAAD/index.html b/en/rules/Azure.AKS.ManagedAAD/index.html
    index c2f1d38878..dcca08b6b5 100644
    --- a/en/rules/Azure.AKS.ManagedAAD/index.html
    +++ b/en/rules/Azure.AKS.ManagedAAD/index.html
    @@ -12135,6 +12135,7 @@

    Enable AKS-managed Azure ADAzure.AKS.ManagedAADAZR-000029Error

    Security · Azure Kubernetes Service + · Rule · 2021_06

    Use AKS-managed Azure AD to simplify authorization and improve security.

    Description#

    diff --git a/en/rules/Azure.AKS.ManagedIdentity/index.html b/en/rules/Azure.AKS.ManagedIdentity/index.html
    index 977a181998..f51f4d9635 100644
    --- a/en/rules/Azure.AKS.ManagedIdentity/index.html
    +++ b/en/rules/Azure.AKS.ManagedIdentity/index.html
    @@ -12081,6 +12081,7 @@

    Use managed ident

    Security · Azure Kubernetes Service + · Rule · 2020_06

    Configure AKS clusters to use managed identities for managing cluster infrastructure.

    Description#

    diff --git a/en/rules/Azure.AKS.MinNodeCount/index.html b/en/rules/Azure.AKS.MinNodeCount/index.html
    index cca0947a68..b0a31ec91a 100644
    --- a/en/rules/Azure.AKS.MinNodeCount/index.html
    +++ b/en/rules/Azure.AKS.MinNodeCount/index.html
    @@ -12067,6 +12067,7 @@

    Azure.AKS.MinNodeCountAzure.AKS.MinNodeCountAZR-000024Error

    Reliability · Azure Kubernetes Service + · Rule · 2020_06

    AKS clusters should have minimum number of nodes for failover and updates.

    Description#

    diff --git a/en/rules/Azure.AKS.Name/index.html b/en/rules/Azure.AKS.Name/index.html
    index 8c58f671de..b425bee794 100644
    --- a/en/rules/Azure.AKS.Name/index.html
    +++ b/en/rules/Azure.AKS.Name/index.html
    @@ -12081,6 +12081,7 @@

    Use valid AKS cluster namesAzure.AKS.NameAZR-000039Error

    Operational Excellence · Azure Kubernetes Service + · Rule · 2020_06

    Azure Kubernetes Service (AKS) cluster names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.AKS.NetworkPolicy/index.html b/en/rules/Azure.AKS.NetworkPolicy/index.html
    index a9da22ef19..6f8b48f062 100644
    --- a/en/rules/Azure.AKS.NetworkPolicy/index.html
    +++ b/en/rules/Azure.AKS.NetworkPolicy/index.html
    @@ -12135,6 +12135,7 @@

    AKS clusters use Network PoliciesAzure.AKS.NetworkPolicyAZR-000027Error

    Security · Azure Kubernetes Service + · Rule · 2020_06

    Deploy AKS clusters with Network Policies enabled.

    Description#

    diff --git a/en/rules/Azure.AKS.NodeMinPods/index.html b/en/rules/Azure.AKS.NodeMinPods/index.html
    index 6f7cf6973f..769c2fa872 100644
    --- a/en/rules/Azure.AKS.NodeMinPods/index.html
    +++ b/en/rules/Azure.AKS.NodeMinPods/index.html
    @@ -12135,6 +12135,7 @@

    Nodes use a minimum number of podsAzure.AKS.NodeMinPodsAZR-000018Error

    Performance Efficiency · Azure Kubernetes Service + · Rule · 2020_06

    Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.

    Description#

    diff --git a/en/rules/Azure.AKS.PlatformLogs/index.html b/en/rules/Azure.AKS.PlatformLogs/index.html
    index 0b6ef77e0f..05a9421fca 100644
    --- a/en/rules/Azure.AKS.PlatformLogs/index.html
    +++ b/en/rules/Azure.AKS.PlatformLogs/index.html
    @@ -12121,6 +12121,7 @@

    AKS clusters shoul

    Operational Excellence · Azure Kubernetes Service + · Rule · 2021_09

    AKS clusters should collect platform diagnostic logs to monitor the state of workloads.

    Description#

    diff --git a/en/rules/Azure.AKS.PoolScaleSet/index.html b/en/rules/Azure.AKS.PoolScaleSet/index.html
    index 06c15e740f..abd3ae4e02 100644
    --- a/en/rules/Azure.AKS.PoolScaleSet/index.html
    +++ b/en/rules/Azure.AKS.PoolScaleSet/index.html
    @@ -12121,6 +12121,7 @@

    AKS clusters use VM scale setsAzure.AKS.PoolScaleSetAZR-000017Error

    Performance Efficiency · Azure Kubernetes Service + · Rule · 2020_06

    Deploy AKS clusters with nodes pools based on VM scale sets.

    Description#

    diff --git a/en/rules/Azure.AKS.PoolVersion/index.html b/en/rules/Azure.AKS.PoolVersion/index.html
    index 5321af72af..07122b0299 100644
    --- a/en/rules/Azure.AKS.PoolVersion/index.html
    +++ b/en/rules/Azure.AKS.PoolVersion/index.html
    @@ -12067,6 +12067,7 @@

    Upgrade AKS node pool versionAzure.AKS.PoolVersionAZR-000016Error

    Reliability · Azure Kubernetes Service + · Rule · 2020_06

    AKS node pools should match Kubernetes control plane version.

    Description#

    diff --git a/en/rules/Azure.AKS.SecretStore/index.html b/en/rules/Azure.AKS.SecretStore/index.html
    index 27492a37ea..80b8251aa6 100644
    --- a/en/rules/Azure.AKS.SecretStore/index.html
    +++ b/en/rules/Azure.AKS.SecretStore/index.html
    @@ -12135,6 +12135,7 @@

    AKS clusters use Key Vault

    Security · Azure Kubernetes Service + · Rule · 2021_12

    Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.

    Description#

    diff --git a/en/rules/Azure.AKS.SecretStoreRotation/index.html b/en/rules/Azure.AKS.SecretStoreRotation/index.html
    index a9b5afbfa0..28dc3c94c5 100644
    --- a/en/rules/Azure.AKS.SecretStoreRotation/index.html
    +++ b/en/rules/Azure.AKS.SecretStoreRotation/index.html
    @@ -12135,6 +12135,7 @@

    AKS clusters refresh secret

    Security · Azure Kubernetes Service + · Rule · 2021_12

    Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.

    Description#

    diff --git a/en/rules/Azure.AKS.StandardLB/index.html b/en/rules/Azure.AKS.StandardLB/index.html
    index 0a052bb8a3..686b992419 100644
    --- a/en/rules/Azure.AKS.StandardLB/index.html
    +++ b/en/rules/Azure.AKS.StandardLB/index.html
    @@ -12121,6 +12121,7 @@

    Use the Standard load balancer SKUAzure.AKS.StandardLBAZR-000026Error

    Performance Efficiency · Azure Kubernetes Service + · Rule · 2020_06

    Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.

    Description#

    diff --git a/en/rules/Azure.AKS.UseRBAC/index.html b/en/rules/Azure.AKS.UseRBAC/index.html
    index 1de416ad4b..fb17beef5d 100644
    --- a/en/rules/Azure.AKS.UseRBAC/index.html
    +++ b/en/rules/Azure.AKS.UseRBAC/index.html
    @@ -12067,6 +12067,7 @@

    AKS clusters use RBACAzure.AKS.UseRBACAZR-000038Error

    Security · Azure Kubernetes Service + · Rule · 2020_06

    Deploy AKS cluster with role-based access control (RBAC) enabled.

    Description#

    diff --git a/en/rules/Azure.AKS.Version/index.html b/en/rules/Azure.AKS.Version/index.html
    index cc24a05502..324f2a3832 100644
    --- a/en/rules/Azure.AKS.Version/index.html
    +++ b/en/rules/Azure.AKS.Version/index.html
    @@ -12163,6 +12163,7 @@

    Upgrade Kubernetes versionAzure.AKS.VersionAZR-000015Error

    Reliability · Azure Kubernetes Service + · Rule · 2020_06

    AKS control plane and nodes pools should use a current stable release.

    Description#

    diff --git a/en/rules/Azure.APIM.APIDescriptors/index.html b/en/rules/Azure.APIM.APIDescriptors/index.html
    index a2111d2239..2a3e90a024 100644
    --- a/en/rules/Azure.APIM.APIDescriptors/index.html
    +++ b/en/rules/Azure.APIM.APIDescriptors/index.html
    @@ -12121,6 +12121,7 @@

    Use API descriptorsAzure.APIM.APIDescriptorsAZR-000043Warning

    Operational Excellence · API Management + · Rule · 2020_09

    API Management APIs should have a display name and description.

    Description#

    diff --git a/en/rules/Azure.APIM.AvailabilityZone/index.html b/en/rules/Azure.APIM.AvailabilityZone/index.html
    index 78addfe4e8..9265c052d6 100644
    --- a/en/rules/Azure.APIM.AvailabilityZone/index.html
    +++ b/en/rules/Azure.APIM.AvailabilityZone/index.html
    @@ -12135,6 +12135,7 @@

    Azure.APIM.AvailabilityZoneAZR-000052Error

    Reliability · API Management + · Rule · 2021_12

    API management services deployed with Premium SKU should use availability zones in supported regions for high availability.

    Description#

    diff --git a/en/rules/Azure.APIM.CORSPolicy/index.html b/en/rules/Azure.APIM.CORSPolicy/index.html
    index e85f2d1ee2..0e3190fbf2 100644
    --- a/en/rules/Azure.APIM.CORSPolicy/index.html
    +++ b/en/rules/Azure.APIM.CORSPolicy/index.html
    @@ -12149,6 +12149,7 @@

    Avoid wildcards in APIM CORS poli

    Security · API Management + · Rule · 2023_03

    Avoid using wildcard for any configuration option in CORS policies.

    Description#

    diff --git a/en/rules/Azure.APIM.CertificateExpiry/index.html b/en/rules/Azure.APIM.CertificateExpiry/index.html
    index 5b71c84b0d..7052496a21 100644
    --- a/en/rules/Azure.APIM.CertificateExpiry/index.html
    +++ b/en/rules/Azure.APIM.CertificateExpiry/index.html
    @@ -12081,6 +12081,7 @@

    API Management uses current ce

    Operational Excellence · API Management + · Rule · 2020_06

    Renew certificates used for custom domain bindings.

    Description#

    diff --git a/en/rules/Azure.APIM.Ciphers/index.html b/en/rules/Azure.APIM.Ciphers/index.html
    index c4cc8bd8ca..657fe73d07 100644
    --- a/en/rules/Azure.APIM.Ciphers/index.html
    +++ b/en/rules/Azure.APIM.Ciphers/index.html
    @@ -12121,6 +12121,7 @@

    Use secure ciphers for API Manage

    Security · API Management + · Rule · 2022_03

    API Management should not accept weak or deprecated ciphers for client or backend communication.

    Description#

    diff --git a/en/rules/Azure.APIM.DefenderCloud/index.html b/en/rules/Azure.APIM.DefenderCloud/index.html
    index e1607695e2..949c5ac323 100644
    --- a/en/rules/Azure.APIM.DefenderCloud/index.html
    +++ b/en/rules/Azure.APIM.DefenderCloud/index.html
    @@ -12135,6 +12135,7 @@

    Onboard Defender for APIsAzure.APIM.DefenderCloudAZR-000387Error

    Security · API Management + · Rule · 2023_06

    APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.

    Description#

    diff --git a/en/rules/Azure.APIM.EncryptValues/index.html b/en/rules/Azure.APIM.EncryptValues/index.html
    index bff79de4ce..82a69c2031 100644
    --- a/en/rules/Azure.APIM.EncryptValues/index.html
    +++ b/en/rules/Azure.APIM.EncryptValues/index.html
    @@ -12121,6 +12121,7 @@

    Use encrypted named valuesAzure.APIM.EncryptValuesAZR-000045Error

    Security · API Management + · Rule · 2023_06

    Encrypt all API Management named values with Key Vault secrets.

    Description#

    diff --git a/en/rules/Azure.APIM.HTTPBackend/index.html b/en/rules/Azure.APIM.HTTPBackend/index.html
    index 23f8855f8c..0ebbf6fd20 100644
    --- a/en/rules/Azure.APIM.HTTPBackend/index.html
    +++ b/en/rules/Azure.APIM.HTTPBackend/index.html
    @@ -12121,6 +12121,7 @@

    Use HTTPS backend connectionsAzure.APIM.HTTPBackendAZR-000044Error

    Security · API Management + · Rule · 2020_06

    Use HTTPS for communication to backend services.

    Description#

    diff --git a/en/rules/Azure.APIM.HTTPEndpoint/index.html b/en/rules/Azure.APIM.HTTPEndpoint/index.html
    index 98ac1bd010..61a54c525f 100644
    --- a/en/rules/Azure.APIM.HTTPEndpoint/index.html
    +++ b/en/rules/Azure.APIM.HTTPEndpoint/index.html
    @@ -12067,6 +12067,7 @@

    Publish APIs through HTTPS conne

    Security · API Management + · Rule · 2020_06

    Enforce HTTPS for communication to API clients.

    Description#

    diff --git a/en/rules/Azure.APIM.ManagedIdentity/index.html b/en/rules/Azure.APIM.ManagedIdentity/index.html
    index 655c85e49a..a36f79d95f 100644
    --- a/en/rules/Azure.APIM.ManagedIdentity/index.html
    +++ b/en/rules/Azure.APIM.ManagedIdentity/index.html
    @@ -12121,6 +12121,7 @@

    API Management uses a managed id

    Security · API Management + · Rule · 2020_06

    Configure managed identities to access Azure resources.

    Description#

    diff --git a/en/rules/Azure.APIM.MinAPIVersion/index.html b/en/rules/Azure.APIM.MinAPIVersion/index.html
    index 9f0f79d1e9..93ac60da4e 100644
    --- a/en/rules/Azure.APIM.MinAPIVersion/index.html
    +++ b/en/rules/Azure.APIM.MinAPIVersion/index.html
    @@ -12135,6 +12135,7 @@

    API Man

    Operational Excellence · API Management + · Rule · 2022_12

    API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.

    Description#

    diff --git a/en/rules/Azure.APIM.MultiRegion/index.html b/en/rules/Azure.APIM.MultiRegion/index.html
    index 806eda6c2f..4202a1e674 100644
    --- a/en/rules/Azure.APIM.MultiRegion/index.html
    +++ b/en/rules/Azure.APIM.MultiRegion/index.html
    @@ -12135,6 +12135,7 @@

    Multi-region deploymentAzure.APIM.MultiRegionAZR-000340Error

    Reliability · API Management + · Rule · 2022_12

    API Management instances should use multi-region deployment to improve service availability.

    Description#

    diff --git a/en/rules/Azure.APIM.MultiRegionGateway/index.html b/en/rules/Azure.APIM.MultiRegionGateway/index.html
    index 4c9a5b4359..42505b1280 100644
    --- a/en/rules/Azure.APIM.MultiRegionGateway/index.html
    +++ b/en/rules/Azure.APIM.MultiRegionGateway/index.html
    @@ -12121,6 +12121,7 @@

    Multi-region deployment gatewaysAzure.APIM.MultiRegionGatewayAZR-000341Error

    Reliability · API Management + · Rule · 2022_12

    API Management instances should have multi-region deployment gateways enabled.

    Description#

    diff --git a/en/rules/Azure.APIM.Name/index.html b/en/rules/Azure.APIM.Name/index.html
    index 5eeab13dce..fd91ee5717 100644
    --- a/en/rules/Azure.APIM.Name/index.html
    +++ b/en/rules/Azure.APIM.Name/index.html
    @@ -12081,6 +12081,7 @@

    Use valid API Management service

    Operational Excellence · API Management + · Rule · 2020_09

    API Management service names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.APIM.PolicyBase/index.html b/en/rules/Azure.APIM.PolicyBase/index.html
    index e577c0de8f..60950d6af2 100644
    --- a/en/rules/Azure.APIM.PolicyBase/index.html
    +++ b/en/rules/Azure.APIM.PolicyBase/index.html
    @@ -12135,6 +12135,7 @@

    Base elementAzure.APIM.PolicyBaseAZR-000371Error

    Security · API Management + · Rule · 2023_06

    Base element for any policy element in a section should be configured.

    Description#

    diff --git a/en/rules/Azure.APIM.ProductApproval/index.html b/en/rules/Azure.APIM.ProductApproval/index.html
    index 1b277ae9fd..939851cbcb 100644
    --- a/en/rules/Azure.APIM.ProductApproval/index.html
    +++ b/en/rules/Azure.APIM.ProductApproval/index.html
    @@ -12067,6 +12067,7 @@

    Require approval for productsAzure.APIM.ProductApprovalAZR-000047Error

    Security · API Management + · Rule · 2020_06

    Configure products to require approval.

    Description#

    diff --git a/en/rules/Azure.APIM.ProductDescriptors/index.html b/en/rules/Azure.APIM.ProductDescriptors/index.html
    index 87bf09979a..3b78d6b38e 100644
    --- a/en/rules/Azure.APIM.ProductDescriptors/index.html
    +++ b/en/rules/Azure.APIM.ProductDescriptors/index.html
    @@ -12121,6 +12121,7 @@

    Use product descriptorsAzure.APIM.ProductDescriptorsAZR-000049Warning

    Operational Excellence · API Management + · Rule · 2020_09

    API Management products should have a display name and description.

    Description#

    diff --git a/en/rules/Azure.APIM.ProductSubscription/index.html b/en/rules/Azure.APIM.ProductSubscription/index.html
    index 6f53a97510..7ebcddca75 100644
    --- a/en/rules/Azure.APIM.ProductSubscription/index.html
    +++ b/en/rules/Azure.APIM.ProductSubscription/index.html
    @@ -12067,6 +12067,7 @@

    Require a subscription for products

    Security · API Management + · Rule · 2020_06

    Configure products to require a subscription.

    Description#

    diff --git a/en/rules/Azure.APIM.ProductTerms/index.html b/en/rules/Azure.APIM.ProductTerms/index.html
    index a47fbe1e7f..c0b07e8f2a 100644
    --- a/en/rules/Azure.APIM.ProductTerms/index.html
    +++ b/en/rules/Azure.APIM.ProductTerms/index.html
    @@ -12067,6 +12067,7 @@

    Use API product legal termsAzure.APIM.ProductTermsAZR-000050Error

    Operational Excellence · API Management + · Rule · 2020_09

    Set legal terms for each product registered in API Management.

    Description#

    diff --git a/en/rules/Azure.APIM.Protocols/index.html b/en/rules/Azure.APIM.Protocols/index.html
    index 2b018e7c43..8f8e7d321e 100644
    --- a/en/rules/Azure.APIM.Protocols/index.html
    +++ b/en/rules/Azure.APIM.Protocols/index.html
    @@ -12121,6 +12121,7 @@

    Use secure TLS versions for

    Security · API Management + · Rule · 2020_06

    API Management should only accept a minimum of TLS 1.2 for client and backend communication.

    Description#

    diff --git a/en/rules/Azure.APIM.SampleProducts/index.html b/en/rules/Azure.APIM.SampleProducts/index.html
    index de1e72679a..13a2998cb7 100644
    --- a/en/rules/Azure.APIM.SampleProducts/index.html
    +++ b/en/rules/Azure.APIM.SampleProducts/index.html
    @@ -12067,6 +12067,7 @@

    Remove default productsAzure.APIM.SampleProductsAZR-000048Error

    Operational Excellence · API Management + · Rule · 2020_06

    Remove starter and unlimited sample products.

    Description#

    diff --git a/en/rules/Azure.ASE.MigrateV3/index.html b/en/rules/Azure.ASE.MigrateV3/index.html
    index 12e5e8d14a..ff1efb6808 100644
    --- a/en/rules/Azure.ASE.MigrateV3/index.html
    +++ b/en/rules/Azure.ASE.MigrateV3/index.html
    @@ -12121,6 +12121,7 @@

    Migrate to App Service Environmen

    Operational Excellence · App Service Environment + · Rule · 2022_12

    Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.

    Description#

    diff --git a/en/rules/Azure.ASG.Name/index.html b/en/rules/Azure.ASG.Name/index.html
    index 9c933052f2..bac3c21784 100644
    --- a/en/rules/Azure.ASG.Name/index.html
    +++ b/en/rules/Azure.ASG.Name/index.html
    @@ -12135,6 +12135,7 @@

    Use valid ASG namesAzure.ASG.NameAZR-000085Error

    Operational Excellence · Application Security Group + · Rule · 2021_12

    Application Security Group (ASG) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.AppConfig.AuditLogs/index.html b/en/rules/Azure.AppConfig.AuditLogs/index.html
    index e3abfe6bf2..77a486c77f 100644
    --- a/en/rules/Azure.AppConfig.AuditLogs/index.html
    +++ b/en/rules/Azure.AppConfig.AuditLogs/index.html
    @@ -12135,6 +12135,7 @@

    Audit App Configuration StoreAzure.AppConfig.AuditLogsAZR-000311Error

    Security · App Configuration + · Rule · 2022_09

    Ensure app configuration store audit diagnostic logs are enabled.

    Description#

    diff --git a/en/rules/Azure.AppConfig.DisableLocalAuth/index.html b/en/rules/Azure.AppConfig.DisableLocalAuth/index.html
    index 58b2ce4fb5..869be0b6ef 100644
    --- a/en/rules/Azure.AppConfig.DisableLocalAuth/index.html
    +++ b/en/rules/Azure.AppConfig.DisableLocalAuth/index.html
    @@ -12135,6 +12135,7 @@

    Use identity-ba

    Security · App Configuration + · Rule · 2022_09

    Authenticate App Configuration clients with Azure AD identities.

    Description#

    diff --git a/en/rules/Azure.AppConfig.GeoReplica/index.html b/en/rules/Azure.AppConfig.GeoReplica/index.html
    index 67d9076d02..ae230a9a7c 100644
    --- a/en/rules/Azure.AppConfig.GeoReplica/index.html
    +++ b/en/rules/Azure.AppConfig.GeoReplica/index.html
    @@ -12121,6 +12121,7 @@

    Geo-replicate app configuration s

    Reliability · App Configuration + · Rule · 2022_09

    Consider replication for app configuration store to ensure resiliency to region outages.

    Description#

    diff --git a/en/rules/Azure.AppConfig.Name/index.html b/en/rules/Azure.AppConfig.Name/index.html
    index 11d6704652..215d4414d4 100644
    --- a/en/rules/Azure.AppConfig.Name/index.html
    +++ b/en/rules/Azure.AppConfig.Name/index.html
    @@ -12135,6 +12135,7 @@

    Use valid App Configuration sto

    Operational Excellence · App Configuration + · Rule · 2020_12

    App Configuration store names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.AppConfig.PurgeProtect/index.html b/en/rules/Azure.AppConfig.PurgeProtect/index.html
    index 90ed1de26d..422376375e 100644
    --- a/en/rules/Azure.AppConfig.PurgeProtect/index.html
    +++ b/en/rules/Azure.AppConfig.PurgeProtect/index.html
    @@ -12135,6 +12135,7 @@

    Purge Protect App Configuration

    Reliability · App Configuration + · Rule · 2022_12

    Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.

    Description#

    diff --git a/en/rules/Azure.AppConfig.SKU/index.html b/en/rules/Azure.AppConfig.SKU/index.html
    index 38c6822f5b..a0eb6e9ec3 100644
    --- a/en/rules/Azure.AppConfig.SKU/index.html
    +++ b/en/rules/Azure.AppConfig.SKU/index.html
    @@ -12135,6 +12135,7 @@

    Use production App Configuration S

    Reliability · App Configuration + · Rule · 2020_12

    App Configuration should use a minimum size of Standard.

    Description#

    diff --git a/en/rules/Azure.AppGw.AvailabilityZone/index.html b/en/rules/Azure.AppGw.AvailabilityZone/index.html
    index bdda2c220c..a89bdd14a2 100644
    --- a/en/rules/Azure.AppGw.AvailabilityZone/index.html
    +++ b/en/rules/Azure.AppGw.AvailabilityZone/index.html
    @@ -12175,6 +12175,7 @@

    Azure.AppGw.AvailabilityZoneAZR-000060Error

    Reliability · Application Gateway + · Rule · 2021_09

    Application gateways should use availability zones in supported regions for high availability.

    Description#

    diff --git a/en/rules/Azure.AppGw.MigrateV2/index.html b/en/rules/Azure.AppGw.MigrateV2/index.html
    index 077fff631f..f50b883b5b 100644
    --- a/en/rules/Azure.AppGw.MigrateV2/index.html
    +++ b/en/rules/Azure.AppGw.MigrateV2/index.html
    @@ -12135,6 +12135,7 @@

    Migrate to Application Gateway v2Azure.AppGw.MigrateV2AZR-000376Error

    Operational Excellence · Application Gateway + · Rule · 2023_06

    Use a Application Gateway v2 SKU.

    Description#

    diff --git a/en/rules/Azure.AppGw.MinInstance/index.html b/en/rules/Azure.AppGw.MinInstance/index.html
    index daca4fa873..42c643ef79 100644
    --- a/en/rules/Azure.AppGw.MinInstance/index.html
    +++ b/en/rules/Azure.AppGw.MinInstance/index.html
    @@ -12121,6 +12121,7 @@

    Use two or more Applicati

    Reliability · Application Gateway + · Rule · 2020_06

    Application Gateways should use a minimum of two instances.

    Description#

    diff --git a/en/rules/Azure.AppGw.MinSku/index.html b/en/rules/Azure.AppGw.MinSku/index.html
    index 9dccb45041..334e3ffb00 100644
    --- a/en/rules/Azure.AppGw.MinSku/index.html
    +++ b/en/rules/Azure.AppGw.MinSku/index.html
    @@ -12121,6 +12121,7 @@

    Use production Application Gatew

    Operational Excellence · Application Gateway + · Rule · 2020_06

    Application Gateway should use a minimum instance size of Medium.

    Description#

    diff --git a/en/rules/Azure.AppGw.Name/index.html b/en/rules/Azure.AppGw.Name/index.html
    index a114d93f5e..a1c7f512a1 100644
    --- a/en/rules/Azure.AppGw.Name/index.html
    +++ b/en/rules/Azure.AppGw.Name/index.html
    @@ -12081,6 +12081,7 @@

    Use valid namesAzure.AppGw.NameAZR-000348Error

    Operational Excellence · Application Gateway + · Rule · 2022_12

    Application Gateways should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.AppGw.OWASP/index.html b/en/rules/Azure.AppGw.OWASP/index.html
    index 9f4b252a37..b1492f689a 100644
    --- a/en/rules/Azure.AppGw.OWASP/index.html
    +++ b/en/rules/Azure.AppGw.OWASP/index.html
    @@ -12149,6 +12149,7 @@

    Use OWASP 3.x rulesAzure.AppGw.OWASPAZR-000067Error

    Security · Application Gateway + · Rule · 2020_06

    Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.

    Description#

    diff --git a/en/rules/Azure.AppGw.Prevention/index.html b/en/rules/Azure.AppGw.Prevention/index.html
    index 52c2a2aa8b..f1d9befd49 100644
    --- a/en/rules/Azure.AppGw.Prevention/index.html
    +++ b/en/rules/Azure.AppGw.Prevention/index.html
    @@ -12149,6 +12149,7 @@

    Use WAF prevention modeAzure.AppGw.PreventionAZR-000065Error

    Security · Application Gateway + · Rule · 2020_06

    Internet exposed Application Gateways should use prevention mode to protect backend resources.

    Description#

    diff --git a/en/rules/Azure.AppGw.SSLPolicy/index.html b/en/rules/Azure.AppGw.SSLPolicy/index.html
    index c80ee6d771..8f704ff031 100644
    --- a/en/rules/Azure.AppGw.SSLPolicy/index.html
    +++ b/en/rules/Azure.AppGw.SSLPolicy/index.html
    @@ -12107,6 +12107,7 @@

    Application Gateways use a mi

    Security · Application Gateway + · Rule · 2020_06

    Application Gateway should only accept a minimum of TLS 1.2.

    Description#

    diff --git a/en/rules/Azure.AppGw.UseHTTPS/index.html b/en/rules/Azure.AppGw.UseHTTPS/index.html
    index c4bbb78042..8a1f5e7c3a 100644
    --- a/en/rules/Azure.AppGw.UseHTTPS/index.html
    +++ b/en/rules/Azure.AppGw.UseHTTPS/index.html
    @@ -12107,6 +12107,7 @@

    Expose frontend HTTP endpoint

    Security · Application Gateway + · Rule · 2021_09

    Application Gateways should only expose frontend HTTP endpoints over HTTPS.

    Description#

    diff --git a/en/rules/Azure.AppGw.UseWAF/index.html b/en/rules/Azure.AppGw.UseWAF/index.html
    index a150769f41..b1662ba4f6 100644
    --- a/en/rules/Azure.AppGw.UseWAF/index.html
    +++ b/en/rules/Azure.AppGw.UseWAF/index.html
    @@ -12149,6 +12149,7 @@

    Application Gateway uses WAF SKUAzure.AppGw.UseWAFAZR-000063Error

    Security · Application Gateway + · Rule · 2020_06

    Internet accessible Application Gateways should use protect endpoints with WAF.

    Description#

    diff --git a/en/rules/Azure.AppGw.WAFEnabled/index.html b/en/rules/Azure.AppGw.WAFEnabled/index.html
    index 157b029acd..346326e5e2 100644
    --- a/en/rules/Azure.AppGw.WAFEnabled/index.html
    +++ b/en/rules/Azure.AppGw.WAFEnabled/index.html
    @@ -12149,6 +12149,7 @@

    Application Gateway WAF is enabledAzure.AppGw.WAFEnabledAZR-000066Error

    Security · Application Gateway + · Rule · 2020_06

    Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

    Description#

    diff --git a/en/rules/Azure.AppGw.WAFRules/index.html b/en/rules/Azure.AppGw.WAFRules/index.html
    index a0ca015c3a..477e59816f 100644
    --- a/en/rules/Azure.AppGw.WAFRules/index.html
    +++ b/en/rules/Azure.AppGw.WAFRules/index.html
    @@ -12121,6 +12121,7 @@

    Application Gateway rules are ena

    Security · Application Gateway + · Rule · 2020_06

    Application Gateway Web Application Firewall (WAF) should have all rules enabled.

    Description#

    diff --git a/en/rules/Azure.AppGwWAF.Enabled/index.html b/en/rules/Azure.AppGwWAF.Enabled/index.html
    index 0fdebee34c..a7d1e1dcef 100644
    --- a/en/rules/Azure.AppGwWAF.Enabled/index.html
    +++ b/en/rules/Azure.AppGwWAF.Enabled/index.html
    @@ -12149,6 +12149,7 @@

    Application Gateway WAF is enabledAzure.AppGwWAF.EnabledAZR-000309Error

    Security · Application Gateway + · Rule · 2022_09

    Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

    Description#

    diff --git a/en/rules/Azure.AppGwWAF.Exclusions/index.html b/en/rules/Azure.AppGwWAF.Exclusions/index.html
    index ebd2040f52..ab944d463f 100644
    --- a/en/rules/Azure.AppGwWAF.Exclusions/index.html
    +++ b/en/rules/Azure.AppGwWAF.Exclusions/index.html
    @@ -12067,6 +12067,7 @@

    Application Gateway rules are ena

    Security · Application Gateway + · Rule · 2022_09

    Application Gateway Web Application Firewall (WAF) should have all rules enabled.

    Description#

    diff --git a/en/rules/Azure.AppGwWAF.PreventionMode/index.html b/en/rules/Azure.AppGwWAF.PreventionMode/index.html
    index 41de757a6a..cd69c00ed6 100644
    --- a/en/rules/Azure.AppGwWAF.PreventionMode/index.html
    +++ b/en/rules/Azure.AppGwWAF.PreventionMode/index.html
    @@ -12067,6 +12067,7 @@

    Use Application G

    Security · Application Gateway + · Rule · 2022_09

    Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.AppGwWAF.RuleGroups/index.html b/en/rules/Azure.AppGwWAF.RuleGroups/index.html
    index c5df2377a6..6f59ec3f0f 100644
    --- a/en/rules/Azure.AppGwWAF.RuleGroups/index.html
    +++ b/en/rules/Azure.AppGwWAF.RuleGroups/index.html
    @@ -12067,6 +12067,7 @@

    Use Recommen

    Security · Application Gateway + · Rule · 2022_09

    Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.AppInsights.Name/index.html b/en/rules/Azure.AppInsights.Name/index.html
    index 034806aca3..060c92c462 100644
    --- a/en/rules/Azure.AppInsights.Name/index.html
    +++ b/en/rules/Azure.AppInsights.Name/index.html
    @@ -12081,6 +12081,7 @@

    Use valid Application Ins

    Operational Excellence · Application Insights + · Rule · 2021_06

    Azure Application Insights resources names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.AppInsights.Workspace/index.html b/en/rules/Azure.AppInsights.Workspace/index.html
    index 895794e8ad..0621ca18fa 100644
    --- a/en/rules/Azure.AppInsights.Workspace/index.html
    +++ b/en/rules/Azure.AppInsights.Workspace/index.html
    @@ -12121,6 +12121,7 @@

    Use workspace-based App Insi

    Operational Excellence · Application Insights + · Rule · 2021_06

    Configure Application Insights resources to store data in workspaces.

    Description#

    diff --git a/en/rules/Azure.AppService.ARRAffinity/index.html b/en/rules/Azure.AppService.ARRAffinity/index.html
    index 06fdc829ff..0b4dc2797b 100644
    --- a/en/rules/Azure.AppService.ARRAffinity/index.html
    +++ b/en/rules/Azure.AppService.ARRAffinity/index.html
    @@ -12067,6 +12067,7 @@

    Disable Application Request Routing

    Performance Efficiency · App Service + · Rule · 2020_06

    Disable client affinity for stateless services.

    Description#

    diff --git a/en/rules/Azure.AppService.AlwaysOn/index.html b/en/rules/Azure.AppService.AlwaysOn/index.html
    index 53ebff4244..92f316eeaf 100644
    --- a/en/rules/Azure.AppService.AlwaysOn/index.html
    +++ b/en/rules/Azure.AppService.AlwaysOn/index.html
    @@ -12135,6 +12135,7 @@

    Use App Service Always OnAzure.AppService.AlwaysOnAZR-000077Error

    Reliability · App Service + · Rule · 2020_12

    Configure Always On for App Service apps.

    Description#

    diff --git a/en/rules/Azure.AppService.HTTP2/index.html b/en/rules/Azure.AppService.HTTP2/index.html
    index 0305dfbb5a..a0267302f6 100644
    --- a/en/rules/Azure.AppService.HTTP2/index.html
    +++ b/en/rules/Azure.AppService.HTTP2/index.html
    @@ -12121,6 +12121,7 @@

    Use HTTP/2 connections for A

    Performance Efficiency · App Service + · Rule · 2020_12

    Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.

    Description#

    diff --git a/en/rules/Azure.AppService.ManagedIdentity/index.html b/en/rules/Azure.AppService.ManagedIdentity/index.html
index 0b7805bcd9..67c715da50 100644
--- a/en/rules/Azure.AppService.ManagedIdentity/index.html
+++ b/en/rules/Azure.AppService.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    App Service apps uses a manage

    Security · App Service + · Rule · 2020_12

    Configure managed identities to access Azure resources.

    Description#

    diff --git a/en/rules/Azure.AppService.MinPlan/index.html b/en/rules/Azure.AppService.MinPlan/index.html
index 33b1e8c18d..bed93d6157 100644
--- a/en/rules/Azure.AppService.MinPlan/index.html
+++ b/en/rules/Azure.AppService.MinPlan/index.html
@@ -12121,6 +12121,7 @@

    Use App Service production SKUAzure.AppService.MinPlanAZR-000072Error

    Performance Efficiency · App Service + · Rule · 2020_06

    Use at least a Standard App Service Plan.

    Description#

    diff --git a/en/rules/Azure.AppService.MinTLS/index.html b/en/rules/Azure.AppService.MinTLS/index.html
index 6e3557e521..872caa69bf 100644
--- a/en/rules/Azure.AppService.MinTLS/index.html
+++ b/en/rules/Azure.AppService.MinTLS/index.html
@@ -12121,6 +12121,7 @@

    App Service minimum TLS versionAzure.AppService.MinTLSAZR-000073Error

    Security · App Service + · Rule · 2020_06

    App Service should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.AppService.NETVersion/index.html b/en/rules/Azure.AppService.NETVersion/index.html
index 58a1ae79fc..5176c0293f 100644
--- a/en/rules/Azure.AppService.NETVersion/index.html
+++ b/en/rules/Azure.AppService.NETVersion/index.html
@@ -12121,6 +12121,7 @@

    Use a newer .NET versionAzure.AppService.NETVersionAZR-000075Error

    Security · App Service + · Rule · 2020_12

    Configure applications to use newer .NET versions.

    Description#

    diff --git a/en/rules/Azure.AppService.PHPVersion/index.html b/en/rules/Azure.AppService.PHPVersion/index.html
index f836c41d1c..bd7fb76d9e 100644
--- a/en/rules/Azure.AppService.PHPVersion/index.html
+++ b/en/rules/Azure.AppService.PHPVersion/index.html
@@ -12121,6 +12121,7 @@

    Use a newer PHP runtime versionAzure.AppService.PHPVersionAZR-000076Error

    Security · App Service + · Rule · 2020_12

    Configure applications to use newer PHP runtime versions.

    Description#

    diff --git a/en/rules/Azure.AppService.PlanInstanceCount/index.html b/en/rules/Azure.AppService.PlanInstanceCount/index.html
index 768fc9c1ee..25ebab3840 100644
--- a/en/rules/Azure.AppService.PlanInstanceCount/index.html
+++ b/en/rules/Azure.AppService.PlanInstanceCount/index.html
@@ -12121,6 +12121,7 @@

    Use two or more App Service

    Reliability · App Service + · Rule · 2020_06

    App Service Plan should use a minimum number of instances for failover.

    Description#

    diff --git a/en/rules/Azure.AppService.RemoteDebug/index.html b/en/rules/Azure.AppService.RemoteDebug/index.html
index e7a15a915e..ffa50748ed 100644
--- a/en/rules/Azure.AppService.RemoteDebug/index.html
+++ b/en/rules/Azure.AppService.RemoteDebug/index.html
@@ -12121,6 +12121,7 @@

    Disable App Service remote debuggi

    Security · App Service + · Rule · 2020_12

    Disable remote debugging on App Service apps when not in use.

    Description#

    diff --git a/en/rules/Azure.AppService.UseHTTPS/index.html b/en/rules/Azure.AppService.UseHTTPS/index.html
index cb55996f63..577bc94849 100644
--- a/en/rules/Azure.AppService.UseHTTPS/index.html
+++ b/en/rules/Azure.AppService.UseHTTPS/index.html
@@ -12121,6 +12121,7 @@

    Enforce encrypted App Service

    Security · App Service + · Rule · 2020_06

    Azure App Service apps should only accept encrypted connections.

    Description#

    diff --git a/en/rules/Azure.AppService.WebProbe/index.html b/en/rules/Azure.AppService.WebProbe/index.html
index 4faf8e1091..9db729fa2a 100644
--- a/en/rules/Azure.AppService.WebProbe/index.html
+++ b/en/rules/Azure.AppService.WebProbe/index.html
@@ -12121,6 +12121,7 @@

    Web apps use health probesAzure.AppService.WebProbeAZR-000079Error

    Reliability · App Service + · Rule · 2022_06

    Configure and enable instance health probes.

    Description#

    diff --git a/en/rules/Azure.AppService.WebProbePath/index.html b/en/rules/Azure.AppService.WebProbePath/index.html
index 172b65b589..1ee87e9c04 100644
--- a/en/rules/Azure.AppService.WebProbePath/index.html
+++ b/en/rules/Azure.AppService.WebProbePath/index.html
@@ -12121,6 +12121,7 @@

    Web apps use a dedicated hea

    Reliability · App Service + · Rule · 2022_06

    Configure a dedicated path for health probe requests.

    Description#

    diff --git a/en/rules/Azure.AppService.WebSecureFtp/index.html b/en/rules/Azure.AppService.WebSecureFtp/index.html
index f1876117ea..28e343a19d 100644
--- a/en/rules/Azure.AppService.WebSecureFtp/index.html
+++ b/en/rules/Azure.AppService.WebSecureFtp/index.html
@@ -12121,6 +12121,7 @@

    Web apps disable insecure FTPAzure.AppService.WebSecureFtpAZR-000081Error

    Security · App Service + · Rule · 2022_06

    Web apps should disable insecure FTP and configure SFTP when required.

    Description#

    diff --git a/en/rules/Azure.Arc.Kubernetes.Defender/index.html b/en/rules/Azure.Arc.Kubernetes.Defender/index.html
index eb66d8b58d..c65479f3fa 100644
--- a/en/rules/Azure.Arc.Kubernetes.Defender/index.html
+++ b/en/rules/Azure.Arc.Kubernetes.Defender/index.html
@@ -12121,6 +12121,7 @@

    Use Microsoft DefenderAzure.Arc.Kubernetes.DefenderAZR-000373Error

    Security · Arc + · Rule · 2023_06

    Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.

    Description#

    diff --git a/en/rules/Azure.Arc.Server.MaintenanceConfig/index.html b/en/rules/Azure.Arc.Server.MaintenanceConfig/index.html
index d21eb199ee..a8107c52eb 100644
--- a/en/rules/Azure.Arc.Server.MaintenanceConfig/index.html
+++ b/en/rules/Azure.Arc.Server.MaintenanceConfig/index.html
@@ -12135,6 +12135,7 @@

    Associate a maintenance configura

    Operational Excellence · Arc + · Rule · 2023_06

    Use a maintenance configuration for Arc-enabled servers.

    Description#

    diff --git a/en/rules/Azure.Automation.AuditLogs/index.html b/en/rules/Azure.Automation.AuditLogs/index.html
index fe38ff224a..08b1107491 100644
--- a/en/rules/Azure.Automation.AuditLogs/index.html
+++ b/en/rules/Azure.Automation.AuditLogs/index.html
@@ -12121,6 +12121,7 @@

    Audit Automation Account data acce

    Security · Automation Account + · Rule · 2021_12

    Ensure automation account audit diagnostic logs are enabled.

    Description#

    diff --git a/en/rules/Azure.Automation.EncryptVariables/index.html b/en/rules/Azure.Automation.EncryptVariables/index.html
index d2f888b89a..c346e727f4 100644
--- a/en/rules/Azure.Automation.EncryptVariables/index.html
+++ b/en/rules/Azure.Automation.EncryptVariables/index.html
@@ -12067,6 +12067,7 @@

    Encrypt automation variablesAzure.Automation.EncryptVariablesAZR-000086Error

    Security · Automation Account + · Rule · 2020_06

    Azure Automation variables should be encrypted.

    Description#

    diff --git a/en/rules/Azure.Automation.ManagedIdentity/index.html b/en/rules/Azure.Automation.ManagedIdentity/index.html
index 7bacd758aa..98dedb0a7f 100644
--- a/en/rules/Azure.Automation.ManagedIdentity/index.html
+++ b/en/rules/Azure.Automation.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    Use managed identity for authen

    Security · Automation Account + · Rule · 2021_12

    Ensure Managed Identity is used for authentication.

    Description#

    diff --git a/en/rules/Azure.Automation.PlatformLogs/index.html b/en/rules/Azure.Automation.PlatformLogs/index.html
index d41bf0dfcb..deaa773839 100644
--- a/en/rules/Azure.Automation.PlatformLogs/index.html
+++ b/en/rules/Azure.Automation.PlatformLogs/index.html
@@ -12135,6 +12135,7 @@

    Automation

    Operational Excellence · Automation Account + · Rule · 2021_12

    Ensure automation account platform diagnostic logs are enabled.

    Description#

    diff --git a/en/rules/Azure.Automation.WebHookExpiry/index.html b/en/rules/Azure.Automation.WebHookExpiry/index.html
index 81814fd192..84b43951dc 100644
--- a/en/rules/Azure.Automation.WebHookExpiry/index.html
+++ b/en/rules/Azure.Automation.WebHookExpiry/index.html
@@ -12053,6 +12053,7 @@

    Use short lived web hooksAzure.Automation.WebHookExpiryAZR-000087Error

    Security · Automation Account + · Rule · 2020_06

    Do not create webhooks with an expiry time greater than 1 year (default).

    Description#

    diff --git a/en/rules/Azure.BV.Immutable/index.html b/en/rules/Azure.BV.Immutable/index.html
index e10d1f6577..27a834bd4c 100644
--- a/en/rules/Azure.BV.Immutable/index.html
+++ b/en/rules/Azure.BV.Immutable/index.html
@@ -12135,6 +12135,7 @@

    ImmutabilityAzure.BV.ImmutableAZR-000398Error

    Security · Backup Vault + · Rule · 2023_09

    Ensure immutability is configured to protect backup data.

    Description#

    diff --git a/en/rules/Azure.Bastion.Name/index.html b/en/rules/Azure.Bastion.Name/index.html
index 55dbe087e6..b7753a8422 100644
--- a/en/rules/Azure.Bastion.Name/index.html
+++ b/en/rules/Azure.Bastion.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid namesAzure.Bastion.NameAZR-000349Error

    Operational Excellence · Bastion + · Rule · 2022_12

    Bastion hosts should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.CDN.EndpointName/index.html b/en/rules/Azure.CDN.EndpointName/index.html
index e0ff8a3e20..853de61705 100644
--- a/en/rules/Azure.CDN.EndpointName/index.html
+++ b/en/rules/Azure.CDN.EndpointName/index.html
@@ -12081,6 +12081,7 @@

    Use valid CDN endpoint namesAzure.CDN.EndpointNameAZR-000091Error

    Operational Excellence · Content Delivery Network + · Rule · 2020_09

    Azure CDN Endpoint names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.CDN.HTTP/index.html b/en/rules/Azure.CDN.HTTP/index.html
index f53d51a192..f8433737df 100644
--- a/en/rules/Azure.CDN.HTTP/index.html
+++ b/en/rules/Azure.CDN.HTTP/index.html
@@ -12067,6 +12067,7 @@

    Use HTTPS client connectionsAzure.CDN.HTTPAZR-000093Error

    Security · Content Delivery Network + · Rule · 2020_06

    Enforce HTTPS for client connections.

    Description#

    diff --git a/en/rules/Azure.CDN.MinTLS/index.html b/en/rules/Azure.CDN.MinTLS/index.html
index 9fc8abbfc8..693173faff 100644
--- a/en/rules/Azure.CDN.MinTLS/index.html
+++ b/en/rules/Azure.CDN.MinTLS/index.html
@@ -12067,6 +12067,7 @@

    Azure CDN endpoint minimum TLS v

    Security · Content Delivery Network + · Rule · 2020_09

    Azure CDN endpoints should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.CDN.UseFrontDoor/index.html b/en/rules/Azure.CDN.UseFrontDoor/index.html
index 83513fe1ee..34cddc1e82 100644
--- a/en/rules/Azure.CDN.UseFrontDoor/index.html
+++ b/en/rules/Azure.CDN.UseFrontDoor/index.html
@@ -12121,6 +12121,7 @@

    Use Front Door Standard Or Premi

    Performance Efficiency · Front Door + · Rule · 2022_09

    Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.

    Description#

    diff --git a/en/rules/Azure.Cognitive.DisableLocalAuth/index.html b/en/rules/Azure.Cognitive.DisableLocalAuth/index.html
index 7337bccea0..995415ef74 100644
--- a/en/rules/Azure.Cognitive.DisableLocalAuth/index.html
+++ b/en/rules/Azure.Cognitive.DisableLocalAuth/index.html
@@ -12121,6 +12121,7 @@

    Use id

    Security · Cognitive Services + · Rule · 2022_09

    Authenticate requests to Cognitive Services with Azure AD identities.

    Description#

    diff --git a/en/rules/Azure.Cognitive.ManagedIdentity/index.html b/en/rules/Azure.Cognitive.ManagedIdentity/index.html
index 1fd7a673a0..9563ffd6f4 100644
--- a/en/rules/Azure.Cognitive.ManagedIdentity/index.html
+++ b/en/rules/Azure.Cognitive.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    Use Managed Identi

    Security · Cognitive Services + · Rule · 2022_09

    Configure managed identities to access Azure resources.

    Description#

    diff --git a/en/rules/Azure.Cognitive.PrivateEndpoints/index.html b/en/rules/Azure.Cognitive.PrivateEndpoints/index.html
index 3fd48551f7..1def1b015d 100644
--- a/en/rules/Azure.Cognitive.PrivateEndpoints/index.html
+++ b/en/rules/Azure.Cognitive.PrivateEndpoints/index.html
@@ -12121,6 +12121,7 @@

    Use Cognitive Service Private E

    Security · Cognitive Services + · Rule · 2022_09

    Use Private Endpoints to access Cognitive Services accounts.

    Description#

    diff --git a/en/rules/Azure.Cognitive.PublicAccess/index.html b/en/rules/Azure.Cognitive.PublicAccess/index.html
index 7f55792da7..ad70a701c4 100644
--- a/en/rules/Azure.Cognitive.PublicAccess/index.html
+++ b/en/rules/Azure.Cognitive.PublicAccess/index.html
@@ -12121,6 +12121,7 @@

    Restrict Cognitive Service endpoin

    Security · Cognitive Services + · Rule · 2022_09

    Restrict access of Cognitive Services accounts to authorized virtual networks.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.APIVersion/index.html b/en/rules/Azure.ContainerApp.APIVersion/index.html
index bbdebbf32d..cb7cc3b11c 100644
--- a/en/rules/Azure.ContainerApp.APIVersion/index.html
+++ b/en/rules/Azure.ContainerApp.APIVersion/index.html
@@ -12121,6 +12121,7 @@

    Retired API versionAzure.ContainerApp.APIVersionAZR-000400Error

    Operational Excellence · Container App + · Rule · 2023_09

    Migrate from retired API version to a supported version.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.DisableAffinity/index.html b/en/rules/Azure.ContainerApp.DisableAffinity/index.html
index ca4a6b5543..5dcbb40134 100644
--- a/en/rules/Azure.ContainerApp.DisableAffinity/index.html
+++ b/en/rules/Azure.ContainerApp.DisableAffinity/index.html
@@ -12121,6 +12121,7 @@

    Disable session affinityAzure.ContainerApp.DisableAffinityAZR-000378Error

    Performance Efficiency · Container App + · Rule · 2023_06

    Disable session affinity to prevent unbalanced distribution.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.ExternalIngress/index.html b/en/rules/Azure.ContainerApp.ExternalIngress/index.html
index 55c79b6589..de1d0562a1 100644
--- a/en/rules/Azure.ContainerApp.ExternalIngress/index.html
+++ b/en/rules/Azure.ContainerApp.ExternalIngress/index.html
@@ -12135,6 +12135,7 @@

    Disable external ingressAzure.ContainerApp.ExternalIngressAZR-000362Error

    Security · Container App + · Rule · 2023_03

    Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.Insecure/index.html b/en/rules/Azure.ContainerApp.Insecure/index.html
index bc41477e9d..7ebd16134e 100644
--- a/en/rules/Azure.ContainerApp.Insecure/index.html
+++ b/en/rules/Azure.ContainerApp.Insecure/index.html
@@ -12121,6 +12121,7 @@

    Disable insecure container app i

    Security · Container App + · Rule · 2023_06

    Ensure insecure inbound traffic is not permitted to the container app.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.ManagedIdentity/index.html b/en/rules/Azure.ContainerApp.ManagedIdentity/index.html
index 34896625c7..5466598f61 100644
--- a/en/rules/Azure.ContainerApp.ManagedIdentity/index.html
+++ b/en/rules/Azure.ContainerApp.ManagedIdentity/index.html
@@ -12135,6 +12135,7 @@

    Use managed identity for authen

    Security · Container App + · Rule · 2023_03

    Ensure managed identity is used for authentication.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.Name/index.html b/en/rules/Azure.ContainerApp.Name/index.html
index 024169eeb0..060ab6fb55 100644
--- a/en/rules/Azure.ContainerApp.Name/index.html
+++ b/en/rules/Azure.ContainerApp.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid container app namesAzure.ContainerApp.NameAZR-000360Error

    Operational Excellence · Container App + · Rule · 2023_03

    Container Apps should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.PublicAccess/index.html b/en/rules/Azure.ContainerApp.PublicAccess/index.html
index 9785085f8c..aa409badf2 100644
--- a/en/rules/Azure.ContainerApp.PublicAccess/index.html
+++ b/en/rules/Azure.ContainerApp.PublicAccess/index.html
@@ -12121,6 +12121,7 @@

    Disable public accessAzure.ContainerApp.PublicAccessAZR-000363Error

    Security · Container App + · Rule · 2023_03

    Ensure public network access for Container Apps environment is disabled.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.RestrictIngress/index.html b/en/rules/Azure.ContainerApp.RestrictIngress/index.html
index af51e3a279..1c02e0a3a7 100644
--- a/en/rules/Azure.ContainerApp.RestrictIngress/index.html
+++ b/en/rules/Azure.ContainerApp.RestrictIngress/index.html
@@ -12135,6 +12135,7 @@

    IP ingress restrictions modeAzure.ContainerApp.RestrictIngressAZR-000380Error

    Security · Container App + · Rule · 2023_06

    IP ingress restrictions mode should be set to allow action for all rules defined.

    Description#

    diff --git a/en/rules/Azure.ContainerApp.Storage/index.html b/en/rules/Azure.ContainerApp.Storage/index.html
index c7883d35c6..3579787697 100644
--- a/en/rules/Azure.ContainerApp.Storage/index.html
+++ b/en/rules/Azure.ContainerApp.Storage/index.html
@@ -12135,6 +12135,7 @@

    Persistant storageAzure.ContainerApp.StorageAZR-000364Error

    Reliability · Container App + · Rule · 2023_03

    Use of Azure Files volume mounts to persistent storage container data.

    Description#

    diff --git a/en/rules/Azure.Cosmos.AccountName/index.html b/en/rules/Azure.Cosmos.AccountName/index.html
index 38bf43c1d5..2da096b227 100644
--- a/en/rules/Azure.Cosmos.AccountName/index.html
+++ b/en/rules/Azure.Cosmos.AccountName/index.html
@@ -12081,6 +12081,7 @@

    Use valid Cosmos DB account namesAzure.Cosmos.AccountNameAZR-000096Error

    Operational Excellence · Cosmos DB + · Rule · 2021_09

    Cosmos DB account names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Cosmos.DefenderCloud/index.html b/en/rules/Azure.Cosmos.DefenderCloud/index.html
index e337095709..ce6f99ff11 100644
--- a/en/rules/Azure.Cosmos.DefenderCloud/index.html
+++ b/en/rules/Azure.Cosmos.DefenderCloud/index.html
@@ -12135,6 +12135,7 @@

    Enable Microsoft DefenderAzure.Cosmos.DefenderCloudAZR-000382Error

    Security · Cosmos DB + · Rule · 2023_06

    Enable Microsoft Defender for Azure Cosmos DB.

    Description#

    diff --git a/en/rules/Azure.Cosmos.DisableMetadataWrite/index.html b/en/rules/Azure.Cosmos.DisableMetadataWrite/index.html
index 3900e3b3d6..635785dd92 100644
--- a/en/rules/Azure.Cosmos.DisableMetadataWrite/index.html
+++ b/en/rules/Azure.Cosmos.DisableMetadataWrite/index.html
@@ -12121,6 +12121,7 @@

    Restrict use

    Security · Cosmos DB + · Rule · 2021_09

    Use Azure AD identities for management place operations in Azure Cosmos DB.

    Description#

    diff --git a/en/rules/Azure.DataFactory.Version/index.html b/en/rules/Azure.DataFactory.Version/index.html
index 8189354fed..40fe683af4 100644
--- a/en/rules/Azure.DataFactory.Version/index.html
+++ b/en/rules/Azure.DataFactory.Version/index.html
@@ -12053,6 +12053,7 @@

    Use Data Factory v2Azure.DataFactory.VersionAZR-000097Error

    Operational Excellence · Data Factory + · Rule · 2020_06

    Consider migrating to DataFactory v2.

    Description#

    diff --git a/en/rules/Azure.Databricks.SecureConnectivity/index.html b/en/rules/Azure.Databricks.SecureConnectivity/index.html
index a881f567d6..91f0c8581d 100644
--- a/en/rules/Azure.Databricks.SecureConnectivity/index.html
+++ b/en/rules/Azure.Databricks.SecureConnectivity/index.html
@@ -12121,6 +12121,7 @@

    Enable secure conn

    Security · Databricks + · Rule · 2023_09

    Use Databricks workspaces configured for secure cluster connectivity.

    Description#

    diff --git a/en/rules/Azure.Defender.Api/index.html b/en/rules/Azure.Defender.Api/index.html
index 271f525c44..d404ebb694 100644
--- a/en/rules/Azure.Defender.Api/index.html
+++ b/en/rules/Azure.Defender.Api/index.html
@@ -12163,6 +12163,7 @@

    Set Microsoft Defe

    Security · Microsoft Defender for Cloud + · Rule · 2023_06

    Enable Microsoft Defender for APIs.

    Description#

    diff --git a/en/rules/Azure.Defender.AppServices/index.html b/en/rules/Azure.Defender.AppServices/index.html
index 9237691f1c..ef8e7abe6b 100644
--- a/en/rules/Azure.Defender.AppServices/index.html
+++ b/en/rules/Azure.Defender.AppServices/index.html
@@ -12163,6 +12163,7 @@

    Conf

    Security · Microsoft Defender for Cloud + · Rule · 2022_09

    Enable Microsoft Defender for App Service.

    Description#

    diff --git a/en/rules/Azure.Defender.Arm/index.html b/en/rules/Azure.Defender.Arm/index.html
index 918d04e66b..c96f6037ac 100644
--- a/en/rules/Azure.Defender.Arm/index.html
+++ b/en/rules/Azure.Defender.Arm/index.html
@@ -12163,6 +12163,7 @@

    Set Microsoft Defen

    Security · Microsoft Defender for Cloud + · Rule · 2023_03

    Enable Microsoft Defender for Azure Resource Manager (ARM).

    Description#

    diff --git a/en/rules/Azure.Defender.Containers/index.html b/en/rules/Azure.Defender.Containers/index.html
index 824007fba3..234f3b3f45 100644
--- a/en/rules/Azure.Defender.Containers/index.html
+++ b/en/rules/Azure.Defender.Containers/index.html
@@ -12163,6 +12163,7 @@

    Set Microsof

    Security · Microsoft Defender for Cloud + · Rule · 2022_09

    Enable Microsoft Defender for Containers.

    Description#

    diff --git a/en/rules/Azure.Defender.CosmosDb/index.html b/en/rules/Azure.Defender.CosmosDb/index.html
index 9eafacb87b..c916ccb28b 100644
--- a/en/rules/Azure.Defender.CosmosDb/index.html
+++ b/en/rules/Azure.Defender.CosmosDb/index.html
@@ -12163,6 +12163,7 @@

    Set Microsoft

    Security · Microsoft Defender for Cloud + · Rule · 2023_06

    Enable Microsoft Defender for Azure Cosmos DB.

    Description#

    diff --git a/en/rules/Azure.Defender.Cspm/index.html b/en/rules/Azure.Defender.Cspm/index.html
index 9ecda09e1e..61ce20f426 100644
--- a/en/rules/Azure.Defender.Cspm/index.html
+++ b/en/rules/Azure.Defender.Cspm/index.html
@@ -12163,6 +12163,7 @@

    Azure.Defender.CspmAZR-000372Error

    Security · Microsoft Defender for Cloud + · Rule · 2023_06

    Enable Microsoft Defender Cloud Security Posture Management Standard plan.

    Description#

    diff --git a/en/rules/Azure.Defender.Dns/index.html b/en/rules/Azure.Defender.Dns/index.html
index 62ba96fd09..9021751669 100644
--- a/en/rules/Azure.Defender.Dns/index.html
+++ b/en/rules/Azure.Defender.Dns/index.html
@@ -12163,6 +12163,7 @@

    Set Microsoft Defen

    Security · Microsoft Defender for Cloud + · Rule · 2023_03

    Enable Microsoft Defender for DNS.

    Description#

    diff --git a/en/rules/Azure.Defender.KeyVault/index.html b/en/rules/Azure.Defender.KeyVault/index.html
index b3f7502317..a942755c2b 100644
--- a/en/rules/Azure.Defender.KeyVault/index.html
+++ b/en/rules/Azure.Defender.KeyVault/index.html
@@ -12163,6 +12163,7 @@

    Set Microsoft

    Security · Microsoft Defender for Cloud + · Rule · 2023_03

    Enable Microsoft Defender for Key Vault.

    Description#

    diff --git a/en/rules/Azure.Defender.OssRdb/index.html b/en/rules/Azure.Defender.OssRdb/index.html
index 299663a711..17fac8b601 100644
--- a/en/rules/Azure.Defender.OssRdb/index.html
+++ b/en/rules/Azure.Defender.OssRdb/index.html
@@ -12163,6 +12163,7 @@

    Azure.Defender.OssRdbAZR-000381Error

    Security · Microsoft Defender for Cloud + · Rule · 2023_06

    Enable Microsoft Defender for open-source relational databases.

    Description#

    diff --git a/en/rules/Azure.Defender.SQL/index.html b/en/rules/Azure.Defender.SQL/index.html
index d93e094698..12e26a8af5 100644
--- a/en/rules/Azure.Defender.SQL/index.html
+++ b/en/rules/Azure.Defender.SQL/index.html
@@ -12163,6 +12163,7 @@

    Configure Mic

    Security · Microsoft Defender for Cloud + · Rule · 2022_09

    Enable Microsoft Defender for SQL servers.

    Description#

    diff --git a/en/rules/Azure.Defender.SQLOnVM/index.html b/en/rules/Azure.Defender.SQLOnVM/index.html
index aef0744047..777eee9918 100644
--- a/en/rules/Azure.Defender.SQLOnVM/index.html
+++ b/en/rules/Azure.Defender.SQLOnVM/index.html
@@ -12163,6 +12163,7 @@

    Azure.Defender.SQLOnVMAZR-000297Error

    Security · Microsoft Defender for Cloud + · Rule · 2022_09

    Enable Microsoft Defender for SQL servers on machines.

    Description#

    diff --git a/en/rules/Azure.Defender.Servers/index.html b/en/rules/Azure.Defender.Servers/index.html
index 71e1ff1a75..7f38722c45 100644
--- a/en/rules/Azure.Defender.Servers/index.html
+++ b/en/rules/Azure.Defender.Servers/index.html
@@ -12163,6 +12163,7 @@

    Co

    Security · Microsoft Defender for Cloud + · Rule · 2022_09

    Enable Microsoft Defender for Servers.

    Description#

    diff --git a/en/rules/Azure.Defender.Storage.MalwareScan/index.html b/en/rules/Azure.Defender.Storage.MalwareScan/index.html
index 5fb53897ce..64ba9567b5 100644
--- a/en/rules/Azure.Defender.Storage.MalwareScan/index.html
+++ b/en/rules/Azure.Defender.Storage.MalwareScan/index.html
@@ -12135,6 +12135,7 @@

    Malware ScanningAzure.Defender.Storage.MalwareScanAZR-000383Error

    Security · Microsoft Defender for Cloud + · Rule · 2023_06

    Enable Malware Scanning in Microsoft Defender for Storage.

    Description#

    diff --git a/en/rules/Azure.Defender.Storage.SensitiveData/index.html b/en/rules/Azure.Defender.Storage.SensitiveData/index.html
index ae7eb52918..77104d0b15 100644
--- a/en/rules/Azure.Defender.Storage.SensitiveData/index.html
+++ b/en/rules/Azure.Defender.Storage.SensitiveData/index.html
@@ -12135,6 +12135,7 @@

    Sensitive data threat detectionAzure.Defender.Storage.SensitiveDataAZR-000385Error

    Security · Microsoft Defender for Cloud + · Rule · 2023_06

    Enable sensitive data threat detection in Microsoft Defender for Storage.

    Description#

    diff --git a/en/rules/Azure.DefenderCloud.Contact/index.html b/en/rules/Azure.DefenderCloud.Contact/index.html
index 72845628fe..b0a66c71c9 100644
--- a/en/rules/Azure.DefenderCloud.Contact/index.html
+++ b/en/rules/Azure.DefenderCloud.Contact/index.html
@@ -12067,6 +12067,7 @@

    Set Security Center contact details

    Security · Microsoft Defender for Cloud + · Rule · 2020_06

    Microsoft Defender for Cloud email and phone contact details should be set.

    Description#

    diff --git a/en/rules/Azure.DefenderCloud.Provisioning/index.html b/en/rules/Azure.DefenderCloud.Provisioning/index.html
index 15953ee175..bc5213847d 100644
--- a/en/rules/Azure.DefenderCloud.Provisioning/index.html
+++ b/en/rules/Azure.DefenderCloud.Provisioning/index.html
@@ -12067,6 +12067,7 @@

    Enable Microsoft

    Security · Microsoft Defender for Cloud + · Rule · 2020_06

    Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.

    Description#

    diff --git a/en/rules/Azure.Deployment.AdminUsername/index.html b/en/rules/Azure.Deployment.AdminUsername/index.html
index 4615e9236a..e89a234374 100644
--- a/en/rules/Azure.Deployment.AdminUsername/index.html
+++ b/en/rules/Azure.Deployment.AdminUsername/index.html
@@ -12135,6 +12135,7 @@

    Administrator Username TypesAzure.Deployment.AdminUsernameAZR-000284Error

    Security · Deployment + · Rule · 2022_09

    Use secure parameters for sensitive resource properties.

    Description#

    diff --git a/en/rules/Azure.Deployment.Name/index.html b/en/rules/Azure.Deployment.Name/index.html
index 14d46bf4a0..2566607f2c 100644
--- a/en/rules/Azure.Deployment.Name/index.html
+++ b/en/rules/Azure.Deployment.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid nested deployments namesAzure.Deployment.NameAZR-000359Error

    Operational Excellence · Deployment + · Rule · 2023_03

    Nested deployments should meet naming requirements of deployments.

    Description#

    diff --git a/en/rules/Azure.Deployment.OuterSecret/index.html b/en/rules/Azure.Deployment.OuterSecret/index.html
index 02a00bf8b6..8563eebc35 100644
--- a/en/rules/Azure.Deployment.OuterSecret/index.html
+++ b/en/rules/Azure.Deployment.OuterSecret/index.html
@@ -12121,6 +12121,7 @@

    Secret value in deployment outputAzure.Deployment.OuterSecretAZR-000331Error

    Security · Deployment + · Rule · 2022_12

    Do not use Outer deployments when references SecureString or SecureObject parameters.

    Description#

    diff --git a/en/rules/Azure.Deployment.OutputSecretValue/index.html b/en/rules/Azure.Deployment.OutputSecretValue/index.html
index 8470cf6cba..e27ca3a64c 100644
--- a/en/rules/Azure.Deployment.OutputSecretValue/index.html
+++ b/en/rules/Azure.Deployment.OutputSecretValue/index.html
@@ -12121,6 +12121,7 @@

    Secret value in deployment outputAzure.Deployment.OutputSecretValueAZR-000279Error

    Security · Deployment + · Rule · 2022_06

    Avoid outputting sensitive deployment values.

    Description#

    diff --git a/en/rules/Azure.Deployment.SecureValue/index.html b/en/rules/Azure.Deployment.SecureValue/index.html
index d6fc9c0571..6413265022 100644
--- a/en/rules/Azure.Deployment.SecureValue/index.html
+++ b/en/rules/Azure.Deployment.SecureValue/index.html
@@ -12135,6 +12135,7 @@

    Use secure resource valuesAzure.Deployment.SecureValueAZR-000316Error

    Security · Deployment + · Rule · 2022_12

    Use secure parameters for setting properties of resources that contain sensitive information.

    Description#

    diff --git a/en/rules/Azure.EventGrid.DisableLocalAuth/index.html b/en/rules/Azure.EventGrid.DisableLocalAuth/index.html
index 609c11d8f5..30f581d564 100644
--- a/en/rules/Azure.EventGrid.DisableLocalAuth/index.html
+++ b/en/rules/Azure.EventGrid.DisableLocalAuth/index.html
@@ -12121,6 +12121,7 @@

    Use identity-ba

    Security · Event Grid + · Rule · 2022_09

    Authenticate publishing clients with Azure AD identities.

    Description#

    diff --git a/en/rules/Azure.EventGrid.ManagedIdentity/index.html b/en/rules/Azure.EventGrid.ManagedIdentity/index.html
index b157cceaff..88d453647d 100644
--- a/en/rules/Azure.EventGrid.ManagedIdentity/index.html
+++ b/en/rules/Azure.EventGrid.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    Use Managed Identity for Eve

    Security · Event Grid + · Rule · 2021_12

    Use managed identities to deliver Event Grid Topic events.

    Description#

    diff --git a/en/rules/Azure.EventGrid.TopicPublicAccess/index.html b/en/rules/Azure.EventGrid.TopicPublicAccess/index.html
index 57525421a6..ec9454d555 100644
--- a/en/rules/Azure.EventGrid.TopicPublicAccess/index.html
+++ b/en/rules/Azure.EventGrid.TopicPublicAccess/index.html
@@ -12121,6 +12121,7 @@

    Use Event Grid Private EndpointsAzure.EventGrid.TopicPublicAccessAZR-000098Error

    Security · Event Grid + · Rule · 2021_12

    Use Private Endpoints to access Event Grid topics and domains.

    Description#

    diff --git a/en/rules/Azure.EventHub.DisableLocalAuth/index.html b/en/rules/Azure.EventHub.DisableLocalAuth/index.html
index 8ad9e3868e..338bd5fa29 100644
--- a/en/rules/Azure.EventHub.DisableLocalAuth/index.html
+++ b/en/rules/Azure.EventHub.DisableLocalAuth/index.html
@@ -12121,6 +12121,7 @@

    Use identity

    Security · Event Hub + · Rule · 2022_03

    Authenticate Event Hub publishers and consumers with Azure AD identities.

    Description#

    diff --git a/en/rules/Azure.EventHub.MinTLS/index.html b/en/rules/Azure.EventHub.MinTLS/index.html
index ff80594ad3..cec38dc078 100644
--- a/en/rules/Azure.EventHub.MinTLS/index.html
+++ b/en/rules/Azure.EventHub.MinTLS/index.html
@@ -12121,6 +12121,7 @@

    Minimum TLS versionAzure.EventHub.MinTLSAZR-000356Error

    Security · Event Hub + · Rule · 2023_03

    Event Hub namespaces should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.EventHub.Usage/index.html b/en/rules/Azure.EventHub.Usage/index.html index 9ff9138b08..bed626fa68 100644 --- a/en/rules/Azure.EventHub.Usage/index.html +++ b/en/rules/Azure.EventHub.Usage/index.html @@ -12081,6 +12081,7 @@

    Remove unused Event Hub namespacesAzure.EventHub.UsageAZR-000101Error

    Cost Optimization · Event Hub + · Rule · 2022_03

    Regularly remove unused resources to reduce costs.

    Description#

    diff --git a/en/rules/Azure.Firewall.Mode/index.html b/en/rules/Azure.Firewall.Mode/index.html index 2880746be2..958056e70c 100644 --- a/en/rules/Azure.Firewall.Mode/index.html +++ b/en/rules/Azure.Firewall.Mode/index.html @@ -12107,6 +12107,7 @@

    Conf

    Security · Firewall + · Rule · 2020_06

    Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.

    Description#

    diff --git a/en/rules/Azure.Firewall.Name/index.html b/en/rules/Azure.Firewall.Name/index.html index d83decf46b..d6e1cf91b2 100644 --- a/en/rules/Azure.Firewall.Name/index.html +++ b/en/rules/Azure.Firewall.Name/index.html @@ -12135,6 +12135,7 @@

    Use valid Firewall namesAzure.Firewall.NameAZR-000103Error

    Operational Excellence · Firewall + · Rule · 2021_12

    Firewall names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Firewall.PolicyMode/index.html b/en/rules/Azure.Firewall.PolicyMode/index.html index 3079914340..ace12a91cb 100644 --- a/en/rules/Azure.Firewall.PolicyMode/index.html +++ b/en/rules/Azure.Firewall.PolicyMode/index.html @@ -12121,6 +12121,7 @@

    Threat intelligence-based filtering

    Security · Firewall + · Rule · 2023_09

    Deny high confidence malicious IP addresses, domains and URLs.

    Description#

    diff --git a/en/rules/Azure.Firewall.PolicyName/index.html b/en/rules/Azure.Firewall.PolicyName/index.html index 8e6ca9bf9b..cd3ad68edf 100644 --- a/en/rules/Azure.Firewall.PolicyName/index.html +++ b/en/rules/Azure.Firewall.PolicyName/index.html @@ -12081,6 +12081,7 @@

    Use valid Firewall policy namesAzure.Firewall.PolicyNameAZR-000104Error

    Operational Excellence · Firewall + · Rule · 2021_12

    Firewall policy names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.Logs/index.html b/en/rules/Azure.FrontDoor.Logs/index.html index 90881e791d..9d89892087 100644 --- a/en/rules/Azure.FrontDoor.Logs/index.html +++ b/en/rules/Azure.FrontDoor.Logs/index.html @@ -12121,6 +12121,7 @@

    Audit Front Door AccessAzure.FrontDoor.LogsAZR-000107Error

    Security · Front Door + · Rule · 2020_06

    Audit and monitor access through Front Door.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.ManagedIdentity/index.html b/en/rules/Azure.FrontDoor.ManagedIdentity/index.html index b56acc934d..59df28f394 100644 --- a/en/rules/Azure.FrontDoor.ManagedIdentity/index.html +++ b/en/rules/Azure.FrontDoor.ManagedIdentity/index.html @@ -12135,6 +12135,7 @@

    Managed identityAzure.FrontDoor.ManagedIdentityAZR-000396Error

    Security · Front Door + · Rule · 2023_09

    Ensure Front Door uses a managed identity to authorize access to Azure resources.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.MinTLS/index.html b/en/rules/Azure.FrontDoor.MinTLS/index.html index c6fb3c811b..a50845754e 100644 --- a/en/rules/Azure.FrontDoor.MinTLS/index.html +++ b/en/rules/Azure.FrontDoor.MinTLS/index.html @@ -12121,6 +12121,7 @@

    Front Door Minimum TLSAzure.FrontDoor.MinTLSAZR-000106Error

    Security · Front Door + · Rule · 2020_06

    Front Door Classic instances should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.Name/index.html b/en/rules/Azure.FrontDoor.Name/index.html index 869458f27f..c34f616adf 100644 --- a/en/rules/Azure.FrontDoor.Name/index.html +++ b/en/rules/Azure.FrontDoor.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid Front Door namesAzure.FrontDoor.NameAZR-000113Error

    Operational Excellence · Front Door + · Rule · 2020_06

    Front Door names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.Probe/index.html b/en/rules/Azure.FrontDoor.Probe/index.html index 5508d49c52..a9b7926ce4 100644 --- a/en/rules/Azure.FrontDoor.Probe/index.html +++ b/en/rules/Azure.FrontDoor.Probe/index.html @@ -12149,6 +12149,7 @@

    Use Health Probes for Front D

    Reliability · Front Door + · Rule · 2021_03

    Use health probes to check the health of each backend.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.ProbeMethod/index.html b/en/rules/Azure.FrontDoor.ProbeMethod/index.html index a56df6759c..e0ca87f4ef 100644 --- a/en/rules/Azure.FrontDoor.ProbeMethod/index.html +++ b/en/rules/Azure.FrontDoor.ProbeMethod/index.html @@ -12149,6 +12149,7 @@

    Use HEAD health probes f

    Reliability · Front Door + · Rule · 2021_03

    Configure health probes to use HEAD requests to reduce performance overhead.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.ProbePath/index.html b/en/rules/Azure.FrontDoor.ProbePath/index.html index d150f0827b..12771a031b 100644 --- a/en/rules/Azure.FrontDoor.ProbePath/index.html +++ b/en/rules/Azure.FrontDoor.ProbePath/index.html @@ -12149,6 +12149,7 @@

    Use a Dedicated

    Reliability · Front Door + · Rule · 2021_03

    Configure a dedicated path for health probe requests.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.State/index.html b/en/rules/Azure.FrontDoor.State/index.html index d3422c3b43..67336709fc 100644 --- a/en/rules/Azure.FrontDoor.State/index.html +++ b/en/rules/Azure.FrontDoor.State/index.html @@ -12121,6 +12121,7 @@

    Enable Front Door Classic instanceAzure.FrontDoor.StateAZR-000112Error

    Cost Optimization · Front Door + · Rule · 2020_06

    Enable Azure Front Door Classic instance.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.UseCaching/index.html b/en/rules/Azure.FrontDoor.UseCaching/index.html index ece46abd8c..cfd877d7ba 100644 --- a/en/rules/Azure.FrontDoor.UseCaching/index.html +++ b/en/rules/Azure.FrontDoor.UseCaching/index.html @@ -12135,6 +12135,7 @@

    Use cachingAzure.FrontDoor.UseCachingAZR-000320Error

    Performance Efficiency · Front Door + · Rule · 2022_12

    Use caching to reduce retrieving contents from origins.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.UseWAF/index.html b/en/rules/Azure.FrontDoor.UseWAF/index.html index 9f8ccb8f13..3efdaf2dec 100644 --- a/en/rules/Azure.FrontDoor.UseWAF/index.html +++ b/en/rules/Azure.FrontDoor.UseWAF/index.html @@ -12067,6 +12067,7 @@

    Front Door endpoints should use WAF

    Security · Front Door + · Rule · 2020_06

    Enable Web Application Firewall (WAF) policies on each Front Door endpoint.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.WAF.Enabled/index.html b/en/rules/Azure.FrontDoor.WAF.Enabled/index.html index c18b987859..ad2d244dc9 100644 --- a/en/rules/Azure.FrontDoor.WAF.Enabled/index.html +++ b/en/rules/Azure.FrontDoor.WAF.Enabled/index.html @@ -12067,6 +12067,7 @@

    Enable Front Door WAF policyAzure.FrontDoor.WAF.EnabledAZR-000115Error

    Security · Front Door + · Rule · 2020_06

    Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.WAF.Mode/index.html b/en/rules/Azure.FrontDoor.WAF.Mode/index.html index 09c67c0a01..36ab2095ff 100644 --- a/en/rules/Azure.FrontDoor.WAF.Mode/index.html +++ b/en/rules/Azure.FrontDoor.WAF.Mode/index.html @@ -12067,6 +12067,7 @@

    Use Front Door WAF policy

    Security · Front Door + · Rule · 2020_06

    Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.FrontDoor.WAF.Name/index.html b/en/rules/Azure.FrontDoor.WAF.Name/index.html index c8331069e2..d2c4938a00 100644 --- a/en/rules/Azure.FrontDoor.WAF.Name/index.html +++ b/en/rules/Azure.FrontDoor.WAF.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid Front Door WAF policy n

    Operational Excellence · Front Door + · Rule · 2020_12

    Front Door WAF policy names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.FrontDoorWAF.Enabled/index.html b/en/rules/Azure.FrontDoorWAF.Enabled/index.html index 6d397bb3ed..839880ada4 100644 --- a/en/rules/Azure.FrontDoorWAF.Enabled/index.html +++ b/en/rules/Azure.FrontDoorWAF.Enabled/index.html @@ -12121,6 +12121,7 @@

    Enable Front Door WAF policyAzure.FrontDoorWAF.EnabledAZR-000305Error

    Security · Front Door + · Rule · 2022_09

    Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.FrontDoorWAF.Exclusions/index.html b/en/rules/Azure.FrontDoorWAF.Exclusions/index.html index 6d48c0b144..8dead78a5b 100644 --- a/en/rules/Azure.FrontDoorWAF.Exclusions/index.html +++ b/en/rules/Azure.FrontDoorWAF.Exclusions/index.html @@ -12121,6 +12121,7 @@

    Avoid configuring Fron

    Security · Front Door + · Rule · 2022_09

    Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.

    diff --git a/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html b/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html index f07248eac7..1504ddf683 100644 --- a/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html +++ b/en/rules/Azure.FrontDoorWAF.PreventionMode/index.html @@ -12121,6 +12121,7 @@

    Use Front Door WAF policy

    Security · Front Door + · Rule · 2022_09

    Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.FrontDoorWAF.RuleGroups/index.html b/en/rules/Azure.FrontDoorWAF.RuleGroups/index.html index 28382d5a9f..124157163f 100644 --- a/en/rules/Azure.FrontDoorWAF.RuleGroups/index.html +++ b/en/rules/Azure.FrontDoorWAF.RuleGroups/index.html @@ -12121,6 +12121,7 @@

    Use Recommended Front

    Security · Front Door + · Rule · 2022_09

    Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    Description#

    diff --git a/en/rules/Azure.Identity.UserAssignedName/index.html b/en/rules/Azure.Identity.UserAssignedName/index.html index 4a9c671d3c..f935babe9f 100644 --- a/en/rules/Azure.Identity.UserAssignedName/index.html +++ b/en/rules/Azure.Identity.UserAssignedName/index.html @@ -12081,6 +12081,7 @@

    Use valid Managed Identity namesAzure.Identity.UserAssignedNameAZR-000117Error

    Operational Excellence · User Assigned Managed Identity + · Rule · 2021_12

    Managed Identity names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.IoTHub.MinTLS/index.html b/en/rules/Azure.IoTHub.MinTLS/index.html index b2d24d8bca..747560718e 100644 --- a/en/rules/Azure.IoTHub.MinTLS/index.html +++ b/en/rules/Azure.IoTHub.MinTLS/index.html @@ -12135,6 +12135,7 @@

    Minimum TLS versionAzure.IoTHub.MinTLSAZR-000357Error

    Security · IoT Hub + · Rule · 2023_03

    IoT Hubs should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.KeyVault.AccessPolicy/index.html b/en/rules/Azure.KeyVault.AccessPolicy/index.html index 449ba8e1a8..0ccf353936 100644 --- a/en/rules/Azure.KeyVault.AccessPolicy/index.html +++ b/en/rules/Azure.KeyVault.AccessPolicy/index.html @@ -12121,6 +12121,7 @@

    Limit access to Key Vault dataAzure.KeyVault.AccessPolicyAZR-000118Error

    Security · Key Vault + · Rule · 2020_06

    Use the principal of least privilege when assigning access to Key Vault.

    Description#

    diff --git a/en/rules/Azure.KeyVault.AutoRotationPolicy/index.html b/en/rules/Azure.KeyVault.AutoRotationPolicy/index.html index d094f24a7d..a7ba77d720 100644 --- a/en/rules/Azure.KeyVault.AutoRotationPolicy/index.html +++ b/en/rules/Azure.KeyVault.AutoRotationPolicy/index.html @@ -12121,6 +12121,7 @@

    Enable Key Vault key auto-rotationAzure.KeyVault.AutoRotationPolicyAZR-000123Error

    Security · Key Vault + · Rule · 2022_09

    Key Vault keys should have auto-rotation enabled.

    Description#

    diff --git a/en/rules/Azure.KeyVault.Firewall/index.html b/en/rules/Azure.KeyVault.Firewall/index.html index ec4097be2e..4fe715e2e6 100644 --- a/en/rules/Azure.KeyVault.Firewall/index.html +++ b/en/rules/Azure.KeyVault.Firewall/index.html @@ -12121,6 +12121,7 @@

    Configure Azure Key Vault firewallAzure.KeyVault.FirewallAZR-000355Error

    Security · Key Vault + · Rule · 2023_03

    Key Vault should only accept explicitly allowed traffic.

    Description#

    diff --git a/en/rules/Azure.KeyVault.KeyName/index.html b/en/rules/Azure.KeyVault.KeyName/index.html index ecfd4f0b45..fe5b9607af 100644 --- a/en/rules/Azure.KeyVault.KeyName/index.html +++ b/en/rules/Azure.KeyVault.KeyName/index.html @@ -12081,6 +12081,7 @@

    Use valid Key Vault Key namesAzure.KeyVault.KeyNameAZR-000122Error

    Operational Excellence · Key Vault + · Rule · 2021_03

    Key Vault Key names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.KeyVault.Logs/index.html b/en/rules/Azure.KeyVault.Logs/index.html index 9330f0097d..4c5f6c47b8 100644 --- a/en/rules/Azure.KeyVault.Logs/index.html +++ b/en/rules/Azure.KeyVault.Logs/index.html @@ -12121,6 +12121,7 @@

    Audit Key Vault Data AccessAzure.KeyVault.LogsAZR-000119Error

    Security · Key Vault + · Rule · 2020_06

    Ensure audit diagnostics logs are enabled to audit Key Vault access.

    Description#

    diff --git a/en/rules/Azure.KeyVault.Name/index.html b/en/rules/Azure.KeyVault.Name/index.html index d1fded88d3..15e926bd3a 100644 --- a/en/rules/Azure.KeyVault.Name/index.html +++ b/en/rules/Azure.KeyVault.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid Key Vault namesAzure.KeyVault.NameAZR-000120Error

    Operational Excellence · Key Vault + · Rule · 2021_03

    Key Vault names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.KeyVault.PurgeProtect/index.html b/en/rules/Azure.KeyVault.PurgeProtect/index.html index 9dc94cc8a3..c7d1586983 100644 --- a/en/rules/Azure.KeyVault.PurgeProtect/index.html +++ b/en/rules/Azure.KeyVault.PurgeProtect/index.html @@ -12135,6 +12135,7 @@

    Use Key Vault Purge ProtectionAzure.KeyVault.PurgeProtectAZR-000125Error

    Reliability · Key Vault + · Rule · 2020_06

    Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.

    Description#

    diff --git a/en/rules/Azure.KeyVault.RBAC/index.html b/en/rules/Azure.KeyVault.RBAC/index.html index 54a420c2b6..218932d5c3 100644 --- a/en/rules/Azure.KeyVault.RBAC/index.html +++ b/en/rules/Azure.KeyVault.RBAC/index.html @@ -12163,6 +12163,7 @@

    Use Azure role-based access control

    Security · Key Vault + · Rule · 2023_06

    Key Vaults should use Azure RBAC as the authorization system for the data plane.

    Description#

    diff --git a/en/rules/Azure.KeyVault.SecretName/index.html b/en/rules/Azure.KeyVault.SecretName/index.html index f0fa59ef22..472dcf1d32 100644 --- a/en/rules/Azure.KeyVault.SecretName/index.html +++ b/en/rules/Azure.KeyVault.SecretName/index.html @@ -12081,6 +12081,7 @@

    Use valid Key Vault Secret namesAzure.KeyVault.SecretNameAZR-000121Error

    Operational Excellence · Key Vault + · Rule · 2021_03

    Key Vault Secret names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.KeyVault.SoftDelete/index.html b/en/rules/Azure.KeyVault.SoftDelete/index.html index 76b391029b..e40df572e8 100644 --- a/en/rules/Azure.KeyVault.SoftDelete/index.html +++ b/en/rules/Azure.KeyVault.SoftDelete/index.html @@ -12121,6 +12121,7 @@

    Use Key Vault Soft DeleteAzure.KeyVault.SoftDeleteAZR-000124Error

    Reliability · Key Vault + · Rule · 2020_06

    Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.

    Description#

    diff --git a/en/rules/Azure.LB.AvailabilityZone/index.html b/en/rules/Azure.LB.AvailabilityZone/index.html index 586c115e67..f128b760a6 100644 --- a/en/rules/Azure.LB.AvailabilityZone/index.html +++ b/en/rules/Azure.LB.AvailabilityZone/index.html @@ -12135,6 +12135,7 @@

    Load balancers should be zone-r

    Reliability · Load Balancer + · Rule · 2021_09

    Load balancers deployed with Standard SKU should be zone-redundant for high availability.

    Description#

    diff --git a/en/rules/Azure.LB.Name/index.html b/en/rules/Azure.LB.Name/index.html index 51ae4cb7b9..0b11cd6193 100644 --- a/en/rules/Azure.LB.Name/index.html +++ b/en/rules/Azure.LB.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid Load Balancer namesAzure.LB.NameAZR-000129Error

    Operational Excellence · Load Balancer + · Rule · 2020_06

    Load Balancer names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.LB.Probe/index.html b/en/rules/Azure.LB.Probe/index.html index b913dfbcb3..475473c320 100644 --- a/en/rules/Azure.LB.Probe/index.html +++ b/en/rules/Azure.LB.Probe/index.html @@ -12067,6 +12067,7 @@

    Use specific load balancer probeAzure.LB.ProbeAZR-000126Error

    Reliability · Load Balancer + · Rule · 2020_06

    Use a specific probe for web protocols.

    Description#

    diff --git a/en/rules/Azure.LB.StandardSKU/index.html b/en/rules/Azure.LB.StandardSKU/index.html index 57f0552c3a..416b42f8be 100644 --- a/en/rules/Azure.LB.StandardSKU/index.html +++ b/en/rules/Azure.LB.StandardSKU/index.html @@ -12121,6 +12121,7 @@

    Load balancers should use Standa

    Reliability · Load Balancer + · Rule · 2021_09

    Load balancers should be deployed with Standard SKU for production workloads.

    Description#

    diff --git a/en/rules/Azure.LogicApp.LimitHTTPTrigger/index.html b/en/rules/Azure.LogicApp.LimitHTTPTrigger/index.html index e6fe20412c..de17d9b571 100644 --- a/en/rules/Azure.LogicApp.LimitHTTPTrigger/index.html +++ b/en/rules/Azure.LogicApp.LimitHTTPTrigger/index.html @@ -12067,6 +12067,7 @@

    Limit Logic App HTTP request trig

    Security · Logic App + · Rule · 2020_12

    Limit HTTP request trigger access to trusted IP addresses.

    Description#

    diff --git a/en/rules/Azure.MariaDB.AllowAzureAccess/index.html b/en/rules/Azure.MariaDB.AllowAzureAccess/index.html index 0f1afe2a7d..de07eec0bd 100644 --- a/en/rules/Azure.MariaDB.AllowAzureAccess/index.html +++ b/en/rules/Azure.MariaDB.AllowAzureAccess/index.html @@ -12121,6 +12121,7 @@

    Disable Ma

    Security · Azure Database for MariaDB + · Rule · 2022_12

    Determine if access from Azure services is required.

    Description#

    diff --git a/en/rules/Azure.MariaDB.DatabaseName/index.html b/en/rules/Azure.MariaDB.DatabaseName/index.html index e1a8b227b0..5252d94ae2 100644 --- a/en/rules/Azure.MariaDB.DatabaseName/index.html +++ b/en/rules/Azure.MariaDB.DatabaseName/index.html @@ -12081,6 +12081,7 @@

    Use valid database namesAzure.MariaDB.DatabaseNameAZR-000337Error

    Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB databases should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.MariaDB.DefenderCloud/index.html b/en/rules/Azure.MariaDB.DefenderCloud/index.html index 0dabef213b..29f53de351 100644 --- a/en/rules/Azure.MariaDB.DefenderCloud/index.html +++ b/en/rules/Azure.MariaDB.DefenderCloud/index.html @@ -12121,6 +12121,7 @@

    Use Microsoft DefenderAzure.MariaDB.DefenderCloudAZR-000330Error

    Security · Azure Database for MariaDB + · Rule · 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for MariaDB.

    Description#

    diff --git a/en/rules/Azure.MariaDB.FirewallIPRange/index.html b/en/rules/Azure.MariaDB.FirewallIPRange/index.html index 1c1dd8ba73..dfec491901 100644 --- a/en/rules/Azure.MariaDB.FirewallIPRange/index.html +++ b/en/rules/Azure.MariaDB.FirewallIPRange/index.html @@ -12081,6 +12081,7 @@

    Revi

    Security · Azure Database for MariaDB + · Rule · 2022_12

    Determine if there is an excessive number of permitted IP addresses.

    Description#

    diff --git a/en/rules/Azure.MariaDB.FirewallRuleCount/index.html b/en/rules/Azure.MariaDB.FirewallRuleCount/index.html index 9e6a9d5c63..0fa9cdbb50 100644 --- a/en/rules/Azure.MariaDB.FirewallRuleCount/index.html +++ b/en/rules/Azure.MariaDB.FirewallRuleCount/index.html @@ -12081,6 +12081,7 @@

    Review Azure MariaDB server

    Security · Azure Database for MariaDB + · Rule · 2022_12

    Determine if there is an excessive number of firewall rules.

    Description#

    diff --git a/en/rules/Azure.MariaDB.FirewallRuleName/index.html b/en/rules/Azure.MariaDB.FirewallRuleName/index.html index 757cacc1cd..cd828c568a 100644 --- a/en/rules/Azure.MariaDB.FirewallRuleName/index.html +++ b/en/rules/Azure.MariaDB.FirewallRuleName/index.html @@ -12081,6 +12081,7 @@

    Use valid firewall rule namesAzure.MariaDB.FirewallRuleNameAZR-000338Error

    Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB firewall rules should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.MariaDB.GeoRedundantBackup/index.html b/en/rules/Azure.MariaDB.GeoRedundantBackup/index.html index 5d8dbf8616..3fadb3e30b 100644 --- a/en/rules/Azure.MariaDB.GeoRedundantBackup/index.html +++ b/en/rules/Azure.MariaDB.GeoRedundantBackup/index.html @@ -12135,6 +12135,7 @@

    Configure geo-redundant backupAzure.MariaDB.GeoRedundantBackupAZR-000329Error

    Reliability · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB should store backups in a geo-redundant storage.

    Description#

    diff --git a/en/rules/Azure.MariaDB.MinTLS/index.html b/en/rules/Azure.MariaDB.MinTLS/index.html index a65175ad97..ed88924856 100644 --- a/en/rules/Azure.MariaDB.MinTLS/index.html +++ b/en/rules/Azure.MariaDB.MinTLS/index.html @@ -12121,6 +12121,7 @@

    Minimum TLS versionAzure.MariaDB.MinTLSAZR-000335Error

    Security · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB servers should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.MariaDB.ServerName/index.html b/en/rules/Azure.MariaDB.ServerName/index.html index 635f894c21..52ade98eb8 100644 --- a/en/rules/Azure.MariaDB.ServerName/index.html +++ b/en/rules/Azure.MariaDB.ServerName/index.html @@ -12135,6 +12135,7 @@

    Use valid server namesAzure.MariaDB.ServerNameAZR-000336Error

    Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB servers should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.MariaDB.UseSSL/index.html b/en/rules/Azure.MariaDB.UseSSL/index.html index 7d92b85ab5..e57cb5f569 100644 --- a/en/rules/Azure.MariaDB.UseSSL/index.html +++ b/en/rules/Azure.MariaDB.UseSSL/index.html @@ -12121,6 +12121,7 @@

    Encrypted connectionsAzure.MariaDB.UseSSLAZR-000334Error

    Security · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB servers should only accept encrypted connections.

    Description#

    diff --git a/en/rules/Azure.MariaDB.VNETRuleName/index.html b/en/rules/Azure.MariaDB.VNETRuleName/index.html index 5603787a19..7250c21f0b 100644 --- a/en/rules/Azure.MariaDB.VNETRuleName/index.html +++ b/en/rules/Azure.MariaDB.VNETRuleName/index.html @@ -12081,6 +12081,7 @@

    Use valid VNET rule namesAzure.MariaDB.VNETRuleNameAZR-000339Error

    Operational Excellence · Azure Database for MariaDB + · Rule · 2022_12

    Azure Database for MariaDB VNET rules should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Monitor.ServiceHealth/index.html b/en/rules/Azure.Monitor.ServiceHealth/index.html index 43890c8677..198d020b7f 100644 --- a/en/rules/Azure.Monitor.ServiceHealth/index.html +++ b/en/rules/Azure.Monitor.ServiceHealth/index.html @@ -12067,6 +12067,7 @@

    Alert on service eventsAzure.Monitor.ServiceHealthAZR-000211Error

    Operational Excellence · Monitor + · Rule · 2020_06

    Configure Service Health alerts to notify administrators.

    Description#

    diff --git a/en/rules/Azure.MySQL.AAD/index.html b/en/rules/Azure.MySQL.AAD/index.html index f808b7dc87..755f256eb1 100644 --- a/en/rules/Azure.MySQL.AAD/index.html +++ b/en/rules/Azure.MySQL.AAD/index.html @@ -12135,6 +12135,7 @@

    Use AAD authentication with

    Security · Azure Database for MySQL + · Rule · 2023_06

    Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.

    Description#

    diff --git a/en/rules/Azure.MySQL.AADOnly/index.html b/en/rules/Azure.MySQL.AADOnly/index.html index 64a055168c..e7442b21f1 100644 --- a/en/rules/Azure.MySQL.AADOnly/index.html +++ b/en/rules/Azure.MySQL.AADOnly/index.html @@ -12135,6 +12135,7 @@

    Azure AD-only authenticationAzure.MySQL.AADOnlyAZR-000394Error

    Security · Azure Database for MySQL + · Rule · 2023_09

    Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.

    Description#

    diff --git a/en/rules/Azure.MySQL.AllowAzureAccess/index.html b/en/rules/Azure.MySQL.AllowAzureAccess/index.html index 5ca80539c2..8d9109d69a 100644 --- a/en/rules/Azure.MySQL.AllowAzureAccess/index.html +++ b/en/rules/Azure.MySQL.AllowAzureAccess/index.html @@ -12067,6 +12067,7 @@

    Disable MySQL Allow Azur

    Security · Azure Database for MySQL + · Rule · 2020_06

    Determine if access from Azure services is required.

    Description#

    diff --git a/en/rules/Azure.MySQL.DefenderCloud/index.html b/en/rules/Azure.MySQL.DefenderCloud/index.html index 16bd9a7f68..1e594b2411 100644 --- a/en/rules/Azure.MySQL.DefenderCloud/index.html +++ b/en/rules/Azure.MySQL.DefenderCloud/index.html @@ -12135,6 +12135,7 @@

    Use Microsoft DefenderAzure.MySQL.DefenderCloudAZR-000328Error

    Security · Azure Database for MySQL + · Rule · 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for MySQL.

    Description#

    diff --git a/en/rules/Azure.MySQL.FirewallIPRange/index.html b/en/rules/Azure.MySQL.FirewallIPRange/index.html index 8dad049139..7d307c9c77 100644 --- a/en/rules/Azure.MySQL.FirewallIPRange/index.html +++ b/en/rules/Azure.MySQL.FirewallIPRange/index.html @@ -12067,6 +12067,7 @@

    Limit MySQL server firewall rule

    Security · Azure Database for MySQL + · Rule · 2020_06

    Determine if there is an excessive number of permitted IP addresses.

    Description#

    diff --git a/en/rules/Azure.MySQL.FirewallRuleCount/index.html b/en/rules/Azure.MySQL.FirewallRuleCount/index.html index 17c593deb5..cb609a673f 100644 --- a/en/rules/Azure.MySQL.FirewallRuleCount/index.html +++ b/en/rules/Azure.MySQL.FirewallRuleCount/index.html @@ -12067,6 +12067,7 @@

    Cleanup MySQL server firewall rules

    Security · Azure Database for MySQL + · Rule · 2020_06

    Determine if there is an excessive number of firewall rules.

    Description#

    diff --git a/en/rules/Azure.MySQL.GeoRedundantBackup/index.html b/en/rules/Azure.MySQL.GeoRedundantBackup/index.html index 7cf9fe8a95..34244211fb 100644 --- a/en/rules/Azure.MySQL.GeoRedundantBackup/index.html +++ b/en/rules/Azure.MySQL.GeoRedundantBackup/index.html @@ -12135,6 +12135,7 @@

    Configure geo-redundant backupAzure.MySQL.GeoRedundantBackupAZR-000323Error

    Reliability · Azure Database for MySQL + · Rule · 2022_12

    Azure Database for MySQL should store backups in a geo-redundant storage.

    Description#

    diff --git a/en/rules/Azure.MySQL.MinTLS/index.html b/en/rules/Azure.MySQL.MinTLS/index.html index a9758371a8..ece0470890 100644 --- a/en/rules/Azure.MySQL.MinTLS/index.html +++ b/en/rules/Azure.MySQL.MinTLS/index.html @@ -12067,6 +12067,7 @@

    MySQL DB server minimum TLS version

    Security · Azure Database for MySQL + · Rule · 2020_09

    MySQL DB servers should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.MySQL.ServerName/index.html b/en/rules/Azure.MySQL.ServerName/index.html index 0df3e3bf82..b515fa0723 100644 --- a/en/rules/Azure.MySQL.ServerName/index.html +++ b/en/rules/Azure.MySQL.ServerName/index.html @@ -12081,6 +12081,7 @@

    Use valid MySQL DB server namesAzure.MySQL.ServerNameAZR-000136Error

    Operational Excellence · Azure Database for MySQL + · Rule · 2020_12

    Azure MySQL DB server names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.MySQL.UseFlexible/index.html b/en/rules/Azure.MySQL.UseFlexible/index.html index a9f767b1b3..f90693d90a 100644 --- a/en/rules/Azure.MySQL.UseFlexible/index.html +++ b/en/rules/Azure.MySQL.UseFlexible/index.html @@ -12067,6 +12067,7 @@

    Use Azure Database for MyS

    Operational Excellence · Azure Database for MySQL + · Rule · 2022_12

    Use Azure Database for MySQL Flexible Server deployment model.

    Description#

    diff --git a/en/rules/Azure.MySQL.UseSSL/index.html b/en/rules/Azure.MySQL.UseSSL/index.html index 8e56e2d2d5..5c274b4900 100644 --- a/en/rules/Azure.MySQL.UseSSL/index.html +++ b/en/rules/Azure.MySQL.UseSSL/index.html @@ -12067,6 +12067,7 @@

    Enforce encrypted MySQL connections

    Security · Azure Database for MySQL + · Rule · 2020_06

    Enforce encrypted MySQL connections.

    Description#

    diff --git a/en/rules/Azure.NSG.AKSRules/index.html b/en/rules/Azure.NSG.AKSRules/index.html index 3f858776a6..8d58a18c7f 100644 --- a/en/rules/Azure.NSG.AKSRules/index.html +++ b/en/rules/Azure.NSG.AKSRules/index.html @@ -12067,6 +12067,7 @@

    No custom NSG rules for AKS ma

    Operational Excellence · Network Security Group + · Rule · 2022_09

    AKS Network Security Group (NSG) should not have custom rules.

    Description#

    diff --git a/en/rules/Azure.NSG.AnyInboundSource/index.html b/en/rules/Azure.NSG.AnyInboundSource/index.html index 44a25e21a5..01f36efcb5 100644 --- a/en/rules/Azure.NSG.AnyInboundSource/index.html +++ b/en/rules/Azure.NSG.AnyInboundSource/index.html @@ -12121,6 +12121,7 @@

    Avoid rules that allow

    Security · Network Security Group + · Rule · 2020_06

    Network security groups (NSGs) should avoid rules that allow "any" as an inbound source.

    Description#

    diff --git a/en/rules/Azure.NSG.Associated/index.html b/en/rules/Azure.NSG.Associated/index.html index 3db4ecc277..99f841d9b8 100644 --- a/en/rules/Azure.NSG.Associated/index.html +++ b/en/rules/Azure.NSG.Associated/index.html @@ -12067,6 +12067,7 @@

    Associate NSGs or clean them upAzure.NSG.AssociatedAZR-000140Error

    Operational Excellence · Network Security Group + · Rule · 2020_06

    Network Security Groups (NSGs) should be associated to a subnet or network interface.

    Description#

    diff --git a/en/rules/Azure.NSG.DenyAllInbound/index.html b/en/rules/Azure.NSG.DenyAllInbound/index.html index 92ebe1ae8e..5e687af8fe 100644 --- a/en/rules/Azure.NSG.DenyAllInbound/index.html +++ b/en/rules/Azure.NSG.DenyAllInbound/index.html @@ -12121,6 +12121,7 @@

    Avoid denying all inbound trafficAzure.NSG.DenyAllInboundAZR-000138Error

    Operational Excellence · Network Security Group + · Rule · 2020_06

    Avoid denying all inbound traffic.

    Description#

    diff --git a/en/rules/Azure.NSG.LateralTraversal/index.html b/en/rules/Azure.NSG.LateralTraversal/index.html index 4bade3a0f3..d651a239d9 100644 --- a/en/rules/Azure.NSG.LateralTraversal/index.html +++ b/en/rules/Azure.NSG.LateralTraversal/index.html @@ -12135,6 +12135,7 @@

    Limit lateral traversal within s

    Security · Network Security Group + · Rule · 2020_06

    Deny outbound management connections from non-management hosts.

    Description#

    diff --git a/en/rules/Azure.NSG.Name/index.html b/en/rules/Azure.NSG.Name/index.html
index e77e63d6d8..8f456ed030 100644
--- a/en/rules/Azure.NSG.Name/index.html
+++ b/en/rules/Azure.NSG.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid NSG namesAzure.NSG.NameAZR-000141Error

    Operational Excellence · Network Security Group + · Rule · 2020_06

    Network Security Group (NSG) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Policy.AssignmentAssignedBy/index.html b/en/rules/Azure.Policy.AssignmentAssignedBy/index.html
index 827e678cb2..bd4d5bd868 100644
--- a/en/rules/Azure.Policy.AssignmentAssignedBy/index.html
+++ b/en/rules/Azure.Policy.AssignmentAssignedBy/index.html
@@ -12107,6 +12107,7 @@

    Use assigned by for policy assig

    Operational Excellence · Policy + · Rule · 2021_06

    Policy assignments should use assignedBy metadata.

    Description#

    diff --git a/en/rules/Azure.Policy.AssignmentDescriptors/index.html b/en/rules/Azure.Policy.AssignmentDescriptors/index.html
index e1368a347a..99322e6cc4 100644
--- a/en/rules/Azure.Policy.AssignmentDescriptors/index.html
+++ b/en/rules/Azure.Policy.AssignmentDescriptors/index.html
@@ -12107,6 +12107,7 @@

    Use descriptive policy assignmentsAzure.Policy.AssignmentDescriptorsAZR-000143Error

    Operational Excellence · Policy + · Rule · 2021_06

    Policy assignments should use a display name and description.

    Description#

    diff --git a/en/rules/Azure.Policy.Descriptors/index.html b/en/rules/Azure.Policy.Descriptors/index.html
index 3fa962ef1d..e2f130e514 100644
--- a/en/rules/Azure.Policy.Descriptors/index.html
+++ b/en/rules/Azure.Policy.Descriptors/index.html
@@ -12107,6 +12107,7 @@

    Use descriptive policiesAzure.Policy.DescriptorsAZR-000142Error

    Operational Excellence · Policy + · Rule · 2020_06

    Policy and initiative definitions should use a display name, description, and category.

    Description#

    diff --git a/en/rules/Azure.Policy.ExemptionDescriptors/index.html b/en/rules/Azure.Policy.ExemptionDescriptors/index.html
index b1f884f7c5..434ef5ae74 100644
--- a/en/rules/Azure.Policy.ExemptionDescriptors/index.html
+++ b/en/rules/Azure.Policy.ExemptionDescriptors/index.html
@@ -12107,6 +12107,7 @@

    Use descriptive policy exemptionsAzure.Policy.ExemptionDescriptorsAZR-000145Error

    Operational Excellence · Policy + · Rule · 2021_06

    Policy exemptions should use a display name and description.

    Description#

    diff --git a/en/rules/Azure.Policy.WaiverExpiry/index.html b/en/rules/Azure.Policy.WaiverExpiry/index.html
index c17a71ba5a..4db720d0ef 100644
--- a/en/rules/Azure.Policy.WaiverExpiry/index.html
+++ b/en/rules/Azure.Policy.WaiverExpiry/index.html
@@ -12121,6 +12121,7 @@

    Policy waiver exemptions must expi

    Operational Excellence · Policy + · Rule · 2021_06

    Configure policy waiver exemptions to expire.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.AAD/index.html b/en/rules/Azure.PostgreSQL.AAD/index.html
index 365220f7a3..94ec447f26 100644
--- a/en/rules/Azure.PostgreSQL.AAD/index.html
+++ b/en/rules/Azure.PostgreSQL.AAD/index.html
@@ -12135,6 +12135,7 @@

    Use AAD authentication

    Security · Azure Database for PostgreSQL + · Rule · 2023_06

    Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.AADOnly/index.html b/en/rules/Azure.PostgreSQL.AADOnly/index.html
index 88fe776b0c..20b4c066e7 100644
--- a/en/rules/Azure.PostgreSQL.AADOnly/index.html
+++ b/en/rules/Azure.PostgreSQL.AADOnly/index.html
@@ -12135,6 +12135,7 @@

    Azure AD-only authenticationAzure.PostgreSQL.AADOnlyAZR-000390Error

    Security · Azure Database for PostgreSQL + · Rule · 2023_06

    Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.AllowAzureAccess/index.html b/en/rules/Azure.PostgreSQL.AllowAzureAccess/index.html
index 5407972a0f..d188ccb929 100644
--- a/en/rules/Azure.PostgreSQL.AllowAzureAccess/index.html
+++ b/en/rules/Azure.PostgreSQL.AllowAzureAccess/index.html
@@ -12067,6 +12067,7 @@

    Disable PostgreSQL

    Security · Azure Database for PostgreSQL + · Rule · 2020_06

    Determine if access from Azure services is required.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.DefenderCloud/index.html b/en/rules/Azure.PostgreSQL.DefenderCloud/index.html
index 09cd6dc0c3..55d821f4b0 100644
--- a/en/rules/Azure.PostgreSQL.DefenderCloud/index.html
+++ b/en/rules/Azure.PostgreSQL.DefenderCloud/index.html
@@ -12135,6 +12135,7 @@

    Use Microsoft DefenderAzure.PostgreSQL.DefenderCloudAZR-000327Error

    Security · Azure Database for PostgreSQL + · Rule · 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.FirewallIPRange/index.html b/en/rules/Azure.PostgreSQL.FirewallIPRange/index.html
index 0075c1a5ea..1d3e16112d 100644
--- a/en/rules/Azure.PostgreSQL.FirewallIPRange/index.html
+++ b/en/rules/Azure.PostgreSQL.FirewallIPRange/index.html
@@ -12067,6 +12067,7 @@

    Limit PostgreSQL server fir

    Security · Azure Database for PostgreSQL + · Rule · 2020_06

    Determine if there is an excessive number of permitted IP addresses.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.FirewallRuleCount/index.html b/en/rules/Azure.PostgreSQL.FirewallRuleCount/index.html
index 228aedcbd9..9b5fc90fd7 100644
--- a/en/rules/Azure.PostgreSQL.FirewallRuleCount/index.html
+++ b/en/rules/Azure.PostgreSQL.FirewallRuleCount/index.html
@@ -12067,6 +12067,7 @@

    Cleanup PostgreSQL server fire

    Security · Azure Database for PostgreSQL + · Rule · 2020_06

    Determine if there is an excessive number of firewall rules.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.GeoRedundantBackup/index.html b/en/rules/Azure.PostgreSQL.GeoRedundantBackup/index.html
index 4b88970fc2..74d3999e77 100644
--- a/en/rules/Azure.PostgreSQL.GeoRedundantBackup/index.html
+++ b/en/rules/Azure.PostgreSQL.GeoRedundantBackup/index.html
@@ -12135,6 +12135,7 @@

    Configure geo-redundant backupAzure.PostgreSQL.GeoRedundantBackupAZR-000326Error

    Reliability · Azure Database for PostgreSQL + · Rule · 2022_12

    Azure Database for PostgreSQL should store backups in a geo-redundant storage.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.MinTLS/index.html b/en/rules/Azure.PostgreSQL.MinTLS/index.html
index c653630165..2e1cedf86c 100644
--- a/en/rules/Azure.PostgreSQL.MinTLS/index.html
+++ b/en/rules/Azure.PostgreSQL.MinTLS/index.html
@@ -12067,6 +12067,7 @@

    PostgreSQL DB server minimum T

    Security · Azure Database for PostgreSQL + · Rule · 2020_09

    PostgreSQL DB servers should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.ServerName/index.html b/en/rules/Azure.PostgreSQL.ServerName/index.html
index 1bf77835b2..d3213f67bb 100644
--- a/en/rules/Azure.PostgreSQL.ServerName/index.html
+++ b/en/rules/Azure.PostgreSQL.ServerName/index.html
@@ -12081,6 +12081,7 @@

    Use valid PostgreSQL DB server nam

    Operational Excellence · Azure Database for PostgreSQL + · Rule · 2020_12

    Azure PostgreSQL DB server names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.PostgreSQL.UseSSL/index.html b/en/rules/Azure.PostgreSQL.UseSSL/index.html
index cab5f8dad7..5f8f551fe8 100644
--- a/en/rules/Azure.PostgreSQL.UseSSL/index.html
+++ b/en/rules/Azure.PostgreSQL.UseSSL/index.html
@@ -12067,6 +12067,7 @@

    Enforce encrypted PostgreSQL c

    Security · Azure Database for PostgreSQL + · Rule · 2020_06

    Enforce encrypted PostgreSQL connections.

    Description#

    diff --git a/en/rules/Azure.PrivateEndpoint.Name/index.html b/en/rules/Azure.PrivateEndpoint.Name/index.html
index 617c9ae364..030418d188 100644
--- a/en/rules/Azure.PrivateEndpoint.Name/index.html
+++ b/en/rules/Azure.PrivateEndpoint.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid Private Endpoint namesAzure.PrivateEndpoint.NameAZR-000153Error

    Operational Excellence · Private Endpoint + · Rule · 2021_12

    Private Endpoint names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.PublicIP.AvailabilityZone/index.html b/en/rules/Azure.PublicIP.AvailabilityZone/index.html
index 8938d4bc05..353ad81236 100644
--- a/en/rules/Azure.PublicIP.AvailabilityZone/index.html
+++ b/en/rules/Azure.PublicIP.AvailabilityZone/index.html
@@ -12135,6 +12135,7 @@

    Public IP addresses s

    Reliability · Public IP address + · Rule · 2021_12

    Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.

    Description#

    diff --git a/en/rules/Azure.PublicIP.DNSLabel/index.html b/en/rules/Azure.PublicIP.DNSLabel/index.html
index abfb520519..3adac70b72 100644
--- a/en/rules/Azure.PublicIP.DNSLabel/index.html
+++ b/en/rules/Azure.PublicIP.DNSLabel/index.html
@@ -12081,6 +12081,7 @@

    Use valid Public IP DNS labelsAzure.PublicIP.DNSLabelAZR-000156Error

    Operational Excellence · Public IP address + · Rule · 2020_06

    Public IP domain name labels should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.PublicIP.IsAttached/index.html b/en/rules/Azure.PublicIP.IsAttached/index.html
index 0813e94568..702c0a39db 100644
--- a/en/rules/Azure.PublicIP.IsAttached/index.html
+++ b/en/rules/Azure.PublicIP.IsAttached/index.html
@@ -12067,6 +12067,7 @@

    Remove unused Public IP addressesAzure.PublicIP.IsAttachedAZR-000154Error

    Cost Optimization · Public IP address + · Rule · 2020_06

    Public IP addresses should be attached or cleaned up if not in use.

    Description#

    diff --git a/en/rules/Azure.PublicIP.MigrateStandard/index.html b/en/rules/Azure.PublicIP.MigrateStandard/index.html
index 5872876e74..de71d51c24 100644
--- a/en/rules/Azure.PublicIP.MigrateStandard/index.html
+++ b/en/rules/Azure.PublicIP.MigrateStandard/index.html
@@ -12121,6 +12121,7 @@

    Migrate to Standard SKUAzure.PublicIP.MigrateStandardAZR-000395Error

    Operational Excellence · Public IP address + · Rule · 2023_09

    Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.

    Description#

    diff --git a/en/rules/Azure.PublicIP.Name/index.html b/en/rules/Azure.PublicIP.Name/index.html
index 1701639cce..70773d7f18 100644
--- a/en/rules/Azure.PublicIP.Name/index.html
+++ b/en/rules/Azure.PublicIP.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid Public IP namesAzure.PublicIP.NameAZR-000155Error

    Operational Excellence · Public IP address + · Rule · 2020_06

    Public IP names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.PublicIP.StandardSKU/index.html b/en/rules/Azure.PublicIP.StandardSKU/index.html
index 60202d2724..d4fe9dbb66 100644
--- a/en/rules/Azure.PublicIP.StandardSKU/index.html
+++ b/en/rules/Azure.PublicIP.StandardSKU/index.html
@@ -12121,6 +12121,7 @@

    Public IP addresses should

    Reliability · Public IP address + · Rule · 2021_12

    Public IP addresses should be deployed with Standard SKU for production workloads.

    Description#

    diff --git a/en/rules/Azure.RBAC.CoAdministrator/index.html b/en/rules/Azure.RBAC.CoAdministrator/index.html
index ca0df04eaf..f6f492a5d1 100644
--- a/en/rules/Azure.RBAC.CoAdministrator/index.html
+++ b/en/rules/Azure.RBAC.CoAdministrator/index.html
@@ -12067,6 +12067,7 @@

    Use role-based access controlAzure.RBAC.CoAdministratorAZR-000206Error

    Security · Subscription + · Rule · 2020_06

    Delegate access to manage Azure resources using role-based access control (RBAC).

    Description#

    diff --git a/en/rules/Azure.RBAC.LimitMGDelegation/index.html b/en/rules/Azure.RBAC.LimitMGDelegation/index.html
index 8a1c6fc364..c4bfb7a2fa 100644
--- a/en/rules/Azure.RBAC.LimitMGDelegation/index.html
+++ b/en/rules/Azure.RBAC.LimitMGDelegation/index.html
@@ -12053,6 +12053,7 @@

    Limit Management Group delegationAzure.RBAC.LimitMGDelegationAZR-000205Error

    Security · Subscription + · Rule · 2020_06

    Limit Role-Base Access Control (RBAC) inheritance from Management Groups.

    Description#

    diff --git a/en/rules/Azure.RBAC.LimitOwner/index.html b/en/rules/Azure.RBAC.LimitOwner/index.html
index 5d749eb878..7124430708 100644
--- a/en/rules/Azure.RBAC.LimitOwner/index.html
+++ b/en/rules/Azure.RBAC.LimitOwner/index.html
@@ -12067,6 +12067,7 @@

    Limit use of subscription s

    Security · Subscription + · Rule · 2020_06

    Limit the number of subscription Owners.

    Description#

    diff --git a/en/rules/Azure.RBAC.PIM/index.html b/en/rules/Azure.RBAC.PIM/index.html
index 5f2ba0d79f..ae7a456f27 100644
--- a/en/rules/Azure.RBAC.PIM/index.html
+++ b/en/rules/Azure.RBAC.PIM/index.html
@@ -12067,6 +12067,7 @@

    Use JiT role activation with PIMAzure.RBAC.PIMAZR-000208Error

    Security · Subscription + · Rule · 2020_09

    Use just-in-time (JiT) activation of roles instead of persistent role assignment.

    Description#

    diff --git a/en/rules/Azure.RBAC.UseGroups/index.html b/en/rules/Azure.RBAC.UseGroups/index.html
index a98963cae7..5948a33e48 100644
--- a/en/rules/Azure.RBAC.UseGroups/index.html
+++ b/en/rules/Azure.RBAC.UseGroups/index.html
@@ -12067,6 +12067,7 @@

    Use groupsAzure.RBAC.UseGroupsAZR-000203Error

    Security · Subscription + · Rule · 2020_06

    Use groups for assigning permissions instead of individual user accounts.

    Description#

    diff --git a/en/rules/Azure.RBAC.UseRGDelegation/index.html b/en/rules/Azure.RBAC.UseRGDelegation/index.html
index fb6974216f..930b86257d 100644
--- a/en/rules/Azure.RBAC.UseRGDelegation/index.html
+++ b/en/rules/Azure.RBAC.UseRGDelegation/index.html
@@ -12067,6 +12067,7 @@

    Use Resource Group delegationAzure.RBAC.UseRGDelegationAZR-000207Error

    Security · Subscription + · Rule · 2020_06

    Use RBAC assignments on resource groups instead of individual resources.

    Description#

    diff --git a/en/rules/Azure.RSV.Immutable/index.html b/en/rules/Azure.RSV.Immutable/index.html
index ca10e45dfe..b91df90a3b 100644
--- a/en/rules/Azure.RSV.Immutable/index.html
+++ b/en/rules/Azure.RSV.Immutable/index.html
@@ -12135,6 +12135,7 @@

    ImmutabilityAzure.RSV.ImmutableAZR-000397Error

    Security · Recovery Services Vault + · Rule · 2023_09

    Ensure immutability is configured to protect backup data.

    Description#

    diff --git a/en/rules/Azure.RSV.Name/index.html b/en/rules/Azure.RSV.Name/index.html
index a1506c629d..734d05b512 100644
--- a/en/rules/Azure.RSV.Name/index.html
+++ b/en/rules/Azure.RSV.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid namesAzure.RSV.NameAZR-000350Error

    Operational Excellence · Recovery Services Vault + · Rule · 2022_12

    Recovery Services vaults should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.RSV.ReplicationAlert/index.html b/en/rules/Azure.RSV.ReplicationAlert/index.html
index d276498683..b16bd2fd14 100644
--- a/en/rules/Azure.RSV.ReplicationAlert/index.html
+++ b/en/rules/Azure.RSV.ReplicationAlert/index.html
@@ -12135,6 +12135,7 @@

    Use geo-replicated storageAzure.RSV.ReplicationAlertAZR-000171Error

    Reliability · Recovery Services Vault + · Rule · 2022_03

    Recovery Services Vaults (RSV) without replication alerts configured may be at risk.

    Description#

    diff --git a/en/rules/Azure.RSV.StorageType/index.html b/en/rules/Azure.RSV.StorageType/index.html
index 93dffc4153..d92df45da2 100644
--- a/en/rules/Azure.RSV.StorageType/index.html
+++ b/en/rules/Azure.RSV.StorageType/index.html
@@ -12121,6 +12121,7 @@

    Use geo-replicated storageAzure.RSV.StorageTypeAZR-000170Error

    Reliability · Recovery Services Vault + · Rule · 2022_03

    Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.

    Description#

    diff --git a/en/rules/Azure.Redis.AvailabilityZone/index.html b/en/rules/Azure.Redis.AvailabilityZone/index.html
index 42da68d2de..c144fe9666 100644
--- a/en/rules/Azure.Redis.AvailabilityZone/index.html
+++ b/en/rules/Azure.Redis.AvailabilityZone/index.html
@@ -12135,6 +12135,7 @@

    Redis ca

    Reliability · Azure Cache for Redis + · Rule · 2021_12

    Premium Redis cache should be deployed with availability zones for high availability.

    Description#

    diff --git a/en/rules/Azure.Redis.FirewallIPRange/index.html b/en/rules/Azure.Redis.FirewallIPRange/index.html
index 03334f4554..619d7e71c0 100644
--- a/en/rules/Azure.Redis.FirewallIPRange/index.html
+++ b/en/rules/Azure.Redis.FirewallIPRange/index.html
@@ -12135,6 +12135,7 @@

    Limit Redis cache number of IP

    Security · Azure Cache for Redis + · Rule · 2022_09

    Determine if there is an excessive number of permitted IP addresses for the Redis cache.

    Description#

    diff --git a/en/rules/Azure.Redis.FirewallRuleCount/index.html b/en/rules/Azure.Redis.FirewallRuleCount/index.html
index 9bde13e30b..e7afd00c76 100644
--- a/en/rules/Azure.Redis.FirewallRuleCount/index.html
+++ b/en/rules/Azure.Redis.FirewallRuleCount/index.html
@@ -12135,6 +12135,7 @@

    Cleanup Redis cache firewall rulesAzure.Redis.FirewallRuleCountAZR-000299Error

    Security · Azure Cache for Redis + · Rule · 2022_09

    Determine if there is an excessive number of firewall rules for the Redis cache.

    Description#

    diff --git a/en/rules/Azure.Redis.MaxMemoryReserved/index.html b/en/rules/Azure.Redis.MaxMemoryReserved/index.html
index d9c5592be4..3d07e69038 100644
--- a/en/rules/Azure.Redis.MaxMemoryReserved/index.html
+++ b/en/rules/Azure.Redis.MaxMemoryReserved/index.html
@@ -12121,6 +12121,7 @@

    Configure cache maxmemory-re

    Performance Efficiency · Azure Cache for Redis + · Rule · 2020_12

    Configure maxmemory-reserved to reserve memory for non-cache operations.

    Description#

    diff --git a/en/rules/Azure.Redis.MinSKU/index.html b/en/rules/Azure.Redis.MinSKU/index.html
index c12e41b4b1..ed304f6569 100644
--- a/en/rules/Azure.Redis.MinSKU/index.html
+++ b/en/rules/Azure.Redis.MinSKU/index.html
@@ -12121,6 +12121,7 @@

    Use at least Standard C1 cache

    Performance Efficiency · Azure Cache for Redis + · Rule · 2020_12

    Use Azure Cache for Redis instances of at least Standard C1.

    Description#

    diff --git a/en/rules/Azure.Redis.MinTLS/index.html b/en/rules/Azure.Redis.MinTLS/index.html
index a21bb0e8bc..349077b600 100644
--- a/en/rules/Azure.Redis.MinTLS/index.html
+++ b/en/rules/Azure.Redis.MinTLS/index.html
@@ -12149,6 +12149,7 @@

    Redis Cache minimum TLS versionAzure.Redis.MinTLSAZR-000164Error

    Security · Azure Cache for Redis + · Rule · 2020_06

    Redis Cache should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.Redis.NonSslPort/index.html b/en/rules/Azure.Redis.NonSslPort/index.html
index 3a1a8242de..e458713387 100644
--- a/en/rules/Azure.Redis.NonSslPort/index.html
+++ b/en/rules/Azure.Redis.NonSslPort/index.html
@@ -12121,6 +12121,7 @@

    Use secure connections to Red

    Security · Azure Cache for Redis + · Rule · 2020_06

    Azure Cache for Redis should only accept secure connections.

    Description#

    diff --git a/en/rules/Azure.Redis.PublicNetworkAccess/index.html b/en/rules/Azure.Redis.PublicNetworkAccess/index.html
index e126682e68..d5059ea89d 100644
--- a/en/rules/Azure.Redis.PublicNetworkAccess/index.html
+++ b/en/rules/Azure.Redis.PublicNetworkAccess/index.html
@@ -12121,6 +12121,7 @@

    Use private endpoints

    Security · Azure Cache for Redis + · Rule · 2022_03

    Redis cache should disable public network access.

    Description#

    diff --git a/en/rules/Azure.Redis.Version/index.html b/en/rules/Azure.Redis.Version/index.html
index 78abc9476d..c12965408b 100644
--- a/en/rules/Azure.Redis.Version/index.html
+++ b/en/rules/Azure.Redis.Version/index.html
@@ -12135,6 +12135,7 @@

    Redis version for Azure Cache f

    Reliability · Azure Cache for Redis + · Rule · 2022_12

    Azure Cache for Redis should use the latest supported version of Redis.

    Description#

    diff --git a/en/rules/Azure.RedisEnterprise.MinTLS/index.html b/en/rules/Azure.RedisEnterprise.MinTLS/index.html
index d92b4fab6b..c969127d2f 100644
--- a/en/rules/Azure.RedisEnterprise.MinTLS/index.html
+++ b/en/rules/Azure.RedisEnterprise.MinTLS/index.html
@@ -12149,6 +12149,7 @@

    Redis Cache minimum TLS versionAzure.RedisEnterprise.MinTLSAZR-000301Error

    Security · Azure Cache for Redis Enterprise + · Rule · 2022_09

    Redis Cache should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.RedisEnterprise.Zones/index.html b/en/rules/Azure.RedisEnterprise.Zones/index.html
index 3545c43f83..d799d73a7d 100644
--- a/en/rules/Azure.RedisEnterprise.Zones/index.html
+++ b/en/rules/Azure.RedisEnterprise.Zones/index.html
@@ -12135,6 +12135,7 @@

    Azure.RedisEnterprise.ZonesAZR-000162Error

    Reliability · Azure Cache for Redis Enterprise + · Rule · 2021_12

    Enterprise Redis cache should be zone-redundant for high availability.

    Description#

    diff --git a/en/rules/Azure.Resource.AllowedRegions/index.html b/en/rules/Azure.Resource.AllowedRegions/index.html
index 88fa2e35c5..5ac464e8ae 100644
--- a/en/rules/Azure.Resource.AllowedRegions/index.html
+++ b/en/rules/Azure.Resource.AllowedRegions/index.html
@@ -12135,6 +12135,7 @@

    Use allowed regionsAzure.Resource.AllowedRegionsAZR-000167Error

    Security · All resources + · Rule · 2020_06

    Resources should be deployed to allowed regions.

    Description#

    diff --git a/en/rules/Azure.Resource.UseTags/index.html b/en/rules/Azure.Resource.UseTags/index.html
index 06dd41e7f5..a7bfe0d511 100644
--- a/en/rules/Azure.Resource.UseTags/index.html
+++ b/en/rules/Azure.Resource.UseTags/index.html
@@ -12135,6 +12135,7 @@

    Use resource tagsAzure.Resource.UseTagsAZR-000166Error

    Cost Optimization · All resources + · Rule · 2020_06

    Azure resources should be tagged using a standard convention.

    Description#

    diff --git a/en/rules/Azure.ResourceGroup.Name/index.html b/en/rules/Azure.ResourceGroup.Name/index.html
index d49196bcc2..9a5a2d4d76 100644
--- a/en/rules/Azure.ResourceGroup.Name/index.html
+++ b/en/rules/Azure.ResourceGroup.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid resource group namesAzure.ResourceGroup.NameAZR-000168Error

    Operational Excellence · Resource Group + · Rule · 2020_06

    Resource Group names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Route.Name/index.html b/en/rules/Azure.Route.Name/index.html
index 45521f8d47..f19f427e96 100644
--- a/en/rules/Azure.Route.Name/index.html
+++ b/en/rules/Azure.Route.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid Route table namesAzure.Route.NameAZR-000169Error

    Operational Excellence · Route table + · Rule · 2020_06

    Route table names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.SQL.AAD/index.html b/en/rules/Azure.SQL.AAD/index.html
index 7db2e8f8d6..5b47debd2f 100644
--- a/en/rules/Azure.SQL.AAD/index.html
+++ b/en/rules/Azure.SQL.AAD/index.html
@@ -12163,6 +12163,7 @@

    Use AAD authentication with S

    Security · SQL Database + · Rule · 2020_06

    Use Azure Active Directory (AAD) authentication with Azure SQL databases.

    Description#

    diff --git a/en/rules/Azure.SQL.AADOnly/index.html b/en/rules/Azure.SQL.AADOnly/index.html
index 96d8952364..133ff46735 100644
--- a/en/rules/Azure.SQL.AADOnly/index.html
+++ b/en/rules/Azure.SQL.AADOnly/index.html
@@ -12135,6 +12135,7 @@

    Azure AD-only authenticationAzure.SQL.AADOnlyAZR-000369Error

    Security · SQL Database + · Rule · 2023_03

    Ensure Azure AD-only authentication is enabled with Azure SQL Database.

    Description#

    diff --git a/en/rules/Azure.SQL.AllowAzureAccess/index.html b/en/rules/Azure.SQL.AllowAzureAccess/index.html
index ffab630dce..405604fcd0 100644
--- a/en/rules/Azure.SQL.AllowAzureAccess/index.html
+++ b/en/rules/Azure.SQL.AllowAzureAccess/index.html
@@ -12067,6 +12067,7 @@

    Limit SQL dat

    Security · SQL Database + · Rule · 2020_06

    Determine if access from Azure services is required.

    Description#

    diff --git a/en/rules/Azure.SQL.Auditing/index.html b/en/rules/Azure.SQL.Auditing/index.html
index 330375df8e..a96cdf3b46 100644
--- a/en/rules/Azure.SQL.Auditing/index.html
+++ b/en/rules/Azure.SQL.Auditing/index.html
@@ -12149,6 +12149,7 @@

    Enable auditing for Azure SQL D

    Security · SQL Database + · Rule · 2020_06

    Enable auditing for Azure SQL logical server.

    Description#

    diff --git a/en/rules/Azure.SQL.DBName/index.html b/en/rules/Azure.SQL.DBName/index.html
index f6dd57e9fb..feab2f32e1 100644
--- a/en/rules/Azure.SQL.DBName/index.html
+++ b/en/rules/Azure.SQL.DBName/index.html
@@ -12081,6 +12081,7 @@

    Use valid SQL Database namesAzure.SQL.DBNameAZR-000192Error

    Operational Excellence · SQL Database + · Rule · 2020_12

    Azure SQL Database names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.SQL.DefenderCloud/index.html b/en/rules/Azure.SQL.DefenderCloud/index.html
index 0d2e63b14a..2c553d86db 100644
--- a/en/rules/Azure.SQL.DefenderCloud/index.html
+++ b/en/rules/Azure.SQL.DefenderCloud/index.html
@@ -12121,6 +12121,7 @@

    Use Advanced Threat ProtectionAzure.SQL.DefenderCloudAZR-000186Error

    Security · SQL Database + · Rule · 2020_06

    Enable Microsoft Defender for Azure SQL logical server.

    Description#

    diff --git a/en/rules/Azure.SQL.FGName/index.html b/en/rules/Azure.SQL.FGName/index.html
index 6783758f0c..9d730f4eb9 100644
--- a/en/rules/Azure.SQL.FGName/index.html
+++ b/en/rules/Azure.SQL.FGName/index.html
@@ -12081,6 +12081,7 @@

    Use valid SQL failover group namesAzure.SQL.FGNameAZR-000193Error

    Operational Excellence · SQL Database + · Rule · 2020_12

    Azure SQL failover group names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.SQL.FirewallIPRange/index.html b/en/rules/Azure.SQL.FirewallIPRange/index.html
index dee3b396d0..3e68d44a21 100644
--- a/en/rules/Azure.SQL.FirewallIPRange/index.html
+++ b/en/rules/Azure.SQL.FirewallIPRange/index.html
@@ -12081,6 +12081,7 @@

    Limit SQL logical server f

    Security · SQL Database + · Rule · 2020_06

    Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).

    Description#

    diff --git a/en/rules/Azure.SQL.FirewallRuleCount/index.html b/en/rules/Azure.SQL.FirewallRuleCount/index.html
index b7c2022722..49eededd34 100644
--- a/en/rules/Azure.SQL.FirewallRuleCount/index.html
+++ b/en/rules/Azure.SQL.FirewallRuleCount/index.html
@@ -12067,6 +12067,7 @@

    Cleanup SQL logical server fi

    Security · SQL Database + · Rule · 2020_06

    Determine if there is an excessive number of firewall rules.

    Description#

    diff --git a/en/rules/Azure.SQL.MinTLS/index.html b/en/rules/Azure.SQL.MinTLS/index.html
index 5306f8fcac..89dcf56f47 100644
--- a/en/rules/Azure.SQL.MinTLS/index.html
+++ b/en/rules/Azure.SQL.MinTLS/index.html
@@ -12121,6 +12121,7 @@

    Azure SQL DB server minimum TLS

    Security · SQL Database + · Rule · 2020_09

    Azure SQL Database servers should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.SQL.ServerName/index.html b/en/rules/Azure.SQL.ServerName/index.html
index 9702ea2d20..1494b34939 100644
--- a/en/rules/Azure.SQL.ServerName/index.html
+++ b/en/rules/Azure.SQL.ServerName/index.html
@@ -12081,6 +12081,7 @@

    Use valid SQL logical server namesAzure.SQL.ServerNameAZR-000190Error

    Operational Excellence · SQL Database + · Rule · 2020_12

    Azure SQL logical server names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.SQL.TDE/index.html b/en/rules/Azure.SQL.TDE/index.html
index 729d971969..ebd19fb9aa 100644
--- a/en/rules/Azure.SQL.TDE/index.html
+++ b/en/rules/Azure.SQL.TDE/index.html
@@ -12135,6 +12135,7 @@

    Use SQL database TDEAzure.SQL.TDEAZR-000191Error

    Security · SQL Database + · Rule · 2020_06

    Use Transparent Data Encryption (TDE) with Azure SQL Database.

    Description#

    diff --git a/en/rules/Azure.SQLMI.AAD/index.html b/en/rules/Azure.SQLMI.AAD/index.html
index 388347f923..bab36254fb 100644
--- a/en/rules/Azure.SQLMI.AAD/index.html
+++ b/en/rules/Azure.SQLMI.AAD/index.html
@@ -12135,6 +12135,7 @@

    Use AAD authentication

    Security · SQL Managed Instance + · Rule · 2023_03

    Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.

    Description#

    diff --git a/en/rules/Azure.SQLMI.AADOnly/index.html b/en/rules/Azure.SQLMI.AADOnly/index.html
index 113aa8fc97..bf5f3ba21b 100644
--- a/en/rules/Azure.SQLMI.AADOnly/index.html
+++ b/en/rules/Azure.SQLMI.AADOnly/index.html
@@ -12135,6 +12135,7 @@

    Azure AD-only authenticationAzure.SQLMI.AADOnlyAZR-000366Error

    Security · SQL Managed Instance + · Rule · 2023_03

    Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.

    Description#

    diff --git a/en/rules/Azure.SQLMI.ManagedIdentity/index.html b/en/rules/Azure.SQLMI.ManagedIdentity/index.html
index 086b8d1e4d..3f40e5fadf 100644
--- a/en/rules/Azure.SQLMI.ManagedIdentity/index.html
+++ b/en/rules/Azure.SQLMI.ManagedIdentity/index.html
@@ -12135,6 +12135,7 @@

    Managed identityAzure.SQLMI.ManagedIdentityAZR-000367Error

    Security · SQL Managed Instance + · Rule · 2023_03

    Ensure managed identity is used to allow support for Azure AD authentication.

    Description#

    diff --git a/en/rules/Azure.SQLMI.Name/index.html b/en/rules/Azure.SQLMI.Name/index.html
index 33536123c2..aee7e83470 100644
--- a/en/rules/Azure.SQLMI.Name/index.html
+++ b/en/rules/Azure.SQLMI.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid SQL Managed Instance nam

    Operational Excellence · SQL Managed Instance + · Rule · 2020_12

    SQL Managed Instance names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Search.IndexSLA/index.html b/en/rules/Azure.Search.IndexSLA/index.html
index 0cf59c907f..a0d3ba5137 100644
--- a/en/rules/Azure.Search.IndexSLA/index.html
+++ b/en/rules/Azure.Search.IndexSLA/index.html
@@ -12121,6 +12121,7 @@

    Search index update SLA minimu

    Reliability · Cognitive Search + · Rule · 2021_06

    Use a minimum of 3 replicas to receive an SLA for query and index updates.

    Description#

    diff --git a/en/rules/Azure.Search.ManagedIdentity/index.html b/en/rules/Azure.Search.ManagedIdentity/index.html
index 9232bb6633..bd4779e71d 100644
--- a/en/rules/Azure.Search.ManagedIdentity/index.html
+++ b/en/rules/Azure.Search.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    Search services uses a managed

    Security · Cognitive Search + · Rule · 2021_06

    Configure managed identities to access Azure resources.

    Description#

    diff --git a/en/rules/Azure.Search.Name/index.html b/en/rules/Azure.Search.Name/index.html
index c893c2f2c9..dd248739ee 100644
--- a/en/rules/Azure.Search.Name/index.html
+++ b/en/rules/Azure.Search.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid Cognitive Search ser

    Operational Excellence · Cognitive Search + · Rule · 2021_06

    Azure Cognitive Search service names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Search.QuerySLA/index.html b/en/rules/Azure.Search.QuerySLA/index.html
index bd4282a74f..2af70233e1 100644
--- a/en/rules/Azure.Search.QuerySLA/index.html
+++ b/en/rules/Azure.Search.QuerySLA/index.html
@@ -12121,6 +12121,7 @@

    Search query SLA minimum replicasAzure.Search.QuerySLAAZR-000173Error

    Reliability · Cognitive Search + · Rule · 2021_06

    Use a minimum of 2 replicas to receive an SLA for index queries.

    Description#

    diff --git a/en/rules/Azure.Search.SKU/index.html b/en/rules/Azure.Search.SKU/index.html
index 7d9852ba7d..553738df8c 100644
--- a/en/rules/Azure.Search.SKU/index.html
+++ b/en/rules/Azure.Search.SKU/index.html
@@ -12121,6 +12121,7 @@

    Cognitive Search minimum SKUAzure.Search.SKUAZR-000172Error

    Performance Efficiency · Cognitive Search + · Rule · 2021_06

    Use the basic and standard tiers for entry level workloads.

    Description#

    diff --git a/en/rules/Azure.ServiceBus.AuditLogs/index.html b/en/rules/Azure.ServiceBus.AuditLogs/index.html
index 72cecdc415..588e572a2c 100644
--- a/en/rules/Azure.ServiceBus.AuditLogs/index.html
+++ b/en/rules/Azure.ServiceBus.AuditLogs/index.html
@@ -12135,6 +12135,7 @@

    Audit Service Bus data plane access

    Security · Service Bus + · Rule · 2023_03

    Ensure namespaces audit diagnostic logs are enabled.

    Description#

    diff --git a/en/rules/Azure.ServiceBus.DisableLocalAuth/index.html b/en/rules/Azure.ServiceBus.DisableLocalAuth/index.html
index 4fc7c4a765..680d233d0d 100644
--- a/en/rules/Azure.ServiceBus.DisableLocalAuth/index.html
+++ b/en/rules/Azure.ServiceBus.DisableLocalAuth/index.html
@@ -12121,6 +12121,7 @@

    Use identi

    Security · Service Bus + · Rule · 2022_03

    Authenticate Service Bus publishers and consumers with Azure AD identities.

    Description#

    diff --git a/en/rules/Azure.ServiceBus.MinTLS/index.html b/en/rules/Azure.ServiceBus.MinTLS/index.html
index 0afb98226c..cdb8453b06 100644
--- a/en/rules/Azure.ServiceBus.MinTLS/index.html
+++ b/en/rules/Azure.ServiceBus.MinTLS/index.html
@@ -12121,6 +12121,7 @@

    Enforce namespaces to

    Security · Service Bus + · Rule · 2022_12

    Enforce namespaces to require that clients send and receive data with TLS 1.2 version.

    Description#

    diff --git a/en/rules/Azure.ServiceBus.Usage/index.html b/en/rules/Azure.ServiceBus.Usage/index.html
index 3c20620a95..1c4189c7c7 100644
--- a/en/rules/Azure.ServiceBus.Usage/index.html
+++ b/en/rules/Azure.ServiceBus.Usage/index.html
@@ -12081,6 +12081,7 @@

    Remove unused Service Bus namespac

    Cost Optimization · Service Bus + · Rule · 2022_03

    Regularly remove unused resources to reduce costs.

    Description#

    diff --git a/en/rules/Azure.ServiceFabric.AAD/index.html b/en/rules/Azure.ServiceFabric.AAD/index.html
index 7360df1a8d..f229f55fec 100644
--- a/en/rules/Azure.ServiceFabric.AAD/index.html
+++ b/en/rules/Azure.ServiceFabric.AAD/index.html
@@ -12081,6 +12081,7 @@

    Use AAD authenticat

    Security · Service Fabric + · Rule · 2021_03

    Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.

    Description#

    diff --git a/en/rules/Azure.SignalR.ManagedIdentity/index.html b/en/rules/Azure.SignalR.ManagedIdentity/index.html
index ab75c0a4ba..0ab149212e 100644
--- a/en/rules/Azure.SignalR.ManagedIdentity/index.html
+++ b/en/rules/Azure.SignalR.ManagedIdentity/index.html
@@ -12121,6 +12121,7 @@

    Use managed identities for

    Security · SignalR Service + · Rule · 2022_03

    Configure SignalR Services to use managed identities to access Azure resources securely.

    Description#

    diff --git a/en/rules/Azure.SignalR.Name/index.html b/en/rules/Azure.SignalR.Name/index.html
index 17266ce7e7..d90075aef8 100644
--- a/en/rules/Azure.SignalR.Name/index.html
+++ b/en/rules/Azure.SignalR.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid SignalR service namesAzure.SignalR.NameAZR-000180Error

    Operational Excellence · SignalR Service + · Rule · 2020_06

    SignalR service instance names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.SignalR.SLA/index.html b/en/rules/Azure.SignalR.SLA/index.html
index af17370c9a..abea779fe3 100644
--- a/en/rules/Azure.SignalR.SLA/index.html
+++ b/en/rules/Azure.SignalR.SLA/index.html
@@ -12121,6 +12121,7 @@

    Use an SLA for SignalR ServicesAzure.SignalR.SLAAZR-000182Error

    Reliability · SignalR Service + · Rule · 2022_03

    Use SKUs that include an SLA when configuring SignalR Services.

    Description#

    diff --git a/en/rules/Azure.Storage.BlobAccessType/index.html b/en/rules/Azure.Storage.BlobAccessType/index.html
index c429362ea9..13cbc8b6eb 100644
--- a/en/rules/Azure.Storage.BlobAccessType/index.html
+++ b/en/rules/Azure.Storage.BlobAccessType/index.html
@@ -12121,6 +12121,7 @@

    Use private blob containersAzure.Storage.BlobAccessTypeAZR-000199Error

    Security · Storage Account + · Rule · 2020_06

    Use containers configured with a private access type that requires authorization.

    Description#

    diff --git a/en/rules/Azure.Storage.BlobPublicAccess/index.html b/en/rules/Azure.Storage.BlobPublicAccess/index.html
index 90ae130c4b..afdb1e9374 100644
--- a/en/rules/Azure.Storage.BlobPublicAccess/index.html
+++ b/en/rules/Azure.Storage.BlobPublicAccess/index.html
@@ -12121,6 +12121,7 @@

    Disallow anonymous access to

    Security · Storage Account + · Rule · 2020_09

    Storage Accounts should only accept authorized requests.

    Description#

    diff --git a/en/rules/Azure.Storage.ContainerSoftDelete/index.html b/en/rules/Azure.Storage.ContainerSoftDelete/index.html
index de80e3a624..9e69032e09 100644
--- a/en/rules/Azure.Storage.ContainerSoftDelete/index.html
+++ b/en/rules/Azure.Storage.ContainerSoftDelete/index.html
@@ -12163,6 +12163,7 @@

    Use container soft deleteAzure.Storage.ContainerSoftDeleteAZR-000289Error

    Reliability · Storage Account + · Rule · 2022_09

    Enable container soft delete on Storage Accounts.

    Description#

    diff --git a/en/rules/Azure.Storage.DefenderCloud.MalwareScan/index.html b/en/rules/Azure.Storage.DefenderCloud.MalwareScan/index.html
index 792bd1040c..4d9429e6cf 100644
--- a/en/rules/Azure.Storage.DefenderCloud.MalwareScan/index.html
+++ b/en/rules/Azure.Storage.DefenderCloud.MalwareScan/index.html
@@ -12135,6 +12135,7 @@

    Malware ScanningAzure.Storage.DefenderCloud.MalwareScanAZR-000384Error

    Security · Storage Account + · Rule · 2023_06

    Enable Malware Scanning in Microsoft Defender for Storage.

    Description#

    diff --git a/en/rules/Azure.Storage.DefenderCloud.SensitiveData/index.html b/en/rules/Azure.Storage.DefenderCloud.SensitiveData/index.html
index bbf8c1415b..d1b167f70d 100644
--- a/en/rules/Azure.Storage.DefenderCloud.SensitiveData/index.html
+++ b/en/rules/Azure.Storage.DefenderCloud.SensitiveData/index.html
@@ -12135,6 +12135,7 @@

    Sensitive data threat detectionAzure.Storage.DefenderCloud.SensitiveDataAZR-000391Error

    Security · Storage Account + · Rule · 2023_06

    Enable sensitive data threat detection in Microsoft Defender for Storage.

    Description#

    diff --git a/en/rules/Azure.Storage.DefenderCloud/index.html b/en/rules/Azure.Storage.DefenderCloud/index.html
index f59d4b6fed..0a9d1bf1af 100644
--- a/en/rules/Azure.Storage.DefenderCloud/index.html
+++ b/en/rules/Azure.Storage.DefenderCloud/index.html
@@ -12135,6 +12135,7 @@

    Enable Microsoft DefenderAzure.Storage.DefenderCloudAZR-000386Error

    Security · Storage Account + · Rule · 2023_06

    Enable Microsoft Defender for Storage for storage accounts.

    Description#

    diff --git a/en/rules/Azure.Storage.FileShareSoftDelete/index.html b/en/rules/Azure.Storage.FileShareSoftDelete/index.html
index ffb01d2258..e7224b3386 100644
--- a/en/rules/Azure.Storage.FileShareSoftDelete/index.html
+++ b/en/rules/Azure.Storage.FileShareSoftDelete/index.html
@@ -12149,6 +12149,7 @@

    Use soft delete on files sharesAzure.Storage.FileShareSoftDeleteAZR-000298Error

    Reliability · Storage Account + · Rule · 2022_09

    Synopsis#

    Enable soft delete on Storage Accounts file shares.

    diff --git a/en/rules/Azure.Storage.Firewall/index.html b/en/rules/Azure.Storage.Firewall/index.html
index a8c3b583f7..7c2a3e06dd 100644
--- a/en/rules/Azure.Storage.Firewall/index.html
+++ b/en/rules/Azure.Storage.Firewall/index.html
@@ -12135,6 +12135,7 @@

    Configure Azure Storage firewallAzure.Storage.FirewallAZR-000202Error

    Security · Storage Account + · Rule · 2021_09

    Storage Accounts should only accept explicitly allowed traffic.

    Description#

    diff --git a/en/rules/Azure.Storage.MinTLS/index.html b/en/rules/Azure.Storage.MinTLS/index.html
index 49d25f44e0..426a6e562d 100644
--- a/en/rules/Azure.Storage.MinTLS/index.html
+++ b/en/rules/Azure.Storage.MinTLS/index.html
@@ -12121,6 +12121,7 @@

    Storage Account minimum TLS version

    Security · Storage Account + · Rule · 2020_09

    Storage Accounts should reject TLS versions older than 1.2.

    Description#

    diff --git a/en/rules/Azure.Storage.Name/index.html b/en/rules/Azure.Storage.Name/index.html
index bccde26a49..bb6df3a161 100644
--- a/en/rules/Azure.Storage.Name/index.html
+++ b/en/rules/Azure.Storage.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid storage account namesAzure.Storage.NameAZR-000201Error

    Operational Excellence · Storage Account + · Rule · 2020_06

    Storage Account names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.Storage.SecureTransfer/index.html b/en/rules/Azure.Storage.SecureTransfer/index.html
index 9dd78aa53b..f7a5d6174d 100644
--- a/en/rules/Azure.Storage.SecureTransfer/index.html
+++ b/en/rules/Azure.Storage.SecureTransfer/index.html
@@ -12121,6 +12121,7 @@

    Enforce encrypted Storage connect

    Security · Storage Account + · Rule · 2020_06

    Storage accounts should only accept encrypted connections.

    Description#

    diff --git a/en/rules/Azure.Storage.SoftDelete/index.html b/en/rules/Azure.Storage.SoftDelete/index.html
index df0b8bbc39..d41eed1ebc 100644
--- a/en/rules/Azure.Storage.SoftDelete/index.html
+++ b/en/rules/Azure.Storage.SoftDelete/index.html
@@ -12163,6 +12163,7 @@

    Use blob soft deleteAzure.Storage.SoftDeleteAZR-000197Error

    Reliability · Storage Account + · Rule · 2020_06

    Enable blob soft delete on Storage Accounts.

    Description#

    diff --git a/en/rules/Azure.Storage.UseReplication/index.html b/en/rules/Azure.Storage.UseReplication/index.html
index 5654b660ed..0e4f13a6f5 100644
--- a/en/rules/Azure.Storage.UseReplication/index.html
+++ b/en/rules/Azure.Storage.UseReplication/index.html
@@ -12135,6 +12135,7 @@

    Use geo-replicated storageAzure.Storage.UseReplicationAZR-000195Error

    Reliability · Storage Account + · Rule · 2020_06

    Storage Accounts not using geo-replicated storage (GRS) may be at risk.

    Description#

    diff --git a/en/rules/Azure.Template.DebugDeployment/index.html b/en/rules/Azure.Template.DebugDeployment/index.html
index 5cea7ddef7..918d8eaf48 100644
--- a/en/rules/Azure.Template.DebugDeployment/index.html
+++ b/en/rules/Azure.Template.DebugDeployment/index.html
@@ -12067,6 +12067,7 @@

    Disable debugging of nested dep

    Operational Excellence · All resources + · Rule · 2021_03

    Use default deployment detail level for nested deployments.

    Description#

    diff --git a/en/rules/Azure.Template.DefineParameters/index.html b/en/rules/Azure.Template.DefineParameters/index.html
index e84afb9c25..c275c4a1e1 100644
--- a/en/rules/Azure.Template.DefineParameters/index.html
+++ b/en/rules/Azure.Template.DefineParameters/index.html
@@ -12121,6 +12121,7 @@

    Define template parametersAzure.Template.DefineParametersAZR-000218Error

    Operational Excellence · All resources + · Rule · 2021_03

    Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.

    Description#

    diff --git a/en/rules/Azure.Template.ExpressionLength/index.html b/en/rules/Azure.Template.ExpressionLength/index.html
index 487aa5546d..6e1333aa5e 100644
--- a/en/rules/Azure.Template.ExpressionLength/index.html
+++ b/en/rules/Azure.Template.ExpressionLength/index.html
@@ -12081,6 +12081,7 @@

    Template expres

    Operational Excellence · All resources + · Rule · 2021_12

    Template expressions should not exceed the maximum length.

    Description#

    diff --git a/en/rules/Azure.Template.LocationDefault/index.html b/en/rules/Azure.Template.LocationDefault/index.html
index 52e30a661f..15de3707d8 100644
--- a/en/rules/Azure.Template.LocationDefault/index.html
+++ b/en/rules/Azure.Template.LocationDefault/index.html
@@ -12135,6 +12135,7 @@

    Default to resource group locationAzure.Template.LocationDefaultAZR-000220Error

    Reliability · All resources + · Rule · 2021_03

    Set the default value for the location parameter within an ARM template to resource group location.

    Description#

    diff --git a/en/rules/Azure.Template.LocationType/index.html b/en/rules/Azure.Template.LocationType/index.html
index d87b356a89..58a7415e00 100644
--- a/en/rules/Azure.Template.LocationType/index.html
+++ b/en/rules/Azure.Template.LocationType/index.html
@@ -12121,6 +12121,7 @@

    Use type string for location pa

    Operational Excellence · All resources + · Rule · 2021_03

    Location parameters should use a string value.

    Description#

    diff --git a/en/rules/Azure.Template.MetadataLink/index.html b/en/rules/Azure.Template.MetadataLink/index.html
index 5a44647f9e..40c2d9ea63 100644
--- a/en/rules/Azure.Template.MetadataLink/index.html
+++ b/en/rules/Azure.Template.MetadataLink/index.html
@@ -12121,6 +12121,7 @@

    Use parameter file metadata linkAzure.Template.MetadataLinkAZR-000231Error

    Operational Excellence · All resources + · Rule · 2021_09

    Configure a metadata link for each parameter file.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterDataTypes/index.html b/en/rules/Azure.Template.ParameterDataTypes/index.html
index 90a5b93530..2002441edc 100644
--- a/en/rules/Azure.Template.ParameterDataTypes/index.html
+++ b/en/rules/Azure.Template.ParameterDataTypes/index.html
@@ -12067,6 +12067,7 @@

    Default should match typeAzure.Template.ParameterDataTypesAZR-000226Error

    Operational Excellence · All resources + · Rule · 2021_03

    Set the parameter default value to a value of the same type.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterFile/index.html b/en/rules/Azure.Template.ParameterFile/index.html
index 00ae19b62e..2bf578cd1f 100644
--- a/en/rules/Azure.Template.ParameterFile/index.html
+++ b/en/rules/Azure.Template.ParameterFile/index.html
@@ -12067,6 +12067,7 @@

    Use ARM parameter file structureAzure.Template.ParameterFileAZR-000229Error

    Operational Excellence · All resources + · Rule · 2020_06

    Use ARM template parameter files that are valid.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterMetadata/index.html b/en/rules/Azure.Template.ParameterMetadata/index.html
index 7fef3d8bc9..b5d029dc4b 100644
--- a/en/rules/Azure.Template.ParameterMetadata/index.html
+++ b/en/rules/Azure.Template.ParameterMetadata/index.html
@@ -12067,6 +12067,7 @@

    Use template parameter descriptions

    Operational Excellence · All resources + · Rule · 2020_09

    Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterMinMaxValue/index.html b/en/rules/Azure.Template.ParameterMinMaxValue/index.html
index 0d4a9d0ce6..99609283c3 100644
--- a/en/rules/Azure.Template.ParameterMinMaxValue/index.html
+++ b/en/rules/Azure.Template.ParameterMinMaxValue/index.html
@@ -12067,6 +12067,7 @@

    Use minValue and maxValue w

    Operational Excellence · All resources + · Rule · 2021_03

    Template parameters minValue and maxValue constraints must be valid.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterScheme/index.html b/en/rules/Azure.Template.ParameterScheme/index.html
index 3f2d691c50..6b7a6fe96e 100644
--- a/en/rules/Azure.Template.ParameterScheme/index.html
+++ b/en/rules/Azure.Template.ParameterScheme/index.html
@@ -12107,6 +12107,7 @@

    Use a https template paramet

    Operational Excellence · All resources + · Rule · 2021_09

    Use an Azure template parameter file schema with the https scheme.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterStrongType/index.html b/en/rules/Azure.Template.ParameterStrongType/index.html
index 036d1a1cf2..71a4a7bbc7 100644
--- a/en/rules/Azure.Template.ParameterStrongType/index.html
+++ b/en/rules/Azure.Template.ParameterStrongType/index.html
@@ -12067,6 +12067,7 @@

    Parameter value should match s

    Operational Excellence · All resources + · Rule · 2021_12

    Set the parameter value to a value that matches the specified strong type.

    Description#

    diff --git a/en/rules/Azure.Template.ParameterValue/index.html b/en/rules/Azure.Template.ParameterValue/index.html
index 79af713836..2dcee80d2d 100644
--- a/en/rules/Azure.Template.ParameterValue/index.html
+++ b/en/rules/Azure.Template.ParameterValue/index.html
@@ -12107,6 +12107,7 @@

    Specify a value for each parameterAzure.Template.ParameterValueAZR-000232Error

    Operational Excellence · All resources + · Rule · 2021_09

    Specify a value for each parameter in template parameter files.

    Description#

    diff --git a/en/rules/Azure.Template.ResourceLocation/index.html b/en/rules/Azure.Template.ResourceLocation/index.html
index 6c9c609053..a1059b9203 100644
--- a/en/rules/Azure.Template.ResourceLocation/index.html
+++ b/en/rules/Azure.Template.ResourceLocation/index.html
@@ -12067,6 +12067,7 @@

    Use a location paramete

    Operational Excellence · All resources + · Rule · 2021_03

    Template resource location should be an expression or global.

    Description#

    diff --git a/en/rules/Azure.Template.Resources/index.html b/en/rules/Azure.Template.Resources/index.html
index e96a47df57..948e08a0a3 100644
--- a/en/rules/Azure.Template.Resources/index.html
+++ b/en/rules/Azure.Template.Resources/index.html
@@ -12067,6 +12067,7 @@

    Include a template resourceAzure.Template.ResourcesAZR-000216Error

    Operational Excellence · All resources + · Rule · 2020_09

    Each Azure Resource Manager (ARM) template file should deploy at least one resource.

    Description#

    diff --git a/en/rules/Azure.Template.TemplateFile/index.html b/en/rules/Azure.Template.TemplateFile/index.html
index 57f84b5b23..20892ba1f7 100644
--- a/en/rules/Azure.Template.TemplateFile/index.html
+++ b/en/rules/Azure.Template.TemplateFile/index.html
@@ -12067,6 +12067,7 @@

    Use ARM template file structureAzure.Template.TemplateFileAZR-000212Error

    Operational Excellence · All resources + · Rule · 2020_06

    Use ARM template files that are valid.

    Description#

    diff --git a/en/rules/Azure.Template.TemplateSchema/index.html b/en/rules/Azure.Template.TemplateSchema/index.html
index c4f73ec697..fe9a688da0 100644
--- a/en/rules/Azure.Template.TemplateSchema/index.html
+++ b/en/rules/Azure.Template.TemplateSchema/index.html
@@ -12107,6 +12107,7 @@

    Use a recent template schema versi

    Operational Excellence · All resources + · Rule · 2021_09

    Use a more recent version of the Azure template schema.

    Description#

    diff --git a/en/rules/Azure.Template.TemplateScheme/index.html b/en/rules/Azure.Template.TemplateScheme/index.html
index 4604ae6997..5cac4ab704 100644
--- a/en/rules/Azure.Template.TemplateScheme/index.html
+++ b/en/rules/Azure.Template.TemplateScheme/index.html
@@ -12107,6 +12107,7 @@

    Use a https template file schemaAzure.Template.TemplateSchemeAZR-000214Error

    Operational Excellence · All resources + · Rule · 2021_09

    Use an Azure template file schema with the https scheme.

    Description#

    diff --git a/en/rules/Azure.Template.UseComments/index.html b/en/rules/Azure.Template.UseComments/index.html
index 63d0e9f889..a65a863540 100644
--- a/en/rules/Azure.Template.UseComments/index.html
+++ b/en/rules/Azure.Template.UseComments/index.html
@@ -12107,6 +12107,7 @@

    Use comments for each ARM t

    Operational Excellence · All resources + · Rule · 2021_12

    Use comments for each resource in ARM template to communicate purpose.

    Description#

    diff --git a/en/rules/Azure.Template.UseDescriptions/index.html b/en/rules/Azure.Template.UseDescriptions/index.html
index 06f17ecddd..b2b2b0f1c3 100644
--- a/en/rules/Azure.Template.UseDescriptions/index.html
+++ b/en/rules/Azure.Template.UseDescriptions/index.html
@@ -12107,6 +12107,7 @@

    Use comments for each

    Operational Excellence · All resources + · Rule · 2021_12

    Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.

    Description#

    diff --git a/en/rules/Azure.Template.UseLocationParameter/index.html b/en/rules/Azure.Template.UseLocationParameter/index.html
index 69313acf56..e78fa47558 100644
--- a/en/rules/Azure.Template.UseLocationParameter/index.html
+++ b/en/rules/Azure.Template.UseLocationParameter/index.html
@@ -12121,6 +12121,7 @@

    Use a location pa

    Operational Excellence · All resources + · Rule · 2021_03

    Template should reference a location parameter to specify resource location.

    Description#

    diff --git a/en/rules/Azure.Template.UseParameters/index.html b/en/rules/Azure.Template.UseParameters/index.html
index 08d965a94a..68975549d9 100644
--- a/en/rules/Azure.Template.UseParameters/index.html
+++ b/en/rules/Azure.Template.UseParameters/index.html
@@ -12067,6 +12067,7 @@

    Remove unused template parametersAzure.Template.UseParametersAZR-000217Error

    Operational Excellence · All resources + · Rule · 2020_09

    Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.

    Description#

    diff --git a/en/rules/Azure.Template.UseVariables/index.html b/en/rules/Azure.Template.UseVariables/index.html
index bbd8d458d4..d683c274b7 100644
--- a/en/rules/Azure.Template.UseVariables/index.html
+++ b/en/rules/Azure.Template.UseVariables/index.html
@@ -12067,6 +12067,7 @@

    Remove unused template variablesAzure.Template.UseVariablesAZR-000219Error

    Operational Excellence · All resources + · Rule · 2020_09

    Each Azure Resource Manager (ARM) template variable should be used or removed from template files.

    Description#

    diff --git a/en/rules/Azure.Template.ValidSecretRef/index.html b/en/rules/Azure.Template.ValidSecretRef/index.html
index d8542b30af..5d82951f97 100644
--- a/en/rules/Azure.Template.ValidSecretRef/index.html
+++ b/en/rules/Azure.Template.ValidSecretRef/index.html
@@ -12107,6 +12107,7 @@

    Use a valid secret referenceAzure.Template.ValidSecretRefAZR-000233Error

    Operational Excellence · All resources + · Rule · 2021_09

    Use a valid secret reference within parameter files.

    Description#

    diff --git a/en/rules/Azure.TrafficManager.Endpoints/index.html b/en/rules/Azure.TrafficManager.Endpoints/index.html
index 92fe429596..ebae4bfdda 100644
--- a/en/rules/Azure.TrafficManager.Endpoints/index.html
+++ b/en/rules/Azure.TrafficManager.Endpoints/index.html
@@ -12067,6 +12067,7 @@

    Use at least two Traffic Man

    Reliability · Traffic Manager + · Rule · 2020_06

    Traffic Manager should use at lest two enabled endpoints.

    Description#

    diff --git a/en/rules/Azure.TrafficManager.Protocol/index.html b/en/rules/Azure.TrafficManager.Protocol/index.html
index 0d00c8adb4..f58dafe51a 100644
--- a/en/rules/Azure.TrafficManager.Protocol/index.html
+++ b/en/rules/Azure.TrafficManager.Protocol/index.html
@@ -12067,6 +12067,7 @@

    Use HTTPS to monitor web-based

    Security · Traffic Manager + · Rule · 2020_06

    Monitor Traffic Manager web-based endpoints with HTTPS.

    Description#

    diff --git a/en/rules/Azure.VM.ADE/index.html b/en/rules/Azure.VM.ADE/index.html
index 237a9cebd8..43afcf5f2c 100644
--- a/en/rules/Azure.VM.ADE/index.html
+++ b/en/rules/Azure.VM.ADE/index.html
@@ -12067,6 +12067,7 @@

    Use Azure Disk EncryptionAzure.VM.ADEAZR-000252Error

    Security · Virtual Machine + · Rule · 2020_06

    Use Azure Disk Encryption (ADE).

    Description#

    diff --git a/en/rules/Azure.VM.AMA/index.html b/en/rules/Azure.VM.AMA/index.html
index a9d6c67b96..47f55c9766 100644
--- a/en/rules/Azure.VM.AMA/index.html
+++ b/en/rules/Azure.VM.AMA/index.html
@@ -12135,6 +12135,7 @@

    Use Azure Monitor AgentAzure.VM.AMAAZR-000345Error

    Operational Excellence · Virtual Machine + · Rule · 2022_12

    Use Azure Monitor Agent for collecting monitoring data.

    Description#

    diff --git a/en/rules/Azure.VM.ASAlignment/index.html b/en/rules/Azure.VM.ASAlignment/index.html
index 9a24905e4c..79e744323a 100644
--- a/en/rules/Azure.VM.ASAlignment/index.html
+++ b/en/rules/Azure.VM.ASAlignment/index.html
@@ -12067,6 +12067,7 @@

    Use aligned availability setsAzure.VM.ASAlignmentAZR-000254Error

    Reliability · Virtual Machine + · Rule · 2020_06

    Use availability sets aligned with managed disks fault domains.

    Description#

    diff --git a/en/rules/Azure.VM.ASMinMembers/index.html b/en/rules/Azure.VM.ASMinMembers/index.html
index c20360d06c..ed618a1fce 100644
--- a/en/rules/Azure.VM.ASMinMembers/index.html
+++ b/en/rules/Azure.VM.ASMinMembers/index.html
@@ -12081,6 +12081,7 @@

    Use availability sets w

    Reliability · Virtual Machine + · Rule · 2020_06

    Availability sets should be deployed with at least two virtual machines (VMs).

    Description#

    diff --git a/en/rules/Azure.VM.ASName/index.html b/en/rules/Azure.VM.ASName/index.html
index c6c59554a3..b04fdd176a 100644
--- a/en/rules/Azure.VM.ASName/index.html
+++ b/en/rules/Azure.VM.ASName/index.html
@@ -12081,6 +12081,7 @@

    Use valid Availability Set namesAzure.VM.ASNameAZR-000256Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Availability Set names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VM.AcceleratedNetworking/index.html b/en/rules/Azure.VM.AcceleratedNetworking/index.html
index 54cb834fde..94ef42212e 100644
--- a/en/rules/Azure.VM.AcceleratedNetworking/index.html
+++ b/en/rules/Azure.VM.AcceleratedNetworking/index.html
@@ -12067,6 +12067,7 @@

    Use accelerated networkingAzure.VM.AcceleratedNetworkingAZR-000244Error

    Performance Efficiency · Virtual Machine + · Rule · 2020_06

    Use accelerated networking for supported operating systems and VM types.

    Description#

    diff --git a/en/rules/Azure.VM.Agent/index.html b/en/rules/Azure.VM.Agent/index.html
index 43a6c1c113..a2b550b603 100644
--- a/en/rules/Azure.VM.Agent/index.html
+++ b/en/rules/Azure.VM.Agent/index.html
@@ -12053,6 +12053,7 @@

    VM agent is provisioned automatic

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Ensure the VM agent is provisioned automatically.

    Description#

    diff --git a/en/rules/Azure.VM.BasicSku/index.html b/en/rules/Azure.VM.BasicSku/index.html
index be6f2aa2ee..6000b70da8 100644
--- a/en/rules/Azure.VM.BasicSku/index.html
+++ b/en/rules/Azure.VM.BasicSku/index.html
@@ -12067,6 +12067,7 @@

    Avoid Basic VM SKUAzure.VM.BasicSkuAZR-000241Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Virtual machines (VMs) should not use Basic sizes.

    Description#

    diff --git a/en/rules/Azure.VM.ComputerName/index.html b/en/rules/Azure.VM.ComputerName/index.html
index 55d8b3d119..ff60391ac1 100644
--- a/en/rules/Azure.VM.ComputerName/index.html
+++ b/en/rules/Azure.VM.ComputerName/index.html
@@ -12081,6 +12081,7 @@

    Use valid VM computer namesAzure.VM.ComputerNameAZR-000249Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Virtual Machine (VM) computer name should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VM.DiskAttached/index.html b/en/rules/Azure.VM.DiskAttached/index.html
index 0f05ddec29..f755d916f8 100644
--- a/en/rules/Azure.VM.DiskAttached/index.html
+++ b/en/rules/Azure.VM.DiskAttached/index.html
@@ -12067,6 +12067,7 @@

    Remove unused managed disksAzure.VM.DiskAttachedAZR-000250Error

    Cost Optimization · Virtual Machine + · Rule · 2020_06

    Managed disks should be attached to virtual machines or removed.

    Description#

    diff --git a/en/rules/Azure.VM.DiskCaching/index.html b/en/rules/Azure.VM.DiskCaching/index.html
index b62caae706..cecff76eb6 100644
--- a/en/rules/Azure.VM.DiskCaching/index.html
+++ b/en/rules/Azure.VM.DiskCaching/index.html
@@ -12053,6 +12053,7 @@

    Configure host cachingAzure.VM.DiskCachingAZR-000242Error

    Performance Efficiency · Virtual Machine + · Rule · 2020_06

    Check disk caching is configured correctly for the workload.

    Description#

    diff --git a/en/rules/Azure.VM.DiskName/index.html b/en/rules/Azure.VM.DiskName/index.html
index f15db93638..1f6a65e472 100644
--- a/en/rules/Azure.VM.DiskName/index.html
+++ b/en/rules/Azure.VM.DiskName/index.html
@@ -12081,6 +12081,7 @@

    Use valid Managed Disk namesAzure.VM.DiskNameAZR-000253Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Managed Disk names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VM.DiskSizeAlignment/index.html b/en/rules/Azure.VM.DiskSizeAlignment/index.html
index 47f5fe9626..fbdace556e 100644
--- a/en/rules/Azure.VM.DiskSizeAlignment/index.html
+++ b/en/rules/Azure.VM.DiskSizeAlignment/index.html
@@ -12067,6 +12067,7 @@

    Allocate VM disks aligned to

    Cost Optimization · Virtual Machine + · Rule · 2020_06

    Align to the Managed Disk billing model to improve cost efficiency.

    Description#

    diff --git a/en/rules/Azure.VM.MaintenanceConfig/index.html b/en/rules/Azure.VM.MaintenanceConfig/index.html
index b547e498ba..f8b2d98145 100644
--- a/en/rules/Azure.VM.MaintenanceConfig/index.html
+++ b/en/rules/Azure.VM.MaintenanceConfig/index.html
@@ -12135,6 +12135,7 @@

    Associate a maintenance configura

    Operational Excellence · Virtual Machine + · Rule · 2023_06

    Use a maintenance configuration for virtual machines.

    Description#

    diff --git a/en/rules/Azure.VM.MigrateAMA/index.html b/en/rules/Azure.VM.MigrateAMA/index.html
index 142b71f96e..ae7b32e4c4 100644
--- a/en/rules/Azure.VM.MigrateAMA/index.html
+++ b/en/rules/Azure.VM.MigrateAMA/index.html
@@ -12121,6 +12121,7 @@

    Migrate to Azure Monitor AgentAzure.VM.MigrateAMAAZR-000317Error

    Operational Excellence · Virtual Machine + · Rule · 2022_12

    Use Azure Monitor Agent as replacement for Log Analytics Agent.

    Description#

    diff --git a/en/rules/Azure.VM.NICAttached/index.html b/en/rules/Azure.VM.NICAttached/index.html
index 1c73619d66..aacb1dbe95 100644
--- a/en/rules/Azure.VM.NICAttached/index.html
+++ b/en/rules/Azure.VM.NICAttached/index.html
@@ -12067,6 +12067,7 @@

    Attach NIC or clean upAzure.VM.NICAttachedAZR-000257Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Network interfaces (NICs) should be attached.

    Description#

    diff --git a/en/rules/Azure.VM.NICName/index.html b/en/rules/Azure.VM.NICName/index.html
index c80dd4bfd7..a6e00970be 100644
--- a/en/rules/Azure.VM.NICName/index.html
+++ b/en/rules/Azure.VM.NICName/index.html
@@ -12081,6 +12081,7 @@

    Use valid NIC namesAzure.VM.NICNameAZR-000259Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Network Interface (NIC) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VM.Name/index.html b/en/rules/Azure.VM.Name/index.html
index bde16886ac..f3a3a7fba9 100644
--- a/en/rules/Azure.VM.Name/index.html
+++ b/en/rules/Azure.VM.Name/index.html
@@ -12081,6 +12081,7 @@

    Use valid VM namesAzure.VM.NameAZR-000248Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Virtual Machine (VM) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VM.PPGName/index.html b/en/rules/Azure.VM.PPGName/index.html index 525f29d0f3..fe68bcb67f 100644 --- a/en/rules/Azure.VM.PPGName/index.html +++ b/en/rules/Azure.VM.PPGName/index.html @@ -12081,6 +12081,7 @@

    Use valid PPG namesAzure.VM.PPGNameAZR-000260Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Proximity Placement Group (PPG) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VM.PromoSku/index.html b/en/rules/Azure.VM.PromoSku/index.html index bc4bb1f6c1..212a345066 100644 --- a/en/rules/Azure.VM.PromoSku/index.html +++ b/en/rules/Azure.VM.PromoSku/index.html @@ -12067,6 +12067,7 @@

    Use current VM SKUsAzure.VM.PromoSkuAZR-000240Error

    Cost Optimization · Virtual Machine + · Rule · 2020_06

    Virtual machines (VMs) should not use expired promotional SKU.

    Description#

    diff --git a/en/rules/Azure.VM.PublicKey/index.html b/en/rules/Azure.VM.PublicKey/index.html index f421d5406c..d6d0ed5508 100644 --- a/en/rules/Azure.VM.PublicKey/index.html +++ b/en/rules/Azure.VM.PublicKey/index.html @@ -12053,6 +12053,7 @@

    Use public keys for LinuxAzure.VM.PublicKeyAZR-000245Error

    Security · Virtual Machine + · Rule · 2020_06

    Linux virtual machines should use public keys.

    Description#

    diff --git a/en/rules/Azure.VM.SQLServerDisk/index.html b/en/rules/Azure.VM.SQLServerDisk/index.html index b17ddb28f1..3d95d0a0e4 100644 --- a/en/rules/Azure.VM.SQLServerDisk/index.html +++ b/en/rules/Azure.VM.SQLServerDisk/index.html @@ -12135,6 +12135,7 @@

    Configure Premium disks or aboveAzure.VM.SQLServerDiskAZR-000324Error

    Performance Efficiency · Virtual Machine + · Rule · 2022_12

    Use Premium SSD disks or greater for data and log files for production SQL Server workloads.

    Description#

    diff --git a/en/rules/Azure.VM.ScriptExtensions/index.html b/en/rules/Azure.VM.ScriptExtensions/index.html index a670f0b6d7..9591c6ac1e 100644 --- a/en/rules/Azure.VM.ScriptExtensions/index.html +++ b/en/rules/Azure.VM.ScriptExtensions/index.html @@ -12121,6 +12121,7 @@

    S

    Security · Virtual Machine + · Rule · 2022_12

    Custom Script Extensions scripts that reference secret values must use the protectedSettings.

    Description#

    diff --git a/en/rules/Azure.VM.ShouldNotBeStopped/index.html b/en/rules/Azure.VM.ShouldNotBeStopped/index.html index b8e8ea83af..2e56ac019f 100644 --- a/en/rules/Azure.VM.ShouldNotBeStopped/index.html +++ b/en/rules/Azure.VM.ShouldNotBeStopped/index.html @@ -12067,6 +12067,7 @@

    VMs should not be stopped stateAzure.VM.ShouldNotBeStoppedAZR-000351Error

    Cost Optimization · Virtual Machine + · Rule · 2023_03

    Azure VMs should be running or in a deallocated state.

    Description#

    diff --git a/en/rules/Azure.VM.Standalone/index.html b/en/rules/Azure.VM.Standalone/index.html index 62062bf67b..0c73344dca 100644 --- a/en/rules/Azure.VM.Standalone/index.html +++ b/en/rules/Azure.VM.Standalone/index.html @@ -12121,6 +12121,7 @@

    Standalone Virtual MachineAzure.VM.StandaloneAZR-000239Error

    Reliability · Virtual Machine + · Rule · 2020_06

    Use VM features to increase reliability and improve covered SLA for VM configurations.

    Description#

    diff --git a/en/rules/Azure.VM.UniqueDns/index.html b/en/rules/Azure.VM.UniqueDns/index.html index 6971fb310c..8a928d4874 100644 --- a/en/rules/Azure.VM.UniqueDns/index.html +++ b/en/rules/Azure.VM.UniqueDns/index.html @@ -12067,6 +12067,7 @@

    NICs with custom DNS settingsAzure.VM.UniqueDnsAZR-000258Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Network interfaces (NICs) should inherit DNS from virtual networks.

    Description#

    diff --git a/en/rules/Azure.VM.Updates/index.html b/en/rules/Azure.VM.Updates/index.html index f1946f39e4..fec1a811bc 100644 --- a/en/rules/Azure.VM.Updates/index.html +++ b/en/rules/Azure.VM.Updates/index.html @@ -12053,6 +12053,7 @@

    Automatic updates are enabledAzure.VM.UpdatesAZR-000247Error

    Operational Excellence · Virtual Machine + · Rule · 2020_06

    Ensure automatic updates are enabled at deployment.

    Description#

    diff --git a/en/rules/Azure.VM.UseHybridUseBenefit/index.html b/en/rules/Azure.VM.UseHybridUseBenefit/index.html index 37608dc65b..c4016cf3c1 100644 --- a/en/rules/Azure.VM.UseHybridUseBenefit/index.html +++ b/en/rules/Azure.VM.UseHybridUseBenefit/index.html @@ -12135,6 +12135,7 @@

    Use Azure Hybrid BenefitAzure.VM.UseHybridUseBenefitAZR-000243Error

    Cost Optimization · Virtual Machine + · Rule · 2020_06

    Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.

    Description#

    diff --git a/en/rules/Azure.VM.UseManagedDisks/index.html b/en/rules/Azure.VM.UseManagedDisks/index.html index fb96b3b87f..b0a83d54e0 100644 --- a/en/rules/Azure.VM.UseManagedDisks/index.html +++ b/en/rules/Azure.VM.UseManagedDisks/index.html @@ -12067,6 +12067,7 @@

    Use Managed DisksAzure.VM.UseManagedDisksAZR-000238Error

    Reliability · Virtual Machine + · Rule · 2020_06

    Virtual machines (VMs) should use managed disks.

    Description#

    diff --git a/en/rules/Azure.VMSS.AMA/index.html b/en/rules/Azure.VMSS.AMA/index.html index 04b9ee3c90..17deef5544 100644 --- a/en/rules/Azure.VMSS.AMA/index.html +++ b/en/rules/Azure.VMSS.AMA/index.html @@ -12135,6 +12135,7 @@

    Use Azure Monitor AgentAzure.VMSS.AMAAZR-000346Error

    Operational Excellence · Virtual Machine Scale Sets + · Rule · 2022_12

    Use Azure Monitor Agent for collecting monitoring data.

    Description#

    diff --git a/en/rules/Azure.VMSS.ComputerName/index.html b/en/rules/Azure.VMSS.ComputerName/index.html index c459902a15..c9b100d433 100644 --- a/en/rules/Azure.VMSS.ComputerName/index.html +++ b/en/rules/Azure.VMSS.ComputerName/index.html @@ -12081,6 +12081,7 @@

    Use valid VMSS computer namesAzure.VMSS.ComputerNameAZR-000262Error

    Operational Excellence · Virtual Machine Scale Sets + · Rule · 2020_06

    Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VMSS.MigrateAMA/index.html b/en/rules/Azure.VMSS.MigrateAMA/index.html index cf1da3196e..569fc6e309 100644 --- a/en/rules/Azure.VMSS.MigrateAMA/index.html +++ b/en/rules/Azure.VMSS.MigrateAMA/index.html @@ -12121,6 +12121,7 @@

    Migrate to Azure Monitor AgentAzure.VMSS.MigrateAMAAZR-000318Error

    Operational Excellence · Virtual Machine Scale Sets + · Rule · 2022_12

    Use Azure Monitor Agent as replacement for Log Analytics Agent.

    Description#

    diff --git a/en/rules/Azure.VMSS.Name/index.html b/en/rules/Azure.VMSS.Name/index.html index 78c162ed4d..dc26de0d6f 100644 --- a/en/rules/Azure.VMSS.Name/index.html +++ b/en/rules/Azure.VMSS.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid VMSS namesAzure.VMSS.NameAZR-000261Error

    Operational Excellence · Virtual Machine Scale Sets + · Rule · 2020_06

    Virtual Machine Scale Set (VMSS) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VMSS.PublicKey/index.html b/en/rules/Azure.VMSS.PublicKey/index.html index 425eaec910..705e8ec073 100644 --- a/en/rules/Azure.VMSS.PublicKey/index.html +++ b/en/rules/Azure.VMSS.PublicKey/index.html @@ -12121,6 +12121,7 @@

    Disable password authenticationAzure.VMSS.PublicKeyAZR-000288Error

    Security · Virtual Machine Scale Sets + · Rule · 2022_09

    Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.

    Description#

    diff --git a/en/rules/Azure.VMSS.ScriptExtensions/index.html b/en/rules/Azure.VMSS.ScriptExtensions/index.html index a32381c745..4828b11a34 100644 --- a/en/rules/Azure.VMSS.ScriptExtensions/index.html +++ b/en/rules/Azure.VMSS.ScriptExtensions/index.html @@ -12121,6 +12121,7 @@

    Azure.VMSS.ScriptExtensionsAZR-000333Error

    Security · Virtual Machine Scale Sets + · Rule · 2022_12

    Custom Script Extensions scripts that reference secret values must use the protectedSettings.

    Description#

    diff --git a/en/rules/Azure.VNET.BastionSubnet/index.html b/en/rules/Azure.VNET.BastionSubnet/index.html index 9f5c9dca35..13daedec66 100644 --- a/en/rules/Azure.VNET.BastionSubnet/index.html +++ b/en/rules/Azure.VNET.BastionSubnet/index.html @@ -12121,6 +12121,7 @@

    Configure VNETs with a

    Reliability · Virtual Network + · Rule · 2022_12

    VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.

    Description#

    diff --git a/en/rules/Azure.VNET.FirewallSubnet/index.html b/en/rules/Azure.VNET.FirewallSubnet/index.html index 08c9811a0f..242b942c6d 100644 --- a/en/rules/Azure.VNET.FirewallSubnet/index.html +++ b/en/rules/Azure.VNET.FirewallSubnet/index.html @@ -12121,6 +12121,7 @@

    Configure VNETs with

    Security · Virtual Network + · Rule · 2022_12

    Use Azure Firewall to filter network traffic to and from Azure resources.

    Description#

    diff --git a/en/rules/Azure.VNET.LocalDNS/index.html b/en/rules/Azure.VNET.LocalDNS/index.html index c2e507ed26..a0b9c4ddef 100644 --- a/en/rules/Azure.VNET.LocalDNS/index.html +++ b/en/rules/Azure.VNET.LocalDNS/index.html @@ -12135,6 +12135,7 @@

    Use local DNS serversAzure.VNET.LocalDNSAZR-000265Error

    Reliability · Virtual Network + · Rule · 2020_06

    Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.

    Description#

    diff --git a/en/rules/Azure.VNET.Name/index.html b/en/rules/Azure.VNET.Name/index.html index 78c1680fb8..b0440f95a8 100644 --- a/en/rules/Azure.VNET.Name/index.html +++ b/en/rules/Azure.VNET.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid VNET namesAzure.VNET.NameAZR-000268Error

    Operational Excellence · Virtual Network + · Rule · 2020_06

    Virtual Network (VNET) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VNET.PeerState/index.html b/en/rules/Azure.VNET.PeerState/index.html index ef60a103e9..fbe2b86b05 100644 --- a/en/rules/Azure.VNET.PeerState/index.html +++ b/en/rules/Azure.VNET.PeerState/index.html @@ -12135,6 +12135,7 @@

    VNET peer is not connectedAzure.VNET.PeerStateAZR-000266Error

    Operational Excellence · Virtual Network + · Rule · 2020_06

    VNET peering connections must be connected.

    Description#

    diff --git a/en/rules/Azure.VNET.SingleDNS/index.html b/en/rules/Azure.VNET.SingleDNS/index.html index 2a929eaff5..86caacf79a 100644 --- a/en/rules/Azure.VNET.SingleDNS/index.html +++ b/en/rules/Azure.VNET.SingleDNS/index.html @@ -12121,6 +12121,7 @@

    Use redundant DNS serversAzure.VNET.SingleDNSAZR-000264Error

    Reliability · Virtual Network + · Rule · 2020_06

    Virtual networks (VNETs) should have at least two DNS servers assigned.

    Description#

    diff --git a/en/rules/Azure.VNET.SubnetName/index.html b/en/rules/Azure.VNET.SubnetName/index.html index 72d0639bc7..ad8c3b35b2 100644 --- a/en/rules/Azure.VNET.SubnetName/index.html +++ b/en/rules/Azure.VNET.SubnetName/index.html @@ -12081,6 +12081,7 @@

    Use valid subnet namesAzure.VNET.SubnetNameAZR-000267Error

    Operational Excellence · Virtual Network + · Rule · 2020_06

    Subnet names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VNET.UseNSGs/index.html b/en/rules/Azure.VNET.UseNSGs/index.html index 5530795d91..1a848d91fd 100644 --- a/en/rules/Azure.VNET.UseNSGs/index.html +++ b/en/rules/Azure.VNET.UseNSGs/index.html @@ -12149,6 +12149,7 @@

    Use NSGs on subnetsAzure.VNET.UseNSGsAZR-000263Error

    Security · Virtual Network + · Rule · 2020_06

    Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.

    Description#

    diff --git a/en/rules/Azure.VNG.ConnectionName/index.html b/en/rules/Azure.VNG.ConnectionName/index.html index 81eacad586..1fe9601313 100644 --- a/en/rules/Azure.VNG.ConnectionName/index.html +++ b/en/rules/Azure.VNG.ConnectionName/index.html @@ -12081,6 +12081,7 @@

    Use valid connection namesAzure.VNG.ConnectionNameAZR-000275Error

    Operational Excellence · Virtual Network Gateway + · Rule · 2020_06

    Virtual Network Gateway (VNG) connection names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VNG.ERAvailabilityZoneSKU/index.html b/en/rules/Azure.VNG.ERAvailabilityZoneSKU/index.html index 829ee335b2..64277d6c33 100644 --- a/en/rules/Azure.VNG.ERAvailabilityZoneSKU/index.html +++ b/en/rules/Azure.VNG.ERAvailabilityZoneSKU/index.html @@ -12135,6 +12135,7 @@

    Use availability zo

    Reliability · Virtual Network Gateway + · Rule · 2021_12

    Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.

    Description#

    diff --git a/en/rules/Azure.VNG.ERLegacySKU/index.html b/en/rules/Azure.VNG.ERLegacySKU/index.html index 5ba4be8c13..92b7428e27 100644 --- a/en/rules/Azure.VNG.ERLegacySKU/index.html +++ b/en/rules/Azure.VNG.ERLegacySKU/index.html @@ -12067,6 +12067,7 @@

    Migrate from legacy ER gateway SKUs

    Operational Excellence · Virtual Network Gateway + · Rule · 2020_06

    Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.

    Description#

    diff --git a/en/rules/Azure.VNG.Name/index.html b/en/rules/Azure.VNG.Name/index.html index c126789b21..47278646fe 100644 --- a/en/rules/Azure.VNG.Name/index.html +++ b/en/rules/Azure.VNG.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid VNG namesAzure.VNG.NameAZR-000274Error

    Operational Excellence · Virtual Network Gateway + · Rule · 2020_06

    Virtual Network Gateway (VNG) names should meet naming requirements.

    Description#

    diff --git a/en/rules/Azure.VNG.VPNActiveActive/index.html b/en/rules/Azure.VNG.VPNActiveActive/index.html index 595a844d48..c14b14bd23 100644 --- a/en/rules/Azure.VNG.VPNActiveActive/index.html +++ b/en/rules/Azure.VNG.VPNActiveActive/index.html @@ -12081,6 +12081,7 @@

    Use Active-Active VPN gatewaysAzure.VNG.VPNActiveActiveAZR-000270Error

    Reliability · Virtual Network Gateway + · Rule · 2020_06

    Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.

    Description#

    diff --git a/en/rules/Azure.VNG.VPNAvailabilityZoneSKU/index.html b/en/rules/Azure.VNG.VPNAvailabilityZoneSKU/index.html index d51a8de9ac..42d3b57ee3 100644 --- a/en/rules/Azure.VNG.VPNAvailabilityZoneSKU/index.html +++ b/en/rules/Azure.VNG.VPNAvailabilityZoneSKU/index.html @@ -12135,6 +12135,7 @@

    Use availability zone SKU fo

    Reliability · Virtual Network Gateway + · Rule · 2021_12

    Use availability zone SKU for virtual network gateways deployed with VPN gateway type.

    Description#

    diff --git a/en/rules/Azure.VNG.VPNLegacySKU/index.html b/en/rules/Azure.VNG.VPNLegacySKU/index.html index 75fc8b0594..aab3fc747d 100644 --- a/en/rules/Azure.VNG.VPNLegacySKU/index.html +++ b/en/rules/Azure.VNG.VPNLegacySKU/index.html @@ -12067,6 +12067,7 @@

    Migrate from legacy VPN gateway SK

    Operational Excellence · Virtual Network Gateway + · Rule · 2020_06

    Migrate from legacy SKUs to improve reliability and performance of VPN gateways.

    Description#

    diff --git a/en/rules/Azure.WebPubSub.ManagedIdentity/index.html b/en/rules/Azure.WebPubSub.ManagedIdentity/index.html index 2a863be841..1e21f86a28 100644 --- a/en/rules/Azure.WebPubSub.ManagedIdentity/index.html +++ b/en/rules/Azure.WebPubSub.ManagedIdentity/index.html @@ -12121,6 +12121,7 @@

    Use managed identities f

    Security · Web PubSub Service + · Rule · 2022_03

    Configure Web PubSub Services to use managed identities to access Azure resources securely.

    Description#

    diff --git a/en/rules/Azure.WebPubSub.SLA/index.html b/en/rules/Azure.WebPubSub.SLA/index.html index 88aaf45503..6258e1a42e 100644 --- a/en/rules/Azure.WebPubSub.SLA/index.html +++ b/en/rules/Azure.WebPubSub.SLA/index.html @@ -12121,6 +12121,7 @@

    Use an SLA for Web PubSub ServicesAzure.WebPubSub.SLAAZR-000278Error

    Reliability · Web PubSub Service + · Rule · 2022_03

    Use SKUs that include an SLA when configuring Web PubSub Services.

    Description#

    diff --git a/en/rules/Azure.vWAN.Name/index.html b/en/rules/Azure.vWAN.Name/index.html index 4c5b2efe45..765191d569 100644 --- a/en/rules/Azure.vWAN.Name/index.html +++ b/en/rules/Azure.vWAN.Name/index.html @@ -12081,6 +12081,7 @@

    Use valid vWAN namesAzure.vWAN.NameAZR-000276Error

    Operational Excellence · Virtual WAN + · Rule · 2021_12

    Virtual WAN (vWAN) names should meet naming requirements.

    Description#

    diff --git a/en/rules/metadata.json b/en/rules/metadata.json index fa02896eaf..5038b36a91 100644 --- a/en/rules/metadata.json +++ b/en/rules/metadata.json 
@@ -1,325 +1,322 @@ { - "Azure.FrontDoorWAF.RuleGroups": { - "Name": "Azure.FrontDoorWAF.RuleGroups", + "Azure.MariaDB.UseSSL": { + "Name": "Azure.MariaDB.UseSSL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000308", + "Value": "PSRule.Rules.Azure\\AZR-000334", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000308" + "Name": "AZR-000334" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use Recommended Front Door WAF policy rule groups", - "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.", - "Recommendation": "Consider configuring Front Door WAF policy to use the recommended rule sets.", + "DisplayName": "Encrypted connections", + "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.", + "Recommendation": "Azure Database for MariaDB should be configured to only accept encrypted connections. 
Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.VM.AMA": { - "Name": "Azure.VM.AMA", + "Azure.VM.PPGName": { + "Name": "Azure.VM.PPGName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000345", + "Value": "PSRule.Rules.Azure\\AZR-000260", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000345" + "Name": "AZR-000260" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Azure Monitor Agent", - "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", - "Recommendation": "Virtual Machines should install Azure Monitor Agent.", + "DisplayName": "Use valid PPG names", + "Synopsis": "Proximity Placement Group (PPG) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Proximity Placement Group naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.RBAC.UseRGDelegation": { - "Name": "Azure.RBAC.UseRGDelegation", + "Azure.Automation.PlatformLogs": { + "Name": "Azure.Automation.PlatformLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000207", + "Value": "PSRule.Rules.Azure\\AZR-000089", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000207" + "Name": "AZR-000089" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", - "Level": "Error", - "Method": null, - "DisplayName": "Use Resource Group delegation", - "Synopsis": "Use RBAC assignments on resource groups instead of individual resources.", - "Recommendation": "Consider using RBAC assignments on resource groups instead of individual resources.", - "Pillar": "Security", - "Control": null - }, - "Azure.ACR.Retention": { - "Name": "Azure.ACR.Retention", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000010", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000010" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "preview", - "RuleSet": "2020_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Configure ACR retention policies", - "Synopsis": "Use a retention policy to cleanup untagged manifests.", - "Recommendation": "Consider enabling a retention policy for untagged manifests.", - "Pillar": "Cost Optimization", - "Control": null + "DisplayName": "Automation accounts should collect platform diagnostic logs", + "Synopsis": "Ensure automation account platform diagnostic logs are enabled.", + "Recommendation": "Consider configuring diagnostic settings to capture platform logs from Automation accounts.", + "Pillar": null, + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.AppGw.UseWAF": { - "Name": "Azure.AppGw.UseWAF", + "Azure.VNET.FirewallSubnet": { + "Name": "Azure.VNET.FirewallSubnet", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000063", + "Value": "PSRule.Rules.Azure\\AZR-000322", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000063" + "Name": "AZR-000322" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Application Gateway uses WAF SKU", - "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.", - "Recommendation": "Consider deploying Application Gateways with a WAF SKU to protect against common attacks.", + "DisplayName": "Configure VNETs with a AzureFirewallSubnet subnet", + "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.", + "Recommendation": "Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.EventHub.Usage": { - "Name": "Azure.EventHub.Usage", + "Azure.SQLMI.Name": { + "Name": "Azure.SQLMI.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000101", + "Value": "PSRule.Rules.Azure\\AZR-000194", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000101" + "Name": "AZR-000194" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Remove unused Event Hub namespaces", - "Synopsis": "Regularly remove unused resources to reduce costs.", - "Recommendation": "Consider removing Event Hub namespaces that are not used.", + "DisplayName": "Use valid SQL Managed Instance names", + "Synopsis": "SQL 
Managed Instance names should meet naming requirements.", + "Recommendation": "Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1" }, - "Azure.AppService.WebSecureFtp": { - "Name": "Azure.AppService.WebSecureFtp", + "Azure.AKS.MinNodeCount": { + "Name": "Azure.AKS.MinNodeCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000081", + "Value": "PSRule.Rules.Azure\\AZR-000024", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000081" + "Name": "AZR-000024" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Web apps disable insecure FTP", - "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.", - "Recommendation": "Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.", - "Pillar": "Security", - "Control": null + "DisplayName": "Azure.AKS.MinNodeCount", + "Synopsis": "AKS clusters should have minimum number of nodes for failover and updates.", + "Recommendation": "Use at least three (3) agent nodes. 
Consider deploying additional nodes as required to provide enough resiliency during nodes failures or planned maintenance.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.Template.DefineParameters": { - "Name": "Azure.Template.DefineParameters", + "Azure.VNET.BastionSubnet": { + "Name": "Azure.VNET.BastionSubnet", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000218", + "Value": "PSRule.Rules.Azure\\AZR-000314", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000218" + "Name": "AZR-000314" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Define template parameters", - "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.", - "Recommendation": "Consider defining a minimal number of parameters to make the template reusable.", - "Pillar": null, - "Control": null + "DisplayName": "Configure VNETs with a AzureBastionSubnet subnet", + "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.", + "Recommendation": "Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.VM.BasicSku": { - "Name": "Azure.VM.BasicSku", + "Azure.Defender.Api": { + "Name": "Azure.Defender.Api", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000241", + "Value": "PSRule.Rules.Azure\\AZR-000377", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000241" + "Name": "AZR-000377" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": 
null, - "DisplayName": "Avoid Basic VM SKU", - "Synopsis": "Virtual machines (VMs) should not use Basic sizes.", - "Recommendation": "Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Set Microsoft Defender for APIs to the Standard tier", + "Synopsis": "Enable Microsoft Defender for APIs.", + "Recommendation": "Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Storage.ContainerSoftDelete": { - "Name": "Azure.Storage.ContainerSoftDelete", + "Azure.DefenderCloud.Provisioning": { + "Name": "Azure.DefenderCloud.Provisioning", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000289", + "Value": "PSRule.Rules.Azure\\AZR-000210", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000289" + "Name": "AZR-000210" }, "Alias": [ - null + { + "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Provisioning", + "Scope": "PSRule.Rules.Azure", + "Name": "Azure.SecurityCenter.Provisioning" + } ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use container soft delete", - "Synopsis": "Enable container soft delete on Storage Accounts.", - "Recommendation": "Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Enable Microsoft Defender for Cloud auto-provisioning", + "Synopsis": "Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.", + "Recommendation": "Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM 
insights.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.ContainerApp.Insecure": { - "Name": "Azure.ContainerApp.Insecure", + "Azure.APIM.Protocols": { + "Name": "Azure.APIM.Protocols", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000094", + "Value": "PSRule.Rules.Azure\\AZR-000054", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000094" + "Name": "AZR-000054" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Disable insecure container app ingress", - "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.", - "Recommendation": "Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.", + "DisplayName": "Use secure TLS versions for API Management", + "Synopsis": "API Management should only accept a minimum of TLS 1.2 for client and backend communication.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. 
Also consider disabling weak or deprecated ciphers.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.Policy.ExemptionDescriptors": { - "Name": "Azure.Policy.ExemptionDescriptors", + "Azure.APIM.ProductSubscription": { + "Name": "Azure.APIM.ProductSubscription", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000145", + "Value": "PSRule.Rules.Azure\\AZR-000046", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000145" + "Name": "AZR-000046" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use descriptive policy exemptions", - "Synopsis": "Policy exemptions should use a display name and description.", - "Recommendation": "Consider setting a display name and description for each policy exemption.", - "Pillar": null, - "Control": null + "DisplayName": "Require a subscription for products", + "Synopsis": "Configure products to require a subscription.", + "Recommendation": "Consider configuring all API Management products to require a subscription.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.TemplateSchema": { - "Name": "Azure.Template.TemplateSchema", + "Azure.MySQL.ServerName": { + "Name": "Azure.MySQL.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000213", + "Value": "PSRule.Rules.Azure\\AZR-000136", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000213" + "Name": "AZR-000136" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use a recent template schema version", - "Synopsis": "Use a more recent version of the Azure template schema.", - "Recommendation": "Consider using a more recent 
schema version for Azure template files.", + "DisplayName": "Use valid MySQL DB server names", + "Synopsis": "Azure MySQL DB server names should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.DataFactory.Version": { - "Name": "Azure.DataFactory.Version", + "Azure.APIM.DefenderCloud": { + "Name": "Azure.APIM.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000097", + "Value": "PSRule.Rules.Azure\\AZR-000387", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000097" + "Name": "AZR-000387" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use Data Factory v2", - "Synopsis": "Consider migrating to DataFactory v2.", - "Recommendation": "Consider migrating to DataFactory v2.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Onboard Defender for APIs", + "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.", + "Recommendation": "Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.AKS.AuthorizedIPs": { - "Name": "Azure.AKS.AuthorizedIPs", + "Azure.AppService.AlwaysOn": { + "Name": "Azure.AppService.AlwaysOn", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000030", + "Value": "PSRule.Rules.Azure\\AZR-000077", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000030" + "Name": "AZR-000077" }, "Alias": [ null ], "Flags": 0, "Release": 
"GA", - "RuleSet": "2021_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Restrict access to AKS API server endpoints", - "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.", - "Recommendation": "Consider restricting network traffic to the API server endpoints to trusted IP addresses. Include output IP addresses for cluster nodes and any range where administration will occur from.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use App Service Always On", + "Synopsis": "Configure Always On for App Service apps.", + "Recommendation": "Consider enabling Always On for each App Services app.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.PublicIP.IsAttached": { - "Name": "Azure.PublicIP.IsAttached", + "Azure.LB.Name": { + "Name": "Azure.LB.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000154", + "Value": "PSRule.Rules.Azure\\AZR-000129", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000154" + "Name": "AZR-000129" }, "Alias": [ null 
@@ -329,39 +326,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Remove unused Public IP addresses", - "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.", - "Recommendation": "Consider removing Public IP addresses that are no longer required reduce complexity and costs.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Load Balancer names", + "Synopsis": "Load Balancer names should meet naming requirements.", + "Recommendation": "Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.yaml" }, - "Azure.Search.IndexSLA": { - "Name": "Azure.Search.IndexSLA", + "Azure.Template.ParameterDataTypes": { + "Name": "Azure.Template.ParameterDataTypes", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000174", + "Value": "PSRule.Rules.Azure\\AZR-000226", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000174" + "Name": "AZR-000226" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Search index update SLA minimum replicas", - "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.", - "Recommendation": "Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Default should match type", + "Synopsis": "Set the parameter default value to a value of the same type.", + "Recommendation": "Consider updating the parameter default value to a value of the same type.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - 
"Azure.ACR.GeoReplica": { - "Name": "Azure.ACR.GeoReplica", + "Azure.ACR.ContainerScan": { + "Name": "Azure.ACR.ContainerScan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000004", + "Value": "PSRule.Rules.Azure\\AZR-000002", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000004" + "Name": "AZR-000002" }, "Alias": [ null @@ -371,18 +370,19 @@ "RuleSet": "2020_12", "Level": "Error", "Method": "in-flight", - "DisplayName": "Geo-replicate container images", - "Synopsis": "Use geo-replicated container registries to compliment a multi-region container deployments.", - "Recommendation": "Consider using a geo-replicated container registry for multi-region deployments.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Scan Container Registry images", + "Synopsis": "Enable vulnerability scanning for container images.", + "Recommendation": "Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.Policy.Descriptors": { - "Name": "Azure.Policy.Descriptors", + "Azure.AppGw.WAFRules": { + "Name": "Azure.AppGw.WAFRules", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000142", + "Value": "PSRule.Rules.Azure\\AZR-000068", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000142" + "Name": "AZR-000068" }, "Alias": [ null 
@@ -392,249 +392,261 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use descriptive policies", - "Synopsis": "Policy and initiative definitions should use a display name, description, and category.", - "Recommendation": "Consider setting a display name, description and category for each policy and initiatives definition.", - "Pillar": null, - "Control": null + "DisplayName": "Application Gateway rules are enabled", + "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.", + "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.VM.MaintenanceConfig": { - "Name": "Azure.VM.MaintenanceConfig", + "Azure.Storage.UseReplication": { + "Name": "Azure.Storage.UseReplication", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000375", + "Value": "PSRule.Rules.Azure\\AZR-000195", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000375" + "Name": "AZR-000195" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Associate a maintenance configuration", - "Synopsis": "Use a maintenance configuration for virtual machines.", - "Recommendation": "Consider automatically managing and applying operating system updates by associating a maintenance configuration.", - "Pillar": null, - "Control": null + "DisplayName": "Use geo-replicated storage", + "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.", + "Recommendation": "Consider using GRS for storage accounts that contain data.", + 
"Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.ResourceGroup.Name": { - "Name": "Azure.ResourceGroup.Name", + "Azure.MariaDB.GeoRedundantBackup": { + "Name": "Azure.MariaDB.GeoRedundantBackup", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000168", + "Value": "PSRule.Rules.Azure\\AZR-000329", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000168" + "Name": "AZR-000329" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid resource group names", - "Synopsis": "Resource Group names should meet naming requirements.", - "Recommendation": "Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Configure geo-redundant backup", + "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.", + "Recommendation": "Configure geo-redundant backup for Azure Database for MariaDB.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.yaml" }, - "Azure.Arc.Kubernetes.Defender": { - "Name": "Azure.Arc.Kubernetes.Defender", + "Azure.AKS.ContainerInsights": { + "Name": "Azure.AKS.ContainerInsights", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000373", + "Value": "PSRule.Rules.Azure\\AZR-000041", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000373" + "Name": "AZR-000041" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use Microsoft Defender", - "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.", - 
"Recommendation": "Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.", - "Pillar": "Security", - "Control": null + "DisplayName": "Enable AKS Container insights", + "Synopsis": "Enable Container insights to monitor AKS cluster workloads.", + "Recommendation": "Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.MigrateAMA": { - "Name": "Azure.VM.MigrateAMA", + "Azure.EventGrid.ManagedIdentity": { + "Name": "Azure.EventGrid.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000317", + "Value": "PSRule.Rules.Azure\\AZR-000099", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000317" + "Name": "AZR-000099" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Migrate to Azure Monitor Agent", - "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", - "Recommendation": "Virtual Machines should migrate to Azure Monitor Agent.", - "Pillar": null, - "Control": null + "DisplayName": "Use Managed Identity for Event Grid Topics", + "Synopsis": "Use managed identities to deliver Event Grid Topic events.", + "Recommendation": "Consider configuring a managed identity for each Event Grid Topic.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml" }, - "Azure.Defender.AppServices": { - "Name": "Azure.Defender.AppServices", + "Azure.FrontDoor.ProbePath": { + "Name": "Azure.FrontDoor.ProbePath", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000295", + "Value": 
"PSRule.Rules.Azure\\AZR-000110", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000295" + "Name": "AZR-000110" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Configure Microsoft Defender for App Services to the Standard tier", - "Synopsis": "Enable Microsoft Defender for App Service.", - "Recommendation": "Consider using Microsoft Defender for App Service to protect your web apps and APIs.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use a Dedicated Health Endpoint for Front Door backends", + "Synopsis": "Configure a dedicated path for health probe requests.", + "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.Defender.CosmosDb": { - "Name": "Azure.Defender.CosmosDb", + "Azure.VNET.SubnetName": { + "Name": "Azure.VNET.SubnetName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000379", + "Value": "PSRule.Rules.Azure\\AZR-000267", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000379" + "Name": "AZR-000267" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for Cosmos DB to the Standard tier", - "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", - "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid subnet names", + "Synopsis": "Subnet names should meet naming requirements.", + "Recommendation": "Consider using names that meet subnet naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.PostgreSQL.MinTLS": { - "Name": "Azure.PostgreSQL.MinTLS", + "Azure.Cosmos.AccountName": { + "Name": "Azure.Cosmos.AccountName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000148", + "Value": "PSRule.Rules.Azure\\AZR-000096", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000148" + "Name": "AZR-000096" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "PostgreSQL DB server minimum TLS version", - "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Cosmos DB account names", + "Synopsis": "Cosmos DB account names should meet naming requirements.", + "Recommendation": "Consider using names that meet Cosmos DB account naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml" }, - "Azure.MariaDB.MinTLS": { - "Name": "Azure.MariaDB.MinTLS", + "Azure.Template.ValidSecretRef": { + "Name": "Azure.Template.ValidSecretRef", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000335", + "Value": "PSRule.Rules.Azure\\AZR-000233", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000335" + "Name": "AZR-000233" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Minimum TLS version", - "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.", - "Recommendation": "Configure the minimum supported TLS version to be 1.2.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use a valid secret reference", + "Synopsis": "Use a valid secret reference within parameter files.", + "Recommendation": "Check the secret value Key Vault reference is valid.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Redis.MinTLS": { - "Name": "Azure.Redis.MinTLS", + "Azure.SQL.DBName": { + "Name": "Azure.SQL.DBName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000164", + "Value": "PSRule.Rules.Azure\\AZR-000192", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000164" + "Name": "AZR-000192" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Redis Cache minimum TLS version", - "Synopsis": "Redis Cache should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. 
Support for TLS 1.0/ 1.1 version will be removed.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid SQL Database names", + "Synopsis": "Azure SQL Database names should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.Deployment.OutputSecretValue": { - "Name": "Azure.Deployment.OutputSecretValue", + "Azure.AppGw.WAFEnabled": { + "Name": "Azure.AppGw.WAFEnabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000279", + "Value": "PSRule.Rules.Azure\\AZR-000066", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000279" + "Name": "AZR-000066" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Secret value in deployment output", - "Synopsis": "Avoid outputting sensitive deployment values.", - "Recommendation": "Consider removing any output values that return secret values in code.", + "DisplayName": "Application Gateway WAF is enabled", + "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.", + "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.AppConfig.DisableLocalAuth": { - "Name": "Azure.AppConfig.DisableLocalAuth", + "Azure.Redis.MinSKU": { + "Name": "Azure.Redis.MinSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000291", + "Value": "PSRule.Rules.Azure\\AZR-000159", "Scope": "PSRule.Rules.Azure", - "Name": 
"AZR-000291" + "Name": "AZR-000159" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use identity-based authentication for App Configuration", - "Synopsis": "Authenticate App Configuration clients with Azure AD identities.", - "Recommendation": "Consider only using Azure AD identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use at least Standard C1 cache instances", + "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.", + "Recommendation": "Consider using a minimum of a Standard C1 instance for production workloads.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.CDN.HTTP": { - "Name": "Azure.CDN.HTTP", + "Azure.VM.AcceleratedNetworking": { + "Name": "Azure.VM.AcceleratedNetworking", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000093", + "Value": "PSRule.Rules.Azure\\AZR-000244", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000093" + "Name": "AZR-000244" }, "Alias": [ null 
@@ -644,102 +656,107 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use HTTPS client connections", - "Synopsis": "Enforce HTTPS for client connections.", - "Recommendation": "Consider disabling HTTP support on the CDN endpoint origin.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use accelerated networking", + "Synopsis": "Use accelerated networking for supported operating systems and VM types.", + "Recommendation": "Consider enabling accelerated networking for supported operating systems and VM types.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.LogicApp.LimitHTTPTrigger": { - "Name": "Azure.LogicApp.LimitHTTPTrigger", + "Azure.PublicIP.IsAttached": { + "Name": "Azure.PublicIP.IsAttached", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000130", + "Value": "PSRule.Rules.Azure\\AZR-000154", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000130" + "Name": "AZR-000154" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Limit Logic App HTTP request triggers", - "Synopsis": "Limit HTTP request trigger access to trusted IP addresses.", - "Recommendation": "Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.", - "Pillar": null, - "Control": null + "DisplayName": "Remove unused Public IP addresses", + "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.", + "Recommendation": "Consider removing Public IP addresses that are no longer required reduce complexity and costs.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.KeyVault.Firewall": { - "Name": "Azure.KeyVault.Firewall", + "Azure.AKS.LocalAccounts": { + "Name": 
"Azure.AKS.LocalAccounts", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000355", + "Value": "PSRule.Rules.Azure\\AZR-000031", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000355" + "Name": "AZR-000031" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2023_03", + "Release": "preview", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Configure Azure Key Vault firewall", - "Synopsis": "Key Vault should only accept explicitly allowed traffic.", - "Recommendation": "Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.", + "DisplayName": "Disable AKS local accounts", + "Synopsis": "Enforce named user accounts with RBAC assigned permissions.", + "Recommendation": "Consider enforcing usage of named accounts by disabling local Kubernetes account credentials.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.AKS.Name": { - "Name": "Azure.AKS.Name", + "Azure.Cosmos.DefenderCloud": { + "Name": "Azure.Cosmos.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000039", + "Value": "PSRule.Rules.Azure\\AZR-000382", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000039" + "Name": "AZR-000382" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid AKS cluster names", - "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.", - "Recommendation": "Consider using names that meet AKS cluster naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Enable Microsoft Defender", + "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", + "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1" }, - "Azure.FrontDoorWAF.Exclusions": { - "Name": "Azure.FrontDoorWAF.Exclusions", + "Azure.Storage.SecureTransfer": { + "Name": "Azure.Storage.SecureTransfer", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000307", + "Value": "PSRule.Rules.Azure\\AZR-000196", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000307" + "Name": "AZR-000196" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Avoid configuring Front Door WAF rule exclusions", - "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.", - "Recommendation": "Avoid configuring Front Door WAF rule exclusions.", + "DisplayName": "Enforce encrypted Storage connections", + "Synopsis": "Storage accounts should only accept encrypted connections.", + "Recommendation": "Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. 
Also consider using Azure Policy to audit or enforce this configuration.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, - "Azure.Deployment.AdminUsername": { - "Name": "Azure.Deployment.AdminUsername", + "Azure.AppConfig.DisableLocalAuth": { + "Name": "Azure.AppConfig.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000284", + "Value": "PSRule.Rules.Azure\\AZR-000291", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000284" + "Name": "AZR-000291" }, "Alias": [ null 
@@ -749,144 +766,151 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Administrator Username Types", - "Synopsis": "Use secure parameters for sensitive resource properties.", - "Recommendation": "Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.", + "DisplayName": "Use identity-based authentication for App Configuration", + "Synopsis": "Authenticate App Configuration clients with Azure AD identities.", + "Recommendation": "Consider only using Azure AD identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml" }, - "Azure.VM.ASName": { - "Name": "Azure.VM.ASName", + "Azure.MariaDB.MinTLS": { + "Name": "Azure.MariaDB.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000256", + "Value": "PSRule.Rules.Azure\\AZR-000335", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000256" + "Name": "AZR-000335" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid Availability Set names", - "Synopsis": "Availability Set names should meet naming requirements.", - "Recommendation": "Consider using names that meet Availability Set naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Minimum TLS version", + "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.", + "Recommendation": "Configure the minimum supported TLS version to be 1.2.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Storage.UseReplication": { - "Name": "Azure.Storage.UseReplication", + "Azure.APIM.MultiRegionGateway": { + "Name": "Azure.APIM.MultiRegionGateway", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000195", + "Value": "PSRule.Rules.Azure\\AZR-000341", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000195" + "Name": "AZR-000341" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use geo-replicated storage", - "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.", - "Recommendation": "Consider using GRS for storage accounts that contain data.", + "DisplayName": "Multi-region deployment gateways", + "Synopsis": "API Management instances should have multi-region deployment gateways enabled.", + "Recommendation": "Consider enabling each regional API gateway location for multi-region redundancy.", "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.SignalR.ManagedIdentity": { - "Name": "Azure.SignalR.ManagedIdentity", + "Azure.AppService.WebSecureFtp": { + "Name": "Azure.AppService.WebSecureFtp", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000181", + "Value": "PSRule.Rules.Azure\\AZR-000081", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000181" + "Name": "AZR-000081" }, "Alias": [ null ], "Flags": 0, "Release": "GA", 
- "RuleSet": "2022_03", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Use managed identities for SignalR Services", - "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.", - "Recommendation": "Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.", + "DisplayName": "Web apps disable insecure FTP", + "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.", + "Recommendation": "Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.Firewall.PolicyName": { - "Name": "Azure.Firewall.PolicyName", + "Azure.Defender.AppServices": { + "Name": "Azure.Defender.AppServices", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000104", + "Value": "PSRule.Rules.Azure\\AZR-000295", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000104" + "Name": "AZR-000295" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid Firewall policy names", - "Synopsis": "Firewall policy names should meet naming requirements.", - "Recommendation": "Consider using names that meet Firewall policy naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Configure Microsoft Defender for App Services to the Standard tier", + "Synopsis": "Enable Microsoft Defender for App Service.", + "Recommendation": "Consider using Microsoft Defender for App Service to protect your web apps and APIs.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.APIM.MultiRegionGateway": { - "Name": "Azure.APIM.MultiRegionGateway", + "Azure.KeyVault.SoftDelete": { + "Name": "Azure.KeyVault.SoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000341", + "Value": "PSRule.Rules.Azure\\AZR-000124", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000341" + "Name": "AZR-000124" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Multi-region deployment gateways", - "Synopsis": "API Management instances should have multi-region deployment gateways enabled.", - "Recommendation": "Consider enabling each regional API gateway location for multi-region redundancy.", + "DisplayName": "Use Key Vault Soft Delete", + "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.", + "Recommendation": "Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.", "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml" }, - "Azure.Template.DebugDeployment": { - "Name": "Azure.Template.DebugDeployment", + "Azure.VNG.Name": { + "Name": "Azure.VNG.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000225", + "Value": "PSRule.Rules.Azure\\AZR-000274", "Scope": "PSRule.Rules.Azure", - "Name": 
"AZR-000225" + "Name": "AZR-000274" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Disable debugging of nested deployments", - "Synopsis": "Use default deployment detail level for nested deployments.", - "Recommendation": "Consider disabling debugging of nested deployments before release.", + "DisplayName": "Use valid VNG names", + "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml" }, - "Azure.MariaDB.FirewallIPRange": { - "Name": "Azure.MariaDB.FirewallIPRange", + "Azure.Redis.Version": { + "Name": "Azure.Redis.Version", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000344", + "Value": "PSRule.Rules.Azure\\AZR-000347", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000344" + "Name": "AZR-000347" }, "Alias": [ null 
@@ -896,18 +920,19 @@ "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Review Azure MariaDB server firewall permitted public IP addresses", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", - "Recommendation": "Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.", - "Pillar": "Security", - "Control": null + "DisplayName": "Redis version for Azure Cache for Redis", + "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.", + "Recommendation": "Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (>=6.0).", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.VM.ComputerName": { - "Name": "Azure.VM.ComputerName", + "Azure.APIM.SampleProducts": { + "Name": "Azure.APIM.SampleProducts", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000249", + "Value": "PSRule.Rules.Azure\\AZR-000048", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000249" + "Name": "AZR-000048" }, "Alias": [ null 
@@ -917,39 +942,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid VM computer names", - "Synopsis": "Virtual Machine (VM) computer name should meet naming requirements.", - "Recommendation": "Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.", - "Pillar": null, - "Control": null + "DisplayName": "Remove default products", + "Synopsis": "Remove starter and unlimited sample products.", + "Recommendation": "Consider removing starter and unlimited sample products from API Management.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Storage.MinTLS": { - "Name": "Azure.Storage.MinTLS", + "Azure.KeyVault.Firewall": { + "Name": "Azure.KeyVault.Firewall", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000200", + "Value": "PSRule.Rules.Azure\\AZR-000355", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000200" + "Name": "AZR-000355" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Storage Account minimum TLS version", - "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.", + "DisplayName": "Configure Azure Key Vault firewall", + "Synopsis": "Key Vault should only accept explicitly allowed traffic.", + "Recommendation": "Consider configuring Key Vault firewall to restrict network access to permitted clients only. 
Also consider enforcing this setting using Azure Policy.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.VM.ASMinMembers": { - "Name": "Azure.VM.ASMinMembers", + "Azure.PostgreSQL.FirewallRuleCount": { + "Name": "Azure.PostgreSQL.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000255", + "Value": "PSRule.Rules.Azure\\AZR-000149", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000255" + "Name": "AZR-000149" }, "Alias": [ null 
@@ -959,39 +986,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use availability sets with at least two members", - "Synopsis": "Availability sets should be deployed with at least two virtual machines (VMs).", - "Recommendation": "Consider deploying at least two VMs within an availability set to gain availability benefits.", + "DisplayName": "Cleanup PostgreSQL server firewall rules", + "Synopsis": "Determine if there is an excessive number of firewall rules.", + "Recommendation": "The PostgreSQL server has greater then ten (10) firewall rules. Some rules may not be needed.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.ACR.ContainerScan": { - "Name": "Azure.ACR.ContainerScan", + "Azure.RBAC.PIM": { + "Name": "Azure.RBAC.PIM", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000002", + "Value": "PSRule.Rules.Azure\\AZR-000208", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000002" + "Name": "AZR-000208" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_09", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Scan Container Registry images", - "Synopsis": "Enable vulnerability scanning for container images.", - "Recommendation": "Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.", + "Method": null, + "DisplayName": "Use JiT role activation with PIM", + "Synopsis": "Use just-in-time (JiT) activation of roles instead of persistent role assignment.", + "Recommendation": "Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.Template.ParameterDataTypes": { 
- "Name": "Azure.Template.ParameterDataTypes", + "Azure.KeyVault.SecretName": { + "Name": "Azure.KeyVault.SecretName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000226", + "Value": "PSRule.Rules.Azure\\AZR-000121", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000226" + "Name": "AZR-000121" }, "Alias": [ null 
@@ -1001,81 +1030,85 @@ "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Default should match type", - "Synopsis": "Set the parameter default value to a value of the same type.", - "Recommendation": "Consider updating the parameter default value to a value of the same type.", + "DisplayName": "Use valid Key Vault Secret names", + "Synopsis": "Key Vault Secret names should meet naming requirements.", + "Recommendation": "Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.Template.ParameterScheme": { - "Name": "Azure.Template.ParameterScheme", + "Azure.LogicApp.LimitHTTPTrigger": { + "Name": "Azure.LogicApp.LimitHTTPTrigger", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000230", + "Value": "PSRule.Rules.Azure\\AZR-000130", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000230" + "Name": "AZR-000130" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use a https template parameter file schema", - "Synopsis": "Use an Azure template parameter file schema with the https scheme.", - "Recommendation": "Consider using a schema with the https scheme.", + "DisplayName": "Limit Logic App HTTP request triggers", + "Synopsis": "Limit HTTP request trigger access to trusted IP addresses.", + "Recommendation": "Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1" }, - "Azure.Storage.BlobPublicAccess": { - "Name": "Azure.Storage.BlobPublicAccess", + "Azure.RSV.StorageType": { + "Name": 
"Azure.RSV.StorageType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000198", + "Value": "PSRule.Rules.Azure\\AZR-000170", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000198" + "Name": "AZR-000170" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Disallow anonymous access to blob service", - "Synopsis": "Storage Accounts should only accept authorized requests.", - "Recommendation": "Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use geo-replicated storage", + "Synopsis": "Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.", + "Recommendation": "Consider using GeoRedundant for recovery services vaults that contain data.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1" }, - "Azure.Search.QuerySLA": { - "Name": "Azure.Search.QuerySLA", + "Azure.MariaDB.FirewallIPRange": { + "Name": "Azure.MariaDB.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000173", + "Value": "PSRule.Rules.Azure\\AZR-000344", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000173" + "Name": "AZR-000344" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Search query SLA minimum replicas", - "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.", - "Recommendation": "Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Review Azure MariaDB server firewall permitted public IP addresses", + "Synopsis": "Determine if there is an excessive number of 
permitted IP addresses.", + "Recommendation": "Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.MySQL.FirewallRuleCount": { - "Name": "Azure.MySQL.FirewallRuleCount", + "Azure.AppGw.MinInstance": { + "Name": "Azure.AppGw.MinInstance", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000133", + "Value": "PSRule.Rules.Azure\\AZR-000061", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000133" + "Name": "AZR-000061" }, "Alias": [ null @@ -1085,18 +1118,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Cleanup MySQL server firewall rules", - "Synopsis": "Determine if there is an excessive number of firewall rules.", - "Recommendation": "The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.", - "Pillar": null, - "Control": null + "DisplayName": "Use two or more Application Gateway instances", + "Synopsis": "Application Gateways should use a minimum of two instances.", + "Recommendation": "When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.AKS.NodeMinPods": { - "Name": "Azure.AKS.NodeMinPods", + "Azure.PublicIP.Name": { + "Name": "Azure.PublicIP.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000018", + "Value": "PSRule.Rules.Azure\\AZR-000155", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000018" + "Name": "AZR-000155" }, "Alias": [ null 
@@ -1106,207 +1140,195 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Nodes use a minimum number of pods", - "Synopsis": "Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.", - "Recommendation": "Consider deploying node pools with a minimum number of pods per node.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Use valid Public IP names", + "Synopsis": "Public IP names should meet naming requirements.", + "Recommendation": "Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.Cosmos.AccountName": { - "Name": "Azure.Cosmos.AccountName", + "Azure.Policy.ExemptionDescriptors": { + "Name": "Azure.Policy.ExemptionDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000096", + "Value": "PSRule.Rules.Azure\\AZR-000145", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000096" + "Name": "AZR-000145" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Cosmos DB account names", - "Synopsis": "Cosmos DB account names should meet naming requirements.", - "Recommendation": "Consider using names that meet Cosmos DB account naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use descriptive policy exemptions", + "Synopsis": "Policy exemptions should use a display name and description.", + "Recommendation": "Consider setting a display name and description for each policy exemption.", "Pillar": null, - "Control": null - }, - "Azure.MariaDB.DefenderCloud": { - "Name": "Azure.MariaDB.DefenderCloud", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000330", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000330" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2022_12", - "Level": "Error", - "Method": null, - "DisplayName": "Use Microsoft Defender", - "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.", - "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.", - "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.Template.UseParameters": { - "Name": "Azure.Template.UseParameters", + "Azure.AKS.AutoScaling": { + "Name": "Azure.AKS.AutoScaling", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000217", + "Value": "PSRule.Rules.Azure\\AZR-000019", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000217" + "Name": "AZR-000019" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Remove unused template parameters", - "Synopsis": "Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.", - "Recommendation": "Consider removing unused parameters from Azure template files.", - "Pillar": null, - "Control": null + "DisplayName": "Enable AKS cluster autoscaler", + "Synopsis": "Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of 
nodes for the workloads present.", + "Recommendation": "Consider enabling autoscaling for AKS clusters deployed with virtual machine scale sets.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AppService.MinTLS": { - "Name": "Azure.AppService.MinTLS", + "Azure.FrontDoor.ManagedIdentity": { + "Name": "Azure.FrontDoor.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000073", + "Value": "PSRule.Rules.Azure\\AZR-000396", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000073" + "Name": "AZR-000396" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "App Service minimum TLS version", - "Synopsis": "App Service should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.", + "DisplayName": "Managed identity", + "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.", + "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.RBAC.PIM": { - "Name": "Azure.RBAC.PIM", + "Azure.MySQL.UseSSL": { + "Name": "Azure.MySQL.UseSSL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000208", + "Value": "PSRule.Rules.Azure\\AZR-000131", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000208" + "Name": "AZR-000131" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use JiT role activation with PIM", - "Synopsis": "Use just-in-time 
(JiT) activation of roles instead of persistent role assignment.", - "Recommendation": "Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.", + "DisplayName": "Enforce encrypted MySQL connections", + "Synopsis": "Enforce encrypted MySQL connections.", + "Recommendation": "Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml" }, - "Azure.AppGw.Prevention": { - "Name": "Azure.AppGw.Prevention", + "Azure.Template.UseLocationParameter": { + "Name": "Azure.Template.UseLocationParameter", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000065", + "Value": "PSRule.Rules.Azure\\AZR-000223", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000065" + "Name": "AZR-000223" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", - "Level": "Error", + "RuleSet": "2021_03", + "Level": "Warning", "Method": null, - "DisplayName": "Use WAF prevention mode", - "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.", - "Recommendation": "Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use a location parameter to specify resource location", + "Synopsis": "Template should reference a location parameter to specify resource location.", + "Recommendation": "Consider using parameters('location) instead of resourceGroup().location. 
Using a location parameter enabled users of the template to specify the location of deployed resources.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.VNG.ERAvailabilityZoneSKU": { - "Name": "Azure.VNG.ERAvailabilityZoneSKU", + "Azure.AppGwWAF.Exclusions": { + "Name": "Azure.AppGwWAF.Exclusions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000273", + "Value": "PSRule.Rules.Azure\\AZR-000303", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000273" + "Name": "AZR-000303" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use availability zone SKU for ExpressRoute gateways", - "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.", - "Recommendation": "Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.", + "DisplayName": "Application Gateway rules are enabled", + "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.", + "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. 
Alternatively consider updating application code to use safe web standards.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.TrafficManager.Protocol": { - "Name": "Azure.TrafficManager.Protocol", + "Azure.Deployment.OutputSecretValue": { + "Name": "Azure.Deployment.OutputSecretValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000237", + "Value": "PSRule.Rules.Azure\\AZR-000279", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000237" + "Name": "AZR-000279" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Use HTTPS to monitor web-based endpoints", - "Synopsis": "Monitor Traffic Manager web-based endpoints with HTTPS.", - "Recommendation": "Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.", - "Pillar": null, - "Control": null + "DisplayName": "Secret value in deployment output", + "Synopsis": "Avoid outputting sensitive deployment values.", + "Recommendation": "Consider removing any output values that return secret values in code.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.Redis.MaxMemoryReserved": { - "Name": "Azure.Redis.MaxMemoryReserved", + "Azure.VMSS.Name": { + "Name": "Azure.VMSS.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000160", + "Value": "PSRule.Rules.Azure\\AZR-000261", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000160" + "Name": "AZR-000261" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure cache maxmemory-reserved setting", - "Synopsis": "Configure maxmemory-reserved to 
reserve memory for non-cache operations.", - "Recommendation": "Consider configuring maxmemory-reserved to at least 10% of available cache memory.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Use valid VMSS names", + "Synopsis": "Virtual Machine Scale Set (VMSS) names should meet naming requirements.", + "Recommendation": "Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.Firewall.Mode": { - "Name": "Azure.Firewall.Mode", + "Azure.APIM.HTTPEndpoint": { + "Name": "Azure.APIM.HTTPEndpoint", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000105", + "Value": "PSRule.Rules.Azure\\AZR-000042", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000105" + "Name": "AZR-000042" }, "Alias": [ null 
@@ -1316,18 +1338,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure deny on threat intel for classic managed Azure Firewalls", - "Synopsis": "Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.", - "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.", + "DisplayName": "Publish APIs through HTTPS connections", + "Synopsis": "Enforce HTTPS for communication to API clients.", + "Recommendation": "Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.RBAC.UseGroups": { - "Name": "Azure.RBAC.UseGroups", + "Azure.DataFactory.Version": { + "Name": "Azure.DataFactory.Version", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000203", + "Value": "PSRule.Rules.Azure\\AZR-000097", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000203" + "Name": "AZR-000097" }, "Alias": [ null 
@@ -1337,18 +1360,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use groups", - "Synopsis": "Use groups for assigning permissions instead of individual user accounts.", - "Recommendation": "Consider using groups for assigning permissions instead of individual user accounts.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use Data Factory v2", + "Synopsis": "Consider migrating to DataFactory v2.", + "Recommendation": "Consider migrating to DataFactory v2.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DataFactory.Rule.yaml" }, - "Azure.Template.UseComments": { - "Name": "Azure.Template.UseComments", + "Azure.Template.ParameterStrongType": { + "Name": "Azure.Template.ParameterStrongType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000234", + "Value": "PSRule.Rules.Azure\\AZR-000227", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000234" + "Name": "AZR-000227" }, "Alias": [ null @@ -1356,13 +1380,14 @@ "Flags": 0, "Release": "GA", "RuleSet": "2021_12", - "Level": "Information", + "Level": "Error", "Method": null, - "DisplayName": "Use comments for each ARM template resource", - "Synopsis": "Use comments for each resource in ARM template to communicate purpose.", - "Recommendation": "Specify comments for each resource in the template.", + "DisplayName": "Parameter value should match strong type", + "Synopsis": "Set the parameter value to a value that matches the specified strong type.", + "Recommendation": "Consider updating the parameter value to a value that matches the specifed strong type.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, "Azure.ServiceBus.MinTLS": { "Name": "Azure.ServiceBus.MinTLS", 
@@ -1383,98 +1408,125 @@ "Synopsis": "Enforce namespaces to require that clients send and receive data with TLS 1.2 version.", "Recommendation": "Consider namespaces to require that clients send and receive data with TLS 1.2 version.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1" }, - "Azure.Template.Resources": { - "Name": "Azure.Template.Resources", + "Azure.ACR.Quarantine": { + "Name": "Azure.ACR.Quarantine", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000216", + "Value": "PSRule.Rules.Azure\\AZR-000008", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000216" + "Name": "AZR-000008" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "preview", + "RuleSet": "2020_12", + "Level": "Error", + "Method": null, + "DisplayName": "Use container image quarantine pattern", + "Synopsis": "Enable container image quarantine, scan, and mark images as verified.", + "Recommendation": "Consider configuring a security tool to implement the image quarantine pattern. 
Enable image quarantine on the container registry to ensure each image is verified before use.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" + }, + "Azure.VM.NICName": { + "Name": "Azure.VM.NICName", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000259", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000259" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Include a template resource", - "Synopsis": "Each Azure Resource Manager (ARM) template file should deploy at least one resource.", - "Recommendation": "Consider removing Azure template files that do not deploy any resources.", + "DisplayName": "Use valid NIC names", + "Synopsis": "Network Interface (NIC) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.MariaDB.FirewallRuleCount": { - "Name": "Azure.MariaDB.FirewallRuleCount", + "Azure.EventHub.DisableLocalAuth": { + "Name": "Azure.EventHub.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000343", + "Value": "PSRule.Rules.Azure\\AZR-000102", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000343" + "Name": "AZR-000102" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Review Azure MariaDB server firewall rules", - "Synopsis": "Determine if there is an excessive number of firewall rules.", - "Recommendation": "Review the number of Azure for MariaDB server firewall rules configured. 
Consider to removing rules that are no longer needed.", + "DisplayName": "Use identity-based authentication for Event Hub namespaces", + "Synopsis": "Authenticate Event Hub publishers and consumers with Azure AD identities.", + "Recommendation": "Consider only using Azure AD identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml" }, - "Azure.MariaDB.DatabaseName": { - "Name": "Azure.MariaDB.DatabaseName", + "Azure.NSG.Name": { + "Name": "Azure.NSG.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000337", + "Value": "PSRule.Rules.Azure\\AZR-000141", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000337" + "Name": "AZR-000141" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid database names", - "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use valid NSG names", + "Synopsis": "Network Security Group (NSG) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. 
If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell (https://blog.tyang.org/2022/09/10/programmatically-generate-cloud-resource-names-part-1/) or Bicep (https://4bes.nl/2021/10/10/get-a-consistent-azure-naming-convention-with-bicep-modules/)", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml" }, - "Azure.Cognitive.ManagedIdentity": { - "Name": "Azure.Cognitive.ManagedIdentity", + "Azure.ContainerApp.ManagedIdentity": { + "Name": "Azure.ContainerApp.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000281", + "Value": "PSRule.Rules.Azure\\AZR-000361", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000281" + "Name": "AZR-000361" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use Managed Identity for Cognitive Services accounts", - "Synopsis": "Configure managed identities to access Azure resources.", - "Recommendation": "Consider configuring a managed identity for each Cognitive Services account.", + "DisplayName": "Use managed identity for authentication", + "Synopsis": "Ensure managed identity is used for authentication.", + "Recommendation": "Consider configure a managed identity for each container app.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Defender.Cspm": { - "Name": "Azure.Defender.Cspm", + "Azure.Defender.CosmosDb": { + "Name": "Azure.Defender.CosmosDb", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000372", + "Value": "PSRule.Rules.Azure\\AZR-000379", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000372" + "Name": "AZR-000379" }, "Alias": [ null 
@@ -1484,144 +1536,151 @@ "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender Cloud Security Posture Management to the Standard plan", - "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.", - "Recommendation": "Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.", + "DisplayName": "Set Microsoft Defender for Cosmos DB to the Standard tier", + "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", + "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Arc.Server.MaintenanceConfig": { - "Name": "Azure.Arc.Server.MaintenanceConfig", + "Azure.APIM.HTTPBackend": { + "Name": "Azure.APIM.HTTPBackend", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000374", + "Value": "PSRule.Rules.Azure\\AZR-000044", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000374" + "Name": "AZR-000044" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Associate a maintenance configuration", - "Synopsis": "Use a maintenance configuration for Arc-enabled servers.", - "Recommendation": "Consider automatically managing and applying operating system updates with a maintenance configuration.", - "Pillar": null, - "Control": null + "DisplayName": "Use HTTPS backend connections", + "Synopsis": "Use HTTPS for communication to backend services.", + "Recommendation": "Consider configuring only backend services configured with HTTPS-based URLs.", + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.SQL.AADOnly": { - "Name": "Azure.SQL.AADOnly", + "Azure.VNG.ERAvailabilityZoneSKU": { + "Name": "Azure.VNG.ERAvailabilityZoneSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000369", + "Value": "PSRule.Rules.Azure\\AZR-000273", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000369" + "Name": "AZR-000273" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure AD-only authentication", - "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.", - "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.", + "DisplayName": "Use availability zone SKU for ExpressRoute gateways", + "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.", + "Recommendation": "Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.AppService.UseHTTPS": { - "Name": "Azure.AppService.UseHTTPS", + "Azure.Search.Name": { + "Name": "Azure.Search.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000084", + "Value": "PSRule.Rules.Azure\\AZR-000176", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000084" + "Name": "AZR-000176" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Enforce encrypted App Service connections", - "Synopsis": "Azure App Service apps should only accept encrypted connections.", - "Recommendation": "When access using unencrypted HTTP connection 
is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Cognitive Search service names", + "Synopsis": "Azure Cognitive Search service names should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure Cognitive Search service naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.AppGwWAF.Exclusions": { - "Name": "Azure.AppGwWAF.Exclusions", + "Azure.Template.LocationDefault": { + "Name": "Azure.Template.LocationDefault", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000303", + "Value": "PSRule.Rules.Azure\\AZR-000220", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000303" + "Name": "AZR-000220" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Application Gateway rules are enabled", - "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.", - "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. 
Alternatively consider updating application code to use safe web standards.", + "DisplayName": "Default to resource group location", + "Synopsis": "Set the default value for the location parameter within an ARM template to resource group location.", + "Recommendation": "Consider updating the location parameter to use [resourceGroup().location] as the default value.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AppGwWAF.PreventionMode": { - "Name": "Azure.AppGwWAF.PreventionMode", + "Azure.Defender.Cspm": { + "Name": "Azure.Defender.Cspm", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000302", + "Value": "PSRule.Rules.Azure\\AZR-000372", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000302" + "Name": "AZR-000372" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use Application Gateway WAF policy in prevention mode", - "Synopsis": "Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.", - "Recommendation": "Consider setting Application Gateway WAF policy to use protection mode.", - "Pillar": null, - "Control": null + "DisplayName": "Set Microsoft Defender Cloud Security Posture Management to the Standard plan", + "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.", + "Recommendation": "Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.SQL.FGName": { - "Name": "Azure.SQL.FGName", + "Azure.RSV.Immutable": { + "Name": "Azure.RSV.Immutable", "Ref": { - "Value": 
"PSRule.Rules.Azure\\AZR-000193", + "Value": "PSRule.Rules.Azure\\AZR-000397", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000193" + "Name": "AZR-000397" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid SQL failover group names", - "Synopsis": "Azure SQL failover group names should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Immutability", + "Synopsis": "Ensure immutability is configured to protect backup data.", + "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml" }, - "Azure.VM.PPGName": { - "Name": "Azure.VM.PPGName", + "Azure.NSG.DenyAllInbound": { + "Name": "Azure.NSG.DenyAllInbound", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000260", + "Value": "PSRule.Rules.Azure\\AZR-000138", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000260" + "Name": "AZR-000138" }, "Alias": [ null 
@@ -1631,186 +1690,195 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid PPG names", - "Synopsis": "Proximity Placement Group (PPG) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Avoid denying all inbound traffic", + "Synopsis": "Avoid denying all inbound traffic.", + "Recommendation": "Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.Template.ExpressionLength": { - "Name": "Azure.Template.ExpressionLength", + "Azure.MariaDB.VNETRuleName": { + "Name": "Azure.MariaDB.VNETRuleName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000228", + "Value": "PSRule.Rules.Azure\\AZR-000339", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000228" + "Name": "AZR-000339" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Template expressions should not exceed a maximum length", - "Synopsis": "Template expressions should not exceed the maximum length.", - "Recommendation": "Consider updating the expression to reduce complexity and length.", - "Pillar": null, - "Control": null + "DisplayName": "Use valid VNET rule names", + "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Cosmos.DefenderCloud": { - "Name": "Azure.Cosmos.DefenderCloud", + "Azure.Storage.MinTLS": { + "Name": "Azure.Storage.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000382", + "Value": "PSRule.Rules.Azure\\AZR-000200", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000382" + "Name": "AZR-000200" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Enable Microsoft Defender", - "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", - "Recommendation": "Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.", + "DisplayName": "Storage Account minimum TLS version", + "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. 
Also consider enforcing this setting using Azure Policy.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, - "Azure.ADX.SLA": { - "Name": "Azure.ADX.SLA", + "Azure.VM.MigrateAMA": { + "Name": "Azure.VM.MigrateAMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000014", + "Value": "PSRule.Rules.Azure\\AZR-000317", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000014" + "Name": "AZR-000317" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use an SLA for Azure Data Explorer clusters", - "Synopsis": "Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.", - "Recommendation": "Consider using a production ready SKU that includes a SLA.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Migrate to Azure Monitor Agent", + "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", + "Recommendation": "Virtual Machines should migrate to Azure Monitor Agent.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VMSS.PublicKey": { - "Name": "Azure.VMSS.PublicKey", + "Azure.KeyVault.RBAC": { + "Name": "Azure.KeyVault.RBAC", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000288", + "Value": "PSRule.Rules.Azure\\AZR-000388", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000288" + "Name": "AZR-000388" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", - "Level": "Error", + "RuleSet": "2023_06", + "Level": "Warning", "Method": null, - "DisplayName": "Disable password authentication", - "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.", - "Recommendation": "Linux virtual machine scale 
sets should have password authentication disabled and instead use SSH keys.", + "DisplayName": "Use Azure role-based access control", + "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.", + "Recommendation": "Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml" }, - "Azure.FrontDoor.State": { - "Name": "Azure.FrontDoor.State", + "Azure.AppGw.Name": { + "Name": "Azure.AppGw.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000112", + "Value": "PSRule.Rules.Azure\\AZR-000348", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000112" + "Name": "AZR-000348" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Enable Front Door Classic instance", - "Synopsis": "Enable Azure Front Door Classic instance.", - "Recommendation": "Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.", - "Pillar": "Cost Optimization", - "Control": null + "DisplayName": "Use valid names", + "Synopsis": "Application Gateways should meet naming requirements.", + "Recommendation": "Consider using names that meet Application Gateway naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1" }, - "Azure.MariaDB.GeoRedundantBackup": { - "Name": "Azure.MariaDB.GeoRedundantBackup", + "Azure.AppService.UseHTTPS": { + "Name": "Azure.AppService.UseHTTPS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000329", + "Value": "PSRule.Rules.Azure\\AZR-000084", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000329" + "Name": "AZR-000084" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure geo-redundant backup", - "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.", - "Recommendation": "Configure geo-redundant backup for Azure Database for MariaDB.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Enforce encrypted App Service connections", + "Synopsis": "Azure App Service apps should only accept encrypted connections.", + "Recommendation": "When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. 
Also consider using Azure Policy to audit or enforce this configuration.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.AKS.CNISubnetSize": { - "Name": "Azure.AKS.CNISubnetSize", + "Azure.MariaDB.ServerName": { + "Name": "Azure.MariaDB.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000020", + "Value": "PSRule.Rules.Azure\\AZR-000336", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000020" + "Name": "AZR-000336" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters using Azure CNI should use large subnets", - "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.", - "Recommendation": "Consider allocating a larger subnet (/23 or bigger) to your AKS cluster.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid server names", + "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure Database for MariaDB server naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Search.SKU": { - "Name": "Azure.Search.SKU", + "Azure.FrontDoor.State": { + "Name": "Azure.FrontDoor.State", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000172", + "Value": "PSRule.Rules.Azure\\AZR-000112", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000172" + "Name": "AZR-000112" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Cognitive Search minimum SKU", - "Synopsis": "Use the basic and standard tiers for entry level workloads.", - "Recommendation": "Consider deploying Cognitive Search services using basic or higher tier.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Enable Front Door Classic instance", + "Synopsis": "Enable Azure Front Door Classic instance.", + "Recommendation": "Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.", + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.PublicIP.StandardSKU": { - "Name": "Azure.PublicIP.StandardSKU", + "Azure.Redis.AvailabilityZone": { + "Name": "Azure.Redis.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000158", + "Value": "PSRule.Rules.Azure\\AZR-000161", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000158" + "Name": "AZR-000161" }, "Alias": [ null 
@@ -1820,39 +1888,41 @@ "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Public IP addresses should use Standard SKU", - "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.", - "Recommendation": "Consider using Standard SKU for Public IP addresses deployed in production.", + "DisplayName": "Redis cache should use Availability zones in supported regions", + "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.", + "Recommendation": "Consider using availability zones for Premium Redis Cache deployed in supported regions.", "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.AKS.AvailabilityZone": { - "Name": "Azure.AKS.AvailabilityZone", + "Azure.Redis.FirewallRuleCount": { + "Name": "Azure.Redis.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000021", + "Value": "PSRule.Rules.Azure\\AZR-000299", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000021" + "Name": "AZR-000299" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters should use Availability zones in supported regions", - "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.", - "Recommendation": "Consider using availability zones for AKS clusters deployed with virtual machine scale sets.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Cleanup Redis cache firewall rules", + "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.", + "Recommendation": "The Redis cache has more than ten (10) firewall rules. 
Some rules may not be needed.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.vWAN.Name": { - "Name": "Azure.vWAN.Name", + "Azure.Template.UseComments": { + "Name": "Azure.Template.UseComments", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000276", + "Value": "PSRule.Rules.Azure\\AZR-000234", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000276" + "Name": "AZR-000234" }, "Alias": [ null 
@@ -1860,125 +1930,131 @@ "Flags": 0, "Release": "GA", "RuleSet": "2021_12", - "Level": "Error", + "Level": "Information", "Method": null, - "DisplayName": "Use valid vWAN names", - "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use comments for each ARM template resource", + "Synopsis": "Use comments for each resource in ARM template to communicate purpose.", + "Recommendation": "Specify comments for each resource in the template.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AKS.DefenderProfile": { - "Name": "Azure.AKS.DefenderProfile", + "Azure.Template.UseDescriptions": { + "Name": "Azure.Template.UseDescriptions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000370", + "Value": "PSRule.Rules.Azure\\AZR-000235", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000370" + "Name": "AZR-000235" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", - "Level": "Error", + "RuleSet": "2021_12", + "Level": "Information", "Method": null, - "DisplayName": "Enable Defender profile", - "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.", - "Recommendation": "Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use comments for each generated template resource", + "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.", + "Recommendation": "Specify descriptions for each resource in the template.", + "Pillar": null, + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.MySQL.GeoRedundantBackup": { - "Name": "Azure.MySQL.GeoRedundantBackup", + "Azure.AppService.PlanInstanceCount": { + "Name": "Azure.AppService.PlanInstanceCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000323", + "Value": "PSRule.Rules.Azure\\AZR-000071", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000323" + "Name": "AZR-000071" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure geo-redundant backup", - "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.", - "Recommendation": "Configure geo-redundant backup for Azure Database for MySQL.", - "Pillar": null, - "Control": null + "DisplayName": "Use two or more App Service Plan instances", + "Synopsis": "App Service Plan should use a minimum number of instances for failover.", + "Recommendation": "Consider using an App Service Plan with at least two (2) instances.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.ServiceBus.Usage": { - "Name": "Azure.ServiceBus.Usage", + "Azure.EventHub.MinTLS": { + "Name": "Azure.EventHub.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000177", + "Value": "PSRule.Rules.Azure\\AZR-000356", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000177" + "Name": "AZR-000356" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Remove unused Service Bus namespaces", - "Synopsis": "Regularly remove unused resources to reduce costs.", - "Recommendation": "Consider removing Service Bus namespaces that are not used.", - "Pillar": null, - "Control": null + "DisplayName": "Minimum TLS version", + 
"Synopsis": "Event Hub namespaces should reject TLS versions older than 1.2.", + "Recommendation": "Configure the minimum supported TLS version to be 1.2.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml" }, - "Azure.Defender.OssRdb": { - "Name": "Azure.Defender.OssRdb", + "Azure.ContainerApp.Name": { + "Name": "Azure.ContainerApp.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000381", + "Value": "PSRule.Rules.Azure\\AZR-000360", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000381" + "Name": "AZR-000360" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for open-source relational databases to the Standard tier", - "Synopsis": "Enable Microsoft Defender for open-source relational databases.", - "Recommendation": "Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid container app names", + "Synopsis": "Container Apps should meet naming requirements.", + "Recommendation": "Consider using container app names thas meets naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.SQL.FirewallIPRange": { - "Name": "Azure.SQL.FirewallIPRange", + "Azure.ContainerApp.RestrictIngress": { + "Name": "Azure.ContainerApp.RestrictIngress", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000185", + "Value": "PSRule.Rules.Azure\\AZR-000380", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000185" + "Name": "AZR-000380" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Limit SQL logical server firewall rule range", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).", - "Recommendation": "Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).", - "Pillar": null, - "Control": null + "DisplayName": "IP ingress restrictions mode", + "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.", + "Recommendation": "Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1" }, - "Azure.VM.NICName": { - "Name": "Azure.VM.NICName", + "Azure.RBAC.UseGroups": { + "Name": "Azure.RBAC.UseGroups", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000259", + "Value": "PSRule.Rules.Azure\\AZR-000203", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000259" + "Name": "AZR-000203" }, "Alias": [ null 
@@ -1988,165 +2064,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid NIC names", - "Synopsis": "Network Interface (NIC) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Use groups", + "Synopsis": "Use groups for assigning permissions instead of individual user accounts.", + "Recommendation": "Consider using groups for assigning permissions instead of individual user accounts.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.AppService.NETVersion": { - "Name": "Azure.AppService.NETVersion", + "Azure.AppGwWAF.Enabled": { + "Name": "Azure.AppGwWAF.Enabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000075", + "Value": "PSRule.Rules.Azure\\AZR-000309", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000075" + "Name": "AZR-000309" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use a newer .NET version", - "Synopsis": "Configure applications to use newer .NET versions.", - "Recommendation": "Consider updating the site to use a newer .NET version such as v6.0.", - "Pillar": "Security", - "Control": null + "DisplayName": "Application Gateway WAF is enabled", + "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.", + "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - 
"Azure.AppService.WebProbe": { - "Name": "Azure.AppService.WebProbe", + "Azure.Template.Resources": { + "Name": "Azure.Template.Resources", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000079", + "Value": "PSRule.Rules.Azure\\AZR-000216", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000079" + "Name": "AZR-000216" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Web apps use health probes", - "Synopsis": "Configure and enable instance health probes.", - "Recommendation": "Consider configuring a health probe to monitor instance availability.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Include a template resource", + "Synopsis": "Each Azure Resource Manager (ARM) template file should deploy at least one resource.", + "Recommendation": "Consider removing Azure template files that do not deploy any resources.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.ACR.AdminUser": { - "Name": "Azure.ACR.AdminUser", + "Azure.Firewall.Name": { + "Name": "Azure.Firewall.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000005", + "Value": "PSRule.Rules.Azure\\AZR-000103", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000005" + "Name": "AZR-000103" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Disable ACR admin user", - "Synopsis": "Use Azure AD identities instead of using the registry admin user.", - "Recommendation": "Consider disabling the admin user account and only use identity-based authentication for registry operations.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Firewall names", + "Synopsis": "Firewall names should meet naming requirements.", + "Recommendation": "Consider using names that meet 
Firewall naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.Storage.Name": { - "Name": "Azure.Storage.Name", + "Azure.PublicIP.MigrateStandard": { + "Name": "Azure.PublicIP.MigrateStandard", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000201", + "Value": "PSRule.Rules.Azure\\AZR-000395", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000201" + "Name": "AZR-000395" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid storage account names", - "Synopsis": "Storage Account names should meet naming requirements.", - "Recommendation": "Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Migrate to Standard SKU", + "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.", + "Recommendation": "Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml" }, - "Azure.KeyVault.Name": { - "Name": "Azure.KeyVault.Name", + "Azure.VM.SQLServerDisk": { + "Name": "Azure.VM.SQLServerDisk", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000120", + "Value": "PSRule.Rules.Azure\\AZR-000324", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000120" + "Name": "AZR-000324" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid Key Vault names", - "Synopsis": "Key 
Vault names should meet naming requirements.", - "Recommendation": "Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Configure Premium disks or above", + "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.", + "Recommendation": "Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.ACR.AnonymousAccess": { - "Name": "Azure.ACR.AnonymousAccess", + "Azure.Automation.ManagedIdentity": { + "Name": "Azure.Automation.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000401", + "Value": "PSRule.Rules.Azure\\AZR-000090", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000401" + "Name": "AZR-000090" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2023_09", + "Release": "GA", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Anonymous pull access", - "Synopsis": "Disable anonymous pull access.", - "Recommendation": "Consider disabling anonymous pull access in scenarios that require user authentication.", + "DisplayName": "Use managed identity for authentication", + "Synopsis": "Ensure Managed Identity is used for authentication.", + "Recommendation": "Consider configure a managed identity for each Automation Account.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.yaml" }, - "Azure.Cognitive.PrivateEndpoints": { - "Name": "Azure.Cognitive.PrivateEndpoints", + "Azure.AKS.HttpAppRouting": { + "Name": "Azure.AKS.HttpAppRouting", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000283", + "Value": 
"PSRule.Rules.Azure\\AZR-000035", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000283" + "Name": "AZR-000035" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use Cognitive Service Private Endpoints", - "Synopsis": "Use Private Endpoints to access Cognitive Services accounts.", - "Recommendation": "Consider accessing Cognitive Services accounts by Private Endpoints and disabling public endpoints.", + "DisplayName": "Disable HTTP application routing add-on", + "Synopsis": "Disable HTTP application routing add-on in AKS clusters.", + "Recommendation": "Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.NSG.DenyAllInbound": { - "Name": "Azure.NSG.DenyAllInbound", + "Azure.AKS.UseRBAC": { + "Name": "Azure.AKS.UseRBAC", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000138", + "Value": "PSRule.Rules.Azure\\AZR-000038", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000138" + "Name": "AZR-000038" }, "Alias": [ null 
@@ -2156,228 +2240,239 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Avoid denying all inbound traffic", - "Synopsis": "Avoid denying all inbound traffic.", - "Recommendation": "Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.", - "Pillar": null, - "Control": null + "DisplayName": "AKS clusters use RBAC", + "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.", + "Recommendation": "Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.\nRBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.APIM.Protocols": { - "Name": "Azure.APIM.Protocols", + "Azure.Defender.Dns": { + "Name": "Azure.Defender.Dns", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000054", + "Value": "PSRule.Rules.Azure\\AZR-000353", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000054" + "Name": "AZR-000353" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use secure TLS versions for API Management", - "Synopsis": "API Management should only accept a minimum of TLS 1.2 for client and backend communication.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. 
Also consider disabling weak or deprecated ciphers.", + "DisplayName": "Set Microsoft Defender for DNS to the Standard tier", + "Synopsis": "Enable Microsoft Defender for DNS.", + "Recommendation": "Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.AppGwWAF.RuleGroups": { - "Name": "Azure.AppGwWAF.RuleGroups", + "Azure.FrontDoor.Logs": { + "Name": "Azure.FrontDoor.Logs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000304", + "Value": "PSRule.Rules.Azure\\AZR-000107", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000304" + "Name": "AZR-000107" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Recommended Application Gateway WAF policy rule groups", - "Synopsis": "Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.", - "Recommendation": "Consider configuring Application Gateway WAF policy to use the recommended rule sets.", + "DisplayName": "Audit Front Door Access", + "Synopsis": "Audit and monitor access through Front Door.", + "Recommendation": "Consider configuring diagnostics setting to log network activity through Front Door.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.ContainerApp.ExternalIngress": { - "Name": "Azure.ContainerApp.ExternalIngress", + "Azure.Storage.FileShareSoftDelete": { + "Name": "Azure.Storage.FileShareSoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000362", + "Value": "PSRule.Rules.Azure\\AZR-000298", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000362" + "Name": 
"AZR-000298" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Disable external ingress", - "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.", - "Recommendation": "Consider disabling external ingress.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use soft delete on files shares", + "Synopsis": "Enable soft delete on Storage Accounts file shares.", + "Recommendation": "Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Storage.DefenderCloud.SensitiveData": { - "Name": "Azure.Storage.DefenderCloud.SensitiveData", + "Azure.LB.AvailabilityZone": { + "Name": "Azure.LB.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000391", + "Value": "PSRule.Rules.Azure\\AZR-000127", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000391" + "Name": "AZR-000127" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Sensitive data threat detection", - "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", - "Recommendation": "Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. 
Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.", - "Pillar": "Security", - "Control": null + "DisplayName": "Load balancers should be zone-redundant", + "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.", + "Recommendation": "Consider using zone-redundant load balancers deployed with Standard SKU.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1" }, - "Azure.KeyVault.AutoRotationPolicy": { - "Name": "Azure.KeyVault.AutoRotationPolicy", + "Azure.FrontDoor.MinTLS": { + "Name": "Azure.FrontDoor.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000123", + "Value": "PSRule.Rules.Azure\\AZR-000106", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000123" + "Name": "AZR-000106" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Enable Key Vault key auto-rotation", - "Synopsis": "Key Vault keys should have auto-rotation enabled.", - "Recommendation": "Consider enabling auto-rotation on Key Vault keys.", + "DisplayName": "Front Door Minimum TLS", + "Synopsis": "Front Door Classic instances should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. 
This applies to Azure Front Door Classic instances only.", "Pillar": "Security", - "Control": "IM-3" + "Control": "DP-3", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.RBAC.CoAdministrator": { - "Name": "Azure.RBAC.CoAdministrator", + "Azure.Identity.UserAssignedName": { + "Name": "Azure.Identity.UserAssignedName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000206", + "Value": "PSRule.Rules.Azure\\AZR-000117", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000206" + "Name": "AZR-000117" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use role-based access control", - "Synopsis": "Delegate access to manage Azure resources using role-based access control (RBAC).", - "Recommendation": "Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Managed Identity names", + "Synopsis": "Managed Identity names should meet naming requirements.", + "Recommendation": "Consider using names that meet Managed Identity naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Identity.Rule.yaml" }, - "Azure.AKS.DNSPrefix": { - "Name": "Azure.AKS.DNSPrefix", + "Azure.Deployment.OuterSecret": { + "Name": "Azure.Deployment.OuterSecret", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000040", + "Value": "PSRule.Rules.Azure\\AZR-000331", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000040" + "Name": "AZR-000331" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid AKS cluster DNS prefix", - "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.", - "Recommendation": "Consider using a DNS prefix that meets naming requirements.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Secret value in deployment output", + "Synopsis": "Do not use Outer deployments when references SecureString or SecureObject parameters.", + "Recommendation": "Consider using inner deployments to prevent secure values from being exposed.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.IoTHub.MinTLS": { - "Name": "Azure.IoTHub.MinTLS", + "Azure.FrontDoor.WAF.Enabled": { + "Name": "Azure.FrontDoor.WAF.Enabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000357", + "Value": "PSRule.Rules.Azure\\AZR-000115", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000357" + "Name": "AZR-000115" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Minimum TLS version", - "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.", - "Recommendation": 
"Configure the minimum supported TLS version to be 1.2.", + "DisplayName": "Enable Front Door WAF policy", + "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.", + "Recommendation": "Consider enabling WAF policy.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.SQLMI.ManagedIdentity": { - "Name": "Azure.SQLMI.ManagedIdentity", + "Azure.AKS.NetworkPolicy": { + "Name": "Azure.AKS.NetworkPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000367", + "Value": "PSRule.Rules.Azure\\AZR-000027", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000367" + "Name": "AZR-000027" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Managed identity", - "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.", - "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.", + "DisplayName": "AKS clusters use Network Policies", + "Synopsis": "Deploy AKS clusters with Network Policies enabled.", + "Recommendation": "Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.Standalone": { - "Name": "Azure.VM.Standalone", + "Azure.MariaDB.DefenderCloud": { + "Name": "Azure.MariaDB.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000239", + "Value": "PSRule.Rules.Azure\\AZR-000330", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000239" + "Name": "AZR-000330" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": 
"Error", "Method": null, - "DisplayName": "Standalone Virtual Machine", - "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.", - "Recommendation": "Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use Microsoft Defender", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.", + "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.ASG.Name": { - "Name": "Azure.ASG.Name", + "Azure.EventGrid.TopicPublicAccess": { + "Name": "Azure.EventGrid.TopicPublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000085", + "Value": "PSRule.Rules.Azure\\AZR-000098", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000085" + "Name": "AZR-000098" }, "Alias": [ null 
@@ -2387,39 +2482,41 @@ "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid ASG names", - "Synopsis": "Application Security Group (ASG) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use Event Grid Private Endpoints", + "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.", + "Recommendation": "Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml" }, - "Azure.ADX.Usage": { - "Name": "Azure.ADX.Usage", + "Azure.VNG.VPNActiveActive": { + "Name": "Azure.VNG.VPNActiveActive", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000011", + "Value": "PSRule.Rules.Azure\\AZR-000270", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000011" + "Name": "AZR-000270" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Remove unused Data Explorer clusters", - "Synopsis": "Regularly remove unused resources to reduce costs.", - "Recommendation": "Consider removing Data Explorer clusters that are not used.", + "Method": null, + "DisplayName": "Use Active-Active VPN gateways", + "Synopsis": "Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.", + "Recommendation": "Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.", "Pillar": null, - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.VM.UniqueDns": { - "Name": "Azure.VM.UniqueDns", + "Azure.VNET.LocalDNS": { + "Name": "Azure.VNET.LocalDNS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000258", + "Value": "PSRule.Rules.Azure\\AZR-000265", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000258" + "Name": "AZR-000265" }, "Alias": [ null 
@@ -2429,53 +2526,56 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "NICs with custom DNS settings", - "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.", - "Recommendation": "Consider updating NIC DNS server settings to inherit from virtual network.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use local DNS servers", + "Synopsis": "Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.", + "Recommendation": "Consider deploying redundant DNS services within a connected Azure VNET.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.FrontDoorWAF.PreventionMode": { - "Name": "Azure.FrontDoorWAF.PreventionMode", + "Azure.NSG.LateralTraversal": { + "Name": "Azure.NSG.LateralTraversal", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000306", + "Value": "PSRule.Rules.Azure\\AZR-000139", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000306" + "Name": "AZR-000139" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Front Door WAF policy in prevention mode", - "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.", - "Recommendation": "Consider setting Front Door WAF policy to use protection mode.", - "Pillar": "Security", - "Control": null + "DisplayName": "Limit lateral traversal within subnets", + "Synopsis": "Deny outbound management connections from non-management hosts.", + "Recommendation": "Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - 
"Azure.AKS.UseRBAC": { - "Name": "Azure.AKS.UseRBAC", + "Azure.Storage.Firewall": { + "Name": "Azure.Storage.Firewall", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000038", + "Value": "PSRule.Rules.Azure\\AZR-000202", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000038" + "Name": "AZR-000202" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters use RBAC", - "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.", - "Recommendation": "Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.\nRBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.", + "DisplayName": "Configure Azure Storage firewall", + "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.", + "Recommendation": "Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, "Azure.AKS.PlatformLogs": { "Name": "Azure.AKS.PlatformLogs", 
@@ -2496,56 +2596,37 @@ "Synopsis": "AKS clusters should collect platform diagnostic logs to monitor the state of workloads.", "Recommendation": "Consider configuring diagnostic settings to capture platform logs from AKS clusters.", "Pillar": "Operational Excellence", - "Control": null - }, - "Azure.APIM.Ciphers": { - "Name": "Azure.APIM.Ciphers", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000055", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000055" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2022_03", - "Level": "Error", - "Method": null, - "DisplayName": "Use secure ciphers for API Management", - "Synopsis": "API Management should not accept weak or deprecated ciphers for client or backend communication.", - "Recommendation": "Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.", - "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.Defender.Dns": { - "Name": "Azure.Defender.Dns", + "Azure.VMSS.ComputerName": { + "Name": "Azure.VMSS.ComputerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000353", + "Value": "PSRule.Rules.Azure\\AZR-000262", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000353" + "Name": "AZR-000262" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for DNS to the Standard tier", - "Synopsis": "Enable Microsoft Defender for DNS.", - "Recommendation": "Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid VMSS computer names", + "Synopsis": "Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.", + "Recommendation": 
"Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.VMSS.Name": { - "Name": "Azure.VMSS.Name", + "Azure.AKS.Name": { + "Name": "Azure.AKS.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000261", + "Value": "PSRule.Rules.Azure\\AZR-000039", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000261" + "Name": "AZR-000039" }, "Alias": [ null 
@@ -2555,165 +2636,177 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid VMSS names", - "Synopsis": "Virtual Machine Scale Set (VMSS) names should meet naming requirements.", - "Recommendation": "Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.", - "Pillar": null, - "Control": null + "DisplayName": "Use valid AKS cluster names", + "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.", + "Recommendation": "Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.CDN.UseFrontDoor": { - "Name": "Azure.CDN.UseFrontDoor", + "Azure.DefenderCloud.Contact": { + "Name": "Azure.DefenderCloud.Contact", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000286", + "Value": "PSRule.Rules.Azure\\AZR-000209", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000286" + "Name": "AZR-000209" }, "Alias": [ - null + { + "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Contact", + "Scope": "PSRule.Rules.Azure", + "Name": "Azure.SecurityCenter.Contact" + } ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Front Door Standard Or Premium SKU", - "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.", - "Recommendation": "Consider using Front Door Standard or Premium SKU to improve performance.", + "DisplayName": "Set Security Center contact details", + "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set.", + "Recommendation": "Consider configuring 
Microsoft Defender for Cloud email and phone contact details.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.VM.ShouldNotBeStopped": { - "Name": "Azure.VM.ShouldNotBeStopped", + "Azure.FrontDoor.Probe": { + "Name": "Azure.FrontDoor.Probe", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000351", + "Value": "PSRule.Rules.Azure\\AZR-000108", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000351" + "Name": "AZR-000108" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "VMs should not be stopped state", - "Synopsis": "Azure VMs should be running or in a deallocated state.", - "Recommendation": "Consider fully deallocating VMs instead of stopping VMs to reduce cost.", - "Pillar": "Cost Optimization", - "Control": null + "DisplayName": "Use Health Probes for Front Door backends", + "Synopsis": "Use health probes to check the health of each backend.", + "Recommendation": "Consider configuring and enabling a health probe for each Front Door backend.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.Automation.AuditLogs": { - "Name": "Azure.Automation.AuditLogs", + "Azure.Template.UseVariables": { + "Name": "Azure.Template.UseVariables", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000088", + "Value": "PSRule.Rules.Azure\\AZR-000219", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000088" + "Name": "AZR-000219" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Audit Automation Account data access", - "Synopsis": "Ensure automation account audit diagnostic logs are enabled.", - "Recommendation": "Consider 
configuring diagnostic settings to record interactions with data or the settings of the Automation Account.", - "Pillar": "Security", - "Control": null + "DisplayName": "Remove unused template variables", + "Synopsis": "Each Azure Resource Manager (ARM) template variable should be used or removed from template files.", + "Recommendation": "Consider removing unused variables from Azure template files.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.RSV.Name": { - "Name": "Azure.RSV.Name", + "Azure.AppService.RemoteDebug": { + "Name": "Azure.AppService.RemoteDebug", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000350", + "Value": "PSRule.Rules.Azure\\AZR-000074", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000350" + "Name": "AZR-000074" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid names", - "Synopsis": "Recovery Services vaults should meet naming requirements.", - "Recommendation": "Consider using names that meet Recovery Services vault naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Disable App Service remote debugging", + "Synopsis": "Disable remote debugging on App Service apps when not in use.", + "Recommendation": "Consider disabling remote debugging when not in use.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.ACR.Firewall": { - "Name": "Azure.ACR.Firewall", + "Azure.Template.UseParameters": { + "Name": "Azure.Template.UseParameters", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000402", + "Value": "PSRule.Rules.Azure\\AZR-000217", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000402" + "Name": "AZR-000217" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Restrict network access to container registries", - "Synopsis": "Limit network access of container registries to only trusted clients.", - "Recommendation": "Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.", - "Pillar": "Security", - "Control": null + "DisplayName": "Remove unused template parameters", + "Synopsis": "Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.", + "Recommendation": "Consider removing unused parameters from Azure template files.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.RSV.Immutable": { - "Name": "Azure.RSV.Immutable", + "Azure.AKS.NodeMinPods": { + "Name": "Azure.AKS.NodeMinPods", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000397", + "Value": "PSRule.Rules.Azure\\AZR-000018", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000397" + 
"Name": "AZR-000018" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Immutability", - "Synopsis": "Ensure immutability is configured to protect backup data.", - "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.", - "Pillar": "Security", - "Control": null + "DisplayName": "Nodes use a minimum number of pods", + "Synopsis": "Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.", + "Recommendation": "Consider deploying node pools with a minimum number of pods per node.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.VM.DiskAttached": { - "Name": "Azure.VM.DiskAttached", + "Azure.FrontDoorWAF.Enabled": { + "Name": "Azure.FrontDoorWAF.Enabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000250", + "Value": "PSRule.Rules.Azure\\AZR-000305", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000250" + "Name": "AZR-000305" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Remove unused managed disks", - "Synopsis": "Managed disks should be attached to virtual machines or removed.", - "Recommendation": "Consider removing managed disks that are no longer required to reduce complexity and costs.", + "DisplayName": "Enable Front Door WAF policy", + "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.", + "Recommendation": "Consider enabling WAF policy.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.VNG.ERLegacySKU": { - "Name": "Azure.VNG.ERLegacySKU", + 
"Azure.Resource.AllowedRegions": { + "Name": "Azure.Resource.AllowedRegions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000271", + "Value": "PSRule.Rules.Azure\\AZR-000167", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000271" + "Name": "AZR-000167" }, "Alias": [ null 
@@ -2723,81 +2816,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Migrate from legacy ER gateway SKUs", - "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.", - "Recommendation": "Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.", + "DisplayName": "Use allowed regions", + "Synopsis": "Resources should be deployed to allowed regions.", + "Recommendation": "Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1" }, - "Azure.VM.UseManagedDisks": { - "Name": "Azure.VM.UseManagedDisks", + "Azure.AKS.AuthorizedIPs": { + "Name": "Azure.AKS.AuthorizedIPs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000238", + "Value": "PSRule.Rules.Azure\\AZR-000030", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000238" + "Name": "AZR-000030" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use Managed Disks", - "Synopsis": "Virtual machines (VMs) should use managed disks.", - "Recommendation": "Consider using managed disks for virtual machine storage.", + "DisplayName": "Restrict access to AKS API server endpoints", + "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.", + "Recommendation": "Consider restricting network traffic to the API server endpoints to trusted IP addresses. 
Include output IP addresses for cluster nodes and any range where administration will occur from.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.KeyVault.PurgeProtect": { - "Name": "Azure.KeyVault.PurgeProtect", + "Azure.EventGrid.DisableLocalAuth": { + "Name": "Azure.EventGrid.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000125", + "Value": "PSRule.Rules.Azure\\AZR-000100", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000125" + "Name": "AZR-000100" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use Key Vault Purge Protection", - "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.", - "Recommendation": "Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use identity-based authentication for Event Grid topics", + "Synopsis": "Authenticate publishing clients with Azure AD identities.", + "Recommendation": "Consider only using Azure AD identities to publish events to Event Grid. 
Then disable authentication based on access keys or SAS tokens.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml" }, - "Azure.EventHub.DisableLocalAuth": { - "Name": "Azure.EventHub.DisableLocalAuth", + "Azure.ResourceGroup.Name": { + "Name": "Azure.ResourceGroup.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000102", + "Value": "PSRule.Rules.Azure\\AZR-000168", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000102" + "Name": "AZR-000168" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use identity-based authentication for Event Hub namespaces", - "Synopsis": "Authenticate Event Hub publishers and consumers with Azure AD identities.", - "Recommendation": "Consider only using Azure AD identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid resource group names", + "Synopsis": "Resource Group names should meet naming requirements.", + "Recommendation": "Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1" }, - "Azure.FrontDoor.Logs": { - "Name": "Azure.FrontDoor.Logs", + "Azure.RBAC.CoAdministrator": { + "Name": "Azure.RBAC.CoAdministrator", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000107", + "Value": "PSRule.Rules.Azure\\AZR-000206", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000107" + "Name": "AZR-000206" }, "Alias": [ null 
@@ -2807,186 +2904,195 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Audit Front Door Access", - "Synopsis": "Audit and monitor access through Front Door.", - "Recommendation": "Consider configuring diagnostics setting to log network activity through Front Door.", - "Pillar": null, - "Control": null + "DisplayName": "Use role-based access control", + "Synopsis": "Delegate access to manage Azure resources using role-based access control (RBAC).", + "Recommendation": "Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.Template.UseLocationParameter": { - "Name": "Azure.Template.UseLocationParameter", + "Azure.SignalR.SLA": { + "Name": "Azure.SignalR.SLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000223", + "Value": "PSRule.Rules.Azure\\AZR-000182", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000223" + "Name": "AZR-000182" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", - "Level": "Warning", + "RuleSet": "2022_03", + "Level": "Error", "Method": null, - "DisplayName": "Use a location parameter to specify resource location", - "Synopsis": "Template should reference a location parameter to specify resource location.", - "Recommendation": "Consider using parameters('location) instead of resourceGroup().location. 
Using a location parameter enabled users of the template to specify the location of deployed resources.", + "DisplayName": "Use an SLA for SignalR Services", + "Synopsis": "Use SKUs that include an SLA when configuring SignalR Services.", + "Recommendation": "Consider using a Standard or Premium SKU that includes an SLA.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml" }, - "Azure.VNET.SubnetName": { - "Name": "Azure.VNET.SubnetName", + "Azure.Policy.WaiverExpiry": { + "Name": "Azure.Policy.WaiverExpiry", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000267", + "Value": "PSRule.Rules.Azure\\AZR-000146", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000267" + "Name": "AZR-000146" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid subnet names", - "Synopsis": "Subnet names should meet naming requirements.", - "Recommendation": "Consider using names that meet subnet naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Policy waiver exemptions must expire", + "Synopsis": "Configure policy waiver exemptions to expire.", + "Recommendation": "Consider configuring an expiry for policy exemption waivers within the maximum threshold.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.NSG.Associated": { - "Name": "Azure.NSG.Associated", + "Azure.APIM.AvailabilityZone": { + "Name": "Azure.APIM.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000140", + "Value": "PSRule.Rules.Azure\\AZR-000052", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000140" + "Name": "AZR-000052" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Associate NSGs or clean them up", - "Synopsis": "Network Security Groups (NSGs) should be associated to a subnet or network interface.", - "Recommendation": "Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. 
Apply tags to all resources to help identify resources that are attached to specific workloads\nTo find orphaned NSG's run the following Azure CLI command", - "Pillar": "Security", - "Control": null + "DisplayName": "API management services should use Availability zones in supported regions", + "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.", + "Recommendation": "Consider using availability zones for API management services deployed with Premium SKU.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.PostgreSQL.UseSSL": { - "Name": "Azure.PostgreSQL.UseSSL", + "Azure.Defender.SQL": { + "Name": "Azure.Defender.SQL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000147", + "Value": "PSRule.Rules.Azure\\AZR-000294", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000147" + "Name": "AZR-000294" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Enforce encrypted PostgreSQL connections", - "Synopsis": "Enforce encrypted PostgreSQL connections.", - "Recommendation": "Azure Database for PostgreSQL should be configured to only accept encrypted connections. 
Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.", + "DisplayName": "Configure Microsoft Defender for SQL to the Standard tier", + "Synopsis": "Enable Microsoft Defender for SQL servers.", + "Recommendation": "Consider using Microsoft Defender for SQL to protect your SQL databases.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Template.UseDescriptions": { - "Name": "Azure.Template.UseDescriptions", + "Azure.PostgreSQL.AllowAzureAccess": { + "Name": "Azure.PostgreSQL.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000235", + "Value": "PSRule.Rules.Azure\\AZR-000150", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000235" + "Name": "AZR-000150" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", - "Level": "Information", + "RuleSet": "2020_06", + "Level": "Error", "Method": null, - "DisplayName": "Use comments for each generated template resource", - "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.", - "Recommendation": "Specify descriptions for each resource in the template.", + "DisplayName": "Disable PostgreSQL Allow Azure access firewall rule", + "Synopsis": "Determine if access from Azure services is required.", + "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.APIM.PolicyBase": { - "Name": 
"Azure.APIM.PolicyBase", + "Azure.VM.ASMinMembers": { + "Name": "Azure.VM.ASMinMembers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000371", + "Value": "PSRule.Rules.Azure\\AZR-000255", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000371" + "Name": "AZR-000255" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Base element", - "Synopsis": "Base element for any policy element in a section should be configured.", - "Recommendation": "Consider configuring the base element for any policy element in a section.", + "DisplayName": "Use availability sets with at least two members", + "Synopsis": "Availability sets should be deployed with at least two virtual machines (VMs).", + "Recommendation": "Consider deploying at least two VMs within an availability set to gain availability benefits.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Redis.Version": { - "Name": "Azure.Redis.Version", + "Azure.SQL.FGName": { + "Name": "Azure.SQL.FGName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000347", + "Value": "PSRule.Rules.Azure\\AZR-000193", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000347" + "Name": "AZR-000193" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Redis version for Azure Cache for Redis", - "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.", - "Recommendation": "Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (>=6.0).", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid SQL failover group names", + "Synopsis": "Azure SQL failover group names should meet naming requirements.", + "Recommendation": "Consider using names that meet 
Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.MySQL.AAD": { - "Name": "Azure.MySQL.AAD", + "Azure.PublicIP.StandardSKU": { + "Name": "Azure.PublicIP.StandardSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000392", + "Value": "PSRule.Rules.Azure\\AZR-000158", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000392" + "Name": "AZR-000158" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use AAD authentication with MySQL databases", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.", - "Recommendation": "Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.", - "Pillar": "Security", - "Control": null + "DisplayName": "Public IP addresses should use Standard SKU", + "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.", + "Recommendation": "Consider using Standard SKU for Public IP addresses deployed in production.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml" }, - "Azure.Template.ParameterMinMaxValue": { - "Name": "Azure.Template.ParameterMinMaxValue", + "Azure.Template.LocationType": { + "Name": "Azure.Template.LocationType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000224", + "Value": "PSRule.Rules.Azure\\AZR-000221", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000224" + "Name": "AZR-000221" }, "Alias": [ null 
@@ -2996,53 +3102,56 @@ "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use minValue and maxValue with correct type", - "Synopsis": "Template parameters minValue and maxValue constraints must be valid.", - "Recommendation": "Consider updating parameter definitions using minValue or maxValue. When using minValue or maxValue these values must be integers and only apply to int parameters.", + "DisplayName": "Use type string for location parameters", + "Synopsis": "Location parameters should use a string value.", + "Recommendation": "Consider updating the location parameter to be of type string.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Firewall.Name": { - "Name": "Azure.Firewall.Name", + "Azure.AKS.UptimeSLA": { + "Name": "Azure.AKS.UptimeSLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000103", + "Value": "PSRule.Rules.Azure\\AZR-000285", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000103" + "Name": "AZR-000285" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid Firewall names", - "Synopsis": "Firewall names should meet naming requirements.", - "Recommendation": "Consider using names that meet Firewall naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use AKS Uptime SLA", + "Synopsis": "AKS clusters should have Uptime SLA enabled for a financially backed SLA.", + "Recommendation": "Consider enabling Uptime SLA for a financially backed SLA.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.PostgreSQL.AllowAzureAccess": { - "Name": "Azure.PostgreSQL.AllowAzureAccess", + "Azure.VM.MaintenanceConfig": { + "Name": "Azure.VM.MaintenanceConfig", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000150", + "Value": "PSRule.Rules.Azure\\AZR-000375", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000150" + "Name": "AZR-000375" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Disable PostgreSQL Allow Azure access firewall rule", - "Synopsis": "Determine if access from Azure services is required.", - "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.", + "DisplayName": "Associate a maintenance configuration", + "Synopsis": "Use a maintenance configuration for virtual machines.", + "Recommendation": "Consider automatically managing and applying operating system updates by associating a maintenance configuration.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, "Azure.AppInsights.Name": { "Name": "Azure.AppInsights.Name", 
@@ -3063,119 +3172,169 @@ "Synopsis": "Azure Application Insights resources names should meet naming requirements.", "Recommendation": "Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml" }, - "Azure.KeyVault.KeyName": { - "Name": "Azure.KeyVault.KeyName", + "Azure.Search.IndexSLA": { + "Name": "Azure.Search.IndexSLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000122", + "Value": "PSRule.Rules.Azure\\AZR-000174", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000122" + "Name": "AZR-000174" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Key Vault Key names", - "Synopsis": "Key Vault Key names should meet naming requirements.", - "Recommendation": "Consider using key names that meet Key Vault naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Search index update SLA minimum replicas", + "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.", + "Recommendation": "Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.PostgreSQL.AADOnly": { - "Name": "Azure.PostgreSQL.AADOnly", + "Azure.ACR.Usage": { + "Name": "Azure.ACR.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000390", + "Value": "PSRule.Rules.Azure\\AZR-000001", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000390" + "Name": "AZR-000001" }, "Alias": [ null ], "Flags": 0, "Release": "GA", + "RuleSet": "2020_12", + "Level": "Error", + "Method": "in-flight", + "DisplayName": "Container registry storage usage", + "Synopsis": "Regularly remove deprecated and unneeded images to reduce storage usage.", + "Recommendation": "Consider removing deprecated and unneeded images to reduce storage consumption. 
Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.", + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" + }, + "Azure.AppConfig.GeoReplica": { + "Name": "Azure.AppConfig.GeoReplica", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000312", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000312" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "Preview", + "RuleSet": "2022_09", + "Level": "Error", + "Method": null, + "DisplayName": "Geo-replicate app configuration store", + "Synopsis": "Consider replication for app configuration store to ensure resiliency to region outages.", + "Recommendation": "Consider replication for app configuration store to ensure resiliency to region outages.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1" + }, + "Azure.Storage.DefenderCloud.MalwareScan": { + "Name": "Azure.Storage.DefenderCloud.MalwareScan", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000384", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000384" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "Preview", "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure AD-only authentication", - "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.", - "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.", + "DisplayName": "Malware Scanning", + "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", + "Recommendation": "Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. 
Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.BV.Immutable": { - "Name": "Azure.BV.Immutable", + "Azure.MySQL.DefenderCloud": { + "Name": "Azure.MySQL.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000398", + "Value": "PSRule.Rules.Azure\\AZR-000328", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000398" + "Name": "AZR-000328" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Immutability", - "Synopsis": "Ensure immutability is configured to protect backup data.", - "Recommendation": "Consider configuring immutability to protect backup data from accidental or malicious deletion.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use Microsoft Defender", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.", + "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.SQLMI.Name": { - "Name": "Azure.SQLMI.Name", + "Azure.APIM.APIDescriptors": { + "Name": "Azure.APIM.APIDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000194", + "Value": "PSRule.Rules.Azure\\AZR-000043", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000194" + "Name": "AZR-000043" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", - "Level": "Error", + "RuleSet": "2020_09", + "Level": "Warning", "Method": null, - "DisplayName": "Use valid SQL Managed Instance names", - "Synopsis": "SQL Managed Instance names should meet naming requirements.", - "Recommendation": "Consider using names that meet 
SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Use API descriptors", + "Synopsis": "API Management APIs should have a display name and description.", + "Recommendation": "Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.MySQL.FirewallIPRange": { - "Name": "Azure.MySQL.FirewallIPRange", + "Azure.ServiceBus.Usage": { + "Name": "Azure.ServiceBus.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000135", + "Value": "PSRule.Rules.Azure\\AZR-000177", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000135" + "Name": "AZR-000177" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Limit MySQL server firewall rule range", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", - "Recommendation": "The MySQL server has greater then ten (10) public IP addresses that are permitted network access. 
Some rules may not be needed or can be reduced.", + "DisplayName": "Remove unused Service Bus namespaces", + "Synopsis": "Regularly remove unused resources to reduce costs.", + "Recommendation": "Consider removing Service Bus namespaces that are not used.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1" }, - "Azure.APIM.MinAPIVersion": { - "Name": "Azure.APIM.MinAPIVersion", + "Azure.VMSS.ScriptExtensions": { + "Name": "Azure.VMSS.ScriptExtensions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000321", + "Value": "PSRule.Rules.Azure\\AZR-000333", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000321" + "Name": "AZR-000333" }, "Alias": [ null 
@@ -3185,39 +3344,41 @@ "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "API Management API versions prior to 2021-08-01 will be retired", - "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.", - "Recommendation": "Limit control plane API calls to API Management with version '2021-08-01' or newer.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets", + "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.", + "Recommendation": "Consider specifying secure values within properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.PrivateEndpoint.Name": { - "Name": "Azure.PrivateEndpoint.Name", + "Azure.Policy.Descriptors": { + "Name": "Azure.Policy.Descriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000153", + "Value": "PSRule.Rules.Azure\\AZR-000142", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000153" + "Name": "AZR-000142" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Private Endpoint names", - "Synopsis": "Private Endpoint names should meet naming requirements.", - "Recommendation": "Consider using names that meet Private Endpoint naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use descriptive policies", + "Synopsis": "Policy and initiative definitions should use a display name, description, and category.", + "Recommendation": "Consider setting a display name, description and category for each policy and initiatives definition.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.ADX.DiskEncryption": { - "Name": "Azure.ADX.DiskEncryption", + "Azure.EventHub.Usage": { + "Name": "Azure.EventHub.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000013", + "Value": "PSRule.Rules.Azure\\AZR-000101", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000013" + "Name": "AZR-000101" }, "Alias": [ null 
@@ -3227,81 +3388,85 @@ "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Use disk encryption for Azure Data Explorer clusters", - "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.", - "Recommendation": "Consider enabling disk encryption on Azure Data Explorer clusters.", - "Pillar": "Security", - "Control": null + "DisplayName": "Remove unused Event Hub namespaces", + "Synopsis": "Regularly remove unused resources to reduce costs.", + "Recommendation": "Consider removing Event Hub namespaces that are not used.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1" }, - "Azure.PublicIP.DNSLabel": { - "Name": "Azure.PublicIP.DNSLabel", + "Azure.AKS.AzurePolicyAddOn": { + "Name": "Azure.AKS.AzurePolicyAddOn", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000156", + "Value": "PSRule.Rules.Azure\\AZR-000028", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000156" + "Name": "AZR-000028" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid Public IP DNS labels", - "Synopsis": "Public IP domain name labels should meet naming requirements.", - "Recommendation": "Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use Azure Policy Add-on with AKS clusters", + "Synopsis": "Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.", + "Recommendation": "Consider installing the Azure Policy Add-on for AKS clusters. 
Additionally, assign one or more Azure Policy definitions to security controls.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.AppConfig.GeoReplica": { - "Name": "Azure.AppConfig.GeoReplica", + "Azure.NSG.AKSRules": { + "Name": "Azure.NSG.AKSRules", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000312", + "Value": "PSRule.Rules.Azure\\AZR-000292", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000312" + "Name": "AZR-000292" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", + "Release": "GA", "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Geo-replicate app configuration store", - "Synopsis": "Consider replication for app configuration store to ensure resiliency to region outages.", - "Recommendation": "Consider replication for app configuration store to ensure resiliency to region outages.", + "DisplayName": "No custom NSG rules for AKS managed NSGs", + "Synopsis": "AKS Network Security Group (NSG) should not have custom rules.", + "Recommendation": "Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml" }, - "Azure.SignalR.Name": { - "Name": "Azure.SignalR.Name", + "Azure.MySQL.MinTLS": { + "Name": "Azure.MySQL.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000180", + "Value": "PSRule.Rules.Azure\\AZR-000132", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000180" + "Name": "AZR-000132" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid SignalR service names", - "Synopsis": "SignalR service instance names should meet naming requirements.", - "Recommendation": "Consider using names that meet SignalR 
service naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "MySQL DB server minimum TLS version", + "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml" }, - "Azure.APIM.ProductApproval": { - "Name": "Azure.APIM.ProductApproval", + "Azure.Storage.BlobAccessType": { + "Name": "Azure.Storage.BlobAccessType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000047", + "Value": "PSRule.Rules.Azure\\AZR-000199", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000047" + "Name": "AZR-000199" }, "Alias": [ null 
@@ -3311,186 +3476,195 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Require approval for products", - "Synopsis": "Configure products to require approval.", - "Recommendation": "Consider configuring all API Management products to require approval.", + "DisplayName": "Use private blob containers", + "Synopsis": "Use containers configured with a private access type that requires authorization.", + "Recommendation": "To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Redis.MinSKU": { - "Name": "Azure.Redis.MinSKU", + "Azure.KeyVault.Name": { + "Name": "Azure.KeyVault.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000159", + "Value": "PSRule.Rules.Azure\\AZR-000120", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000159" + "Name": "AZR-000120" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use at least Standard C1 cache instances", - "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.", - "Recommendation": "Consider using a minimum of a Standard C1 instance for production workloads.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Use valid Key Vault names", + "Synopsis": "Key Vault names should meet naming requirements.", + "Recommendation": "Consider using names that meet Key Vault naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.VM.Updates": { - "Name": "Azure.VM.Updates", + "Azure.MariaDB.DatabaseName": { + "Name": "Azure.MariaDB.DatabaseName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000247", + "Value": "PSRule.Rules.Azure\\AZR-000337", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000247" + "Name": "AZR-000337" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Automatic updates are enabled", - "Synopsis": "Ensure automatic updates are enabled at deployment.", - "Recommendation": "Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid database names", + "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure Database for MariaDB database naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Template.LocationType": { - "Name": "Azure.Template.LocationType", + "Azure.KeyVault.PurgeProtect": { + "Name": "Azure.KeyVault.PurgeProtect", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000221", + "Value": "PSRule.Rules.Azure\\AZR-000125", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000221" + "Name": "AZR-000125" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use type string for location parameters", - "Synopsis": "Location parameters should use a string value.", - "Recommendation": "Consider updating the location parameter to be of type string.", - "Pillar": null, - "Control": null + "DisplayName": "Use Key Vault Purge Protection", + "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.", + "Recommendation": "Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml" }, - "Azure.Search.Name": { - "Name": "Azure.Search.Name", + "Azure.Deployment.Name": { + "Name": "Azure.Deployment.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000176", + "Value": "PSRule.Rules.Azure\\AZR-000359", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000176" + "Name": "AZR-000359" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use valid Cognitive Search service names", - "Synopsis": "Azure Cognitive Search service names should meet naming 
requirements.", - "Recommendation": "Consider using names that meet Azure Cognitive Search service naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use valid nested deployments names", + "Synopsis": "Nested deployments should meet naming requirements of deployments.", + "Recommendation": "Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.yaml" }, - "Azure.PostgreSQL.GeoRedundantBackup": { - "Name": "Azure.PostgreSQL.GeoRedundantBackup", + "Azure.RedisEnterprise.MinTLS": { + "Name": "Azure.RedisEnterprise.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000326", + "Value": "PSRule.Rules.Azure\\AZR-000301", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000326" + "Name": "AZR-000301" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Configure geo-redundant backup", - "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.", - "Recommendation": "Configure geo-redundant backup for Azure Database for PostgreSQL.", - "Pillar": null, - "Control": null + "DisplayName": "Redis Cache minimum TLS version", + "Synopsis": "Redis Cache should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. 
Support for TLS 1.0/ 1.1 version will be removed.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml" }, - "Azure.FrontDoor.UseCaching": { - "Name": "Azure.FrontDoor.UseCaching", + "Azure.PostgreSQL.ServerName": { + "Name": "Azure.PostgreSQL.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000320", + "Value": "PSRule.Rules.Azure\\AZR-000152", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000320" + "Name": "AZR-000152" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use caching", - "Synopsis": "Use caching to reduce retrieving contents from origins.", - "Recommendation": "Use caching to reduce retrieving contents from origins and improve overall performance.", + "DisplayName": "Use valid PostgreSQL DB server names", + "Synopsis": "Azure PostgreSQL DB server names should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure PostgreSQL DB server naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.ContainerApp.Storage": { - "Name": "Azure.ContainerApp.Storage", + "Azure.ACR.Name": { + "Name": "Azure.ACR.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000364", + "Value": "PSRule.Rules.Azure\\AZR-000007", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000364" + "Name": "AZR-000007" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Persistant storage", - "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.", - "Recommendation": "Consider using Azure File volume mounts to persistent storage across containers and replicas.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid registry names", + "Synopsis": "Container registry names should meet naming requirements.", + "Recommendation": "Consider using names that meet container registry naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.AppGw.MinSku": { - "Name": "Azure.AppGw.MinSku", + "Azure.RSV.Name": { + "Name": "Azure.RSV.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000062", + "Value": "PSRule.Rules.Azure\\AZR-000350", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000062" + "Name": "AZR-000350" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use production Application Gateway SKU", - "Synopsis": "Application Gateway should use a minimum instance size of Medium.", - "Recommendation": "Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.", + "DisplayName": "Use valid names", + "Synopsis": "Recovery Services vaults should meet naming requirements.", + "Recommendation": "Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml" }, - "Azure.LB.Probe": { - "Name": "Azure.LB.Probe", + "Azure.Redis.NonSslPort": { + "Name": "Azure.Redis.NonSslPort", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000126", + "Value": "PSRule.Rules.Azure\\AZR-000163", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000126" + "Name": "AZR-000163" }, "Alias": [ null 
@@ -3500,18 +3674,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use specific load balancer probe", - "Synopsis": "Use a specific probe for web protocols.", - "Recommendation": "Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.", - "Pillar": null, - "Control": null + "DisplayName": "Use secure connections to Redis instances", + "Synopsis": "Azure Cache for Redis should only accept secure connections.", + "Recommendation": "Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.AppGwWAF.Enabled": { - "Name": "Azure.AppGwWAF.Enabled", + "Azure.Cognitive.PublicAccess": { + "Name": "Azure.Cognitive.PublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000309", + "Value": "PSRule.Rules.Azure\\AZR-000280", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000309" + "Name": "AZR-000280" }, "Alias": [ null 
@@ -3521,102 +3696,107 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Application Gateway WAF is enabled", - "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.", - "Recommendation": "Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.", - "Pillar": null, - "Control": null + "DisplayName": "Restrict Cognitive Service endpoints", + "Synopsis": "Restrict access of Cognitive Services accounts to authorized virtual networks.", + "Recommendation": "Consider configuring network access restrictions for Cognitive Services accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.MariaDB.VNETRuleName": { - "Name": "Azure.MariaDB.VNETRuleName", + "Azure.vWAN.Name": { + "Name": "Azure.vWAN.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000339", + "Value": "PSRule.Rules.Azure\\AZR-000276", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000339" + "Name": "AZR-000276" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid VNET rule names", - "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use valid vWAN names", + "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Virtual WAN (vWAN) naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.vWAN.Rule.yaml" }, - "Azure.Template.UseVariables": { - "Name": "Azure.Template.UseVariables", + "Azure.SQL.ServerName": { + "Name": "Azure.SQL.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000219", + "Value": "PSRule.Rules.Azure\\AZR-000190", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000219" + "Name": "AZR-000190" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Remove unused template variables", - "Synopsis": "Each Azure Resource Manager (ARM) template variable should be used or removed from template files.", - "Recommendation": "Consider removing unused variables from Azure template files.", + "DisplayName": "Use valid SQL logical server names", + "Synopsis": "Azure SQL logical server names should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure SQL logical server naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.EventGrid.ManagedIdentity": { - "Name": "Azure.EventGrid.ManagedIdentity", + "Azure.VM.AMA": { + "Name": "Azure.VM.AMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000099", + "Value": "PSRule.Rules.Azure\\AZR-000345", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000099" + "Name": "AZR-000345" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use Managed Identity for Event Grid Topics", - "Synopsis": "Use managed identities to deliver Event Grid Topic events.", - "Recommendation": "Consider configuring a managed identity for each Event Grid Topic.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use Azure Monitor Agent", + "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", + "Recommendation": "Virtual Machines should install Azure Monitor Agent.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AppGw.WAFEnabled": { - "Name": "Azure.AppGw.WAFEnabled", + "Azure.Deployment.AdminUsername": { + "Name": "Azure.Deployment.AdminUsername", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000066", + "Value": "PSRule.Rules.Azure\\AZR-000284", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000066" + "Name": "AZR-000284" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Application Gateway WAF is enabled", - "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.", - "Recommendation": "Consider enabling WAF for Application Gateway 
instances connected to un-trusted or low-trust networks such as the Internet.", + "DisplayName": "Administrator Username Types", + "Synopsis": "Use secure parameters for sensitive resource properties.", + "Recommendation": "Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.PostgreSQL.FirewallRuleCount": { - "Name": "Azure.PostgreSQL.FirewallRuleCount", + "Azure.Template.TemplateFile": { + "Name": "Azure.Template.TemplateFile", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000149", + "Value": "PSRule.Rules.Azure\\AZR-000212", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000149" + "Name": "AZR-000212" }, "Alias": [ null 
@@ -3626,18 +3806,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Cleanup PostgreSQL server firewall rules", - "Synopsis": "Determine if there is an excessive number of firewall rules.", - "Recommendation": "The PostgreSQL server has greater then ten (10) firewall rules. Some rules may not be needed.", + "DisplayName": "Use ARM template file structure", + "Synopsis": "Use ARM template files that are valid.", + "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Cosmos.DisableMetadataWrite": { - "Name": "Azure.Cosmos.DisableMetadataWrite", + "Azure.Template.ParameterValue": { + "Name": "Azure.Template.ParameterValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000095", + "Value": "PSRule.Rules.Azure\\AZR-000232", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000095" + "Name": "AZR-000232" }, "Alias": [ null 
@@ -3647,207 +3828,195 @@ "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Restrict user access to data operations in Azure Cosmos DB", - "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.", - "Recommendation": "Consider limiting key and resource tokens to data plane operations only. Use Azure AD identities for authorizing account and resource management operations.", - "Pillar": "Security", - "Control": null - }, - "Azure.Template.ParameterStrongType": { - "Name": "Azure.Template.ParameterStrongType", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000227", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000227" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2021_12", - "Level": "Error", - "Method": null, - "DisplayName": "Parameter value should match strong type", - "Synopsis": "Set the parameter value to a value that matches the specified strong type.", - "Recommendation": "Consider updating the parameter value to a value that matches the specifed strong type.", + "DisplayName": "Specify a value for each parameter", + "Synopsis": "Specify a value for each parameter in template parameter files.", + "Recommendation": "Consider defining a value for each parameter in the template parameter file.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.SQLMI.AADOnly": { - "Name": "Azure.SQLMI.AADOnly", + "Azure.ServiceBus.DisableLocalAuth": { + "Name": "Azure.ServiceBus.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000366", + "Value": "PSRule.Rules.Azure\\AZR-000178", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000366" + "Name": "AZR-000178" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure AD-only authentication", - 
"Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.", - "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.", - "Pillar": null, - "Control": null + "DisplayName": "Use identity-based authentication for Service Bus namespaces", + "Synopsis": "Authenticate Service Bus publishers and consumers with Azure AD identities.", + "Recommendation": "Consider only using Azure AD identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml" }, - "Azure.ADX.ManagedIdentity": { - "Name": "Azure.ADX.ManagedIdentity", + "Azure.APIM.PolicyBase": { + "Name": "Azure.APIM.PolicyBase", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000012", + "Value": "PSRule.Rules.Azure\\AZR-000371", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000012" + "Name": "AZR-000371" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use managed identities for Data Explorer clusters", - "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.", - "Recommendation": "Consider configuring a managed identity for each Azure Data Explorer cluster. 
Also consider using managed identities to authenticate to related Azure services.", - "Pillar": "Security", - "Control": null + "DisplayName": "Base element", + "Synopsis": "Base element for any policy element in a section should be configured.", + "Recommendation": "Consider configuring the base element for any policy element in a section.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Defender.Containers": { - "Name": "Azure.Defender.Containers", + "Azure.ACR.ContentTrust": { + "Name": "Azure.ACR.ContentTrust", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000290", + "Value": "PSRule.Rules.Azure\\AZR-000009", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000290" + "Name": "AZR-000009" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for Containers to the Standard tier", - "Synopsis": "Enable Microsoft Defender for Containers.", - "Recommendation": "Consider using Microsoft Defender for Containers to protect your container-based workloads.", + "DisplayName": "Use trusted container images", + "Synopsis": "Use container images signed by a trusted image publisher.", + "Recommendation": "Consider enabling content trust on registries, clients, and sign container images.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.MySQL.DefenderCloud": { - "Name": "Azure.MySQL.DefenderCloud", + "Azure.AKS.AvailabilityZone": { + "Name": "Azure.AKS.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000328", + "Value": "PSRule.Rules.Azure\\AZR-000021", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000328" + "Name": "AZR-000021" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": 
"2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use Microsoft Defender", - "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.", - "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.", - "Pillar": null, - "Control": null + "DisplayName": "AKS clusters should use Availability zones in supported regions", + "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.", + "Recommendation": "Consider using availability zones for AKS clusters deployed with virtual machine scale sets.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.Automation.EncryptVariables": { - "Name": "Azure.Automation.EncryptVariables", + "Azure.AppConfig.Name": { + "Name": "Azure.AppConfig.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000086", + "Value": "PSRule.Rules.Azure\\AZR-000058", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000086" + "Name": "AZR-000058" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Encrypt automation variables", - "Synopsis": "Azure Automation variables should be encrypted.", - "Recommendation": "Consider encrypting all automation account variables.\nAdditionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid App Configuration store names", + "Synopsis": "App Configuration store names should meet naming requirements.", + "Recommendation": "Consider using names that meet App Configuration store naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml" }, - "Azure.AKS.LocalAccounts": { - "Name": "Azure.AKS.LocalAccounts", + "Azure.ContainerApp.PublicAccess": { + "Name": "Azure.ContainerApp.PublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000031", + "Value": "PSRule.Rules.Azure\\AZR-000363", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000031" + "Name": "AZR-000363" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2021_06", + "Release": "GA", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Disable AKS local accounts", - "Synopsis": "Enforce named user accounts with RBAC assigned permissions.", - "Recommendation": "Consider enforcing usage of named accounts by disabling local Kubernetes account credentials.", + "DisplayName": "Disable public access", + "Synopsis": "Ensure public network access for Container Apps environment is disabled.", + "Recommendation": "Consider disabling public network access.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Storage.SecureTransfer": { - "Name": "Azure.Storage.SecureTransfer", + "Azure.MariaDB.FirewallRuleCount": { + "Name": "Azure.MariaDB.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000196", + "Value": "PSRule.Rules.Azure\\AZR-000343", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000196" + "Name": "AZR-000343" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Enforce encrypted Storage connections", - "Synopsis": "Storage accounts should only accept encrypted connections.", - "Recommendation": 
"Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.", + "DisplayName": "Review Azure MariaDB server firewall rules", + "Synopsis": "Determine if there is an excessive number of firewall rules.", + "Recommendation": "Review the number of Azure for MariaDB server firewall rules configured. Consider to removing rules that are no longer needed.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.AppConfig.Name": { - "Name": "Azure.AppConfig.Name", + "Azure.CDN.EndpointName": { + "Name": "Azure.CDN.EndpointName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000058", + "Value": "PSRule.Rules.Azure\\AZR-000091", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000058" + "Name": "AZR-000091" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid App Configuration store names", - "Synopsis": "App Configuration store names should meet naming requirements.", - "Recommendation": "Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use valid CDN endpoint names", + "Synopsis": "Azure CDN Endpoint names should meet naming requirements.", + "Recommendation": "Consider using names that meet CDN endpoint naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1" }, - "Azure.APIM.EncryptValues": { - "Name": "Azure.APIM.EncryptValues", + "Azure.Storage.DefenderCloud": { + "Name": "Azure.Storage.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000045", + "Value": "PSRule.Rules.Azure\\AZR-000386", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000045" + "Name": "AZR-000386" }, "Alias": [ null 
@@ -3857,32 +4026,34 @@ "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use encrypted named values", - "Synopsis": "Encrypt all API Management named values with Key Vault secrets.", - "Recommendation": "Consider encrypting all API Management named values with Key Vault secrets.", + "DisplayName": "Enable Microsoft Defender", + "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.", + "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Policy.WaiverExpiry": { - "Name": "Azure.Policy.WaiverExpiry", + "Azure.Defender.Servers": { + "Name": "Azure.Defender.Servers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000146", + "Value": "PSRule.Rules.Azure\\AZR-000293", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000146" + "Name": "AZR-000293" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Policy waiver exemptions must expire", - "Synopsis": "Configure policy waiver exemptions to expire.", - "Recommendation": "Consider configuring an expiry for policy exemption waivers within the maximum threshold.", - "Pillar": null, - "Control": null + "DisplayName": "Configure Microsoft Defender for Servers to the Standard tier and P2", + "Synopsis": "Enable Microsoft Defender for Servers.", + "Recommendation": "Consider using Microsoft Defender for Servers P2 to protect your virtual machines.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, 
"Azure.FrontDoor.WAF.Name": { "Name": "Azure.FrontDoor.WAF.Name", 
@@ -3903,77 +4074,81 @@ "Synopsis": "Front Door WAF policy names should meet naming requirements.", "Recommendation": "Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.ContainerApp.PublicAccess": { - "Name": "Azure.ContainerApp.PublicAccess", + "Azure.PublicIP.AvailabilityZone": { + "Name": "Azure.PublicIP.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000363", + "Value": "PSRule.Rules.Azure\\AZR-000157", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000363" + "Name": "AZR-000157" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Disable public access", - "Synopsis": "Ensure public network access for Container Apps environment is disabled.", - "Recommendation": "Consider disabling public network access.", - "Pillar": "Security", - "Control": null + "DisplayName": "Public IP addresses should use availability zones", + "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.", + "Recommendation": "Consider using zone-redundant Public IP addresses deployed with Standard SKU.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.Defender.Storage.SensitiveData": { - "Name": "Azure.Defender.Storage.SensitiveData", + "Azure.AKS.ManagedAAD": { + "Name": "Azure.AKS.ManagedAAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000385", + "Value": "PSRule.Rules.Azure\\AZR-000029", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000385" + "Name": "AZR-000029" }, 
"Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Sensitive data threat detection", - "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", - "Recommendation": "Consider using sensitive data threat detection in Microsoft Defender for Storage.", + "DisplayName": "Enable AKS-managed Azure AD", + "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.", + "Recommendation": "Consider configuring AKS-managed Azure AD integration for AKS clusters.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.EventGrid.DisableLocalAuth": { - "Name": "Azure.EventGrid.DisableLocalAuth", + "Azure.RSV.ReplicationAlert": { + "Name": "Azure.RSV.ReplicationAlert", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000100", + "Value": "PSRule.Rules.Azure\\AZR-000171", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000100" + "Name": "AZR-000171" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Use identity-based authentication for Event Grid topics", - "Synopsis": "Authenticate publishing clients with Azure AD identities.", - "Recommendation": "Consider only using Azure AD identities to publish events to Event Grid. 
Then disable authentication based on access keys or SAS tokens.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use geo-replicated storage", + "Synopsis": "Recovery Services Vaults (RSV) without replication alerts configured may be at risk.", + "Recommendation": "Configure replication alerts for Recovery Service Vaults that are performing replication tasks.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1" }, - "Azure.VMSS.ComputerName": { - "Name": "Azure.VMSS.ComputerName", + "Azure.RBAC.UseRGDelegation": { + "Name": "Azure.RBAC.UseRGDelegation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000262", + "Value": "PSRule.Rules.Azure\\AZR-000207", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000262" + "Name": "AZR-000207" }, "Alias": [ null 
@@ -3983,400 +4158,393 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid VMSS computer names", - "Synopsis": "Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.", - "Recommendation": "Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.", - "Pillar": null, - "Control": null + "DisplayName": "Use Resource Group delegation", + "Synopsis": "Use RBAC assignments on resource groups instead of individual resources.", + "Recommendation": "Consider using RBAC assignments on resource groups instead of individual resources.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.NSG.AKSRules": { - "Name": "Azure.NSG.AKSRules", + "Azure.Policy.AssignmentAssignedBy": { + "Name": "Azure.Policy.AssignmentAssignedBy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000292", + "Value": "PSRule.Rules.Azure\\AZR-000144", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000292" + "Name": "AZR-000144" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "No custom NSG rules for AKS managed NSGs", - "Synopsis": "AKS Network Security Group (NSG) should not have custom rules.", - "Recommendation": "Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.", + "DisplayName": "Use assigned by for policy assignments", + "Synopsis": "Policy assignments should use assignedBy metadata.", + "Recommendation": "Consider setting assignedBy metadata for each policy assignment.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.FrontDoor.MinTLS": { - "Name": 
"Azure.FrontDoor.MinTLS", + "Azure.Defender.SQLOnVM": { + "Name": "Azure.Defender.SQLOnVM", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000106", + "Value": "PSRule.Rules.Azure\\AZR-000297", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000106" + "Name": "AZR-000297" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Front Door Minimum TLS", - "Synopsis": "Front Door Classic instances should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.", + "DisplayName": "Configure Microsoft Defender for SQL Servers on machines to the Standard tier", + "Synopsis": "Enable Microsoft Defender for SQL servers on machines.", + "Recommendation": "Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.", "Pillar": "Security", - "Control": "DP-3" + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.DefenderCloud.Provisioning": { - "Name": "Azure.DefenderCloud.Provisioning", + "Azure.AppGw.UseWAF": { + "Name": "Azure.AppGw.UseWAF", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000210", + "Value": "PSRule.Rules.Azure\\AZR-000063", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000210" + "Name": "AZR-000063" }, "Alias": [ - { - "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Provisioning", - "Scope": "PSRule.Rules.Azure", - "Name": "Azure.SecurityCenter.Provisioning" - } + null ], "Flags": 0, "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Enable Microsoft Defender for Cloud auto-provisioning", - "Synopsis": "Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.", - "Recommendation": "Consider enabling auto-provisioning to 
improve Azure Microsoft Defender for Cloud VM insights.", + "DisplayName": "Application Gateway uses WAF SKU", + "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.", + "Recommendation": "Consider deploying Application Gateways with a WAF SKU to protect against common attacks.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.VM.ScriptExtensions": { - "Name": "Azure.VM.ScriptExtensions", + "Azure.Template.TemplateSchema": { + "Name": "Azure.Template.TemplateSchema", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000332", + "Value": "PSRule.Rules.Azure\\AZR-000213", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000332" + "Name": "AZR-000213" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine", - "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.", - "Recommendation": "Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.", + "DisplayName": "Use a recent template schema version", + "Synopsis": "Use a more recent version of the Azure template schema.", + "Recommendation": "Consider using a more recent schema version for Azure template files.", "Pillar": null, - "Control": null - }, - "Azure.APIM.ProductTerms": { - "Name": "Azure.APIM.ProductTerms", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000050", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000050" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2020_09", - "Level": "Error", - "Method": null, - "DisplayName": "Use API product legal terms", - "Synopsis": "Set legal terms for each product registered in API Management.", - 
"Recommendation": "Consider configuring legal terms for all products to declare acceptable use of included APIs.", - "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.CDN.EndpointName": { - "Name": "Azure.CDN.EndpointName", + "Azure.AppGwWAF.PreventionMode": { + "Name": "Azure.AppGwWAF.PreventionMode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000091", + "Value": "PSRule.Rules.Azure\\AZR-000302", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000091" + "Name": "AZR-000302" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid CDN endpoint names", - "Synopsis": "Azure CDN Endpoint names should meet naming requirements.", - "Recommendation": "Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use Application Gateway WAF policy in prevention mode", + "Synopsis": "Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.", + "Recommendation": "Consider setting Application Gateway WAF policy to use protection mode.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.NSG.Name": { - "Name": "Azure.NSG.Name", + "Azure.ACR.ImageHealth": { + "Name": "Azure.ACR.ImageHealth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000141", + "Value": "PSRule.Rules.Azure\\AZR-000003", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000141" + "Name": "AZR-000003" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", - "Method": null, - "DisplayName": "Use valid NSG names", - 
"Synopsis": "Network Security Group (NSG) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell (https://blog.tyang.org/2022/09/10/programmatically-generate-cloud-resource-names-part-1/) or Bicep (https://4bes.nl/2021/10/10/get-a-consistent-azure-naming-convention-with-bicep-modules/)", - "Pillar": null, - "Control": null + "Method": "in-flight", + "DisplayName": "Remove vulnerable container images", + "Synopsis": "Remove container images with known vulnerabilities.", + "Recommendation": "Consider using removing container images with known vulnerabilities.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.Deployment.Name": { - "Name": "Azure.Deployment.Name", + "Azure.PostgreSQL.FirewallIPRange": { + "Name": "Azure.PostgreSQL.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000359", + "Value": "PSRule.Rules.Azure\\AZR-000151", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000359" + "Name": "AZR-000151" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid nested deployments names", - "Synopsis": "Nested deployments should meet naming requirements of deployments.", - "Recommendation": "Consider using nested deployment names thas meets naming requirements of deployments. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Limit PostgreSQL server firewall rule range", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", + "Recommendation": "The PostgreSQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.VNET.LocalDNS": { - "Name": "Azure.VNET.LocalDNS", + "Azure.MySQL.AADOnly": { + "Name": "Azure.MySQL.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000265", + "Value": "PSRule.Rules.Azure\\AZR-000394", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000265" + "Name": "AZR-000394" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Use local DNS servers", - "Synopsis": "Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.", - "Recommendation": "Consider deploying redundant DNS services within a connected Azure VNET.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Azure AD-only authentication", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.", + "Recommendation": "Consider using Azure AD-only authentication. 
Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.VM.UseHybridUseBenefit": { - "Name": "Azure.VM.UseHybridUseBenefit", + "Azure.SQLMI.AAD": { + "Name": "Azure.SQLMI.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000243", + "Value": "PSRule.Rules.Azure\\AZR-000368", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000243" + "Name": "AZR-000368" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use Azure Hybrid Benefit", - "Synopsis": "Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.", - "Recommendation": "Consider using Azure Hybrid Benefit for eligible workloads.", - "Pillar": null, - "Control": null + "DisplayName": "Use AAD authentication with SQL Managed Instance", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.", + "Recommendation": "Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. 
Additionally, consider disabling SQL authentication.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1" }, - "Azure.Template.MetadataLink": { - "Name": "Azure.Template.MetadataLink", + "Azure.AKS.ManagedIdentity": { + "Name": "Azure.AKS.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000231", + "Value": "PSRule.Rules.Azure\\AZR-000025", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000231" + "Name": "AZR-000025" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use parameter file metadata link", - "Synopsis": "Configure a metadata link for each parameter file.", - "Recommendation": "Consider setting metadata for each parameter file linking to the deployment template.", - "Pillar": null, - "Control": null + "DisplayName": "Use managed identities for AKS cluster authentication", + "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.", + "Recommendation": "Consider using managed identities during AKS cluster creation. 
Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.PromoSku": { - "Name": "Azure.VM.PromoSku", + "Azure.Search.ManagedIdentity": { + "Name": "Azure.Search.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000240", + "Value": "PSRule.Rules.Azure\\AZR-000175", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000240" + "Name": "AZR-000175" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use current VM SKUs", - "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.", - "Recommendation": "Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Consider moving from promotional SKUs to the regular SKU once the promotional period has expired.", - "Pillar": "Cost Optimization", - "Control": null + "DisplayName": "Search services uses a managed identity", + "Synopsis": "Configure managed identities to access Azure resources.", + "Recommendation": "Consider configuring a managed identity for each Cognitive Search service. 
Also consider using managed identities to authenticate to related Azure services.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.VNG.VPNActiveActive": { - "Name": "Azure.VNG.VPNActiveActive", + "Azure.PostgreSQL.MinTLS": { + "Name": "Azure.PostgreSQL.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000270", + "Value": "PSRule.Rules.Azure\\AZR-000148", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000270" + "Name": "AZR-000148" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Use Active-Active VPN gateways", - "Synopsis": "Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.", - "Recommendation": "Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.", - "Pillar": null, - "Control": null + "DisplayName": "PostgreSQL DB server minimum TLS version", + "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml" }, - "Azure.AppInsights.Workspace": { - "Name": "Azure.AppInsights.Workspace", + "Azure.ACR.Firewall": { + "Name": "Azure.ACR.Firewall", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000069", + "Value": "PSRule.Rules.Azure\\AZR-000402", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000069" + "Name": "AZR-000402" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Use workspace-based App Insights resources", - "Synopsis": "Configure Application Insights resources to store 
data in workspaces.", - "Recommendation": "Consider using workspace-based Application Insights resources to collect telemetry in shared storage.", - "Pillar": null, - "Control": null + "DisplayName": "Restrict network access to container registries", + "Synopsis": "Limit network access of container registries to only trusted clients.", + "Recommendation": "Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.Deployment.SecureValue": { - "Name": "Azure.Deployment.SecureValue", + "Azure.Search.SKU": { + "Name": "Azure.Search.SKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000316", + "Value": "PSRule.Rules.Azure\\AZR-000172", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000316" + "Name": "AZR-000172" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use secure resource values", - "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.", - "Recommendation": "Consider using secure parameters for sensitive resource properties.", - "Pillar": "Security", - "Control": null + "DisplayName": "Cognitive Search minimum SKU", + "Synopsis": "Use the basic and standard tiers for entry level workloads.", + "Recommendation": "Consider deploying Cognitive Search services using basic or higher tier.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.Defender.Api": { - "Name": "Azure.Defender.Api", + "Azure.SQL.MinTLS": { + "Name": "Azure.SQL.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000377", + "Value": "PSRule.Rules.Azure\\AZR-000189", "Scope": 
"PSRule.Rules.Azure", - "Name": "AZR-000377" + "Name": "AZR-000189" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for APIs to the Standard tier", - "Synopsis": "Enable Microsoft Defender for APIs.", - "Recommendation": "Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.", + "DisplayName": "Azure SQL DB server minimum TLS version", + "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.yaml" }, - "Azure.Template.TemplateScheme": { - "Name": "Azure.Template.TemplateScheme", + "Azure.Template.DefineParameters": { + "Name": "Azure.Template.DefineParameters", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000214", + "Value": "PSRule.Rules.Azure\\AZR-000218", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000214" + "Name": "AZR-000218" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use a https template file schema", - "Synopsis": "Use an Azure template file schema with the https scheme.", - "Recommendation": "Consider using a schema with the https scheme.", + "DisplayName": "Define template parameters", + "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.", + "Recommendation": "Consider defining a minimal number of parameters to make the template reusable.", "Pillar": null, - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.RSV.StorageType": { - "Name": "Azure.RSV.StorageType", + "Azure.Automation.EncryptVariables": { + "Name": "Azure.Automation.EncryptVariables", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000170", + "Value": "PSRule.Rules.Azure\\AZR-000086", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000170" + "Name": "AZR-000086" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use geo-replicated storage", - "Synopsis": "Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.", - "Recommendation": "Consider using GeoRedundant for recovery services vaults that contain data.", - "Pillar": null, - "Control": null + "DisplayName": "Encrypt automation variables", + "Synopsis": "Azure Automation variables should be encrypted.", + "Recommendation": "Consider encrypting all automation account variables.\nAdditionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.VNET.Name": { - "Name": "Azure.VNET.Name", + "Azure.AppGw.SSLPolicy": { + "Name": "Azure.AppGw.SSLPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000268", + "Value": "PSRule.Rules.Azure\\AZR-000064", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000268" + "Name": "AZR-000064" }, "Alias": [ null 
@@ -4386,81 +4554,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid VNET names", - "Synopsis": "Virtual Network (VNET) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Application Gateways use a minimum TLS 1.2", + "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.", + "Recommendation": "Consider configuring Application Gateway to accept a minimum of TLS 1.2.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.SQL.AAD": { - "Name": "Azure.SQL.AAD", + "Azure.Defender.Arm": { + "Name": "Azure.Defender.Arm", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000188", + "Value": "PSRule.Rules.Azure\\AZR-000354", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000188" + "Name": "AZR-000354" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use AAD authentication with SQL databases", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL databases.", - "Recommendation": "Consider using Azure Active Directory (AAD) authentication with SQL databases. 
Additionally, consider disabling SQL authentication.", + "DisplayName": "Set Microsoft Defender for ARM to the Standard tier", + "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).", + "Recommendation": "Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.VNET.FirewallSubnet": { - "Name": "Azure.VNET.FirewallSubnet", + "Azure.AppService.WebProbe": { + "Name": "Azure.AppService.WebProbe", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000322", + "Value": "PSRule.Rules.Azure\\AZR-000079", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000322" + "Name": "AZR-000079" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Configure VNETs with a AzureFirewallSubnet subnet", - "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.", - "Recommendation": "Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.", - "Pillar": "Security", - "Control": null + "DisplayName": "Web apps use health probes", + "Synopsis": "Configure and enable instance health probes.", + "Recommendation": "Consider configuring a health probe to monitor instance availability.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.FrontDoor.ProbeMethod": { - "Name": "Azure.FrontDoor.ProbeMethod", + "Azure.SQL.AADOnly": { + "Name": "Azure.SQL.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000109", + "Value": "PSRule.Rules.Azure\\AZR-000369", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000109" + "Name": 
"AZR-000369" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use HEAD health probes for Front Door backends", - "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.", - "Recommendation": "Consider configuring health probes to query backend health endpoints using HEAD requests to reduce performance overhead.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Azure AD-only authentication", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.", + "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.VM.ADE": { - "Name": "Azure.VM.ADE", + "Azure.Firewall.Mode": { + "Name": "Azure.Firewall.Mode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000252", + "Value": "PSRule.Rules.Azure\\AZR-000105", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000252" + "Name": "AZR-000105" }, "Alias": [ null 
@@ -4470,39 +4642,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Azure Disk Encryption", - "Synopsis": "Use Azure Disk Encryption (ADE).", - "Recommendation": "Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.", + "DisplayName": "Configure deny on threat intel for classic managed Azure Firewalls", + "Synopsis": "Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.", + "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.VNG.Name": { - "Name": "Azure.VNG.Name", + "Azure.FrontDoor.ProbeMethod": { + "Name": "Azure.FrontDoor.ProbeMethod", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000274", + "Value": "PSRule.Rules.Azure\\AZR-000109", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000274" + "Name": "AZR-000109" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use valid VNG names", - "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.", - "Recommendation": "Consider using names that meet Virtual Network Gateway (VNG) naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Use HEAD health probes for Front Door backends", + "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.", + "Recommendation": "Consider configuring health probes to query backend health endpoints using HEAD requests to reduce performance overhead.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.MariaDB.AllowAzureAccess": { - "Name": "Azure.MariaDB.AllowAzureAccess", + "Azure.PostgreSQL.DefenderCloud": { + "Name": "Azure.PostgreSQL.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000342", + "Value": "PSRule.Rules.Azure\\AZR-000327", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000342" + "Name": "AZR-000327" }, "Alias": [ null 
@@ -4512,144 +4686,151 @@ "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Disable MariaDB Allow access to Azure services firewall rule", - "Synopsis": "Determine if access from Azure services is required.", - "Recommendation": "Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use Microsoft Defender", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.", + "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.APIM.HTTPBackend": { - "Name": "Azure.APIM.HTTPBackend", + "Azure.AKS.DefenderProfile": { + "Name": "Azure.AKS.DefenderProfile", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000044", + "Value": "PSRule.Rules.Azure\\AZR-000370", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000044" + "Name": "AZR-000370" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use HTTPS backend connections", - "Synopsis": "Use HTTPS for communication to backend services.", - "Recommendation": "Consider configuring only backend services configured with HTTPS-based URLs.", + "DisplayName": "Enable Defender profile", + "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.", + "Recommendation": "Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.APIM.DefenderCloud": { - "Name": "Azure.APIM.DefenderCloud", + "Azure.AppService.PHPVersion": { + "Name": "Azure.AppService.PHPVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000387", + "Value": "PSRule.Rules.Azure\\AZR-000076", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000387" + "Name": "AZR-000076" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Onboard Defender for APIs", - "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.", - "Recommendation": "Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.", + "DisplayName": "Use a newer PHP runtime version", + "Synopsis": "Configure applications to use newer PHP runtime versions.", + "Recommendation": "Consider updating the site to use a newer PHP runtime version such as 7.4.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.Defender.KeyVault": { - "Name": "Azure.Defender.KeyVault", + "Azure.MySQL.FirewallRuleCount": { + "Name": "Azure.MySQL.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000352", + "Value": "PSRule.Rules.Azure\\AZR-000133", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000352" + "Name": "AZR-000133" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for Key Vault to the Standard tier", - "Synopsis": "Enable Microsoft Defender for Key Vault.", - "Recommendation": "Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.", - "Pillar": 
"Security", - "Control": null + "DisplayName": "Cleanup MySQL server firewall rules", + "Synopsis": "Determine if there is an excessive number of firewall rules.", + "Recommendation": "The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.RedisEnterprise.Zones": { - "Name": "Azure.RedisEnterprise.Zones", + "Azure.APIM.ProductApproval": { + "Name": "Azure.APIM.ProductApproval", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000162", + "Value": "PSRule.Rules.Azure\\AZR-000047", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000162" + "Name": "AZR-000047" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Enterprise Redis cache should use Availability zones in supported regions", - "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.", - "Recommendation": "Consider using availability zones for Enterprise Redis Cache deployed in supported regions.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Require approval for products", + "Synopsis": "Configure products to require approval.", + "Recommendation": "Consider configuring all API Management products to require approval.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Firewall.PolicyMode": { - "Name": "Azure.Firewall.PolicyMode", + "Azure.CDN.MinTLS": { + "Name": "Azure.CDN.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000399", + "Value": "PSRule.Rules.Azure\\AZR-000092", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000399" + "Name": "AZR-000092" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_09", 
"Level": "Error", "Method": null, - "DisplayName": "Threat intelligence-based filtering", - "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.", - "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.", + "DisplayName": "Azure CDN endpoint minimum TLS version", + "Synopsis": "Azure CDN endpoints should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.", "Pillar": "Security", - "Control": null + "Control": "DP-3", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1" }, - "Azure.APIM.CORSPolicy": { - "Name": "Azure.APIM.CORSPolicy", + "Azure.APIM.EncryptValues": { + "Name": "Azure.APIM.EncryptValues", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000365", + "Value": "PSRule.Rules.Azure\\AZR-000045", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000365" + "Name": "AZR-000045" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Avoid wildcards in APIM CORS policies", - "Synopsis": "Avoid using wildcard for any configuration option in CORS policies.", - "Recommendation": "Consider configuring the CORS policy by specifying explicit values for each property.", - "Pillar": null, - "Control": null + "DisplayName": "Use encrypted named values", + "Synopsis": "Encrypt all API Management named values with Key Vault secrets.", + "Recommendation": "Consider encrypting all API Management named values with Key Vault secrets.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.VNG.VPNLegacySKU": { - "Name": "Azure.VNG.VPNLegacySKU", + "Azure.Storage.Name": { + "Name": "Azure.Storage.Name", "Ref": { - 
"Value": "PSRule.Rules.Azure\\AZR-000269", + "Value": "PSRule.Rules.Azure\\AZR-000201", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000269" + "Name": "AZR-000201" }, "Alias": [ null 
@@ -4659,123 +4840,129 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Migrate from legacy VPN gateway SKUs", - "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of VPN gateways.", - "Recommendation": "Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.", - "Pillar": null, - "Control": null + "DisplayName": "Use valid storage account names", + "Synopsis": "Storage Account names should meet naming requirements.", + "Recommendation": "Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.KeyVault.SecretName": { - "Name": "Azure.KeyVault.SecretName", + "Azure.Defender.Storage.MalwareScan": { + "Name": "Azure.Defender.Storage.MalwareScan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000121", + "Value": "PSRule.Rules.Azure\\AZR-000383", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000121" + "Name": "AZR-000383" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2021_03", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Key Vault Secret names", - "Synopsis": "Key Vault Secret names should meet naming requirements.", - "Recommendation": "Consider using secret names that meet Key Vault naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Malware Scanning", + "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", + "Recommendation": "Consider using Malware Scanning in Microsoft Defender for Storage.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1" }, - "Azure.APIM.ManagedIdentity": { - "Name": "Azure.APIM.ManagedIdentity", + "Azure.AKS.AuditLogs": { + "Name": "Azure.AKS.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000053", + "Value": "PSRule.Rules.Azure\\AZR-000022", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000053" + "Name": "AZR-000022" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "API Management uses a managed identity", - "Synopsis": "Configure managed identities to access Azure resources.", - "Recommendation": "Consider configuring a managed identity for each API Management instance. 
Also consider using managed identities to authenticate to related Azure services.", + "DisplayName": "AKS clusters should collect security-based audit logs", + "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.", + "Recommendation": "Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AppConfig.PurgeProtect": { - "Name": "Azure.AppConfig.PurgeProtect", + "Azure.AppService.HTTP2": { + "Name": "Azure.AppService.HTTP2", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000313", + "Value": "PSRule.Rules.Azure\\AZR-000078", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000313" + "Name": "AZR-000078" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Purge Protect App Configuration Stores", - "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.", - "Recommendation": "Consider enabling purge protection for app configuration stores.", - "Pillar": null, - "Control": null + "DisplayName": "Use HTTP/2 connections for App Service apps", + "Synopsis": "Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.", + "Recommendation": "Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.PostgreSQL.AAD": { - "Name": "Azure.PostgreSQL.AAD", + "Azure.PrivateEndpoint.Name": { + "Name": "Azure.PrivateEndpoint.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000389", + "Value": 
"PSRule.Rules.Azure\\AZR-000153", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000389" + "Name": "AZR-000153" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use AAD authentication with PostgreSQL databases", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.", - "Recommendation": "Consider using Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Private Endpoint names", + "Synopsis": "Private Endpoint names should meet naming requirements.", + "Recommendation": "Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PrivateEndpoint.Rule.yaml" }, - "Azure.RSV.ReplicationAlert": { - "Name": "Azure.RSV.ReplicationAlert", + "Azure.BV.Immutable": { + "Name": "Azure.BV.Immutable", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000171", + "Value": "PSRule.Rules.Azure\\AZR-000398", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000171" + "Name": "AZR-000398" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Use geo-replicated storage", - "Synopsis": "Recovery Services Vaults (RSV) without replication alerts configured may be at risk.", - "Recommendation": "Configure replication alerts for Recovery Service Vaults that are performing replication tasks.", - "Pillar": null, - "Control": null + "DisplayName": "Immutability", + "Synopsis": "Ensure immutability is configured to protect backup data.", + "Recommendation": "Consider 
configuring immutability to protect backup data from accidental or malicious deletion.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml" }, - "Azure.VM.Agent": { - "Name": "Azure.VM.Agent", + "Azure.Automation.WebHookExpiry": { + "Name": "Azure.Automation.WebHookExpiry", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000246", + "Value": "PSRule.Rules.Azure\\AZR-000087", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000246" + "Name": "AZR-000087" }, "Alias": [ null 
@@ -4785,39 +4972,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "VM agent is provisioned automatically", - "Synopsis": "Ensure the VM agent is provisioned automatically.", - "Recommendation": "Automatically provision the VM agent for all supported operating systems, this is the default.", + "DisplayName": "Use short lived web hooks", + "Synopsis": "Do not create webhooks with an expiry time greater than 1 year (default).", + "Recommendation": "An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.ACR.SoftDelete": { - "Name": "Azure.ACR.SoftDelete", + "Azure.Template.TemplateScheme": { + "Name": "Azure.Template.TemplateScheme", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000310", + "Value": "PSRule.Rules.Azure\\AZR-000214", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000310" + "Name": "AZR-000214" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2022_09", + "Release": "GA", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use ACR soft delete policy", - "Synopsis": "Azure Container Registries should have soft delete policy enabled.", - "Recommendation": "Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use a https template file schema", + "Synopsis": "Use an Azure template file schema with the https scheme.", + "Recommendation": "Consider using a schema with the https scheme.", + "Pillar": null, + 
"Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.MySQL.UseSSL": { - "Name": "Azure.MySQL.UseSSL", + "Azure.SQL.FirewallRuleCount": { + "Name": "Azure.SQL.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000131", + "Value": "PSRule.Rules.Azure\\AZR-000183", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000131" + "Name": "AZR-000183" }, "Alias": [ null 
@@ -4827,39 +5016,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Enforce encrypted MySQL connections", - "Synopsis": "Enforce encrypted MySQL connections.", - "Recommendation": "Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.", - "Pillar": "Security", - "Control": null + "DisplayName": "Cleanup SQL logical server firewall rules", + "Synopsis": "Determine if there is an excessive number of firewall rules.", + "Recommendation": "The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.VNG.ConnectionName": { - "Name": "Azure.VNG.ConnectionName", + "Azure.VMSS.PublicKey": { + "Name": "Azure.VMSS.PublicKey", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000275", + "Value": "PSRule.Rules.Azure\\AZR-000288", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000275" + "Name": "AZR-000288" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid connection names", - "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.", - "Recommendation": "Consider using names that meet connection naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Disable password authentication", + "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.", + "Recommendation": "Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.AppGw.SSLPolicy": { - "Name": "Azure.AppGw.SSLPolicy", + "Azure.VM.DiskAttached": { + "Name": "Azure.VM.DiskAttached", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000064", + "Value": "PSRule.Rules.Azure\\AZR-000250", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000064" + "Name": "AZR-000250" }, "Alias": [ null @@ -4869,18 +5060,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Application Gateways use a minimum TLS 1.2", - "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.", - "Recommendation": "Consider configuring Application Gateway to accept a minimum of TLS 1.2.", + "DisplayName": "Remove unused managed disks", + "Synopsis": "Managed disks should be attached to virtual machines or removed.", + "Recommendation": "Consider removing managed disks that are no longer required to reduce complexity and costs.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VM.NICAttached": { - "Name": "Azure.VM.NICAttached", + "Azure.SQL.AAD": { + "Name": "Azure.SQL.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000257", + "Value": "PSRule.Rules.Azure\\AZR-000188", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000257" + "Name": "AZR-000188" }, "Alias": [ null 
@@ -4890,60 +5082,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Attach NIC or clean up", - "Synopsis": "Network interfaces (NICs) should be attached.", - "Recommendation": "Consider cleaning up NICs that are not required to reduce management complexity. Also consider using Resource Groups to help manage the lifecycle of related resources together.", - "Pillar": null, - "Control": null + "DisplayName": "Use AAD authentication with SQL databases", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL databases.", + "Recommendation": "Consider using Azure Active Directory (AAD) authentication with SQL databases. Additionally, consider disabling SQL authentication.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.AKS.ManagedAAD": { - "Name": "Azure.AKS.ManagedAAD", + "Azure.ACR.AnonymousAccess": { + "Name": "Azure.ACR.AnonymousAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000029", + "Value": "PSRule.Rules.Azure\\AZR-000401", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000029" + "Name": "AZR-000401" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2021_06", + "Release": "preview", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Enable AKS-managed Azure AD", - "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.", - "Recommendation": "Consider configuring AKS-managed Azure AD integration for AKS clusters.", + "DisplayName": "Anonymous pull access", + "Synopsis": "Disable anonymous pull access.", + "Recommendation": "Consider disabling anonymous pull access in scenarios that require user authentication.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - 
"Azure.Redis.NonSslPort": { - "Name": "Azure.Redis.NonSslPort", + "Azure.AKS.CNISubnetSize": { + "Name": "Azure.AKS.CNISubnetSize", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000163", + "Value": "PSRule.Rules.Azure\\AZR-000020", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000163" + "Name": "AZR-000020" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use secure connections to Redis instances", - "Synopsis": "Azure Cache for Redis should only accept secure connections.", - "Recommendation": "Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.", - "Pillar": "Security", - "Control": null + "DisplayName": "AKS clusters using Azure CNI should use large subnets", + "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.", + "Recommendation": "Consider allocating a larger subnet (/23 or bigger) to your AKS cluster.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.Template.TemplateFile": { - "Name": "Azure.Template.TemplateFile", + "Azure.KeyVault.Logs": { + "Name": "Azure.KeyVault.Logs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000212", + "Value": "PSRule.Rules.Azure\\AZR-000119", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000212" + "Name": "AZR-000119" }, "Alias": [ null 
@@ -4953,102 +5148,107 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use ARM template file structure", - "Synopsis": "Use ARM template files that are valid.", - "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.", + "DisplayName": "Audit Key Vault Data Access", + "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.", + "Recommendation": "Configure audit diagnostics logs to audit Key Vault access.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.Defender.Storage.MalwareScan": { - "Name": "Azure.Defender.Storage.MalwareScan", + "Azure.Search.QuerySLA": { + "Name": "Azure.Search.QuerySLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000383", + "Value": "PSRule.Rules.Azure\\AZR-000173", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000383" + "Name": "AZR-000173" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Malware Scanning", - "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", - "Recommendation": "Consider using Malware Scanning in Microsoft Defender for Storage.", - "Pillar": "Security", - "Control": null + "DisplayName": "Search query SLA minimum replicas", + "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.", + "Recommendation": "Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.SQL.TDE": { - "Name": "Azure.SQL.TDE", + "Azure.Storage.ContainerSoftDelete": { + "Name": 
"Azure.Storage.ContainerSoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000191", + "Value": "PSRule.Rules.Azure\\AZR-000289", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000191" + "Name": "AZR-000289" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use SQL database TDE", - "Synopsis": "Use Transparent Data Encryption (TDE) with Azure SQL Database.", - "Recommendation": "Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use container soft delete", + "Synopsis": "Enable container soft delete on Storage Accounts.", + "Recommendation": "Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.ACR.ImageHealth": { - "Name": "Azure.ACR.ImageHealth", + "Azure.Template.ParameterScheme": { + "Name": "Azure.Template.ParameterScheme", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000003", + "Value": "PSRule.Rules.Azure\\AZR-000230", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000003" + "Name": "AZR-000230" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_09", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Remove vulnerable container images", - "Synopsis": "Remove container images with known vulnerabilities.", - "Recommendation": "Consider using removing container images with known vulnerabilities.", - "Pillar": "Security", - "Control": null + "Method": null, + "DisplayName": "Use a https template parameter file schema", + "Synopsis": "Use an Azure template parameter file schema with the https scheme.", + "Recommendation": "Consider using a 
schema with the https scheme.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.VMSS.AMA": { - "Name": "Azure.VMSS.AMA", + "Azure.AppGw.Prevention": { + "Name": "Azure.AppGw.Prevention", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000346", + "Value": "PSRule.Rules.Azure\\AZR-000065", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000346" + "Name": "AZR-000065" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Azure Monitor Agent", - "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", - "Recommendation": "Consider monitoring Virtual Machine Scale Sets using the Azure Monitor Agent.", - "Pillar": null, - "Control": null + "DisplayName": "Use WAF prevention mode", + "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.", + "Recommendation": "Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.AKS.AuditLogs": { - "Name": "Azure.AKS.AuditLogs", + "Azure.AppGw.AvailabilityZone": { + "Name": "Azure.AppGw.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000022", + "Value": "PSRule.Rules.Azure\\AZR-000060", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000022" + "Name": "AZR-000060" }, "Alias": [ null 
@@ -5058,81 +5258,85 @@ "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters should collect security-based audit logs", - "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.", - "Recommendation": "Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.", - "Pillar": "Security", - "Control": null + "DisplayName": "Application gateways should use Availability zones in supported regions", + "Synopsis": "Application gateways should use availability zones in supported regions for high availability.", + "Recommendation": "Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1" }, - "Azure.APIM.APIDescriptors": { - "Name": "Azure.APIM.APIDescriptors", + "Azure.AKS.StandardLB": { + "Name": "Azure.AKS.StandardLB", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000043", + "Value": "PSRule.Rules.Azure\\AZR-000026", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000043" + "Name": "AZR-000026" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", - "Level": "Warning", + "RuleSet": "2020_06", + "Level": "Error", "Method": null, - "DisplayName": "Use API descriptors", - "Synopsis": "API Management APIs should have a display name and description.", - "Recommendation": "Consider using display name and description fields on APIs to convey intended purpose and usage. 
Display name and description fields should be human readable and easy to understand.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use the Standard load balancer SKU", + "Synopsis": "Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.", + "Recommendation": "Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.Redis.PublicNetworkAccess": { - "Name": "Azure.Redis.PublicNetworkAccess", + "Azure.FrontDoorWAF.PreventionMode": { + "Name": "Azure.FrontDoorWAF.PreventionMode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000165", + "Value": "PSRule.Rules.Azure\\AZR-000306", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000165" + "Name": "AZR-000306" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use private endpoints with Azure Cache for Redis", - "Synopsis": "Redis cache should disable public network access.", - "Recommendation": "Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.", + "DisplayName": "Use Front Door WAF policy in prevention mode", + "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.", + "Recommendation": "Consider setting Front Door WAF policy to use protection mode.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.AKS.MinNodeCount": { - "Name": "Azure.AKS.MinNodeCount", + "Azure.ContainerApp.ExternalIngress": { + "Name": 
"Azure.ContainerApp.ExternalIngress", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000024", + "Value": "PSRule.Rules.Azure\\AZR-000362", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000024" + "Name": "AZR-000362" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.MinNodeCount", - "Synopsis": "AKS clusters should have minimum number of nodes for failover and updates.", - "Recommendation": "Use at least three (3) agent nodes. Consider deploying additional nodes as required to provide enough resiliency during nodes failures or planned maintenance.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Disable external ingress", + "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.", + "Recommendation": "Consider disabling external ingress.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.AppService.MinPlan": { - "Name": "Azure.AppService.MinPlan", + "Azure.VM.ADE": { + "Name": "Azure.VM.ADE", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000072", + "Value": "PSRule.Rules.Azure\\AZR-000252", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000072" + "Name": "AZR-000252" }, "Alias": [ null 
@@ -5142,39 +5346,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use App Service production SKU", - "Synopsis": "Use at least a Standard App Service Plan.", - "Recommendation": "Consider using a standard or premium plan for hosting apps on Azure App Service.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Use Azure Disk Encryption", + "Synopsis": "Use Azure Disk Encryption (ADE).", + "Recommendation": "Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Resource.AllowedRegions": { - "Name": "Azure.Resource.AllowedRegions", + "Azure.Cosmos.DisableMetadataWrite": { + "Name": "Azure.Cosmos.DisableMetadataWrite", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000167", + "Value": "PSRule.Rules.Azure\\AZR-000095", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000167" + "Name": "AZR-000095" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use allowed regions", - "Synopsis": "Resources should be deployed to allowed regions.", - "Recommendation": "Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions.", - "Pillar": null, - "Control": null + "DisplayName": "Restrict user access to data operations in Azure Cosmos DB", + "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.", + "Recommendation": "Consider limiting key and resource tokens to data plane operations only. 
Use Azure AD identities for authorizing account and resource management operations.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml" }, - "Azure.AKS.PoolScaleSet": { - "Name": "Azure.AKS.PoolScaleSet", + "Azure.VM.DiskCaching": { + "Name": "Azure.VM.DiskCaching", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000017", + "Value": "PSRule.Rules.Azure\\AZR-000242", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000017" + "Name": "AZR-000242" }, "Alias": [ null 
@@ -5184,81 +5390,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters use VM scale sets", - "Synopsis": "Deploy AKS clusters with nodes pools based on VM scale sets.", - "Recommendation": "Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.\nUsing VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Configure host caching", + "Synopsis": "Check disk caching is configured correctly for the workload.", + "Recommendation": "Check disk caching is configured correctly for the workload.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AKS.AzureRBAC": { - "Name": "Azure.AKS.AzureRBAC", + "Azure.Template.ResourceLocation": { + "Name": "Azure.Template.ResourceLocation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000032", + "Value": "PSRule.Rules.Azure\\AZR-000222", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000032" + "Name": "AZR-000222" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use Azure RBAC for Kubernetes Authorization", - "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.", - "Recommendation": "Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use a location parameter for regional resources", + "Synopsis": "Template resource location should be an expression or global.", + "Recommendation": "Consider updating the resource location property to use [parameters('location)].", + "Pillar": null, + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Cognitive.DisableLocalAuth": { - "Name": "Azure.Cognitive.DisableLocalAuth", + "Azure.VM.ShouldNotBeStopped": { + "Name": "Azure.VM.ShouldNotBeStopped", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000282", + "Value": "PSRule.Rules.Azure\\AZR-000351", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000282" + "Name": "AZR-000351" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use identity-based authentication for Cogitive Services accounts", - "Synopsis": "Authenticate requests to Cognitive Services with Azure AD identities.", - "Recommendation": "Consider only using Azure AD identities to authenticate requests to Cogitive Services accounts. Once configured, disable authentication based on access keys.", - "Pillar": "Security", - "Control": null + "DisplayName": "VMs should not be stopped state", + "Synopsis": "Azure VMs should be running or in a deallocated state.", + "Recommendation": "Consider fully deallocating VMs instead of stopping VMs to reduce cost.", + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.MySQL.ServerName": { - "Name": "Azure.MySQL.ServerName", + "Azure.ADX.DiskEncryption": { + "Name": "Azure.ADX.DiskEncryption", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000136", + "Value": "PSRule.Rules.Azure\\AZR-000013", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000136" + "Name": "AZR-000013" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Use valid MySQL DB server names", - "Synopsis": "Azure MySQL DB server names should meet naming requirements.", - "Recommendation": "Consider using names that meet 
Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Use disk encryption for Azure Data Explorer clusters", + "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.", + "Recommendation": "Consider enabling disk encryption on Azure Data Explorer clusters.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml" }, - "Azure.TrafficManager.Endpoints": { - "Name": "Azure.TrafficManager.Endpoints", + "Azure.AKS.PoolScaleSet": { + "Name": "Azure.AKS.PoolScaleSet", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000236", + "Value": "PSRule.Rules.Azure\\AZR-000017", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000236" + "Name": "AZR-000017" }, "Alias": [ null 
@@ -5268,18 +5478,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use at least two Traffic Manager endpoints", - "Synopsis": "Traffic Manager should use at lest two enabled endpoints.", - "Recommendation": "Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.", - "Pillar": null, - "Control": null + "DisplayName": "AKS clusters use VM scale sets", + "Synopsis": "Deploy AKS clusters with nodes pools based on VM scale sets.", + "Recommendation": "Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.\nUsing VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AKS.NetworkPolicy": { - "Name": "Azure.AKS.NetworkPolicy", + "Azure.AppService.ARRAffinity": { + "Name": "Azure.AppService.ARRAffinity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000027", + "Value": "PSRule.Rules.Azure\\AZR-000083", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000027" + "Name": "AZR-000083" }, "Alias": [ null 
@@ -5289,81 +5500,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters use Network Policies", - "Synopsis": "Deploy AKS clusters with Network Policies enabled.", - "Recommendation": "Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.", - "Pillar": "Security", - "Control": null + "DisplayName": "Disable Application Request Routing", + "Synopsis": "Disable client affinity for stateless services.", + "Recommendation": "Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.KeyVault.RBAC": { - "Name": "Azure.KeyVault.RBAC", + "Azure.AKS.AzureRBAC": { + "Name": "Azure.AKS.AzureRBAC", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000388", + "Value": "PSRule.Rules.Azure\\AZR-000032", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000388" + "Name": "AZR-000032" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", - "Level": "Warning", + "RuleSet": "2021_06", + "Level": "Error", "Method": null, - "DisplayName": "Use Azure role-based access control", - "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.", - "Recommendation": "Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.", + "DisplayName": "Use Azure RBAC for Kubernetes Authorization", + "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.", + "Recommendation": "Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.SQL.DBName": { - "Name": "Azure.SQL.DBName", + "Azure.VM.Agent": { + "Name": "Azure.VM.Agent", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000192", + "Value": "PSRule.Rules.Azure\\AZR-000246", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000192" + "Name": "AZR-000246" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid SQL Database names", - "Synopsis": "Azure SQL Database names should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "VM agent is provisioned automatically", + "Synopsis": "Ensure the VM agent is provisioned automatically.", + "Recommendation": "Automatically provision the VM agent for all supported operating systems, this is the default.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.PublicIP.AvailabilityZone": { - "Name": "Azure.PublicIP.AvailabilityZone", + "Azure.PostgreSQL.GeoRedundantBackup": { + "Name": "Azure.PostgreSQL.GeoRedundantBackup", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000157", + "Value": "PSRule.Rules.Azure\\AZR-000326", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000157" + "Name": "AZR-000326" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Public IP addresses should use availability zones", - "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.", - "Recommendation": "Consider using zone-redundant Public IP addresses deployed 
with Standard SKU.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Configure geo-redundant backup", + "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.", + "Recommendation": "Configure geo-redundant backup for Azure Database for PostgreSQL.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.Resource.UseTags": { - "Name": "Azure.Resource.UseTags", + "Azure.VM.UseManagedDisks": { + "Name": "Azure.VM.UseManagedDisks", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000166", + "Value": "PSRule.Rules.Azure\\AZR-000238", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000166" + "Name": "AZR-000238" }, "Alias": [ null 
@@ -5373,60 +5588,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use resource tags", - "Synopsis": "Azure resources should be tagged using a standard convention.", - "Recommendation": "Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.\nAlso consider using Azure Policy to enforce mandatory tags.", - "Pillar": "Cost Optimization", - "Control": null + "DisplayName": "Use Managed Disks", + "Synopsis": "Virtual machines (VMs) should use managed disks.", + "Recommendation": "Consider using managed disks for virtual machine storage.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AKS.EphemeralOSDisk": { - "Name": "Azure.AKS.EphemeralOSDisk", + "Azure.APIM.MultiRegion": { + "Name": "Azure.APIM.MultiRegion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000287", + "Value": "PSRule.Rules.Azure\\AZR-000340", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000287" + "Name": "AZR-000340" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", - "Level": "Warning", + "RuleSet": "2022_12", + "Level": "Error", "Method": null, - "DisplayName": "Use AKS Ephemeral OS disk", - "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.", - "Recommendation": "AKS clusters should use ephemeral OS disks.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Multi-region deployment", + "Synopsis": "API Management instances should use multi-region deployment to improve service availability.", + "Recommendation": "Consider deploying an API Management service across multiple regions to improve service availability.", + "Pillar": "Reliability", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.ResourceLocation": { - "Name": "Azure.Template.ResourceLocation", + "Azure.PostgreSQL.AADOnly": { + "Name": "Azure.PostgreSQL.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000222", + "Value": "PSRule.Rules.Azure\\AZR-000390", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000222" + "Name": "AZR-000390" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use a location parameter for regional resources", - "Synopsis": "Template resource location should be an expression or global.", - "Recommendation": "Consider updating the resource location property to use [parameters('location)].", - "Pillar": null, - "Control": null + "DisplayName": "Azure AD-only authentication", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.", + "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml" }, - "Azure.SQL.AllowAzureAccess": { - "Name": "Azure.SQL.AllowAzureAccess", + "Azure.CDN.HTTP": { + "Name": "Azure.CDN.HTTP", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000184", + "Value": "PSRule.Rules.Azure\\AZR-000093", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000184" + "Name": "AZR-000093" }, "Alias": [ null 
@@ -5436,11 +5654,12 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Limit SQL database network access to trusted IP addresses", - "Synopsis": "Determine if access from Azure services is required.", - "Recommendation": "Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.", - "Pillar": null, - "Control": null + "DisplayName": "Use HTTPS client connections", + "Synopsis": "Enforce HTTPS for client connections.", + "Recommendation": "Consider disabling HTTP support on the CDN endpoint origin.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml" }, "Azure.SQL.Auditing": { "Name": "Azure.SQL.Auditing", 
@@ -5461,56 +5680,59 @@ "Synopsis": "Enable auditing for Azure SQL logical server.", "Recommendation": "Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.APIM.SampleProducts": { - "Name": "Azure.APIM.SampleProducts", + "Azure.Defender.KeyVault": { + "Name": "Azure.Defender.KeyVault", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000048", + "Value": "PSRule.Rules.Azure\\AZR-000352", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000048" + "Name": "AZR-000352" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Remove default products", - "Synopsis": "Remove starter and unlimited sample products.", - "Recommendation": "Consider removing starter and unlimited sample products from API Management.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Set Microsoft Defender for Key Vault to the Standard tier", + "Synopsis": "Enable Microsoft Defender for Key Vault.", + "Recommendation": "Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Storage.FileShareSoftDelete": { - "Name": "Azure.Storage.FileShareSoftDelete", + "Azure.FrontDoor.UseCaching": { + "Name": "Azure.FrontDoor.UseCaching", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000298", + "Value": "PSRule.Rules.Azure\\AZR-000320", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000298" + "Name": "AZR-000320" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - 
"DisplayName": "Use soft delete on files shares", - "Synopsis": "Enable soft delete on Storage Accounts file shares.", - "Recommendation": "Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use caching", + "Synopsis": "Use caching to reduce retrieving contents from origins.", + "Recommendation": "Use caching to reduce retrieving contents from origins and improve overall performance.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.ACR.Name": { - "Name": "Azure.ACR.Name", + "Azure.VM.UniqueDns": { + "Name": "Azure.VM.UniqueDns", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000007", + "Value": "PSRule.Rules.Azure\\AZR-000258", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000007" + "Name": "AZR-000258" }, "Alias": [ null 
@@ -5520,18 +5742,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid registry names", - "Synopsis": "Container registry names should meet naming requirements.", - "Recommendation": "Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "NICs with custom DNS settings", + "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.", + "Recommendation": "Consider updating NIC DNS server settings to inherit from virtual network.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.AppGw.WAFRules": { - "Name": "Azure.AppGw.WAFRules", + "Azure.VM.PublicKey": { + "Name": "Azure.VM.PublicKey", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000068", + "Value": "PSRule.Rules.Azure\\AZR-000245", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000068" + "Name": "AZR-000245" }, "Alias": [ null 
@@ -5541,106 +5764,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Application Gateway rules are enabled", - "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.", - "Recommendation": "Consider enabling all OWASP rules within Application Gateway instances.\nBefore disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use public keys for Linux", + "Synopsis": "Linux virtual machines should use public keys.", + "Recommendation": "Consider using public key based authentication instead of passwords.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AppService.ManagedIdentity": { - "Name": "Azure.AppService.ManagedIdentity", + "Azure.FrontDoorWAF.RuleGroups": { + "Name": "Azure.FrontDoorWAF.RuleGroups", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000082", + "Value": "PSRule.Rules.Azure\\AZR-000308", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000082" + "Name": "AZR-000308" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "App Service apps uses a managed identity", - "Synopsis": "Configure managed identities to access Azure resources.", - "Recommendation": "Consider configuring a managed identity for each App Service app. 
Also consider using managed identities to authenticate to related Azure services.", + "DisplayName": "Use Recommended Front Door WAF policy rule groups", + "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.", + "Recommendation": "Consider configuring Front Door WAF policy to use the recommended rule sets.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.Automation.PlatformLogs": { - "Name": "Azure.Automation.PlatformLogs", + "Azure.APIM.Ciphers": { + "Name": "Azure.APIM.Ciphers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000089", + "Value": "PSRule.Rules.Azure\\AZR-000055", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000089" + "Name": "AZR-000055" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Automation accounts should collect platform diagnostic logs", - "Synopsis": "Ensure automation account platform diagnostic logs are enabled.", - "Recommendation": "Consider configuring diagnostic settings to capture platform logs from Automation accounts.", - "Pillar": null, - "Control": null + "DisplayName": "Use secure ciphers for API Management", + "Synopsis": "API Management should not accept weak or deprecated ciphers for client or backend communication.", + "Recommendation": "Consider disabling weak or deprecated ciphers from API Management Services. 
Also consider disabling weak or deprecated protocols.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.VMSS.ScriptExtensions": { - "Name": "Azure.VMSS.ScriptExtensions", + "Azure.RBAC.LimitOwner": { + "Name": "Azure.RBAC.LimitOwner", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000333", + "Value": "PSRule.Rules.Azure\\AZR-000204", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000333" + "Name": "AZR-000204" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", - "Level": "Error", - "Method": null, - "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets", - "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.", - "Recommendation": "Consider specifying secure values within properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.", - "Pillar": null, - "Control": null - }, - "Azure.SQL.DefenderCloud": { - "Name": "Azure.SQL.DefenderCloud", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000186", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000186" - }, - "Alias": [ - { - "Value": "PSRule.Rules.Azure\\Azure.SQL.ThreatDetection", - "Scope": "PSRule.Rules.Azure", - "Name": "Azure.SQL.ThreatDetection" - } - ], - "Flags": 0, - "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Advanced Threat Protection", - "Synopsis": "Enable Microsoft Defender for Azure SQL logical server.", - "Recommendation": "Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.", + "DisplayName": "Limit use of subscription scoped Owner role", + "Synopsis": "Limit the number of subscription Owners.", + "Recommendation": "Consider limiting the number of subscription Owners by using a more specific role or scoping Owner 
permission to a Resource Group.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.LB.Name": { - "Name": "Azure.LB.Name", + "Azure.VM.BasicSku": { + "Name": "Azure.VM.BasicSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000129", + "Value": "PSRule.Rules.Azure\\AZR-000241", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000129" + "Name": "AZR-000241" }, "Alias": [ null 
@@ -5650,60 +5852,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Load Balancer names", - "Synopsis": "Load Balancer names should meet naming requirements.", - "Recommendation": "Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Avoid Basic VM SKU", + "Synopsis": "Virtual machines (VMs) should not use Basic sizes.", + "Recommendation": "Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.Route.Name": { - "Name": "Azure.Route.Name", + "Azure.VNG.VPNAvailabilityZoneSKU": { + "Name": "Azure.VNG.VPNAvailabilityZoneSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000169", + "Value": "PSRule.Rules.Azure\\AZR-000272", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000169" + "Name": "AZR-000272" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid Route table names", - "Synopsis": "Route table names should meet naming requirements.", - "Recommendation": "Consider using names that meet Route table naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use availability zone SKU for VPN gateways", + "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type.", + "Recommendation": "Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.ACR.ContentTrust": { - "Name": "Azure.ACR.ContentTrust", + "Azure.Storage.BlobPublicAccess": { + "Name": "Azure.Storage.BlobPublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000009", + "Value": "PSRule.Rules.Azure\\AZR-000198", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000009" + "Name": "AZR-000198" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Use trusted container images", - "Synopsis": "Use container images signed by a trusted image publisher.", - "Recommendation": "Consider enabling content trust on registries, clients, and sign container images.", + "DisplayName": "Disallow anonymous access to blob service", + "Synopsis": "Storage Accounts should only accept authorized requests.", + "Recommendation": "Consider disallowing anonymous access to storage account blobs unless specifically required. 
Also consider enforcing this setting using Azure Policy.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, - "Azure.VM.DiskCaching": { - "Name": "Azure.VM.DiskCaching", + "Azure.VM.Updates": { + "Name": "Azure.VM.Updates", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000242", + "Value": "PSRule.Rules.Azure\\AZR-000247", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000242" + "Name": "AZR-000247" }, "Alias": [ null @@ -5713,18 +5918,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure host caching", - "Synopsis": "Check disk caching is configured correctly for the workload.", - "Recommendation": "Check disk caching is configured correctly for the workload.", - "Pillar": null, - "Control": null + "DisplayName": "Automatic updates are enabled", + "Synopsis": "Ensure automatic updates are enabled at deployment.", + "Recommendation": "Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.FrontDoor.Name": { - "Name": "Azure.FrontDoor.Name", + "Azure.FrontDoor.UseWAF": { + "Name": "Azure.FrontDoor.UseWAF", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000113", + "Value": "PSRule.Rules.Azure\\AZR-000111", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000113" + "Name": "AZR-000111" }, "Alias": [ null 
@@ -5734,102 +5940,107 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Front Door names", - "Synopsis": "Front Door names should meet naming requirements.", - "Recommendation": "Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Front Door endpoints should use WAF", + "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.", + "Recommendation": "Consider enabling a WAF policy on each Front Door endpoint.", + "Pillar": "Security", + "Control": "NS-6", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.VM.ASAlignment": { - "Name": "Azure.VM.ASAlignment", + "Azure.Policy.AssignmentDescriptors": { + "Name": "Azure.Policy.AssignmentDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000254", + "Value": "PSRule.Rules.Azure\\AZR-000143", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000254" + "Name": "AZR-000143" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use aligned availability sets", - "Synopsis": "Use availability sets aligned with managed disks fault domains.", - "Recommendation": "Consider deploying VMs with managed disks into aligned availability sets.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use descriptive policy assignments", + "Synopsis": "Policy assignments should use a display name and description.", + "Recommendation": "Consider setting a display name and description for each policy assignment.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.NSG.AnyInboundSource": { - "Name": 
"Azure.NSG.AnyInboundSource", + "Azure.ContainerApp.DisableAffinity": { + "Name": "Azure.ContainerApp.DisableAffinity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000137", + "Value": "PSRule.Rules.Azure\\AZR-000378", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000137" + "Name": "AZR-000378" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Avoid rules that allow any as an inbound source", - "Synopsis": "Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.", - "Recommendation": "Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag Internet.", - "Pillar": null, - "Control": null + "DisplayName": "Disable session affinity", + "Synopsis": "Disable session affinity to prevent unbalanced distribution.", + "Recommendation": "Consider disabling session affinity to evenly distribute requests across each replica.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Deployment.OuterSecret": { - "Name": "Azure.Deployment.OuterSecret", + "Azure.AKS.SecretStoreRotation": { + "Name": "Azure.AKS.SecretStoreRotation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000331", + "Value": "PSRule.Rules.Azure\\AZR-000034", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000331" + "Name": "AZR-000034" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Secret value in deployment output", - "Synopsis": "Do not use Outer deployments when references SecureString or SecureObject parameters.", - "Recommendation": "Consider using inner 
deployments to prevent secure values from being exposed.", + "DisplayName": "AKS clusters refresh secrets from Key Vault", + "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.", + "Recommendation": "Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.KeyVault.AccessPolicy": { - "Name": "Azure.KeyVault.AccessPolicy", + "Azure.Template.ParameterMetadata": { + "Name": "Azure.Template.ParameterMetadata", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000118", + "Value": "PSRule.Rules.Azure\\AZR-000215", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000118" + "Name": "AZR-000215" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Limit access to Key Vault data", - "Synopsis": "Use the principal of least privilege when assigning access to Key Vault.", - "Recommendation": "Consider assigning access to Key Vault data based on the principle of least privilege.", + "DisplayName": "Use template parameter descriptions", + "Synopsis": "Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.", + "Recommendation": "Consider defining a metadata description for each template parameter.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.APIM.ProductSubscription": { - "Name": "Azure.APIM.ProductSubscription", + "Azure.AppService.MinTLS": { + "Name": "Azure.AppService.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000046", + "Value": "PSRule.Rules.Azure\\AZR-000073", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000046" + "Name": "AZR-000073" }, "Alias": [ null 
@@ -5839,39 +6050,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Require a subscription for products", - "Synopsis": "Configure products to require a subscription.", - "Recommendation": "Consider configuring all API Management products to require a subscription.", + "DisplayName": "App Service minimum TLS version", + "Synopsis": "App Service should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.VMSS.MigrateAMA": { - "Name": "Azure.VMSS.MigrateAMA", + "Azure.VM.ASName": { + "Name": "Azure.VM.ASName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000318", + "Value": "PSRule.Rules.Azure\\AZR-000256", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000318" + "Name": "AZR-000256" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Migrate to Azure Monitor Agent", - "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", - "Recommendation": "Virtual Machine Scale Sets should migrate to Azure Monitor Agent.", + "DisplayName": "Use valid Availability Set names", + "Synopsis": "Availability Set names should meet naming requirements.", + "Recommendation": "Consider using names that meet Availability Set naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.SQL.FirewallRuleCount": { - "Name": "Azure.SQL.FirewallRuleCount", + "Azure.SQL.TDE": { + "Name": "Azure.SQL.TDE", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000183", + "Value": "PSRule.Rules.Azure\\AZR-000191", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000183" + "Name": "AZR-000191" }, "Alias": [ null 
@@ -5881,39 +6094,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Cleanup SQL logical server firewall rules", - "Synopsis": "Determine if there is an excessive number of firewall rules.", - "Recommendation": "The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.", - "Pillar": null, - "Control": null + "DisplayName": "Use SQL database TDE", + "Synopsis": "Use Transparent Data Encryption (TDE) with Azure SQL Database.", + "Recommendation": "Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.Defender.Arm": { - "Name": "Azure.Defender.Arm", + "Azure.VM.ASAlignment": { + "Name": "Azure.VM.ASAlignment", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000354", + "Value": "PSRule.Rules.Azure\\AZR-000254", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000354" + "Name": "AZR-000254" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Set Microsoft Defender for ARM to the Standard tier", - "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).", - "Recommendation": "Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use aligned availability sets", + "Synopsis": "Use availability sets aligned with managed disks fault domains.", + "Recommendation": "Consider deploying VMs with managed disks into aligned availability sets.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.SQL.ServerName": { - "Name": "Azure.SQL.ServerName", 
+ "Azure.AppService.NETVersion": { + "Name": "Azure.AppService.NETVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000190", + "Value": "PSRule.Rules.Azure\\AZR-000075", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000190" + "Name": "AZR-000075" }, "Alias": [ null @@ -5923,18 +6138,19 @@ "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid SQL logical server names", - "Synopsis": "Azure SQL logical server names should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": null, - "Control": null + "DisplayName": "Use a newer .NET version", + "Synopsis": "Configure applications to use newer .NET versions.", + "Recommendation": "Consider updating the site to use a newer .NET version such as v6.0.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.VM.AcceleratedNetworking": { - "Name": "Azure.VM.AcceleratedNetworking", + "Azure.ACR.MinSku": { + "Name": "Azure.ACR.MinSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000244", + "Value": "PSRule.Rules.Azure\\AZR-000006", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000244" + "Name": "AZR-000006" }, "Alias": [ null 
@@ -5944,60 +6160,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use accelerated networking", - "Synopsis": "Use accelerated networking for supported operating systems and VM types.", - "Recommendation": "Consider enabling accelerated networking for supported operating systems and VM types.", - "Pillar": null, - "Control": null + "DisplayName": "Use ACR production SKU", + "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.", + "Recommendation": "Consider using the Premium Container Registry SKU for production deployments.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.PublicIP.Name": { - "Name": "Azure.PublicIP.Name", + "Azure.VMSS.AMA": { + "Name": "Azure.VMSS.AMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000155", + "Value": "PSRule.Rules.Azure\\AZR-000346", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000155" + "Name": "AZR-000346" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid Public IP names", - "Synopsis": "Public IP names should meet naming requirements.", - "Recommendation": "Consider using names that meet Public IP naming requirements. 
Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use Azure Monitor Agent", + "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", + "Recommendation": "Consider monitoring Virtual Machine Scale Sets using the Azure Monitor Agent.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.RBAC.LimitMGDelegation": { - "Name": "Azure.RBAC.LimitMGDelegation", + "Azure.Arc.Server.MaintenanceConfig": { + "Name": "Azure.Arc.Server.MaintenanceConfig", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000205", + "Value": "PSRule.Rules.Azure\\AZR-000374", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000205" + "Name": "AZR-000374" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Limit Management Group delegation", - "Synopsis": "Limit Role-Base Access Control (RBAC) inheritance from Management Groups.", - "Recommendation": "Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.\nAzure Blueprints can be used to rollout standard RBAC assignments to common resources. 
Additionally RBAC assignments can be deployed using Azure Resource Manager templates.", - "Pillar": "Security", - "Control": null + "DisplayName": "Associate a maintenance configuration", + "Synopsis": "Use a maintenance configuration for Arc-enabled servers.", + "Recommendation": "Consider automatically managing and applying operating system updates with a maintenance configuration.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1" + }, + "Azure.APIM.ProductDescriptors": { + "Name": "Azure.APIM.ProductDescriptors", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000049", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000049" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "GA", + "RuleSet": "2020_09", + "Level": "Warning", + "Method": null, + "DisplayName": "Use product descriptors", + "Synopsis": "API Management products should have a display name and description.", + "Recommendation": "Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.ParameterFile": { - "Name": "Azure.Template.ParameterFile", + "Azure.SQL.AllowAzureAccess": { + "Name": "Azure.SQL.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000229", + "Value": "PSRule.Rules.Azure\\AZR-000184", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000229" + "Name": "AZR-000184" }, "Alias": [ null 
@@ -6007,81 +6248,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use ARM parameter file structure", - "Synopsis": "Use ARM template parameter files that are valid.", - "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.", + "DisplayName": "Limit SQL database network access to trusted IP addresses", + "Synopsis": "Determine if access from Azure services is required.", + "Recommendation": "Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.Search.ManagedIdentity": { - "Name": "Azure.Search.ManagedIdentity", + "Azure.Cognitive.PrivateEndpoints": { + "Name": "Azure.Cognitive.PrivateEndpoints", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000175", + "Value": "PSRule.Rules.Azure\\AZR-000283", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000175" + "Name": "AZR-000283" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Search services uses a managed identity", - "Synopsis": "Configure managed identities to access Azure resources.", - "Recommendation": "Consider configuring a managed identity for each Cognitive Search service. 
Also consider using managed identities to authenticate to related Azure services.", + "DisplayName": "Use Cognitive Service Private Endpoints", + "Synopsis": "Use Private Endpoints to access Cognitive Services accounts.", + "Recommendation": "Consider accessing Cognitive Services accounts by Private Endpoints and disabling public endpoints.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.PostgreSQL.ServerName": { - "Name": "Azure.PostgreSQL.ServerName", + "Azure.Template.DebugDeployment": { + "Name": "Azure.Template.DebugDeployment", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000152", + "Value": "PSRule.Rules.Azure\\AZR-000225", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000152" + "Name": "AZR-000225" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use valid PostgreSQL DB server names", - "Synopsis": "Azure PostgreSQL DB server names should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure PostgreSQL DB server naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Disable debugging of nested deployments", + "Synopsis": "Use default deployment detail level for nested deployments.", + "Recommendation": "Consider disabling debugging of nested deployments before release.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.ServiceBus.DisableLocalAuth": { - "Name": "Azure.ServiceBus.DisableLocalAuth", + "Azure.LB.Probe": { + "Name": "Azure.LB.Probe", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000178", + "Value": "PSRule.Rules.Azure\\AZR-000126", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000178" + "Name": "AZR-000126" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use identity-based authentication for Service Bus namespaces", - "Synopsis": "Authenticate Service Bus publishers and consumers with Azure AD identities.", - "Recommendation": "Consider only using Azure AD identities to publish or consume messages from Service Bus. 
Then disable authentication based on access keys or SAS tokens.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use specific load balancer probe", + "Synopsis": "Use a specific probe for web protocols.", + "Recommendation": "Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1" }, - "Azure.AppService.PlanInstanceCount": { - "Name": "Azure.AppService.PlanInstanceCount", + "Azure.NSG.AnyInboundSource": { + "Name": "Azure.NSG.AnyInboundSource", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000071", + "Value": "PSRule.Rules.Azure\\AZR-000137", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000071" + "Name": "AZR-000137" }, "Alias": [ null 
@@ -6091,207 +6336,217 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use two or more App Service Plan instances", - "Synopsis": "App Service Plan should use a minimum number of instances for failover.", - "Recommendation": "Consider using an App Service Plan with at least two (2) instances.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Avoid rules that allow any as an inbound source", + "Synopsis": "Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.", + "Recommendation": "Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag Internet.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.APIM.ProductDescriptors": { - "Name": "Azure.APIM.ProductDescriptors", + "Azure.PostgreSQL.AAD": { + "Name": "Azure.PostgreSQL.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000049", + "Value": "PSRule.Rules.Azure\\AZR-000389", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000049" + "Name": "AZR-000389" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", - "Level": "Warning", + "RuleSet": "2023_06", + "Level": "Error", "Method": null, - "DisplayName": "Use product descriptors", - "Synopsis": "API Management products should have a display name and description.", - "Recommendation": "Consider using display name and description fields on products to convey intended purpose and usage. 
Display name and description fields should be human readable and easy to understand.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use AAD authentication with PostgreSQL databases", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.", + "Recommendation": "Consider using Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.MySQL.AllowAzureAccess": { - "Name": "Azure.MySQL.AllowAzureAccess", + "Azure.VM.ScriptExtensions": { + "Name": "Azure.VM.ScriptExtensions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000134", + "Value": "PSRule.Rules.Azure\\AZR-000332", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000134" + "Name": "AZR-000332" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Disable MySQL Allow Azure access firewall rule", - "Synopsis": "Determine if access from Azure services is required.", - "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.", + "DisplayName": "Securely pass secrets to Custom Script Extensions for Virtual Machine", + "Synopsis": "Custom Script Extensions scripts that reference secret values must use the protectedSettings.", + "Recommendation": "Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.", "Pillar": null, - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.SQLMI.AAD": { - "Name": "Azure.SQLMI.AAD", + "Azure.SQL.FirewallIPRange": { + "Name": "Azure.SQL.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000368", + "Value": "PSRule.Rules.Azure\\AZR-000185", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000368" + "Name": "AZR-000185" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use AAD authentication with SQL Managed Instance", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.", - "Recommendation": "Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.", - "Pillar": "Security", - "Control": null + "DisplayName": "Limit SQL logical server firewall rule range", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).", + "Recommendation": "Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.LB.StandardSKU": { - "Name": "Azure.LB.StandardSKU", + "Azure.ADX.Usage": { + "Name": "Azure.ADX.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000128", + "Value": "PSRule.Rules.Azure\\AZR-000011", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000128" + "Name": "AZR-000011" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_03", "Level": "Error", - "Method": null, - "DisplayName": "Load balancers should use Standard SKU", - "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.", - "Recommendation": 
"Consider using Standard SKU for load balancers deployed in production.", + "Method": "in-flight", + "DisplayName": "Remove unused Data Explorer clusters", + "Synopsis": "Regularly remove unused resources to reduce costs.", + "Recommendation": "Consider removing Data Explorer clusters that are not used.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.ps1" }, - "Azure.AKS.AutoUpgrade": { - "Name": "Azure.AKS.AutoUpgrade", + "Azure.VM.PromoSku": { + "Name": "Azure.VM.PromoSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000036", + "Value": "PSRule.Rules.Azure\\AZR-000240", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000036" + "Name": "AZR-000240" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Set AKS auto-upgrade channel", - "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.", - "Recommendation": "Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use current VM SKUs", + "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.", + "Recommendation": "Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. 
Consider moving from promotional SKUs to the regular SKU once the promotional period has expired.", + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.Identity.UserAssignedName": { - "Name": "Azure.Identity.UserAssignedName", + "Azure.MariaDB.FirewallRuleName": { + "Name": "Azure.MariaDB.FirewallRuleName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000117", + "Value": "PSRule.Rules.Azure\\AZR-000338", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000117" + "Name": "AZR-000338" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use valid Managed Identity names", - "Synopsis": "Managed Identity names should meet naming requirements.", - "Recommendation": "Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use valid firewall rule names", + "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.", + "Recommendation": "Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.VNET.PeerState": { - "Name": "Azure.VNET.PeerState", + "Azure.ContainerApp.Storage": { + "Name": "Azure.ContainerApp.Storage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000266", + "Value": "PSRule.Rules.Azure\\AZR-000364", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000266" + "Name": "AZR-000364" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "VNET peer is not connected", - "Synopsis": "VNET peering connections must be connected.", - "Recommendation": "Consider removing peering connections that are not longer required or complete peering connections.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Persistant storage", + "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.", + "Recommendation": "Consider using Azure File volume mounts to persistent storage across containers and replicas.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Databricks.SecureConnectivity": { - "Name": "Azure.Databricks.SecureConnectivity", + "Azure.SignalR.ManagedIdentity": { + "Name": "Azure.SignalR.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000393", + "Value": "PSRule.Rules.Azure\\AZR-000181", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000393" + "Name": "AZR-000181" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Enable secure connectivity for Databricks workspaces", - "Synopsis": "Use 
Databricks workspaces configured for secure cluster connectivity.", - "Recommendation": "Consider configuring Databricks workspaces to use secure cluster connectivity.", + "DisplayName": "Use managed identities for SignalR Services", + "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.", + "Recommendation": "Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml" }, - "Azure.PublicIP.MigrateStandard": { - "Name": "Azure.PublicIP.MigrateStandard", + "Azure.APIM.CORSPolicy": { + "Name": "Azure.APIM.CORSPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000395", + "Value": "PSRule.Rules.Azure\\AZR-000365", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000395" + "Name": "AZR-000365" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Migrate to Standard SKU", - "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.", - "Recommendation": "Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Avoid wildcards in APIM CORS policies", + "Synopsis": "Avoid using wildcard for any configuration option in CORS policies.", + "Recommendation": "Consider configuring the CORS policy by specifying explicit values for each property.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.APIM.HTTPEndpoint": { - "Name": "Azure.APIM.HTTPEndpoint", + "Azure.APIM.ManagedIdentity": { + "Name": 
"Azure.APIM.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000042", + "Value": "PSRule.Rules.Azure\\AZR-000053", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000042" + "Name": "AZR-000053" }, "Alias": [ null @@ -6301,18 +6556,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Publish APIs through HTTPS connections", - "Synopsis": "Enforce HTTPS for communication to API clients.", - "Recommendation": "Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.", + "DisplayName": "API Management uses a managed identity", + "Synopsis": "Configure managed identities to access Azure resources.", + "Recommendation": "Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.KeyVault.Logs": { - "Name": "Azure.KeyVault.Logs", + "Azure.Template.ParameterFile": { + "Name": "Azure.Template.ParameterFile", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000119", + "Value": "PSRule.Rules.Azure\\AZR-000229", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000119" + "Name": "AZR-000229" }, "Alias": [ null 
@@ -6322,186 +6578,217 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Audit Key Vault Data Access", - "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.", - "Recommendation": "Configure audit diagnostics logs to audit Key Vault access.", + "DisplayName": "Use ARM parameter file structure", + "Synopsis": "Use ARM template parameter files that are valid.", + "Recommendation": "Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AKS.PoolVersion": { - "Name": "Azure.AKS.PoolVersion", + "Azure.ASG.Name": { + "Name": "Azure.ASG.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000016", + "Value": "PSRule.Rules.Azure\\AZR-000085", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000016" + "Name": "AZR-000085" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Upgrade AKS node pool version", - "Synopsis": "AKS node pools should match Kubernetes control plane version.", - "Recommendation": "Consider upgrading node pools to match AKS control plan version.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid ASG names", + "Synopsis": "Application Security Group (ASG) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Application Security Group naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASG.Rule.yaml" }, - "Azure.Template.LocationDefault": { - "Name": "Azure.Template.LocationDefault", + "Azure.APIM.CertificateExpiry": { + "Name": "Azure.APIM.CertificateExpiry", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000220", + "Value": "PSRule.Rules.Azure\\AZR-000051", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000220" + "Name": "AZR-000051" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Default to resource group location", - "Synopsis": "Set the default value for the location parameter within an ARM template to resource group location.", - "Recommendation": "Consider updating the location parameter to use [resourceGroup().location] as the default value.", - "Pillar": null, - "Control": null + "DisplayName": "API Management uses current certificates", + "Synopsis": "Renew certificates used for custom domain bindings.", + "Recommendation": "Consider renewing certificates before expiry to prevent service issues.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.CDN.MinTLS": { - "Name": "Azure.CDN.MinTLS", + "Azure.RedisEnterprise.Zones": { + "Name": "Azure.RedisEnterprise.Zones", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000092", + "Value": "PSRule.Rules.Azure\\AZR-000162", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000092" + "Name": "AZR-000162" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure CDN endpoint minimum TLS version", - "Synopsis": "Azure CDN endpoints should reject TLS versions 
older than 1.2.", - "Recommendation": "Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.", - "Pillar": "Security", - "Control": "DP-3" + "DisplayName": "Enterprise Redis cache should use Availability zones in supported regions", + "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.", + "Recommendation": "Consider using availability zones for Enterprise Redis Cache deployed in supported regions.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.Policy.AssignmentDescriptors": { - "Name": "Azure.Policy.AssignmentDescriptors", + "Azure.AppConfig.SKU": { + "Name": "Azure.AppConfig.SKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000143", + "Value": "PSRule.Rules.Azure\\AZR-000057", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000143" + "Name": "AZR-000057" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use descriptive policy assignments", - "Synopsis": "Policy assignments should use a display name and description.", - "Recommendation": "Consider setting a display name and description for each policy assignment.", - "Pillar": null, - "Control": null + "DisplayName": "Use production App Configuration SKU", + "Synopsis": "App Configuration should use a minimum size of Standard.", + "Recommendation": "Consider upgrading App Configuration instances to Standard. 
Free instances are intended only for early development and testing scenarios.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml" }, - "Azure.MySQL.AADOnly": { - "Name": "Azure.MySQL.AADOnly", + "Azure.Arc.Kubernetes.Defender": { + "Name": "Azure.Arc.Kubernetes.Defender", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000394", + "Value": "PSRule.Rules.Azure\\AZR-000373", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000394" + "Name": "AZR-000373" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2023_09", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure AD-only authentication", - "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.", - "Recommendation": "Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.", + "DisplayName": "Use Microsoft Defender", + "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.", + "Recommendation": "Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1" }, - "Azure.AppGw.MinInstance": { - "Name": "Azure.AppGw.MinInstance", + "Azure.MySQL.UseFlexible": { + "Name": "Azure.MySQL.UseFlexible", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000061", + "Value": "PSRule.Rules.Azure\\AZR-000325", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000061" + "Name": "AZR-000325" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", + "Level": "Warning", + "Method": null, + "DisplayName": "Use Azure Database for MySQL 
Flexible Server", + "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.", + "Recommendation": "Migrate to Azure Database for MySQL Flexible Server deployment model.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" + }, + "Azure.Defender.Storage.SensitiveData": { + "Name": "Azure.Defender.Storage.SensitiveData", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000385", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000385" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use two or more Application Gateway instances", - "Synopsis": "Application Gateways should use a minimum of two instances.", - "Recommendation": "When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Sensitive data threat detection", + "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", + "Recommendation": "Consider using sensitive data threat detection in Microsoft Defender for Storage.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1" }, - "Azure.AKS.HttpAppRouting": { - "Name": "Azure.AKS.HttpAppRouting", + "Azure.APIM.Name": { + "Name": "Azure.APIM.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000035", + "Value": "PSRule.Rules.Azure\\AZR-000056", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000035" + "Name": "AZR-000056" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": 
"Disable HTTP application routing add-on", - "Synopsis": "Disable HTTP application routing add-on in AKS clusters.", - "Recommendation": "Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid API Management service names", + "Synopsis": "API Management service names should meet naming requirements.", + "Recommendation": "Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.Storage.DefenderCloud.MalwareScan": { - "Name": "Azure.Storage.DefenderCloud.MalwareScan", + "Azure.MySQL.GeoRedundantBackup": { + "Name": "Azure.MySQL.GeoRedundantBackup", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000384", + "Value": "PSRule.Rules.Azure\\AZR-000323", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000384" + "Name": "AZR-000323" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Malware Scanning", - "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", - "Recommendation": "Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. 
Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.", - "Pillar": "Security", - "Control": null + "DisplayName": "Configure geo-redundant backup", + "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.", + "Recommendation": "Configure geo-redundant backup for Azure Database for MySQL.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.RBAC.LimitOwner": { - "Name": "Azure.RBAC.LimitOwner", + "Azure.KeyVault.AccessPolicy": { + "Name": "Azure.KeyVault.AccessPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000204", + "Value": "PSRule.Rules.Azure\\AZR-000118", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000204" + "Name": "AZR-000118" }, "Alias": [ null 
@@ -6511,165 +6798,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Limit use of subscription scoped Owner role", - "Synopsis": "Limit the number of subscription Owners.", - "Recommendation": "Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.", - "Pillar": "Security", - "Control": null + "DisplayName": "Limit access to Key Vault data", + "Synopsis": "Use the principal of least privilege when assigning access to Key Vault.", + "Recommendation": "Consider assigning access to Key Vault data based on the principle of least privilege.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.VNET.UseNSGs": { - "Name": "Azure.VNET.UseNSGs", + "Azure.VMSS.MigrateAMA": { + "Name": "Azure.VMSS.MigrateAMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000263", + "Value": "PSRule.Rules.Azure\\AZR-000318", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000263" + "Name": "AZR-000318" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use NSGs on subnets", - "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.", - "Recommendation": "Consider assigning a network security group (NSG) to each virtual network subnet.", - "Pillar": "Security", - "Control": "NS-1" + "DisplayName": "Migrate to Azure Monitor Agent", + "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", + "Recommendation": "Virtual Machine Scale Sets should migrate to Azure Monitor Agent.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.AKS.UptimeSLA": { - "Name": "Azure.AKS.UptimeSLA", + "Azure.AppGw.MinSku": { + 
"Name": "Azure.AppGw.MinSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000285", + "Value": "PSRule.Rules.Azure\\AZR-000062", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000285" + "Name": "AZR-000062" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use AKS Uptime SLA", - "Synopsis": "AKS clusters should have Uptime SLA enabled for a financially backed SLA.", - "Recommendation": "Consider enabling Uptime SLA for a financially backed SLA.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use production Application Gateway SKU", + "Synopsis": "Application Gateway should use a minimum instance size of Medium.", + "Recommendation": "Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.ContainerApp.ManagedIdentity": { - "Name": "Azure.ContainerApp.ManagedIdentity", + "Azure.ASE.MigrateV3": { + "Name": "Azure.ASE.MigrateV3", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000361", + "Value": "PSRule.Rules.Azure\\AZR-000319", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000361" + "Name": "AZR-000319" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use managed identity for authentication", - "Synopsis": "Ensure managed identity is used for authentication.", - "Recommendation": "Consider configure a managed identity for each container app.", - "Pillar": "Security", - "Control": null + "DisplayName": "Migrate to App Service Environment v3", + "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.", + 
"Recommendation": "Classic App Service Environments should migrate to App Service Environment v3.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASE.Rule.ps1" }, - "Azure.Defender.SQLOnVM": { - "Name": "Azure.Defender.SQLOnVM", + "Azure.Storage.DefenderCloud.SensitiveData": { + "Name": "Azure.Storage.DefenderCloud.SensitiveData", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000297", + "Value": "PSRule.Rules.Azure\\AZR-000391", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000297" + "Name": "AZR-000391" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2022_09", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Configure Microsoft Defender for SQL Servers on machines to the Standard tier", - "Synopsis": "Enable Microsoft Defender for SQL servers on machines.", - "Recommendation": "Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.", + "DisplayName": "Sensitive data threat detection", + "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", + "Recommendation": "Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. 
Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Cognitive.PublicAccess": { - "Name": "Azure.Cognitive.PublicAccess", + "Azure.AppService.ManagedIdentity": { + "Name": "Azure.AppService.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000280", + "Value": "PSRule.Rules.Azure\\AZR-000082", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000280" + "Name": "AZR-000082" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Restrict Cognitive Service endpoints", - "Synopsis": "Restrict access of Cognitive Services accounts to authorized virtual networks.", - "Recommendation": "Consider configuring network access restrictions for Cognitive Services accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.", + "DisplayName": "App Service apps uses a managed identity", + "Synopsis": "Configure managed identities to access Azure resources.", + "Recommendation": "Consider configuring a managed identity for each App Service app. 
Also consider using managed identities to authenticate to related Azure services.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.AKS.SecretStoreRotation": { - "Name": "Azure.AKS.SecretStoreRotation", + "Azure.CDN.UseFrontDoor": { + "Name": "Azure.CDN.UseFrontDoor", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000034", + "Value": "PSRule.Rules.Azure\\AZR-000286", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000034" + "Name": "AZR-000286" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters refresh secrets from Key Vault", - "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.", - "Recommendation": "Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use Front Door Standard Or Premium SKU", + "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.", + "Recommendation": "Consider using Front Door Standard or Premium SKU to improve performance.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1" }, - "Azure.Storage.BlobAccessType": { - "Name": "Azure.Storage.BlobAccessType", + "Azure.Cognitive.ManagedIdentity": { + "Name": "Azure.Cognitive.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000199", + "Value": "PSRule.Rules.Azure\\AZR-000281", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000199" + "Name": "AZR-000281" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use private blob 
containers", - "Synopsis": "Use containers configured with a private access type that requires authorization.", - "Recommendation": "To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.", + "DisplayName": "Use Managed Identity for Cognitive Services accounts", + "Synopsis": "Configure managed identities to access Azure resources.", + "Recommendation": "Consider configuring a managed identity for each Cognitive Services account.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.AppConfig.AuditLogs": { - "Name": "Azure.AppConfig.AuditLogs", + "Azure.Defender.Containers": { + "Name": "Azure.Defender.Containers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000311", + "Value": "PSRule.Rules.Azure\\AZR-000290", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000311" + "Name": "AZR-000290" }, "Alias": [ null 
@@ -6679,81 +6974,85 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Audit App Configuration Store", - "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.", - "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.", - "Pillar": null, - "Control": null + "DisplayName": "Set Microsoft Defender for Containers to the Standard tier", + "Synopsis": "Enable Microsoft Defender for Containers.", + "Recommendation": "Consider using Microsoft Defender for Containers to protect your container-based workloads.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.AppService.PHPVersion": { - "Name": "Azure.AppService.PHPVersion", + "Azure.PublicIP.DNSLabel": { + "Name": "Azure.PublicIP.DNSLabel", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000076", + "Value": "PSRule.Rules.Azure\\AZR-000156", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000076" + "Name": "AZR-000156" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use a newer PHP runtime version", - "Synopsis": "Configure applications to use newer PHP runtime versions.", - "Recommendation": "Consider updating the site to use a newer PHP runtime version such as 7.4.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Public IP DNS labels", + "Synopsis": "Public IP domain name labels should meet naming requirements.", + "Recommendation": "Consider using domain name labels that meet Public IP naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.LB.AvailabilityZone": { - "Name": "Azure.LB.AvailabilityZone", + "Azure.VNET.Name": { + "Name": "Azure.VNET.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000127", + "Value": "PSRule.Rules.Azure\\AZR-000268", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000127" + "Name": "AZR-000268" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Load balancers should be zone-redundant", - "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.", - "Recommendation": "Consider using zone-redundant load balancers deployed with Standard SKU.", - "Pillar": null, - "Control": null + "DisplayName": "Use valid VNET names", + "Synopsis": "Virtual Network (VNET) names should meet naming requirements.", + "Recommendation": "Consider using names that meet Virtual Network naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.yaml" }, - "Azure.FrontDoorWAF.Enabled": { - "Name": "Azure.FrontDoorWAF.Enabled", + "Azure.AppGw.UseHTTPS": { + "Name": "Azure.AppGw.UseHTTPS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000305", + "Value": "PSRule.Rules.Azure\\AZR-000059", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000305" + "Name": "AZR-000059" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Enable Front Door WAF policy", - "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.", - "Recommendation": "Consider enabling WAF policy.", + "DisplayName": "Expose frontend HTTP endpoints over HTTPS", + "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.", + "Recommendation": "Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1" }, - "Azure.Redis.AvailabilityZone": { - "Name": "Azure.Redis.AvailabilityZone", + "Azure.Template.ExpressionLength": { + "Name": "Azure.Template.ExpressionLength", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000161", + "Value": "PSRule.Rules.Azure\\AZR-000228", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000161" + "Name": "AZR-000228" }, "Alias": [ null 
@@ -6763,39 +7062,41 @@ "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Redis cache should use Availability zones in supported regions", - "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.", - "Recommendation": "Consider using availability zones for Premium Redis Cache deployed in supported regions.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Template expressions should not exceed a maximum length", + "Synopsis": "Template expressions should not exceed the maximum length.", + "Recommendation": "Consider updating the expression to reduce complexity and length.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.NSG.LateralTraversal": { - "Name": "Azure.NSG.LateralTraversal", + "Azure.Template.ParameterMinMaxValue": { + "Name": "Azure.Template.ParameterMinMaxValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000139", + "Value": "PSRule.Rules.Azure\\AZR-000224", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000139" + "Name": "AZR-000224" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Limit lateral traversal within subnets", - "Synopsis": "Deny outbound management connections from non-management hosts.", - "Recommendation": "Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.", + "DisplayName": "Use minValue and maxValue with correct type", + "Synopsis": "Template parameters minValue and maxValue constraints must be valid.", + "Recommendation": "Consider updating parameter definitions using minValue or maxValue. 
When using minValue or maxValue these values must be integers and only apply to int parameters.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AppService.HTTP2": { - "Name": "Azure.AppService.HTTP2", + "Azure.Redis.MaxMemoryReserved": { + "Name": "Azure.Redis.MaxMemoryReserved", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000078", + "Value": "PSRule.Rules.Azure\\AZR-000160", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000078" + "Name": "AZR-000160" }, "Alias": [ null 
@@ -6805,102 +7106,85 @@ "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use HTTP/2 connections for App Service apps", - "Synopsis": "Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.", - "Recommendation": "Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.", + "DisplayName": "Configure cache maxmemory-reserved setting", + "Synopsis": "Configure maxmemory-reserved to reserve memory for non-cache operations.", + "Recommendation": "Consider configuring maxmemory-reserved to at least 10% of available cache memory.", "Pillar": "Performance Efficiency", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.VM.Name": { - "Name": "Azure.VM.Name", + "Azure.Defender.OssRdb": { + "Name": "Azure.Defender.OssRdb", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000248", + "Value": "PSRule.Rules.Azure\\AZR-000381", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000248" + "Name": "AZR-000381" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid VM names", - "Synopsis": "Virtual Machine (VM) names should meet naming requirements.", - "Recommendation": "Consider using names that meet VM resource name requirements. 
Additionally, consider using a resource name that meeting OS naming requirements.", - "Pillar": null, - "Control": null + "DisplayName": "Set Microsoft Defender for open-source relational databases to the Standard tier", + "Synopsis": "Enable Microsoft Defender for open-source relational databases.", + "Recommendation": "Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.VM.DiskName": { - "Name": "Azure.VM.DiskName", + "Azure.AppInsights.Workspace": { + "Name": "Azure.AppInsights.Workspace", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000253", + "Value": "PSRule.Rules.Azure\\AZR-000069", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000253" + "Name": "AZR-000069" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid Managed Disk names", - "Synopsis": "Managed Disk names should meet naming requirements.", - "Recommendation": "Consider using names that meet Managed Disk naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Use workspace-based App Insights resources", + "Synopsis": "Configure Application Insights resources to store data in workspaces.", + "Recommendation": "Consider using workspace-based Application Insights resources to collect telemetry in shared storage.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml" }, - "Azure.FrontDoor.Probe": { - "Name": "Azure.FrontDoor.Probe", + "Azure.VM.Standalone": { + "Name": "Azure.VM.Standalone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000108", + "Value": "PSRule.Rules.Azure\\AZR-000239", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000108" + "Name": "AZR-000239" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Health Probes for Front Door backends", - "Synopsis": "Use health probes to check the health of each backend.", - "Recommendation": "Consider configuring and enabling a health probe for each Front Door backend.", + "DisplayName": "Standalone Virtual Machine", + "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.", + "Recommendation": "Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.", "Pillar": "Reliability", - "Control": null - }, - "Azure.ACR.Usage": { - "Name": "Azure.ACR.Usage", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000001", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000001" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2020_12", - "Level": "Error", - "Method": "in-flight", - "DisplayName": "Container registry storage usage", - "Synopsis": "Regularly remove deprecated and unneeded images to reduce storage usage.", - "Recommendation": "Consider removing deprecated and 
unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.", - "Pillar": "Cost Optimization", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.AKS.ManagedIdentity": { - "Name": "Azure.AKS.ManagedIdentity", + "Azure.FrontDoor.WAF.Mode": { + "Name": "Azure.FrontDoor.WAF.Mode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000025", + "Value": "PSRule.Rules.Azure\\AZR-000114", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000025" + "Name": "AZR-000114" }, "Alias": [ null 
@@ -6910,74 +7194,78 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use managed identities for AKS cluster authentication", - "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.", - "Recommendation": "Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.", + "DisplayName": "Use Front Door WAF policy in prevention mode", + "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.", + "Recommendation": "Consider setting Front Door WAF policy to use protection mode.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.VM.PublicKey": { - "Name": "Azure.VM.PublicKey", + "Azure.Firewall.PolicyMode": { + "Name": "Azure.Firewall.PolicyMode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000245", + "Value": "PSRule.Rules.Azure\\AZR-000399", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000245" + "Name": "AZR-000399" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Use public keys for Linux", - "Synopsis": "Linux virtual machines should use public keys.", - "Recommendation": "Consider using public key based authentication instead of passwords.", - "Pillar": null, - "Control": null + "DisplayName": "Threat intelligence-based filtering", + "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.", + "Recommendation": "Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.", + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.Redis.FirewallRuleCount": { - "Name": "Azure.Redis.FirewallRuleCount", + "Azure.ACR.SoftDelete": { + "Name": "Azure.ACR.SoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000299", + "Value": "PSRule.Rules.Azure\\AZR-000310", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000299" + "Name": "AZR-000310" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", + "Release": "preview", "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Cleanup Redis cache firewall rules", - "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.", - "Recommendation": "The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use ACR soft delete policy", + "Synopsis": "Azure Container Registries should have soft delete policy enabled.", + "Recommendation": "Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.VNET.BastionSubnet": { - "Name": "Azure.VNET.BastionSubnet", + "Azure.AKS.EphemeralOSDisk": { + "Name": "Azure.AKS.EphemeralOSDisk", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000314", + "Value": "PSRule.Rules.Azure\\AZR-000287", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000314" + "Name": "AZR-000287" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", - "Level": "Error", + "RuleSet": "2022_09", + "Level": "Warning", "Method": null, - "DisplayName": "Configure VNETs with a AzureBastionSubnet subnet", - "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.", - "Recommendation": "Consider 
an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use AKS Ephemeral OS disk", + "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.", + "Recommendation": "AKS clusters should use ephemeral OS disks.", + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, "Azure.VM.DiskSizeAlignment": { "Name": "Azure.VM.DiskSizeAlignment", 
@@ -6998,312 +7286,367 @@ "Synopsis": "Align to the Managed Disk billing model to improve cost efficiency.", "Recommendation": "Consider resizing or optimizing storage to reduce waste by using disk sizes that align to the billing model for Managed Disks. Also consider, sizing and striping disks to optimize performance.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AppConfig.SKU": { - "Name": "Azure.AppConfig.SKU", + "Azure.AKS.PoolVersion": { + "Name": "Azure.AKS.PoolVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000057", + "Value": "PSRule.Rules.Azure\\AZR-000016", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000057" + "Name": "AZR-000016" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use production App Configuration SKU", - "Synopsis": "App Configuration should use a minimum size of Standard.", - "Recommendation": "Consider upgrading App Configuration instances to Standard. 
Free instances are intended only for early development and testing scenarios.", + "DisplayName": "Upgrade AKS node pool version", + "Synopsis": "AKS node pools should match Kubernetes control plane version.", + "Recommendation": "Consider upgrading node pools to match AKS control plan version.", "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AppGw.UseHTTPS": { - "Name": "Azure.AppGw.UseHTTPS", + "Azure.Databricks.SecureConnectivity": { + "Name": "Azure.Databricks.SecureConnectivity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000059", + "Value": "PSRule.Rules.Azure\\AZR-000393", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000059" + "Name": "AZR-000393" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Expose frontend HTTP endpoints over HTTPS", - "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.", - "Recommendation": "Consider configuring Application Gateways to only expose HTTPS endpoints. 
For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.", + "DisplayName": "Enable secure connectivity for Databricks workspaces", + "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.", + "Recommendation": "Consider configuring Databricks workspaces to use secure cluster connectivity.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml" }, - "Azure.AKS.StandardLB": { - "Name": "Azure.AKS.StandardLB", + "Azure.MariaDB.AllowAzureAccess": { + "Name": "Azure.MariaDB.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000026", + "Value": "PSRule.Rules.Azure\\AZR-000342", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000026" + "Name": "AZR-000342" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use the Standard load balancer SKU", - "Synopsis": "Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.", - "Recommendation": "Consider using Standard load balancer SKU during AKS cluster creation. 
Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Disable MariaDB Allow access to Azure services firewall rule", + "Synopsis": "Determine if access from Azure services is required.", + "Recommendation": "Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.APIM.MultiRegion": { - "Name": "Azure.APIM.MultiRegion", + "Azure.ADX.SLA": { + "Name": "Azure.ADX.SLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000340", + "Value": "PSRule.Rules.Azure\\AZR-000014", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000340" + "Name": "AZR-000014" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Multi-region deployment", - "Synopsis": "API Management instances should use multi-region deployment to improve service availability.", - "Recommendation": "Consider deploying an API Management service across multiple regions to improve service availability.", + "DisplayName": "Use an SLA for Azure Data Explorer clusters", + "Synopsis": "Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.", + "Recommendation": "Consider using a production ready SKU that includes a SLA.", "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml" }, - "Azure.AppService.RemoteDebug": { - "Name": "Azure.AppService.RemoteDebug", + 
"Azure.MySQL.AAD": { + "Name": "Azure.MySQL.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000074", + "Value": "PSRule.Rules.Azure\\AZR-000392", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000074" + "Name": "AZR-000392" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Disable App Service remote debugging", - "Synopsis": "Disable remote debugging on App Service apps when not in use.", - "Recommendation": "Consider disabling remote debugging when not in use.", + "DisplayName": "Use AAD authentication with MySQL databases", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.", + "Recommendation": "Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.DefenderCloud.Contact": { - "Name": "Azure.DefenderCloud.Contact", + "Azure.APIM.MinAPIVersion": { + "Name": "Azure.APIM.MinAPIVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000209", + "Value": "PSRule.Rules.Azure\\AZR-000321", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000209" + "Name": "AZR-000321" }, "Alias": [ - { - "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Contact", - "Scope": "PSRule.Rules.Azure", - "Name": "Azure.SecurityCenter.Contact" - } + null + ], + "Flags": 0, + "Release": "GA", + "RuleSet": "2022_12", + "Level": "Error", + "Method": null, + "DisplayName": "API Management API versions prior to 2021-08-01 will be retired", + "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.", + "Recommendation": "Limit control plane API calls to API Management with version '2021-08-01' 
or newer.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" + }, + "Azure.VM.UseHybridUseBenefit": { + "Name": "Azure.VM.UseHybridUseBenefit", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000243", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000243" + }, + "Alias": [ + null ], "Flags": 0, "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Set Security Center contact details", - "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set.", - "Recommendation": "Consider configuring Microsoft Defender for Cloud email and phone contact details.", + "DisplayName": "Use Azure Hybrid Benefit", + "Synopsis": "Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.", + "Recommendation": "Consider using Azure Hybrid Benefit for eligible workloads.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.MySQL.MinTLS": { - "Name": "Azure.MySQL.MinTLS", + "Azure.Resource.UseTags": { + "Name": "Azure.Resource.UseTags", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000132", + "Value": "PSRule.Rules.Azure\\AZR-000166", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000132" + "Name": "AZR-000166" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "MySQL DB server minimum TLS version", - "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use resource tags", + "Synopsis": "Azure resources should be tagged using a standard convention.", + "Recommendation": "Consider tagging resources 
using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.\nAlso consider using Azure Policy to enforce mandatory tags.", + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1" }, - "Azure.AppGw.Name": { - "Name": "Azure.AppGw.Name", + "Azure.LB.StandardSKU": { + "Name": "Azure.LB.StandardSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000348", + "Value": "PSRule.Rules.Azure\\AZR-000128", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000348" + "Name": "AZR-000128" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid names", - "Synopsis": "Application Gateways should meet naming requirements.", - "Recommendation": "Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "Load balancers should use Standard SKU", + "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.", + "Recommendation": "Consider using Standard SKU for load balancers deployed in production.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1" }, - "Azure.AKS.AzurePolicyAddOn": { - "Name": "Azure.AKS.AzurePolicyAddOn", + "Azure.Automation.AuditLogs": { + "Name": "Azure.Automation.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000028", + "Value": "PSRule.Rules.Azure\\AZR-000088", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000028" + "Name": "AZR-000088" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Use Azure Policy Add-on with AKS 
clusters", - "Synopsis": "Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.", - "Recommendation": "Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.", + "DisplayName": "Audit Automation Account data access", + "Synopsis": "Ensure automation account audit diagnostic logs are enabled.", + "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" + }, + "Azure.SQLMI.AADOnly": { + "Name": "Azure.SQLMI.AADOnly", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000366", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000366" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "GA", + "RuleSet": "2023_03", + "Level": "Error", + "Method": null, + "DisplayName": "Azure AD-only authentication", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.", + "Recommendation": "Consider using Azure AD-only authentication. 
Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1" }, - "Azure.WebPubSub.SLA": { - "Name": "Azure.WebPubSub.SLA", + "Azure.AppGw.MigrateV2": { + "Name": "Azure.AppGw.MigrateV2", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000278", + "Value": "PSRule.Rules.Azure\\AZR-000376", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000278" + "Name": "AZR-000376" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use an SLA for Web PubSub Services", - "Synopsis": "Use SKUs that include an SLA when configuring Web PubSub Services.", - "Recommendation": "Consider using a Standard SKU that includes an SLA.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Migrate to Application Gateway v2", + "Synopsis": "Use a Application Gateway v2 SKU.", + "Recommendation": "Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.Policy.AssignmentAssignedBy": { - "Name": "Azure.Policy.AssignmentAssignedBy", + "Azure.Bastion.Name": { + "Name": "Azure.Bastion.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000144", + "Value": "PSRule.Rules.Azure\\AZR-000349", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000144" + "Name": "AZR-000349" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Use assigned by for policy assignments", - "Synopsis": "Policy assignments should use assignedBy metadata.", - "Recommendation": "Consider setting assignedBy metadata for 
each policy assignment.", - "Pillar": null, - "Control": null + "DisplayName": "Use valid names", + "Synopsis": "Bastion hosts should meet naming requirements.", + "Recommendation": "Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Bastion.Rule.yaml" }, - "Azure.AppGw.AvailabilityZone": { - "Name": "Azure.AppGw.AvailabilityZone", + "Azure.ContainerApp.Insecure": { + "Name": "Azure.ContainerApp.Insecure", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000060", + "Value": "PSRule.Rules.Azure\\AZR-000094", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000060" + "Name": "AZR-000094" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Application gateways should use Availability zones in supported regions", - "Synopsis": "Application gateways should use availability zones in supported regions for high availability.", - "Recommendation": "Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).", - "Pillar": null, - "Control": null + "DisplayName": "Disable insecure container app ingress", + "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.", + "Recommendation": "Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.AppGw.MigrateV2": { - "Name": "Azure.AppGw.MigrateV2", + "Azure.Cognitive.DisableLocalAuth": { + "Name": "Azure.Cognitive.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000376", + "Value": 
"PSRule.Rules.Azure\\AZR-000282", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000376" + "Name": "AZR-000282" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Migrate to Application Gateway v2", - "Synopsis": "Use a Application Gateway v2 SKU.", - "Recommendation": "Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use identity-based authentication for Cogitive Services accounts", + "Synopsis": "Authenticate requests to Cognitive Services with Azure AD identities.", + "Recommendation": "Consider only using Azure AD identities to authenticate requests to Cogitive Services accounts. Once configured, disable authentication based on access keys.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.ContainerApp.RestrictIngress": { - "Name": "Azure.ContainerApp.RestrictIngress", + "Azure.AKS.DNSPrefix": { + "Name": "Azure.AKS.DNSPrefix", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000380", + "Value": "PSRule.Rules.Azure\\AZR-000040", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000380" + "Name": "AZR-000040" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "IP ingress restrictions mode", - "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.", - "Recommendation": "Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid AKS cluster DNS prefix", + "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.", + "Recommendation": "Consider using 
a DNS prefix that meets naming requirements.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.SignalR.SLA": { - "Name": "Azure.SignalR.SLA", + "Azure.WebPubSub.ManagedIdentity": { + "Name": "Azure.WebPubSub.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000182", + "Value": "PSRule.Rules.Azure\\AZR-000277", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000182" + "Name": "AZR-000277" }, "Alias": [ null 
@@ -7313,165 +7656,173 @@ "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Use an SLA for SignalR Services", - "Synopsis": "Use SKUs that include an SLA when configuring SignalR Services.", - "Recommendation": "Consider using a Standard or Premium SKU that includes an SLA.", - "Pillar": null, - "Control": null + "DisplayName": "Use managed identities for Web PubSub Services", + "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.", + "Recommendation": "Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml" }, - "Azure.MariaDB.FirewallRuleName": { - "Name": "Azure.MariaDB.FirewallRuleName", + "Azure.FrontDoorWAF.Exclusions": { + "Name": "Azure.FrontDoorWAF.Exclusions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000338", + "Value": "PSRule.Rules.Azure\\AZR-000307", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000338" + "Name": "AZR-000307" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid firewall rule names", - "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Avoid configuring Front Door WAF rule exclusions", + "Synopsis": "Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Avoid configuring rule exclusions.", + "Recommendation": "Avoid configuring Front Door WAF rule exclusions.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.RedisEnterprise.MinTLS": { - "Name": "Azure.RedisEnterprise.MinTLS", + "Azure.VNET.SingleDNS": { + "Name": "Azure.VNET.SingleDNS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000301", + "Value": "PSRule.Rules.Azure\\AZR-000264", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000301" + "Name": "AZR-000264" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Redis Cache minimum TLS version", - "Synopsis": "Redis Cache should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use redundant DNS servers", + "Synopsis": "Virtual networks (VNETs) should have at least two DNS servers assigned.", + "Recommendation": "Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.ServiceBus.AuditLogs": { - "Name": "Azure.ServiceBus.AuditLogs", + "Azure.PostgreSQL.UseSSL": { + "Name": "Azure.PostgreSQL.UseSSL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000358", + "Value": "PSRule.Rules.Azure\\AZR-000147", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000358" + "Name": "AZR-000147" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Audit Service Bus data plane access", - "Synopsis": "Ensure namespaces 
audit diagnostic logs are enabled.", - "Recommendation": "Consider configuring diagnostic settings to record interactions with data of the Service Bus.", - "Pillar": null, - "Control": null + "DisplayName": "Enforce encrypted PostgreSQL connections", + "Synopsis": "Enforce encrypted PostgreSQL connections.", + "Recommendation": "Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml" }, - "Azure.AKS.AutoScaling": { - "Name": "Azure.AKS.AutoScaling", + "Azure.MySQL.FirewallIPRange": { + "Name": "Azure.MySQL.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000019", + "Value": "PSRule.Rules.Azure\\AZR-000135", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000019" + "Name": "AZR-000135" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Enable AKS cluster autoscaler", - "Synopsis": "Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present.", - "Recommendation": "Consider enabling autoscaling for AKS clusters deployed with virtual machine scale sets.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Limit MySQL server firewall rule range", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", + "Recommendation": "The MySQL server has greater then ten (10) public IP addresses that are permitted network access. 
Some rules may not be needed or can be reduced.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.APIM.Name": { - "Name": "Azure.APIM.Name", + "Azure.MySQL.AllowAzureAccess": { + "Name": "Azure.MySQL.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000056", + "Value": "PSRule.Rules.Azure\\AZR-000134", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000056" + "Name": "AZR-000134" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid API Management service names", - "Synopsis": "API Management service names should meet naming requirements.", - "Recommendation": "Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Disable MySQL Allow Azure access firewall rule", + "Synopsis": "Determine if access from Azure services is required.", + "Recommendation": "Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.\nDetermine if access from Azure services is required for the services connecting to the hosted databases.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.MariaDB.UseSSL": { - "Name": "Azure.MariaDB.UseSSL", + "Azure.VM.DiskName": { + "Name": "Azure.VM.DiskName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000334", + "Value": "PSRule.Rules.Azure\\AZR-000253", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000334" + "Name": "AZR-000253" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", 
"Method": null, - "DisplayName": "Encrypted connections", - "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.", - "Recommendation": "Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.\nAlso consider using Azure Policy to audit or enforce this configuration.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Managed Disk names", + "Synopsis": "Managed Disk names should meet naming requirements.", + "Recommendation": "Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Storage.Firewall": { - "Name": "Azure.Storage.Firewall", + "Azure.VNG.ConnectionName": { + "Name": "Azure.VNG.ConnectionName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000202", + "Value": "PSRule.Rules.Azure\\AZR-000275", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000202" + "Name": "AZR-000275" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure Azure Storage firewall", - "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.", - "Recommendation": "Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid connection names", + "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.", + "Recommendation": "Consider using names that meet connection naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml" }, - "Azure.FrontDoor.UseWAF": { - "Name": "Azure.FrontDoor.UseWAF", + "Azure.VM.Name": { + "Name": "Azure.VM.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000111", + "Value": "PSRule.Rules.Azure\\AZR-000248", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000111" + "Name": "AZR-000248" }, "Alias": [ null @@ -7481,18 +7832,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Front Door endpoints should use WAF", - "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.", - "Recommendation": "Consider enabling a WAF policy on each Front Door endpoint.", - "Pillar": "Security", - "Control": "NS-6" + "DisplayName": "Use valid VM names", + "Synopsis": "Virtual Machine (VM) names should meet naming requirements.", + "Recommendation": "Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Automation.WebHookExpiry": { - "Name": "Azure.Automation.WebHookExpiry", + "Azure.FrontDoor.Name": { + "Name": "Azure.FrontDoor.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000087", + "Value": "PSRule.Rules.Azure\\AZR-000113", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000087" + "Name": "AZR-000113" }, "Alias": [ null 
@@ -7502,312 +7854,331 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use short lived web hooks", - "Synopsis": "Do not create webhooks with an expiry time greater than 1 year (default).", - "Recommendation": "An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.", - "Pillar": null, - "Control": null + "DisplayName": "Use valid Front Door names", + "Synopsis": "Front Door names should meet naming requirements.", + "Recommendation": "Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.PostgreSQL.DefenderCloud": { - "Name": "Azure.PostgreSQL.DefenderCloud", + "Azure.ACR.GeoReplica": { + "Name": "Azure.ACR.GeoReplica", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000327", + "Value": "PSRule.Rules.Azure\\AZR-000004", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000327" + "Name": "AZR-000004" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", - "Method": null, - "DisplayName": "Use Microsoft Defender", - "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.", - "Recommendation": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.", - "Pillar": null, - "Control": null + "Method": "in-flight", + "DisplayName": "Geo-replicate container images", + "Synopsis": "Use geo-replicated container registries to compliment a multi-region container deployments.", + "Recommendation": "Consider using 
a geo-replicated container registry for multi-region deployments.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.AKS.ContainerInsights": { - "Name": "Azure.AKS.ContainerInsights", + "Azure.Firewall.PolicyName": { + "Name": "Azure.Firewall.PolicyName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000041", + "Value": "PSRule.Rules.Azure\\AZR-000104", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000041" + "Name": "AZR-000104" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Enable AKS Container insights", - "Synopsis": "Enable Container insights to monitor AKS cluster workloads.", - "Recommendation": "Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.", + "DisplayName": "Use valid Firewall policy names", + "Synopsis": "Firewall policy names should meet naming requirements.", + "Recommendation": "Consider using names that meet Firewall policy naming requirements. 
Additionally consider naming resources with a standard naming convention.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.Template.ValidSecretRef": { - "Name": "Azure.Template.ValidSecretRef", + "Azure.Redis.PublicNetworkAccess": { + "Name": "Azure.Redis.PublicNetworkAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000233", + "Value": "PSRule.Rules.Azure\\AZR-000165", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000233" + "Name": "AZR-000165" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Use a valid secret reference", - "Synopsis": "Use a valid secret reference within parameter files.", - "Recommendation": "Check the secret value Key Vault reference is valid.", - "Pillar": null, - "Control": null + "DisplayName": "Use private endpoints with Azure Cache for Redis", + "Synopsis": "Redis cache should disable public network access.", + "Recommendation": "Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.ServiceFabric.AAD": { - "Name": "Azure.ServiceFabric.AAD", + "Azure.SQL.DefenderCloud": { + "Name": "Azure.SQL.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000179", + "Value": "PSRule.Rules.Azure\\AZR-000186", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000179" + "Name": "AZR-000186" }, "Alias": [ - null + { + "Value": "PSRule.Rules.Azure\\Azure.SQL.ThreatDetection", + "Scope": "PSRule.Rules.Azure", + "Name": "Azure.SQL.ThreatDetection" + } ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": 
null, - "DisplayName": "Use AAD authentication with Service Fabric clusters", - "Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.", - "Recommendation": "Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.", + "DisplayName": "Use Advanced Threat Protection", + "Synopsis": "Enable Microsoft Defender for Azure SQL logical server.", + "Recommendation": "Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.ContainerApp.APIVersion": { - "Name": "Azure.ContainerApp.APIVersion", + "Azure.Storage.SoftDelete": { + "Name": "Azure.Storage.SoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000400", + "Value": "PSRule.Rules.Azure\\AZR-000197", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000400" + "Name": "AZR-000197" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Retired API version", - "Synopsis": "Migrate from retired API version to a supported version.", - "Recommendation": "Consider migrating from retired API version to a supported version.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use blob soft delete", + "Synopsis": "Enable blob soft delete on Storage Accounts.", + "Recommendation": "Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.FrontDoor.WAF.Mode": { - "Name": "Azure.FrontDoor.WAF.Mode", + "Azure.KeyVault.AutoRotationPolicy": { + "Name": 
"Azure.KeyVault.AutoRotationPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000114", + "Value": "PSRule.Rules.Azure\\AZR-000123", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000114" + "Name": "AZR-000123" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use Front Door WAF policy in prevention mode", - "Synopsis": "Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.", - "Recommendation": "Consider setting Front Door WAF policy to use protection mode.", + "DisplayName": "Enable Key Vault key auto-rotation", + "Synopsis": "Key Vault keys should have auto-rotation enabled.", + "Recommendation": "Consider enabling auto-rotation on Key Vault keys.", "Pillar": "Security", - "Control": null + "Control": "IM-3", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.ContainerApp.DisableAffinity": { - "Name": "Azure.ContainerApp.DisableAffinity", + "Azure.TrafficManager.Endpoints": { + "Name": "Azure.TrafficManager.Endpoints", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000378", + "Value": "PSRule.Rules.Azure\\AZR-000236", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000378" + "Name": "AZR-000236" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Disable session affinity", - "Synopsis": "Disable session affinity to prevent unbalanced distribution.", - "Recommendation": "Consider disabling session affinity to evenly distribute requests across each replica.", - "Pillar": "Performance Efficiency", - "Control": null + "DisplayName": "Use at least two Traffic Manager endpoints", + "Synopsis": "Traffic Manager should use at lest two enabled endpoints.", + "Recommendation": "Consider adding additional endpoints or 
enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1" }, - "Azure.SQL.MinTLS": { - "Name": "Azure.SQL.MinTLS", + "Azure.ContainerApp.APIVersion": { + "Name": "Azure.ContainerApp.APIVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000189", + "Value": "PSRule.Rules.Azure\\AZR-000400", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000189" + "Name": "AZR-000400" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure SQL DB server minimum TLS version", - "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.", - "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2.", - "Pillar": "Security", - "Control": null + "DisplayName": "Retired API version", + "Synopsis": "Migrate from retired API version to a supported version.", + "Recommendation": "Consider migrating from retired API version to a supported version.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.VM.SQLServerDisk": { - "Name": "Azure.VM.SQLServerDisk", + "Azure.VNET.UseNSGs": { + "Name": "Azure.VNET.UseNSGs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000324", + "Value": "PSRule.Rules.Azure\\AZR-000263", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000324" + "Name": "AZR-000263" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure Premium disks or above", - "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server 
workloads.", - "Recommendation": "Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.", - "Pillar": null, - "Control": null + "DisplayName": "Use NSGs on subnets", + "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.", + "Recommendation": "Consider assigning a network security group (NSG) to each virtual network subnet.", + "Pillar": "Security", + "Control": "NS-1", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.Redis.FirewallIPRange": { - "Name": "Azure.Redis.FirewallIPRange", + "Azure.Deployment.SecureValue": { + "Name": "Azure.Deployment.SecureValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000300", + "Value": "PSRule.Rules.Azure\\AZR-000316", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000300" + "Name": "AZR-000316" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Limit Redis cache number of IP addresses", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.", - "Recommendation": "The Redis cache has greater than ten (10) public IP addresses that are permitted network access. 
Some rules may not be needed or can be reduced.", + "DisplayName": "Use secure resource values", + "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.", + "Recommendation": "Consider using secure parameters for sensitive resource properties.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.EventHub.MinTLS": { - "Name": "Azure.EventHub.MinTLS", + "Azure.AKS.SecretStore": { + "Name": "Azure.AKS.SecretStore", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000356", + "Value": "PSRule.Rules.Azure\\AZR-000033", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000356" + "Name": "AZR-000033" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Minimum TLS version", - "Synopsis": "Event Hub namespaces should reject TLS versions older than 1.2.", - "Recommendation": "Configure the minimum supported TLS version to be 1.2.", + "DisplayName": "AKS clusters use Key Vault to store secrets", + "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.", + "Recommendation": "Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.WebPubSub.ManagedIdentity": { - "Name": "Azure.WebPubSub.ManagedIdentity", + "Azure.IoTHub.MinTLS": { + "Name": "Azure.IoTHub.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000277", + "Value": "PSRule.Rules.Azure\\AZR-000357", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000277" + "Name": "AZR-000357" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": 
"2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use managed identities for Web PubSub Services", - "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.", - "Recommendation": "Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.", + "DisplayName": "Minimum TLS version", + "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.", + "Recommendation": "Configure the minimum supported TLS version to be 1.2.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.IoTHub.Rule.yaml" }, - "Azure.AppService.WebProbePath": { - "Name": "Azure.AppService.WebProbePath", + "Azure.VM.ComputerName": { + "Name": "Azure.VM.ComputerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000080", + "Value": "PSRule.Rules.Azure\\AZR-000249", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000080" + "Name": "AZR-000249" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Web apps use a dedicated health probe path", - "Synopsis": "Configure a dedicated path for health probe requests.", - "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid VM computer names", + "Synopsis": "Virtual Machine (VM) computer name should meet naming requirements.", + "Recommendation": "Consider using computer names that meet OS naming requirements. 
Additionally, consider using computer names that match the VM resource name.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AppService.AlwaysOn": { - "Name": "Azure.AppService.AlwaysOn", + "Azure.Redis.FirewallIPRange": { + "Name": "Azure.Redis.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000077", + "Value": "PSRule.Rules.Azure\\AZR-000300", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000077" + "Name": "AZR-000300" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Use App Service Always On", - "Synopsis": "Configure Always On for App Service apps.", - "Recommendation": "Consider enabling Always On for each App Services app.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Limit Redis cache number of IP addresses", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.", + "Recommendation": "The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.ACR.MinSku": { - "Name": "Azure.ACR.MinSku", + "Azure.SignalR.Name": { + "Name": "Azure.SignalR.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000006", + "Value": "PSRule.Rules.Azure\\AZR-000180", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000006" + "Name": "AZR-000180" }, "Alias": [ null 
@@ -7817,39 +8188,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use ACR production SKU", - "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.", - "Recommendation": "Consider using the Premium Container Registry SKU for production deployments.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid SignalR service names", + "Synopsis": "SignalR service instance names should meet naming requirements.", + "Recommendation": "Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.ps1" }, - "Azure.Defender.SQL": { - "Name": "Azure.Defender.SQL", + "Azure.Monitor.ServiceHealth": { + "Name": "Azure.Monitor.ServiceHealth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000294", + "Value": "PSRule.Rules.Azure\\AZR-000211", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000294" + "Name": "AZR-000211" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure Microsoft Defender for SQL to the Standard tier", - "Synopsis": "Enable Microsoft Defender for SQL servers.", - "Recommendation": "Consider using Microsoft Defender for SQL to protect your SQL databases.", + "DisplayName": "Alert on service events", + "Synopsis": "Configure Service Health alerts to notify administrators.", + "Recommendation": "Consider configuring an alert to notify administrators when services you are using are potentially impacted.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.KeyVault.SoftDelete": { - "Name": 
"Azure.KeyVault.SoftDelete", + "Azure.AKS.Version": { + "Name": "Azure.AKS.Version", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000124", + "Value": "PSRule.Rules.Azure\\AZR-000015", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000124" + "Name": "AZR-000015" }, "Alias": [ null 
@@ -7859,39 +8232,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use Key Vault Soft Delete", - "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.", - "Recommendation": "Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.", + "DisplayName": "Upgrade Kubernetes version", + "Synopsis": "AKS control plane and nodes pools should use a current stable release.", + "Recommendation": "Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.", "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.ASE.MigrateV3": { - "Name": "Azure.ASE.MigrateV3", + "Azure.APIM.ProductTerms": { + "Name": "Azure.APIM.ProductTerms", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000319", + "Value": "PSRule.Rules.Azure\\AZR-000050", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000319" + "Name": "AZR-000050" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Migrate to App Service Environment v3", - "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.", - "Recommendation": "Classic App Service Environments should migrate to App Service Environment v3.", - "Pillar": null, - "Control": null + "DisplayName": "Use API product legal terms", + "Synopsis": "Set legal terms for each product registered in API Management.", + "Recommendation": "Consider configuring legal terms for all products to declare acceptable use of included APIs.", + "Pillar": "Operational Excellence", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.FrontDoor.WAF.Enabled": { - "Name": "Azure.FrontDoor.WAF.Enabled", + "Azure.VNG.ERLegacySKU": { + "Name": "Azure.VNG.ERLegacySKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000115", + "Value": "PSRule.Rules.Azure\\AZR-000271", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000115" + "Name": "AZR-000271" }, "Alias": [ null 
@@ -7901,60 +8276,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Enable Front Door WAF policy", - "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.", - "Recommendation": "Consider enabling WAF policy.", - "Pillar": "Security", - "Control": null + "DisplayName": "Migrate from legacy ER gateway SKUs", + "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.", + "Recommendation": "Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.VNET.SingleDNS": { - "Name": "Azure.VNET.SingleDNS", + "Azure.KeyVault.KeyName": { + "Name": "Azure.KeyVault.KeyName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000264", + "Value": "PSRule.Rules.Azure\\AZR-000122", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000264" + "Name": "AZR-000122" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Use redundant DNS servers", - "Synopsis": "Virtual networks (VNETs) should have at least two DNS servers assigned.", - "Recommendation": "Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use valid Key Vault Key names", + "Synopsis": "Key Vault Key names should meet naming requirements.", + "Recommendation": "Consider using key names that meet Key Vault naming requirements. 
Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.Storage.SoftDelete": { - "Name": "Azure.Storage.SoftDelete", + "Azure.ServiceBus.AuditLogs": { + "Name": "Azure.ServiceBus.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000197", + "Value": "PSRule.Rules.Azure\\AZR-000358", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000197" + "Name": "AZR-000358" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Use blob soft delete", - "Synopsis": "Enable blob soft delete on Storage Accounts.", - "Recommendation": "Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Audit Service Bus data plane access", + "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.", + "Recommendation": "Consider configuring diagnostic settings to record interactions with data of the Service Bus.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1" }, - "Azure.AppService.ARRAffinity": { - "Name": "Azure.AppService.ARRAffinity", + "Azure.AppService.MinPlan": { + "Name": "Azure.AppService.MinPlan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000083", + "Value": "PSRule.Rules.Azure\\AZR-000072", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000083" + "Name": "AZR-000072" }, "Alias": [ null 
@@ -7964,60 +8342,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Disable Application Request Routing", - "Synopsis": "Disable client affinity for stateless services.", - "Recommendation": "Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.", + "DisplayName": "Use App Service production SKU", + "Synopsis": "Use at least a Standard App Service Plan.", + "Recommendation": "Consider using a standard or premium plan for hosting apps on Azure App Service.", "Pillar": "Performance Efficiency", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.Template.ParameterMetadata": { - "Name": "Azure.Template.ParameterMetadata", + "Azure.AppService.WebProbePath": { + "Name": "Azure.AppService.WebProbePath", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000215", + "Value": "PSRule.Rules.Azure\\AZR-000080", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000215" + "Name": "AZR-000080" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Use template parameter descriptions", - "Synopsis": "Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.", - "Recommendation": "Consider defining a metadata description for each template parameter.", - "Pillar": null, - "Control": null + "DisplayName": "Web apps use a dedicated health probe path", + "Synopsis": "Configure a dedicated path for health probe requests.", + "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.EventGrid.TopicPublicAccess": { - 
"Name": "Azure.EventGrid.TopicPublicAccess", + "Azure.WebPubSub.SLA": { + "Name": "Azure.WebPubSub.SLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000098", + "Value": "PSRule.Rules.Azure\\AZR-000278", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000098" + "Name": "AZR-000278" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Use Event Grid Private Endpoints", - "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.", - "Recommendation": "Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use an SLA for Web PubSub Services", + "Synopsis": "Use SKUs that include an SLA when configuring Web PubSub Services.", + "Recommendation": "Consider using a Standard SKU that includes an SLA.", + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml" }, - "Azure.PostgreSQL.FirewallIPRange": { - "Name": "Azure.PostgreSQL.FirewallIPRange", + "Azure.NSG.Associated": { + "Name": "Azure.NSG.Associated", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000151", + "Value": "PSRule.Rules.Azure\\AZR-000140", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000151" + "Name": "AZR-000140" }, "Alias": [ null 
@@ -8027,249 +8408,261 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Limit PostgreSQL server firewall rule range", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", - "Recommendation": "The PostgreSQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.", - "Pillar": null, - "Control": null + "DisplayName": "Associate NSGs or clean them up", + "Synopsis": "Network Security Groups (NSGs) should be associated to a subnet or network interface.", + "Recommendation": "Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads\nTo find orphaned NSG's run the following Azure CLI command", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.FrontDoor.ManagedIdentity": { - "Name": "Azure.FrontDoor.ManagedIdentity", + "Azure.Route.Name": { + "Name": "Azure.Route.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000396", + "Value": "PSRule.Rules.Azure\\AZR-000169", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000396" + "Name": "AZR-000169" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Managed identity", - "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.", - "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use valid Route table names", + "Synopsis": "Route table names should meet naming requirements.", + "Recommendation": "Consider using names 
that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Route.Rule.yaml" }, - "Azure.Template.ParameterValue": { - "Name": "Azure.Template.ParameterValue", + "Azure.AppGw.OWASP": { + "Name": "Azure.AppGw.OWASP", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000232", + "Value": "PSRule.Rules.Azure\\AZR-000067", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000232" + "Name": "AZR-000067" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Specify a value for each parameter", - "Synopsis": "Specify a value for each parameter in template parameter files.", - "Recommendation": "Consider defining a value for each parameter in the template parameter file.", - "Pillar": null, - "Control": null + "DisplayName": "Use OWASP 3.x rules", + "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.", + "Recommendation": "Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.Bastion.Name": { - "Name": "Azure.Bastion.Name", + "Azure.TrafficManager.Protocol": { + "Name": "Azure.TrafficManager.Protocol", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000349", + "Value": "PSRule.Rules.Azure\\AZR-000237", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000349" + "Name": "AZR-000237" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid names", - "Synopsis": "Bastion hosts should meet naming requirements.", - "Recommendation": "Consider 
using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use HTTPS to monitor web-based endpoints", + "Synopsis": "Monitor Traffic Manager web-based endpoints with HTTPS.", + "Recommendation": "Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1" }, - "Azure.AppGw.OWASP": { - "Name": "Azure.AppGw.OWASP", + "Azure.ACR.Retention": { + "Name": "Azure.ACR.Retention", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000067", + "Value": "PSRule.Rules.Azure\\AZR-000010", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000067" + "Name": "AZR-000010" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "preview", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Use OWASP 3.x rules", - "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.", - "Recommendation": "Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.", - "Pillar": "Security", - "Control": null + "DisplayName": "Configure ACR retention policies", + "Synopsis": "Use a retention policy to cleanup untagged manifests.", + "Recommendation": "Consider enabling a retention policy for untagged manifests.", + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.VNG.VPNAvailabilityZoneSKU": { - "Name": "Azure.VNG.VPNAvailabilityZoneSKU", + "Azure.VNG.VPNLegacySKU": { + "Name": "Azure.VNG.VPNLegacySKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000272", + 
"Value": "PSRule.Rules.Azure\\AZR-000269", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000272" + "Name": "AZR-000269" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use availability zone SKU for VPN gateways", - "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type.", - "Recommendation": "Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.", + "DisplayName": "Migrate from legacy VPN gateway SKUs", + "Synopsis": "Migrate from legacy SKUs to improve reliability and performance of VPN gateways.", + "Recommendation": "Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.AKS.SecretStore": { - "Name": "Azure.AKS.SecretStore", + "Azure.AppGwWAF.RuleGroups": { + "Name": "Azure.AppGwWAF.RuleGroups", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000033", + "Value": "PSRule.Rules.Azure\\AZR-000304", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000033" + "Name": "AZR-000304" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "AKS clusters use Key Vault to store secrets", - "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.", - "Recommendation": "Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.", - "Pillar": "Security", - "Control": null + "DisplayName": "Use Recommended Application Gateway WAF policy rule groups", + "Synopsis": "Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.", + 
"Recommendation": "Consider configuring Application Gateway WAF policy to use the recommended rule sets.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.ACR.Quarantine": { - "Name": "Azure.ACR.Quarantine", + "Azure.ACR.AdminUser": { + "Name": "Azure.ACR.AdminUser", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000008", + "Value": "PSRule.Rules.Azure\\AZR-000005", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000008" + "Name": "AZR-000005" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2020_12", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use container image quarantine pattern", - "Synopsis": "Enable container image quarantine, scan, and mark images as verified.", - "Recommendation": "Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.", + "DisplayName": "Disable ACR admin user", + "Synopsis": "Use Azure AD identities instead of using the registry admin user.", + "Recommendation": "Consider disabling the admin user account and only use identity-based authentication for registry operations.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.MariaDB.ServerName": { - "Name": "Azure.MariaDB.ServerName", + "Azure.Template.MetadataLink": { + "Name": "Azure.Template.MetadataLink", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000336", + "Value": "PSRule.Rules.Azure\\AZR-000231", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000336" + "Name": "AZR-000231" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Use valid server 
names", - "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.", - "Recommendation": "Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.", - "Pillar": "Operational Excellence", - "Control": null + "DisplayName": "Use parameter file metadata link", + "Synopsis": "Configure a metadata link for each parameter file.", + "Recommendation": "Consider setting metadata for each parameter file linking to the deployment template.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Defender.Storage": { - "Name": "Azure.Defender.Storage", + "Azure.RBAC.LimitMGDelegation": { + "Name": "Azure.RBAC.LimitMGDelegation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000296", + "Value": "PSRule.Rules.Azure\\AZR-000205", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000296" + "Name": "AZR-000205" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Configure Microsoft Defender for Storage to the Standard tier", - "Synopsis": "Enable Microsoft Defender for Storage.", - "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.", + "DisplayName": "Limit Management Group delegation", + "Synopsis": "Limit Role-Base Access Control (RBAC) inheritance from Management Groups.", + "Recommendation": "Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.\nAzure Blueprints can be used to rollout standard RBAC assignments to common resources. 
Additionally RBAC assignments can be deployed using Azure Resource Manager templates.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.Storage.DefenderCloud": { - "Name": "Azure.Storage.DefenderCloud", + "Azure.AKS.AutoUpgrade": { + "Name": "Azure.AKS.AutoUpgrade", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000386", + "Value": "PSRule.Rules.Azure\\AZR-000036", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000386" + "Name": "AZR-000036" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Enable Microsoft Defender", - "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.", - "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.", + "DisplayName": "Set AKS auto-upgrade channel", + "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.", + "Recommendation": "Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.ContainerApp.Name": { - "Name": "Azure.ContainerApp.Name", + "Azure.VNET.PeerState": { + "Name": "Azure.VNET.PeerState", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000360", + "Value": "PSRule.Rules.Azure\\AZR-000266", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000360" + "Name": "AZR-000266" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use valid 
container app names", - "Synopsis": "Container Apps should meet naming requirements.", - "Recommendation": "Consider using container app names thas meets naming requirements. Additionally consider naming resources with a standard naming convention.", + "DisplayName": "VNET peer is not connected", + "Synopsis": "VNET peering connections must be connected.", + "Recommendation": "Consider removing peering connections that are not longer required or complete peering connections.", "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.Monitor.ServiceHealth": { - "Name": "Azure.Monitor.ServiceHealth", + "Azure.VM.NICAttached": { + "Name": "Azure.VM.NICAttached", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000211", + "Value": "PSRule.Rules.Azure\\AZR-000257", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000211" + "Name": "AZR-000257" }, "Alias": [ null 
@@ -8279,123 +8672,129 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Alert on service events", - "Synopsis": "Configure Service Health alerts to notify administrators.", - "Recommendation": "Consider configuring an alert to notify administrators when services you are using are potentially impacted.", - "Pillar": "Security", - "Control": null + "DisplayName": "Attach NIC or clean up", + "Synopsis": "Network interfaces (NICs) should be attached.", + "Recommendation": "Consider cleaning up NICs that are not required to reduce management complexity. Also consider using Resource Groups to help manage the lifecycle of related resources together.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Automation.ManagedIdentity": { - "Name": "Azure.Automation.ManagedIdentity", + "Azure.Redis.MinTLS": { + "Name": "Azure.Redis.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000090", + "Value": "PSRule.Rules.Azure\\AZR-000164", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000090" + "Name": "AZR-000164" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Use managed identity for authentication", - "Synopsis": "Ensure Managed Identity is used for authentication.", - "Recommendation": "Consider configure a managed identity for each Automation Account.", + "DisplayName": "Redis Cache minimum TLS version", + "Synopsis": "Redis Cache should reject TLS versions older than 1.2.", + "Recommendation": "Consider configuring the minimum supported TLS version to be 1.2. 
Support for TLS 1.0/ 1.1 version will be removed.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.AKS.Version": { - "Name": "Azure.AKS.Version", + "Azure.ServiceFabric.AAD": { + "Name": "Azure.ServiceFabric.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000015", + "Value": "PSRule.Rules.Azure\\AZR-000179", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000015" + "Name": "AZR-000179" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Upgrade Kubernetes version", - "Synopsis": "AKS control plane and nodes pools should use a current stable release.", - "Recommendation": "Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use AAD authentication with Service Fabric clusters", + "Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.", + "Recommendation": "Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1" }, - "Azure.APIM.AvailabilityZone": { - "Name": "Azure.APIM.AvailabilityZone", + "Azure.ADX.ManagedIdentity": { + "Name": "Azure.ADX.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000052", + "Value": "PSRule.Rules.Azure\\AZR-000012", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000052" + "Name": "AZR-000012" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_03", "Level": "Error", 
"Method": null, - "DisplayName": "API management services should use Availability zones in supported regions", - "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.", - "Recommendation": "Consider using availability zones for API management services deployed with Premium SKU.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Use managed identities for Data Explorer clusters", + "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.", + "Recommendation": "Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.", + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml" }, - "Azure.FrontDoor.ProbePath": { - "Name": "Azure.FrontDoor.ProbePath", + "Azure.Defender.Storage": { + "Name": "Azure.Defender.Storage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000110", + "Value": "PSRule.Rules.Azure\\AZR-000296", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000110" + "Name": "AZR-000296" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Use a Dedicated Health Endpoint for Front Door backends", - "Synopsis": "Configure a dedicated path for health probe requests.", - "Recommendation": "Consider using a dedicated health probe endpoint that implements functional checks.", - "Pillar": "Reliability", - "Control": null + "DisplayName": "Configure Microsoft Defender for Storage to the Standard tier", + "Synopsis": "Enable Microsoft Defender for Storage.", + "Recommendation": "Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.", + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.APIM.CertificateExpiry": { - "Name": "Azure.APIM.CertificateExpiry", + "Azure.SQLMI.ManagedIdentity": { + "Name": "Azure.SQLMI.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000051", + "Value": "PSRule.Rules.Azure\\AZR-000367", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000051" + "Name": "AZR-000367" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "API Management uses current certificates", - "Synopsis": "Renew certificates used for custom domain bindings.", - "Recommendation": "Consider renewing certificates before expiry to prevent service issues.", + "DisplayName": "Managed identity", + "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.", + "Recommendation": "Consider configure a managed identity to allow support for Azure AD authentication.", "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml" }, - "Azure.Defender.Servers": { - "Name": "Azure.Defender.Servers", + "Azure.AppConfig.AuditLogs": { + "Name": "Azure.AppConfig.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000293", + "Value": "PSRule.Rules.Azure\\AZR-000311", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000293" + "Name": "AZR-000311" }, "Alias": [ null 
@@ -8405,18 +8804,19 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Configure Microsoft Defender for Servers to the Standard tier and P2", - "Synopsis": "Enable Microsoft Defender for Servers.", - "Recommendation": "Consider using Microsoft Defender for Servers P2 to protect your virtual machines.", - "Pillar": "Security", - "Control": null + "DisplayName": "Audit App Configuration Store", + "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.", + "Recommendation": "Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.", + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1" }, - "Azure.MySQL.UseFlexible": { - "Name": "Azure.MySQL.UseFlexible", + "Azure.AppConfig.PurgeProtect": { + "Name": "Azure.AppConfig.PurgeProtect", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000325", + "Value": "PSRule.Rules.Azure\\AZR-000313", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000325" + "Name": "AZR-000313" }, "Alias": [ null @@ -8424,12 +8824,13 @@ "Flags": 0, "Release": "GA", "RuleSet": "2022_12", - "Level": "Warning", + "Level": "Error", "Method": null, - "DisplayName": "Use Azure Database for MySQL Flexible Server", - "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.", - "Recommendation": "Migrate to Azure Database for MySQL Flexible Server deployment model.", + "DisplayName": "Purge Protect App Configuration Stores", + "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.", + "Recommendation": "Consider enabling purge protection for app configuration stores.", "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1" } } 
    diff --git a/es/rules/Azure.ACR.AdminUser/index.html b/es/rules/Azure.ACR.AdminUser/index.html
index 8c9fa1e993..7e52d5a477 100644
--- a/es/rules/Azure.ACR.AdminUser/index.html
+++ b/es/rules/Azure.ACR.AdminUser/index.html
@@ -12163,6 +12163,7 @@

    Deshabilitar el usuario a

    Seguridad · Container Registry + · Rule · 2020_06

    Sinopsis#

    Usar identidades de Azure AD en lugar de usar el usuario administrador del registro.

    diff --git a/es/rules/Azure.ACR.ContainerScan/index.html b/es/rules/Azure.ACR.ContainerScan/index.html
index 3329b6b65a..512d32ff37 100644
--- a/es/rules/Azure.ACR.ContainerScan/index.html
+++ b/es/rules/Azure.ACR.ContainerScan/index.html
@@ -12177,6 +12177,7 @@

    Examen de imágenes del registroAzure.ACR.ContainerScanAZR-000002Error

    Seguridad · Container Registry + · Rule · 2020_12

    Sinopsis#

    Habilite el análisis de vulnerabilidades para imágenes de contenedores.

    diff --git a/es/rules/Azure.ACR.ContentTrust/index.html b/es/rules/Azure.ACR.ContentTrust/index.html
index 3d61686104..a695becf05 100644
--- a/es/rules/Azure.ACR.ContentTrust/index.html
+++ b/es/rules/Azure.ACR.ContentTrust/index.html
@@ -12135,6 +12135,7 @@

    Utilica imágenes de cont

    Seguridad · Container Registry + · Rule · 2020_12

    Sinopsis#

    Utilica imágenes de contenedores firmadas por un publicador de imágenes de confianza.
diff --git a/es/rules/Azure.ACR.GeoReplica/index.html b/es/rules/Azure.ACR.GeoReplica/index.html
index bb5fa25414..75e2932833 100644
--- a/es/rules/Azure.ACR.GeoReplica/index.html
+++ b/es/rules/Azure.ACR.GeoReplica/index.html
@@ -12149,6 +12149,7 @@

    Geo-replicar imágenes de contene

    Confiabilidad · Container Registry + · Rule · 2020_12

    Sinopsis#

    Utilice registros de contenedores replicados geográficamente para complementar las implementaciones de contenedores en varias regiones.

    diff --git a/es/rules/Azure.ACR.ImageHealth/index.html b/es/rules/Azure.ACR.ImageHealth/index.html
index 0ff7623167..5f7aa1f4a5 100644
--- a/es/rules/Azure.ACR.ImageHealth/index.html
+++ b/es/rules/Azure.ACR.ImageHealth/index.html
@@ -12095,6 +12095,7 @@

    Eliminar imágenes de con

    Seguridad · Container Registry + · Rule · 2020_12

    Sinopsis#

    Eliminar imágenes de contenedores con vulnerabilidades conocidas.

    diff --git a/es/rules/Azure.ACR.MinSku/index.html b/es/rules/Azure.ACR.MinSku/index.html
index 98db919e3a..1795d84c29 100644
--- a/es/rules/Azure.ACR.MinSku/index.html
+++ b/es/rules/Azure.ACR.MinSku/index.html
@@ -12135,6 +12135,7 @@

    Utilice el SKU de producción de AC

    Confiabilidad · Container Registry + · Rule · 2020_06

    Sinopsis#

    ACR debe usar el SKU Premium o Estándar para las implementaciones de producción.

    diff --git a/es/rules/Azure.ACR.Name/index.html b/es/rules/Azure.ACR.Name/index.html
index 073c4ccc97..7dee7304a2 100644
--- a/es/rules/Azure.ACR.Name/index.html
+++ b/es/rules/Azure.ACR.Name/index.html
@@ -12149,6 +12149,7 @@

    Utilice nombres de registro válido

    Excelencia operativa · Container Registry + · Rule · 2020_06

    Sinopsis#

    Los nombres de registro de contenedores deben cumplir con los requisitos de denominación.

    diff --git a/es/rules/Azure.ACR.Quarantine/index.html b/es/rules/Azure.ACR.Quarantine/index.html
index 1ef02dbb93..c1e8637d1f 100644
--- a/es/rules/Azure.ACR.Quarantine/index.html
+++ b/es/rules/Azure.ACR.Quarantine/index.html
@@ -12149,6 +12149,7 @@

    Utilice patrón de

    Seguridad · Container Registry + · Rule · Preview · 2020_12

    Sinopsis#

    diff --git a/es/rules/Azure.ACR.Retention/index.html b/es/rules/Azure.ACR.Retention/index.html
index 763cdba32e..a68faba3f9 100644
--- a/es/rules/Azure.ACR.Retention/index.html
+++ b/es/rules/Azure.ACR.Retention/index.html
@@ -12149,6 +12149,7 @@

    Configurar directiva de retenc

    Optimización de costos · Container Registry + · Rule · Preview · 2020_12

    Sinopsis#

    diff --git a/es/rules/Azure.ACR.Usage/index.html b/es/rules/Azure.ACR.Usage/index.html
index 31d8a4057b..072330a37d 100644
--- a/es/rules/Azure.ACR.Usage/index.html
+++ b/es/rules/Azure.ACR.Usage/index.html
@@ -12095,6 +12095,7 @@

    Uso del almacenamie

    Optimización de costos · Container Registry + · Rule · 2020_12

    Sinopsis#

    Elimine periódicamente las imágenes obsoletas e innecesarias para reducir el uso del almacenamiento.

    diff --git a/es/rules/metadata.json b/es/rules/metadata.json
index 5a9a0f35b1..57f34d5161 100644
--- a/es/rules/metadata.json
+++ b/es/rules/metadata.json
@@ -1,325 +1,322 @@ { - "Azure.FrontDoorWAF.RuleGroups": { - "Name": "Azure.FrontDoorWAF.RuleGroups", + "Azure.MariaDB.UseSSL": { + "Name": "Azure.MariaDB.UseSSL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000308", + "Value": "PSRule.Rules.Azure\\AZR-000334", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000308" + "Name": "AZR-000334" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoorWAF.RuleGroups", - "Synopsis": "FrontDoor WAF should have at least 2 Rule Groups. One for OWASP and one for Microsoft_BotManagerRuleSet.", + "DisplayName": "Azure.MariaDB.UseSSL", + "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.VM.AMA": { - "Name": "Azure.VM.AMA", + "Azure.VM.PPGName": { + "Name": "Azure.VM.PPGName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000345", + "Value": "PSRule.Rules.Azure\\AZR-000260", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000345" + "Name": "AZR-000260" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.AMA", - "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", + "DisplayName": "Azure.VM.PPGName", + "Synopsis": "Use Proximity Placement Groups naming requirements", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.RBAC.UseRGDelegation": { - "Name": "Azure.RBAC.UseRGDelegation", + "Azure.Automation.PlatformLogs": { + "Name": "Azure.Automation.PlatformLogs", "Ref": { - "Value": 
"PSRule.Rules.Azure\\AZR-000207", + "Value": "PSRule.Rules.Azure\\AZR-000089", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000207" + "Name": "AZR-000089" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", - "Level": "Error", - "Method": null, - "DisplayName": "Azure.RBAC.UseRGDelegation", - "Synopsis": "Use RBAC assignments on resource groups instead of individual resources", - "Recommendation": null, - "Pillar": "Security", - "Control": null - }, - "Azure.ACR.Retention": { - "Name": "Azure.ACR.Retention", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000010", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000010" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "preview", - "RuleSet": "2020_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.Retention", - "Synopsis": "Use a retention policy to cleanup untagged manifests.", + "DisplayName": "Azure.Automation.PlatformLogs", + "Synopsis": "Ensure automation account platform diagnostic logs are enabled.", "Recommendation": null, - "Pillar": "Cost Optimization", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.AppGw.UseWAF": { - "Name": "Azure.AppGw.UseWAF", + "Azure.VNET.FirewallSubnet": { + "Name": "Azure.VNET.FirewallSubnet", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000063", + "Value": "PSRule.Rules.Azure\\AZR-000322", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000063" + "Name": "AZR-000322" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.UseWAF", - "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.", + "DisplayName": "Azure.VNET.FirewallSubnet", + "Synopsis": "Use Azure Firewall to filter network traffic to and from Azure resources.", 
"Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.EventHub.Usage": { - "Name": "Azure.EventHub.Usage", + "Azure.SQLMI.Name": { + "Name": "Azure.SQLMI.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000101", + "Value": "PSRule.Rules.Azure\\AZR-000194", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000101" + "Name": "AZR-000194" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.EventHub.Usage", - "Synopsis": "Regularly remove unused resources to reduce costs.", + "DisplayName": "Azure.SQLMI.Name", + "Synopsis": "SQL Managed Instance names should meet naming requirements.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1" }, - "Azure.AppService.WebSecureFtp": { - "Name": "Azure.AppService.WebSecureFtp", + "Azure.AKS.MinNodeCount": { + "Name": "Azure.AKS.MinNodeCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000081", + "Value": "PSRule.Rules.Azure\\AZR-000024", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000081" + "Name": "AZR-000024" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.WebSecureFtp", - "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.", + "DisplayName": "Azure.AKS.MinNodeCount", + "Synopsis": "AKS clusters should have minimum number of nodes for failover and updates", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.Template.DefineParameters": { - "Name": "Azure.Template.DefineParameters", + "Azure.VNET.BastionSubnet": { + "Name": "Azure.VNET.BastionSubnet", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000218", + "Value": "PSRule.Rules.Azure\\AZR-000314", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000218" + "Name": "AZR-000314" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.DefineParameters", - "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.", + "DisplayName": "Azure.VNET.BastionSubnet", + "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.VM.BasicSku": { - "Name": "Azure.VM.BasicSku", + "Azure.Defender.Api": { + "Name": "Azure.Defender.Api", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000241", + "Value": "PSRule.Rules.Azure\\AZR-000377", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000241" + "Name": "AZR-000377" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.BasicSku", - "Synopsis": "Virtual machines (VMs) should not use Basic sizes.", + "DisplayName": "Azure.Defender.Api", + "Synopsis": "Enable Microsoft Defender for APIs.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Storage.ContainerSoftDelete": { - "Name": "Azure.Storage.ContainerSoftDelete", + "Azure.DefenderCloud.Provisioning": { + "Name": "Azure.DefenderCloud.Provisioning", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000289", + "Value": "PSRule.Rules.Azure\\AZR-000210", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000289" + "Name": "AZR-000210" }, "Alias": [ - null + { + "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Provisioning", + "Scope": "PSRule.Rules.Azure", + "Name": "Azure.SecurityCenter.Provisioning" + } ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.ContainerSoftDelete", - "Synopsis": "Enable container soft delete on Storage Accounts.", + "DisplayName": "Azure.DefenderCloud.Provisioning", + "Synopsis": "Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.ContainerApp.Insecure": { - "Name": "Azure.ContainerApp.Insecure", + "Azure.APIM.Protocols": { + "Name": "Azure.APIM.Protocols", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000094", + "Value": "PSRule.Rules.Azure\\AZR-000054", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000094" + "Name": "AZR-000054" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.Insecure", - "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.", + "DisplayName": "Azure.APIM.Protocols", + "Synopsis": "API Management should only accept a minimum of TLS 1.2.", "Recommendation": null, "Pillar": 
"Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.Policy.ExemptionDescriptors": { - "Name": "Azure.Policy.ExemptionDescriptors", + "Azure.APIM.ProductSubscription": { + "Name": "Azure.APIM.ProductSubscription", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000145", + "Value": "PSRule.Rules.Azure\\AZR-000046", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000145" + "Name": "AZR-000046" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Policy.ExemptionDescriptors", - "Synopsis": "Policy exemptions require a display name, and description.", + "DisplayName": "Azure.APIM.ProductSubscription", + "Synopsis": "Require subscription for products", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.TemplateSchema": { - "Name": "Azure.Template.TemplateSchema", + "Azure.MySQL.ServerName": { + "Name": "Azure.MySQL.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000213", + "Value": "PSRule.Rules.Azure\\AZR-000136", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000213" + "Name": "AZR-000136" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.TemplateSchema", - "Synopsis": "Use a more recent version of the Azure template schema.", + "DisplayName": "Azure.MySQL.ServerName", + "Synopsis": "Azure SQL logical server names should meet naming requirements.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.DataFactory.Version": { - "Name": "Azure.DataFactory.Version", + "Azure.APIM.DefenderCloud": { + "Name": "Azure.APIM.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000097", + "Value": "PSRule.Rules.Azure\\AZR-000387", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000097" + "Name": "AZR-000387" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.DataFactory.Version", - "Synopsis": "Consider migrating to DataFactory v2.", + "DisplayName": "Azure.APIM.DefenderCloud", + "Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.AKS.AuthorizedIPs": { - "Name": "Azure.AKS.AuthorizedIPs", + "Azure.AppService.AlwaysOn": { + "Name": "Azure.AppService.AlwaysOn", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000030", + "Value": "PSRule.Rules.Azure\\AZR-000077", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000030" + "Name": "AZR-000077" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AuthorizedIPs", - "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.", + "DisplayName": "Azure.AppService.AlwaysOn", + "Synopsis": "Configure Always On for App Service apps.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.PublicIP.IsAttached": { - "Name": "Azure.PublicIP.IsAttached", + "Azure.LB.Name": { + "Name": "Azure.LB.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000154", + "Value": "PSRule.Rules.Azure\\AZR-000129", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000154" + "Name": "AZR-000129" }, "Alias": [ null 
@@ -329,39 +326,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.PublicIP.IsAttached", - "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.", + "DisplayName": "Azure.LB.Name", + "Synopsis": "Application Security Group (ASG) names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.yaml" }, - "Azure.Search.IndexSLA": { - "Name": "Azure.Search.IndexSLA", + "Azure.Template.ParameterDataTypes": { + "Name": "Azure.Template.ParameterDataTypes", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000174", + "Value": "PSRule.Rules.Azure\\AZR-000226", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000174" + "Name": "AZR-000226" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Search.IndexSLA", - "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.", + "DisplayName": "Azure.Template.ParameterDataTypes", + "Synopsis": "Set the parameter default value to a value of the same type.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.ACR.GeoReplica": { - "Name": "Azure.ACR.GeoReplica", + "Azure.ACR.ContainerScan": { + "Name": "Azure.ACR.ContainerScan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000004", + "Value": "PSRule.Rules.Azure\\AZR-000002", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000004" + "Name": "AZR-000002" }, "Alias": [ null 
@@ -371,18 +370,19 @@ "RuleSet": "2020_12", "Level": "Error", "Method": "in-flight", - "DisplayName": "Azure.ACR.GeoReplica", - "Synopsis": "Consider geo-replicating container images.", + "DisplayName": "Azure.ACR.ContainerScan", + "Synopsis": "Consider enabling vulnerability scanning for container images.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.Policy.Descriptors": { - "Name": "Azure.Policy.Descriptors", + "Azure.AppGw.WAFRules": { + "Name": "Azure.AppGw.WAFRules", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000142", + "Value": "PSRule.Rules.Azure\\AZR-000068", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000142" + "Name": "AZR-000068" }, "Alias": [ null 
@@ -392,249 +392,261 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Policy.Descriptors", - "Synopsis": "Policy and initiative definitions require a display name, description, and category.", + "DisplayName": "Azure.AppGw.WAFRules", + "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.VM.MaintenanceConfig": { - "Name": "Azure.VM.MaintenanceConfig", + "Azure.Storage.UseReplication": { + "Name": "Azure.Storage.UseReplication", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000375", + "Value": "PSRule.Rules.Azure\\AZR-000195", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000375" + "Name": "AZR-000195" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.MaintenanceConfig", - "Synopsis": "Use a maintenance configuration for virtual machines. 
", + "DisplayName": "Azure.Storage.UseReplication", + "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.ResourceGroup.Name": { - "Name": "Azure.ResourceGroup.Name", + "Azure.MariaDB.GeoRedundantBackup": { + "Name": "Azure.MariaDB.GeoRedundantBackup", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000168", + "Value": "PSRule.Rules.Azure\\AZR-000329", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000168" + "Name": "AZR-000329" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ResourceGroup.Name", - "Synopsis": "Use Resource Group naming requirements", + "DisplayName": "Azure.MariaDB.GeoRedundantBackup", + "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.yaml" }, - "Azure.Arc.Kubernetes.Defender": { - "Name": "Azure.Arc.Kubernetes.Defender", + "Azure.AKS.ContainerInsights": { + "Name": "Azure.AKS.ContainerInsights", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000373", + "Value": "PSRule.Rules.Azure\\AZR-000041", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000373" + "Name": "AZR-000041" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Arc.Kubernetes.Defender", - "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.", + "DisplayName": 
"Azure.AKS.ContainerInsights", + "Synopsis": "Enable Container insights to monitor AKS cluster workloads.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.MigrateAMA": { - "Name": "Azure.VM.MigrateAMA", + "Azure.EventGrid.ManagedIdentity": { + "Name": "Azure.EventGrid.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000317", + "Value": "PSRule.Rules.Azure\\AZR-000099", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000317" + "Name": "AZR-000099" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.MigrateAMA", - "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", + "DisplayName": "Azure.EventGrid.ManagedIdentity", + "Synopsis": "Use managed identities to deliver Event Grid Topic events.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml" }, - "Azure.Defender.AppServices": { - "Name": "Azure.Defender.AppServices", + "Azure.FrontDoor.ProbePath": { + "Name": "Azure.FrontDoor.ProbePath", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000295", + "Value": "PSRule.Rules.Azure\\AZR-000110", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000295" + "Name": "AZR-000110" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.AppServices", - "Synopsis": "Consider enabling Defender for App Service", + "DisplayName": "Azure.FrontDoor.ProbePath", + "Synopsis": "Configure a dedicated path for health probe requests.", "Recommendation": null, - "Pillar": 
"Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.Defender.CosmosDb": { - "Name": "Azure.Defender.CosmosDb", + "Azure.VNET.SubnetName": { + "Name": "Azure.VNET.SubnetName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000379", + "Value": "PSRule.Rules.Azure\\AZR-000267", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000379" + "Name": "AZR-000267" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.CosmosDb", - "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", + "DisplayName": "Azure.VNET.SubnetName", + "Synopsis": "Subnet names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.PostgreSQL.MinTLS": { - "Name": "Azure.PostgreSQL.MinTLS", + "Azure.Cosmos.AccountName": { + "Name": "Azure.Cosmos.AccountName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000148", + "Value": "PSRule.Rules.Azure\\AZR-000096", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000148" + "Name": "AZR-000096" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.MinTLS", - "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.", + "DisplayName": "Azure.Cosmos.AccountName", + "Synopsis": "Cosmos DB account names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml" }, - "Azure.MariaDB.MinTLS": { - "Name": "Azure.MariaDB.MinTLS", + "Azure.Template.ValidSecretRef": { + "Name": "Azure.Template.ValidSecretRef", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000335", + "Value": "PSRule.Rules.Azure\\AZR-000233", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000335" + "Name": "AZR-000233" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.MinTLS", - "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.", + "DisplayName": "Azure.Template.ValidSecretRef", + "Synopsis": "Use a valid secret reference within parameter files.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Redis.MinTLS": { - "Name": "Azure.Redis.MinTLS", + "Azure.SQL.DBName": { + "Name": "Azure.SQL.DBName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000164", + "Value": "PSRule.Rules.Azure\\AZR-000192", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000164" + "Name": "AZR-000192" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.MinTLS", - "Synopsis": "Redis Cache should reject TLS versions older than 1.2.", + "DisplayName": "Azure.SQL.DBName", + "Synopsis": "Azure SQL Database names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.Deployment.OutputSecretValue": { - "Name": 
"Azure.Deployment.OutputSecretValue", + "Azure.AppGw.WAFEnabled": { + "Name": "Azure.AppGw.WAFEnabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000279", + "Value": "PSRule.Rules.Azure\\AZR-000066", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000279" + "Name": "AZR-000066" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Deployment.OutputSecretValue", - "Synopsis": "Avoid outputting sensitive deployment values.", + "DisplayName": "Azure.AppGw.WAFEnabled", + "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.AppConfig.DisableLocalAuth": { - "Name": "Azure.AppConfig.DisableLocalAuth", + "Azure.Redis.MinSKU": { + "Name": "Azure.Redis.MinSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000291", + "Value": "PSRule.Rules.Azure\\AZR-000159", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000291" + "Name": "AZR-000159" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppConfig.DisableLocalAuth", - "Synopsis": "Use identity-based authentication for App Configuration.", + "DisplayName": "Azure.Redis.MinSKU", + "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.CDN.HTTP": { - "Name": "Azure.CDN.HTTP", + "Azure.VM.AcceleratedNetworking": { + "Name": "Azure.VM.AcceleratedNetworking", "Ref": { - "Value": 
"PSRule.Rules.Azure\\AZR-000093", + "Value": "PSRule.Rules.Azure\\AZR-000244", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000093" + "Name": "AZR-000244" }, "Alias": [ null 
@@ -644,102 +656,107 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.CDN.HTTP", - "Synopsis": "Enforce HTTPS for client connections.", + "DisplayName": "Azure.VM.AcceleratedNetworking", + "Synopsis": "Use accelerated networking for supported operating systems and VM types.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.LogicApp.LimitHTTPTrigger": { - "Name": "Azure.LogicApp.LimitHTTPTrigger", + "Azure.PublicIP.IsAttached": { + "Name": "Azure.PublicIP.IsAttached", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000130", + "Value": "PSRule.Rules.Azure\\AZR-000154", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000130" + "Name": "AZR-000154" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.LogicApp.LimitHTTPTrigger", - "Synopsis": "Access IPs should be limited for HTTP triggers", + "DisplayName": "Azure.PublicIP.IsAttached", + "Synopsis": "Public IP addresses should be attached or cleaned up if not in use.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.KeyVault.Firewall": { - "Name": "Azure.KeyVault.Firewall", + "Azure.AKS.LocalAccounts": { + "Name": "Azure.AKS.LocalAccounts", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000355", + "Value": "PSRule.Rules.Azure\\AZR-000031", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000355" + "Name": "AZR-000031" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2023_03", + "Release": "preview", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.Firewall", - "Synopsis": 
"KeyVaults should only accept explicitly allowed traffic.", + "DisplayName": "Azure.AKS.LocalAccounts", + "Synopsis": "Enforce named user accounts with RBAC assigned permissions.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.AKS.Name": { - "Name": "Azure.AKS.Name", + "Azure.Cosmos.DefenderCloud": { + "Name": "Azure.Cosmos.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000039", + "Value": "PSRule.Rules.Azure\\AZR-000382", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000039" + "Name": "AZR-000382" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.Name", - "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.", + "DisplayName": "Azure.Cosmos.DefenderCloud", + "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1" }, - "Azure.FrontDoorWAF.Exclusions": { - "Name": "Azure.FrontDoorWAF.Exclusions", + "Azure.Storage.SecureTransfer": { + "Name": "Azure.Storage.SecureTransfer", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000307", + "Value": "PSRule.Rules.Azure\\AZR-000196", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000307" + "Name": "AZR-000196" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoorWAF.Exclusions", - "Synopsis": "FrontDoor WAF should have no exclusions.", + "DisplayName": "Azure.Storage.SecureTransfer", + "Synopsis": "Storage accounts should only accept encrypted 
connections.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, - "Azure.Deployment.AdminUsername": { - "Name": "Azure.Deployment.AdminUsername", + "Azure.AppConfig.DisableLocalAuth": { + "Name": "Azure.AppConfig.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000284", + "Value": "PSRule.Rules.Azure\\AZR-000291", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000284" + "Name": "AZR-000291" }, "Alias": [ null 
@@ -749,144 +766,151 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Deployment.AdminUsername", - "Synopsis": "Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string)", + "DisplayName": "Azure.AppConfig.DisableLocalAuth", + "Synopsis": "Use identity-based authentication for App Configuration.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml" }, - "Azure.VM.ASName": { - "Name": "Azure.VM.ASName", + "Azure.MariaDB.MinTLS": { + "Name": "Azure.MariaDB.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000256", + "Value": "PSRule.Rules.Azure\\AZR-000335", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000256" + "Name": "AZR-000335" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.ASName", - "Synopsis": "Use Availability Set naming requirements", + "DisplayName": "Azure.MariaDB.MinTLS", + "Synopsis": "Azure Database for MariaDB servers should reject TLS versions older than 1.2.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Storage.UseReplication": { - "Name": "Azure.Storage.UseReplication", + "Azure.APIM.MultiRegionGateway": { + "Name": "Azure.APIM.MultiRegionGateway", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000195", + "Value": "PSRule.Rules.Azure\\AZR-000341", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000195" + "Name": "AZR-000341" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": 
"Azure.Storage.UseReplication", - "Synopsis": "Storage Accounts not using geo-replicated storage (GRS) may be at risk.", + "DisplayName": "Azure.APIM.MultiRegionGateway", + "Synopsis": "API Management instances should have multi-region deployment gateways enabled.", "Recommendation": null, "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.SignalR.ManagedIdentity": { - "Name": "Azure.SignalR.ManagedIdentity", + "Azure.AppService.WebSecureFtp": { + "Name": "Azure.AppService.WebSecureFtp", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000181", + "Value": "PSRule.Rules.Azure\\AZR-000081", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000181" + "Name": "AZR-000081" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SignalR.ManagedIdentity", - "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.", + "DisplayName": "Azure.AppService.WebSecureFtp", + "Synopsis": "Web apps should disable insecure FTP and configure SFTP when required.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.Firewall.PolicyName": { - "Name": "Azure.Firewall.PolicyName", + "Azure.Defender.AppServices": { + "Name": "Azure.Defender.AppServices", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000104", + "Value": "PSRule.Rules.Azure\\AZR-000295", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000104" + "Name": "AZR-000295" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Firewall.PolicyName", - "Synopsis": "Firewall policy names should meet 
naming requirements.", + "DisplayName": "Azure.Defender.AppServices", + "Synopsis": "Consider enabling Defender for App Service", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.APIM.MultiRegionGateway": { - "Name": "Azure.APIM.MultiRegionGateway", + "Azure.KeyVault.SoftDelete": { + "Name": "Azure.KeyVault.SoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000341", + "Value": "PSRule.Rules.Azure\\AZR-000124", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000341" + "Name": "AZR-000124" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.MultiRegionGateway", - "Synopsis": "API Management instances should have multi-region deployment gateways enabled.", + "DisplayName": "Azure.KeyVault.SoftDelete", + "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.", "Recommendation": null, "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml" }, - "Azure.Template.DebugDeployment": { - "Name": "Azure.Template.DebugDeployment", + "Azure.VNG.Name": { + "Name": "Azure.VNG.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000225", + "Value": "PSRule.Rules.Azure\\AZR-000274", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000225" + "Name": "AZR-000274" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.DebugDeployment", - "Synopsis": "Use default deployment detail level for nested deployments.", + "DisplayName": "Azure.VNG.Name", + "Synopsis": "Virtual Network Gateway 
(VNG) names should meet naming requirements.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml" }, - "Azure.MariaDB.FirewallIPRange": { - "Name": "Azure.MariaDB.FirewallIPRange", + "Azure.Redis.Version": { + "Name": "Azure.Redis.Version", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000344", + "Value": "PSRule.Rules.Azure\\AZR-000347", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000344" + "Name": "AZR-000347" }, "Alias": [ null @@ -896,18 +920,19 @@ "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.FirewallIPRange", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", + "DisplayName": "Azure.Redis.Version", + "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.VM.ComputerName": { - "Name": "Azure.VM.ComputerName", + "Azure.APIM.SampleProducts": { + "Name": "Azure.APIM.SampleProducts", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000249", + "Value": "PSRule.Rules.Azure\\AZR-000048", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000249" + "Name": "AZR-000048" }, "Alias": [ null 
@@ -917,39 +942,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.ComputerName", - "Synopsis": "Use VM naming requirements", + "DisplayName": "Azure.APIM.SampleProducts", + "Synopsis": "Remove sample products", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Storage.MinTLS": { - "Name": "Azure.Storage.MinTLS", + "Azure.KeyVault.Firewall": { + "Name": "Azure.KeyVault.Firewall", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000200", + "Value": "PSRule.Rules.Azure\\AZR-000355", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000200" + "Name": "AZR-000355" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.MinTLS", - "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.", + "DisplayName": "Azure.KeyVault.Firewall", + "Synopsis": "KeyVaults should only accept explicitly allowed traffic.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.VM.ASMinMembers": { - "Name": "Azure.VM.ASMinMembers", + "Azure.PostgreSQL.FirewallRuleCount": { + "Name": "Azure.PostgreSQL.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000255", + "Value": "PSRule.Rules.Azure\\AZR-000149", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000255" + "Name": "AZR-000149" }, "Alias": [ null 
@@ -959,39 +986,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.ASMinMembers", - "Synopsis": "Availability sets should be deployed with at least two members", + "DisplayName": "Azure.PostgreSQL.FirewallRuleCount", + "Synopsis": "Determine if there is an excessive number of firewall rules", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.ACR.ContainerScan": { - "Name": "Azure.ACR.ContainerScan", + "Azure.RBAC.PIM": { + "Name": "Azure.RBAC.PIM", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000002", + "Value": "PSRule.Rules.Azure\\AZR-000208", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000002" + "Name": "AZR-000208" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_09", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Azure.ACR.ContainerScan", - "Synopsis": "Consider enabling vulnerability scanning for container images.", + "Method": null, + "DisplayName": "Azure.RBAC.PIM", + "Synopsis": "Use JiT role activation with PIM", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.Template.ParameterDataTypes": { - "Name": "Azure.Template.ParameterDataTypes", + "Azure.KeyVault.SecretName": { + "Name": "Azure.KeyVault.SecretName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000226", + "Value": "PSRule.Rules.Azure\\AZR-000121", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000226" + "Name": "AZR-000121" }, "Alias": [ null 
@@ -1001,102 +1030,85 @@ "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ParameterDataTypes", - "Synopsis": "Set the parameter default value to a value of the same type.", + "DisplayName": "Azure.KeyVault.SecretName", + "Synopsis": "Key Vault Secret names should meet naming requirements.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.Template.ParameterScheme": { - "Name": "Azure.Template.ParameterScheme", + "Azure.LogicApp.LimitHTTPTrigger": { + "Name": "Azure.LogicApp.LimitHTTPTrigger", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000230", + "Value": "PSRule.Rules.Azure\\AZR-000130", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000230" + "Name": "AZR-000130" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ParameterScheme", - "Synopsis": "Use a Azure template parameter schema with the https scheme.", + "DisplayName": "Azure.LogicApp.LimitHTTPTrigger", + "Synopsis": "Access IPs should be limited for HTTP triggers", "Recommendation": null, "Pillar": null, - "Control": null - }, - "Azure.Storage.BlobPublicAccess": { - "Name": "Azure.Storage.BlobPublicAccess", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000198", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000198" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2020_09", - "Level": "Error", - "Method": null, - "DisplayName": "Azure.Storage.BlobPublicAccess", - "Synopsis": "Disallow blob containers with public access types.", - "Recommendation": null, - "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1" }, - "Azure.Search.QuerySLA": { - 
"Name": "Azure.Search.QuerySLA", + "Azure.RSV.StorageType": { + "Name": "Azure.RSV.StorageType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000173", + "Value": "PSRule.Rules.Azure\\AZR-000170", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000173" + "Name": "AZR-000170" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Search.QuerySLA", - "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.", + "DisplayName": "Azure.RSV.StorageType", + "Synopsis": "Recovery Services Vault (RSV) not using geo-replicated storage (GRS) may be at risk.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1" }, - "Azure.MySQL.FirewallRuleCount": { - "Name": "Azure.MySQL.FirewallRuleCount", + "Azure.MariaDB.FirewallIPRange": { + "Name": "Azure.MariaDB.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000133", + "Value": "PSRule.Rules.Azure\\AZR-000344", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000133" + "Name": "AZR-000344" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.FirewallRuleCount", - "Synopsis": "Determine if there is an excessive number of firewall rules", + "DisplayName": "Azure.MariaDB.FirewallIPRange", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.AKS.NodeMinPods": { - "Name": "Azure.AKS.NodeMinPods", + "Azure.AppGw.MinInstance": { + "Name": "Azure.AppGw.MinInstance", "Ref": { - 
"Value": "PSRule.Rules.Azure\\AZR-000018", + "Value": "PSRule.Rules.Azure\\AZR-000061", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000018" + "Name": "AZR-000061" }, "Alias": [ null 
@@ -1106,207 +1118,217 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.NodeMinPods", - "Synopsis": "AKS nodes should use a minimum number of pods", + "DisplayName": "Azure.AppGw.MinInstance", + "Synopsis": "Application Gateways should use a minimum of two instances.", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.Cosmos.AccountName": { - "Name": "Azure.Cosmos.AccountName", + "Azure.PublicIP.Name": { + "Name": "Azure.PublicIP.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000096", + "Value": "PSRule.Rules.Azure\\AZR-000155", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000096" + "Name": "AZR-000155" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cosmos.AccountName", - "Synopsis": "Cosmos DB account names should meet naming requirements.", + "DisplayName": "Azure.PublicIP.Name", + "Synopsis": "Use public IP address naming requirements", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.MariaDB.DefenderCloud": { - "Name": "Azure.MariaDB.DefenderCloud", + "Azure.Policy.ExemptionDescriptors": { + "Name": "Azure.Policy.ExemptionDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000330", + "Value": "PSRule.Rules.Azure\\AZR-000145", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000330" + "Name": "AZR-000145" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.DefenderCloud", - "Synopsis": "Enable 
Microsoft Defender for Cloud for Azure Database for MariaDB.", + "DisplayName": "Azure.Policy.ExemptionDescriptors", + "Synopsis": "Policy exemptions require a display name, and description.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.Template.UseParameters": { - "Name": "Azure.Template.UseParameters", + "Azure.AKS.AutoScaling": { + "Name": "Azure.AKS.AutoScaling", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000217", + "Value": "PSRule.Rules.Azure\\AZR-000019", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000217" + "Name": "AZR-000019" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.UseParameters", - "Synopsis": "ARM template parameters should be used at least once.", + "DisplayName": "Azure.AKS.AutoScaling", + "Synopsis": "Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AppService.MinTLS": { - "Name": "Azure.AppService.MinTLS", + "Azure.FrontDoor.ManagedIdentity": { + "Name": "Azure.FrontDoor.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000073", + "Value": "PSRule.Rules.Azure\\AZR-000396", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000073" + "Name": "AZR-000396" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.MinTLS", - "Synopsis": "App Service should reject TLS versions older than 1.2.", + "DisplayName": 
"Azure.FrontDoor.ManagedIdentity", + "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.RBAC.PIM": { - "Name": "Azure.RBAC.PIM", + "Azure.MySQL.UseSSL": { + "Name": "Azure.MySQL.UseSSL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000208", + "Value": "PSRule.Rules.Azure\\AZR-000131", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000208" + "Name": "AZR-000131" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.RBAC.PIM", - "Synopsis": "Use JiT role activation with PIM", + "DisplayName": "Azure.MySQL.UseSSL", + "Synopsis": "Enforce encrypted MySQL connections.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml" }, - "Azure.AppGw.Prevention": { - "Name": "Azure.AppGw.Prevention", + "Azure.Template.UseLocationParameter": { + "Name": "Azure.Template.UseLocationParameter", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000065", + "Value": "PSRule.Rules.Azure\\AZR-000223", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000065" + "Name": "AZR-000223" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", - "Level": "Error", + "RuleSet": "2021_03", + "Level": "Warning", "Method": null, - "DisplayName": "Azure.AppGw.Prevention", - "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend resources.", + "DisplayName": "Azure.Template.UseLocationParameter", + "Synopsis": "Template should reference a location parameter to specify resource location.", "Recommendation": null, - "Pillar": "Security", - "Control": 
null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.VNG.ERAvailabilityZoneSKU": { - "Name": "Azure.VNG.ERAvailabilityZoneSKU", + "Azure.AppGwWAF.Exclusions": { + "Name": "Azure.AppGwWAF.Exclusions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000273", + "Value": "PSRule.Rules.Azure\\AZR-000303", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000273" + "Name": "AZR-000303" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.ERAvailabilityZoneSKU", - "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type", + "DisplayName": "Azure.AppGwWAF.Exclusions", + "Synopsis": "Application Gateways WAF should have no exclusions.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.TrafficManager.Protocol": { - "Name": "Azure.TrafficManager.Protocol", + "Azure.Deployment.OutputSecretValue": { + "Name": "Azure.Deployment.OutputSecretValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000237", + "Value": "PSRule.Rules.Azure\\AZR-000279", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000237" + "Name": "AZR-000279" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.TrafficManager.Protocol", - "Synopsis": "Monitor Traffic Manager endpoints with HTTPS", + "DisplayName": "Azure.Deployment.OutputSecretValue", + "Synopsis": "Avoid outputting sensitive deployment values.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.Redis.MaxMemoryReserved": { - "Name": "Azure.Redis.MaxMemoryReserved", + "Azure.VMSS.Name": { + "Name": "Azure.VMSS.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000160", + "Value": "PSRule.Rules.Azure\\AZR-000261", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000160" + "Name": "AZR-000261" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.MaxMemoryReserved", - "Synopsis": "Configure `maxmemory-reserved` to reserve memory for non-cache operations.", + "DisplayName": "Azure.VMSS.Name", + "Synopsis": "Use VM naming requirements", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.Firewall.Mode": { - "Name": "Azure.Firewall.Mode", + "Azure.APIM.HTTPEndpoint": { + "Name": "Azure.APIM.HTTPEndpoint", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000105", + "Value": "PSRule.Rules.Azure\\AZR-000042", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000105" + "Name": "AZR-000042" }, "Alias": [ null 
@@ -1316,18 +1338,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Firewall.Mode", - "Synopsis": "Deny high confidence malicious IP addresses and domains.", + "DisplayName": "Azure.APIM.HTTPEndpoint", + "Synopsis": "Enforce HTTPS for communication to API clients.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.RBAC.UseGroups": { - "Name": "Azure.RBAC.UseGroups", + "Azure.DataFactory.Version": { + "Name": "Azure.DataFactory.Version", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000203", + "Value": "PSRule.Rules.Azure\\AZR-000097", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000203" + "Name": "AZR-000097" }, "Alias": [ null @@ -1337,18 +1360,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.RBAC.UseGroups", - "Synopsis": "Use groups for assigning permissions instead of individual user accounts", + "DisplayName": "Azure.DataFactory.Version", + "Synopsis": "Consider migrating to DataFactory v2.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.DataFactory.Rule.yaml" }, - "Azure.Template.UseComments": { - "Name": "Azure.Template.UseComments", + "Azure.Template.ParameterStrongType": { + "Name": "Azure.Template.ParameterStrongType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000234", + "Value": "PSRule.Rules.Azure\\AZR-000227", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000234" + "Name": "AZR-000227" }, "Alias": [ null 
@@ -1356,13 +1380,14 @@ "Flags": 0, "Release": "GA", "RuleSet": "2021_12", - "Level": "Information", + "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.UseComments", - "Synopsis": "Use comments for each resource in ARM template to communicate purpose.", + "DisplayName": "Azure.Template.ParameterStrongType", + "Synopsis": "Set the parameter value to a value that matches the specified strong type.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, "Azure.ServiceBus.MinTLS": { "Name": "Azure.ServiceBus.MinTLS", 
@@ -1383,98 +1408,125 @@ "Synopsis": "Enforce namespaces to require that clients send and receive data with TLS 1.2 version.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1" }, - "Azure.Template.Resources": { - "Name": "Azure.Template.Resources", + "Azure.ACR.Quarantine": { + "Name": "Azure.ACR.Quarantine", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000216", + "Value": "PSRule.Rules.Azure\\AZR-000008", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000216" + "Name": "AZR-000008" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "preview", + "RuleSet": "2020_12", + "Level": "Error", + "Method": null, + "DisplayName": "Azure.ACR.Quarantine", + "Synopsis": "Enable container image quarantine, scan, and mark images as verified.", + "Recommendation": null, + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" + }, + "Azure.VM.NICName": { + "Name": "Azure.VM.NICName", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000259", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000259" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.Resources", - "Synopsis": "ARM templates should include at least one resource.", + "DisplayName": "Azure.VM.NICName", + "Synopsis": "Use NIC naming requirements", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.MariaDB.FirewallRuleCount": { - "Name": "Azure.MariaDB.FirewallRuleCount", + "Azure.EventHub.DisableLocalAuth": { + "Name": "Azure.EventHub.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000343", 
+ "Value": "PSRule.Rules.Azure\\AZR-000102", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000343" + "Name": "AZR-000102" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.FirewallRuleCount", - "Synopsis": "Determine if there is an excessive number of firewall rules.", + "DisplayName": "Azure.EventHub.DisableLocalAuth", + "Synopsis": "Authenticate Event Hub publishers and consumers with Azure AD identities.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml" }, - "Azure.MariaDB.DatabaseName": { - "Name": "Azure.MariaDB.DatabaseName", + "Azure.NSG.Name": { + "Name": "Azure.NSG.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000337", + "Value": "PSRule.Rules.Azure\\AZR-000141", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000337" + "Name": "AZR-000141" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.DatabaseName", - "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.", + "DisplayName": "Azure.NSG.Name", + "Synopsis": "Network Security Group (NSG) names should meet naming requirements.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml" }, - "Azure.Cognitive.ManagedIdentity": { - "Name": "Azure.Cognitive.ManagedIdentity", + "Azure.ContainerApp.ManagedIdentity": { + "Name": "Azure.ContainerApp.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000281", + "Value": "PSRule.Rules.Azure\\AZR-000361", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000281" + "Name": 
"AZR-000361" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cognitive.ManagedIdentity", - "Synopsis": "Configure managed identities to access Azure resources.", + "DisplayName": "Azure.ContainerApp.ManagedIdentity", + "Synopsis": "Ensure managed identity is used for authentication.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Defender.Cspm": { - "Name": "Azure.Defender.Cspm", + "Azure.Defender.CosmosDb": { + "Name": "Azure.Defender.CosmosDb", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000372", + "Value": "PSRule.Rules.Azure\\AZR-000379", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000372" + "Name": "AZR-000379" }, "Alias": [ null 
@@ -1484,144 +1536,151 @@ "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Cspm", - "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.", + "DisplayName": "Azure.Defender.CosmosDb", + "Synopsis": "Enable Microsoft Defender for Azure Cosmos DB.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Arc.Server.MaintenanceConfig": { - "Name": "Azure.Arc.Server.MaintenanceConfig", + "Azure.APIM.HTTPBackend": { + "Name": "Azure.APIM.HTTPBackend", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000374", + "Value": "PSRule.Rules.Azure\\AZR-000044", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000374" + "Name": "AZR-000044" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Arc.Server.MaintenanceConfig", - "Synopsis": "Use a maintenance configuration for Arc-enabled servers. 
", + "DisplayName": "Azure.APIM.HTTPBackend", + "Synopsis": "Use HTTPS for communication to backend services.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.SQL.AADOnly": { - "Name": "Azure.SQL.AADOnly", + "Azure.VNG.ERAvailabilityZoneSKU": { + "Name": "Azure.VNG.ERAvailabilityZoneSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000369", + "Value": "PSRule.Rules.Azure\\AZR-000273", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000369" + "Name": "AZR-000273" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.AADOnly", - "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.", + "DisplayName": "Azure.VNG.ERAvailabilityZoneSKU", + "Synopsis": "Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.AppService.UseHTTPS": { - "Name": "Azure.AppService.UseHTTPS", + "Azure.Search.Name": { + "Name": "Azure.Search.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000084", + "Value": "PSRule.Rules.Azure\\AZR-000176", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000084" + "Name": "AZR-000176" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.UseHTTPS", - "Synopsis": "Azure App Service apps should only accept encrypted connections.", + "DisplayName": "Azure.Search.Name", + "Synopsis": "Use Cognitive Search naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null 
+ "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.AppGwWAF.Exclusions": { - "Name": "Azure.AppGwWAF.Exclusions", + "Azure.Template.LocationDefault": { + "Name": "Azure.Template.LocationDefault", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000303", + "Value": "PSRule.Rules.Azure\\AZR-000220", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000303" + "Name": "AZR-000220" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGwWAF.Exclusions", - "Synopsis": "Application Gateways WAF should have no exclusions.", + "DisplayName": "Azure.Template.LocationDefault", + "Synopsis": "Set the default value for location parameters within ARM template to the default value to `[resourceGroup().location]`.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AppGwWAF.PreventionMode": { - "Name": "Azure.AppGwWAF.PreventionMode", + "Azure.Defender.Cspm": { + "Name": "Azure.Defender.Cspm", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000302", + "Value": "PSRule.Rules.Azure\\AZR-000372", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000302" + "Name": "AZR-000372" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGwWAF.PreventionMode", - "Synopsis": "Application Gateways WAF should be in prevention mode.", + "DisplayName": "Azure.Defender.Cspm", + "Synopsis": "Enable Microsoft Defender Cloud Security Posture Management Standard plan.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.SQL.FGName": { - "Name": "Azure.SQL.FGName", + "Azure.RSV.Immutable": { + "Name": "Azure.RSV.Immutable", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000193", + "Value": "PSRule.Rules.Azure\\AZR-000397", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000193" + "Name": "AZR-000397" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.FGName", - "Synopsis": "Azure SQL failover group names should meet naming requirements.", + "DisplayName": "Azure.RSV.Immutable", + "Synopsis": "Ensure immutability is configured to protect backup data.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml" }, - "Azure.VM.PPGName": { - "Name": "Azure.VM.PPGName", + "Azure.NSG.DenyAllInbound": { + "Name": "Azure.NSG.DenyAllInbound", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000260", + "Value": "PSRule.Rules.Azure\\AZR-000138", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000260" + "Name": "AZR-000138" }, "Alias": [ null 
@@ -1631,186 +1690,195 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.PPGName", - "Synopsis": "Use Proximity Placement Groups naming requirements", + "DisplayName": "Azure.NSG.DenyAllInbound", + "Synopsis": "Avoid blocking all inbound network traffic", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.Template.ExpressionLength": { - "Name": "Azure.Template.ExpressionLength", + "Azure.MariaDB.VNETRuleName": { + "Name": "Azure.MariaDB.VNETRuleName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000228", + "Value": "PSRule.Rules.Azure\\AZR-000339", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000228" + "Name": "AZR-000339" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ExpressionLength", - "Synopsis": "Template expressions should not exceed the maximum length.", + "DisplayName": "Azure.MariaDB.VNETRuleName", + "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Cosmos.DefenderCloud": { - "Name": "Azure.Cosmos.DefenderCloud", + "Azure.Storage.MinTLS": { + "Name": "Azure.Storage.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000382", + "Value": "PSRule.Rules.Azure\\AZR-000200", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000382" + "Name": "AZR-000200" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cosmos.DefenderCloud", - "Synopsis": "Enable Microsoft Defender for 
Azure Cosmos DB.", + "DisplayName": "Azure.Storage.MinTLS", + "Synopsis": "Storage Accounts should reject TLS versions older than 1.2.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, - "Azure.ADX.SLA": { - "Name": "Azure.ADX.SLA", + "Azure.VM.MigrateAMA": { + "Name": "Azure.VM.MigrateAMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000014", + "Value": "PSRule.Rules.Azure\\AZR-000317", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000014" + "Name": "AZR-000317" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ADX.SLA", - "Synopsis": "Use SKUs that include a SLA when configuring Azure Data Explorer (ADX) clusters.", + "DisplayName": "Azure.VM.MigrateAMA", + "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VMSS.PublicKey": { - "Name": "Azure.VMSS.PublicKey", + "Azure.KeyVault.RBAC": { + "Name": "Azure.KeyVault.RBAC", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000288", + "Value": "PSRule.Rules.Azure\\AZR-000388", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000288" + "Name": "AZR-000388" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", - "Level": "Error", + "RuleSet": "2023_06", + "Level": "Warning", "Method": null, - "DisplayName": "Azure.VMSS.PublicKey", - "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.", + "DisplayName": "Azure.KeyVault.RBAC", + "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.", 
"Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml" }, - "Azure.FrontDoor.State": { - "Name": "Azure.FrontDoor.State", + "Azure.AppGw.Name": { + "Name": "Azure.AppGw.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000112", + "Value": "PSRule.Rules.Azure\\AZR-000348", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000112" + "Name": "AZR-000348" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.State", - "Synopsis": "Enable Azure Front Door Classic instance.", + "DisplayName": "Azure.AppGw.Name", + "Synopsis": "Application Gateways should meet naming requirements.", "Recommendation": null, - "Pillar": "Cost Optimization", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1" }, - "Azure.MariaDB.GeoRedundantBackup": { - "Name": "Azure.MariaDB.GeoRedundantBackup", + "Azure.AppService.UseHTTPS": { + "Name": "Azure.AppService.UseHTTPS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000329", + "Value": "PSRule.Rules.Azure\\AZR-000084", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000329" + "Name": "AZR-000084" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.GeoRedundantBackup", - "Synopsis": "Azure Database for MariaDB should store backups in a geo-redundant storage.", + "DisplayName": "Azure.AppService.UseHTTPS", + "Synopsis": "Azure App Service apps should only accept encrypted connections.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.AKS.CNISubnetSize": { - "Name": "Azure.AKS.CNISubnetSize", + "Azure.MariaDB.ServerName": { + "Name": "Azure.MariaDB.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000020", + "Value": "PSRule.Rules.Azure\\AZR-000336", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000020" + "Name": "AZR-000336" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.CNISubnetSize", - "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.", + "DisplayName": "Azure.MariaDB.ServerName", + "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Search.SKU": { - "Name": "Azure.Search.SKU", + "Azure.FrontDoor.State": { + "Name": "Azure.FrontDoor.State", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000172", + "Value": "PSRule.Rules.Azure\\AZR-000112", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000172" + "Name": "AZR-000112" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Search.SKU", - "Synopsis": "Use a minimum of a basic SKU.", + "DisplayName": "Azure.FrontDoor.State", + "Synopsis": "Enable Azure Front Door Classic instance.", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.PublicIP.StandardSKU": { - 
"Name": "Azure.PublicIP.StandardSKU", + "Azure.Redis.AvailabilityZone": { + "Name": "Azure.Redis.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000158", + "Value": "PSRule.Rules.Azure\\AZR-000161", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000158" + "Name": "AZR-000161" }, "Alias": [ null 
@@ -1820,39 +1888,41 @@ "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.PublicIP.StandardSKU", - "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.", + "DisplayName": "Azure.Redis.AvailabilityZone", + "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.", "Recommendation": null, "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.AKS.AvailabilityZone": { - "Name": "Azure.AKS.AvailabilityZone", + "Azure.Redis.FirewallRuleCount": { + "Name": "Azure.Redis.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000021", + "Value": "PSRule.Rules.Azure\\AZR-000299", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000021" + "Name": "AZR-000299" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AvailabilityZone", - "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.", + "DisplayName": "Azure.Redis.FirewallRuleCount", + "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.vWAN.Name": { - "Name": "Azure.vWAN.Name", + "Azure.Template.UseComments": { + "Name": "Azure.Template.UseComments", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000276", + "Value": "PSRule.Rules.Azure\\AZR-000234", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000276" + "Name": "AZR-000234" }, "Alias": [ null 
@@ -1860,125 +1930,131 @@ "Flags": 0, "Release": "GA", "RuleSet": "2021_12", - "Level": "Error", + "Level": "Information", "Method": null, - "DisplayName": "Azure.vWAN.Name", - "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.", + "DisplayName": "Azure.Template.UseComments", + "Synopsis": "Use comments for each resource in ARM template to communicate purpose.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AKS.DefenderProfile": { - "Name": "Azure.AKS.DefenderProfile", + "Azure.Template.UseDescriptions": { + "Name": "Azure.Template.UseDescriptions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000370", + "Value": "PSRule.Rules.Azure\\AZR-000235", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000370" + "Name": "AZR-000235" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", - "Level": "Error", + "RuleSet": "2021_12", + "Level": "Information", "Method": null, - "DisplayName": "Azure.AKS.DefenderProfile", - "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.", + "DisplayName": "Azure.Template.UseDescriptions", + "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.MySQL.GeoRedundantBackup": { - "Name": "Azure.MySQL.GeoRedundantBackup", + "Azure.AppService.PlanInstanceCount": { + "Name": "Azure.AppService.PlanInstanceCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000323", + "Value": "PSRule.Rules.Azure\\AZR-000071", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000323" + "Name": "AZR-000071" 
}, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.GeoRedundantBackup", - "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.", + "DisplayName": "Azure.AppService.PlanInstanceCount", + "Synopsis": "App Service Plan should use a minimum number of instances for failover.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.ServiceBus.Usage": { - "Name": "Azure.ServiceBus.Usage", + "Azure.EventHub.MinTLS": { + "Name": "Azure.EventHub.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000177", + "Value": "PSRule.Rules.Azure\\AZR-000356", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000177" + "Name": "AZR-000356" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.ServiceBus.Usage", - "Synopsis": "Regularly remove unused resources to reduce costs.", + "DisplayName": "Azure.EventHub.MinTLS", + "Synopsis": "Event Hubs namespaces should reject TLS versions older than 1.2.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.yaml" }, - "Azure.Defender.OssRdb": { - "Name": "Azure.Defender.OssRdb", + "Azure.ContainerApp.Name": { + "Name": "Azure.ContainerApp.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000381", + "Value": "PSRule.Rules.Azure\\AZR-000360", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000381" + "Name": "AZR-000360" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - 
"DisplayName": "Azure.Defender.OssRdb", - "Synopsis": "Enable Microsoft Defender for open-source relational databases.", + "DisplayName": "Azure.ContainerApp.Name", + "Synopsis": "Container Apps should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.SQL.FirewallIPRange": { - "Name": "Azure.SQL.FirewallIPRange", + "Azure.ContainerApp.RestrictIngress": { + "Name": "Azure.ContainerApp.RestrictIngress", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000185", + "Value": "PSRule.Rules.Azure\\AZR-000380", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000185" + "Name": "AZR-000380" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.FirewallIPRange", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses", + "DisplayName": "Azure.ContainerApp.RestrictIngress", + "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1" }, - "Azure.VM.NICName": { - "Name": "Azure.VM.NICName", + "Azure.RBAC.UseGroups": { + "Name": "Azure.RBAC.UseGroups", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000259", + "Value": "PSRule.Rules.Azure\\AZR-000203", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000259" + "Name": "AZR-000203" }, "Alias": [ null 
@@ -1988,165 +2064,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.NICName", - "Synopsis": "Use NIC naming requirements", + "DisplayName": "Azure.RBAC.UseGroups", + "Synopsis": "Use groups for assigning permissions instead of individual user accounts", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.AppService.NETVersion": { - "Name": "Azure.AppService.NETVersion", + "Azure.AppGwWAF.Enabled": { + "Name": "Azure.AppGwWAF.Enabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000075", + "Value": "PSRule.Rules.Azure\\AZR-000309", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000075" + "Name": "AZR-000309" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.NETVersion", - "Synopsis": "Configure applications to use newer .NET Framework versions.", + "DisplayName": "Azure.AppGwWAF.Enabled", + "Synopsis": "Application Gateways should use a WAF.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.AppService.WebProbe": { - "Name": "Azure.AppService.WebProbe", + "Azure.Template.Resources": { + "Name": "Azure.Template.Resources", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000079", + "Value": "PSRule.Rules.Azure\\AZR-000216", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000079" + "Name": "AZR-000216" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.WebProbe", - "Synopsis": "Configure and enable instance health probes.", + 
"DisplayName": "Azure.Template.Resources", + "Synopsis": "ARM templates should include at least one resource.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.ACR.AdminUser": { - "Name": "Azure.ACR.AdminUser", + "Azure.Firewall.Name": { + "Name": "Azure.Firewall.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000005", + "Value": "PSRule.Rules.Azure\\AZR-000103", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000005" + "Name": "AZR-000103" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.AdminUser", - "Synopsis": "Use Azure AD identities instead of using the registry admin user.", + "DisplayName": "Azure.Firewall.Name", + "Synopsis": "Firewall names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.Storage.Name": { - "Name": "Azure.Storage.Name", + "Azure.PublicIP.MigrateStandard": { + "Name": "Azure.PublicIP.MigrateStandard", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000201", + "Value": "PSRule.Rules.Azure\\AZR-000395", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000201" + "Name": "AZR-000395" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.Name", - "Synopsis": "Use Storage naming requirements", + "DisplayName": "Azure.PublicIP.MigrateStandard", + "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.", "Recommendation": null, "Pillar": "Operational Excellence", - 
"Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml" }, - "Azure.KeyVault.Name": { - "Name": "Azure.KeyVault.Name", + "Azure.VM.SQLServerDisk": { + "Name": "Azure.VM.SQLServerDisk", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000120", + "Value": "PSRule.Rules.Azure\\AZR-000324", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000120" + "Name": "AZR-000324" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.Name", - "Synopsis": "Key Vault names should meet naming requirements.", + "DisplayName": "Azure.VM.SQLServerDisk", + "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.ACR.AnonymousAccess": { - "Name": "Azure.ACR.AnonymousAccess", + "Azure.Automation.ManagedIdentity": { + "Name": "Azure.Automation.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000401", + "Value": "PSRule.Rules.Azure\\AZR-000090", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000401" + "Name": "AZR-000090" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2023_09", + "Release": "GA", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.AnonymousAccess", - "Synopsis": "Disable anonymous pull access.", + "DisplayName": "Azure.Automation.ManagedIdentity", + "Synopsis": "Ensure managed identity is used for authentication.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.yaml" }, - 
"Azure.Cognitive.PrivateEndpoints": { - "Name": "Azure.Cognitive.PrivateEndpoints", + "Azure.AKS.HttpAppRouting": { + "Name": "Azure.AKS.HttpAppRouting", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000283", + "Value": "PSRule.Rules.Azure\\AZR-000035", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000283" + "Name": "AZR-000035" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cognitive.PrivateEndpoints", - "Synopsis": "Use Private Endpoints to access Cognitive Services accounts.", + "DisplayName": "Azure.AKS.HttpAppRouting", + "Synopsis": "Disable HTTP application routing add-on in AKS clusters.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.NSG.DenyAllInbound": { - "Name": "Azure.NSG.DenyAllInbound", + "Azure.AKS.UseRBAC": { + "Name": "Azure.AKS.UseRBAC", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000138", + "Value": "PSRule.Rules.Azure\\AZR-000038", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000138" + "Name": "AZR-000038" }, "Alias": [ null 
@@ -2156,228 +2240,239 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.NSG.DenyAllInbound", - "Synopsis": "Avoid blocking all inbound network traffic", + "DisplayName": "Azure.AKS.UseRBAC", + "Synopsis": "Deploy AKS cluster with role-based access control (RBAC) enabled.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.APIM.Protocols": { - "Name": "Azure.APIM.Protocols", + "Azure.Defender.Dns": { + "Name": "Azure.Defender.Dns", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000054", + "Value": "PSRule.Rules.Azure\\AZR-000353", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000054" + "Name": "AZR-000353" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.Protocols", - "Synopsis": "API Management should only accept a minimum of TLS 1.2.", + "DisplayName": "Azure.Defender.Dns", + "Synopsis": "Enable Microsoft Defender for DNS.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.AppGwWAF.RuleGroups": { - "Name": "Azure.AppGwWAF.RuleGroups", + "Azure.FrontDoor.Logs": { + "Name": "Azure.FrontDoor.Logs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000304", + "Value": "PSRule.Rules.Azure\\AZR-000107", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000304" + "Name": "AZR-000107" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGwWAF.RuleGroups", - "Synopsis": "Application Gateways WAF should have at least 2 Rule Groups. 
One for OWASP and one for Microsoft_BotManagerRuleSet.", + "DisplayName": "Azure.FrontDoor.Logs", + "Synopsis": "Use diagnostics to audit Front Door access", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.ContainerApp.ExternalIngress": { - "Name": "Azure.ContainerApp.ExternalIngress", + "Azure.Storage.FileShareSoftDelete": { + "Name": "Azure.Storage.FileShareSoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000362", + "Value": "PSRule.Rules.Azure\\AZR-000298", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000362" + "Name": "AZR-000298" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.ExternalIngress", - "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.", + "DisplayName": "Azure.Storage.FileShareSoftDelete", + "Synopsis": "Enable soft delete on Storage Accounts file shares.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Storage.DefenderCloud.SensitiveData": { - "Name": "Azure.Storage.DefenderCloud.SensitiveData", + "Azure.LB.AvailabilityZone": { + "Name": "Azure.LB.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000391", + "Value": "PSRule.Rules.Azure\\AZR-000127", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000391" + "Name": "AZR-000127" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.DefenderCloud.SensitiveData", - "Synopsis": "Enable sensitive data 
threat detection in Microsoft Defender for Storage.", + "DisplayName": "Azure.LB.AvailabilityZone", + "Synopsis": "Load balancers deployed with Standard SKU should be zone-redundant for high availability.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1" }, - "Azure.KeyVault.AutoRotationPolicy": { - "Name": "Azure.KeyVault.AutoRotationPolicy", + "Azure.FrontDoor.MinTLS": { + "Name": "Azure.FrontDoor.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000123", + "Value": "PSRule.Rules.Azure\\AZR-000106", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000123" + "Name": "AZR-000106" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.AutoRotationPolicy", - "Synopsis": "Key Vault keys should have auto-rotation enabled.", + "DisplayName": "Azure.FrontDoor.MinTLS", + "Synopsis": "Front Door should reject TLS versions older than 1.2.", "Recommendation": null, "Pillar": "Security", - "Control": "IM-3" + "Control": "DP-3", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.RBAC.CoAdministrator": { - "Name": "Azure.RBAC.CoAdministrator", + "Azure.Identity.UserAssignedName": { + "Name": "Azure.Identity.UserAssignedName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000206", + "Value": "PSRule.Rules.Azure\\AZR-000117", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000206" + "Name": "AZR-000117" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.RBAC.CoAdministrator", - "Synopsis": "Avoid using classic co-administrator roles", + "DisplayName": "Azure.Identity.UserAssignedName", + "Synopsis": "User Assigned 
Managed Identity names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Identity.Rule.yaml" }, - "Azure.AKS.DNSPrefix": { - "Name": "Azure.AKS.DNSPrefix", + "Azure.Deployment.OuterSecret": { + "Name": "Azure.Deployment.OuterSecret", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000040", + "Value": "PSRule.Rules.Azure\\AZR-000331", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000040" + "Name": "AZR-000331" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.DNSPrefix", - "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.", + "DisplayName": "Azure.Deployment.OuterSecret", + "Synopsis": "Ensure Outer scope deployments aren't using SecureString or SecureObject Parameters", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.IoTHub.MinTLS": { - "Name": "Azure.IoTHub.MinTLS", + "Azure.FrontDoor.WAF.Enabled": { + "Name": "Azure.FrontDoor.WAF.Enabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000357", + "Value": "PSRule.Rules.Azure\\AZR-000115", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000357" + "Name": "AZR-000115" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.IoTHub.MinTLS", - "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.", + "DisplayName": "Azure.FrontDoor.WAF.Enabled", + "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end 
resources.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.SQLMI.ManagedIdentity": { - "Name": "Azure.SQLMI.ManagedIdentity", + "Azure.AKS.NetworkPolicy": { + "Name": "Azure.AKS.NetworkPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000367", + "Value": "PSRule.Rules.Azure\\AZR-000027", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000367" + "Name": "AZR-000027" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQLMI.ManagedIdentity", - "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.", + "DisplayName": "Azure.AKS.NetworkPolicy", + "Synopsis": "Deploy AKS clusters with Network Policies enabled.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.Standalone": { - "Name": "Azure.VM.Standalone", + "Azure.MariaDB.DefenderCloud": { + "Name": "Azure.MariaDB.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000239", + "Value": "PSRule.Rules.Azure\\AZR-000330", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000239" + "Name": "AZR-000330" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.Standalone", - "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.", + "DisplayName": "Azure.MariaDB.DefenderCloud", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MariaDB.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.ASG.Name": { - "Name": "Azure.ASG.Name", + "Azure.EventGrid.TopicPublicAccess": { + "Name": "Azure.EventGrid.TopicPublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000085", + "Value": "PSRule.Rules.Azure\\AZR-000098", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000085" + "Name": "AZR-000098" }, "Alias": [ null 
@@ -2387,39 +2482,41 @@ "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ASG.Name", - "Synopsis": "Application Security Group (ASG) names should meet naming requirements.", + "DisplayName": "Azure.EventGrid.TopicPublicAccess", + "Synopsis": "Use Private Endpoints to access Event Grid topics and domains.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml" }, - "Azure.ADX.Usage": { - "Name": "Azure.ADX.Usage", + "Azure.VNG.VPNActiveActive": { + "Name": "Azure.VNG.VPNActiveActive", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000011", + "Value": "PSRule.Rules.Azure\\AZR-000270", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000011" + "Name": "AZR-000270" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Azure.ADX.Usage", - "Synopsis": "Regularly remove unused resources to reduce costs.", + "Method": null, + "DisplayName": "Azure.VNG.VPNActiveActive", + "Synopsis": "Use Active-Active configuration", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.VM.UniqueDns": { - "Name": "Azure.VM.UniqueDns", + "Azure.VNET.LocalDNS": { + "Name": "Azure.VNET.LocalDNS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000258", + "Value": "PSRule.Rules.Azure\\AZR-000265", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000258" + "Name": "AZR-000265" }, "Alias": [ null 
@@ -2429,53 +2526,56 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.UniqueDns", - "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.", + "DisplayName": "Azure.VNET.LocalDNS", + "Synopsis": "Virtual networks (VNETs) should use Azure local DNS servers.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.FrontDoorWAF.PreventionMode": { - "Name": "Azure.FrontDoorWAF.PreventionMode", + "Azure.NSG.LateralTraversal": { + "Name": "Azure.NSG.LateralTraversal", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000306", + "Value": "PSRule.Rules.Azure\\AZR-000139", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000306" + "Name": "AZR-000139" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoorWAF.PreventionMode", - "Synopsis": "FrontDoor WAF should be in prevention mode.", + "DisplayName": "Azure.NSG.LateralTraversal", + "Synopsis": "Lateral traversal from application servers should be blocked", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.AKS.UseRBAC": { - "Name": "Azure.AKS.UseRBAC", + "Azure.Storage.Firewall": { + "Name": "Azure.Storage.Firewall", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000038", + "Value": "PSRule.Rules.Azure\\AZR-000202", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000038" + "Name": "AZR-000202" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.UseRBAC", - "Synopsis": "Deploy AKS 
cluster with role-based access control (RBAC) enabled.", + "DisplayName": "Azure.Storage.Firewall", + "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, "Azure.AKS.PlatformLogs": { "Name": "Azure.AKS.PlatformLogs", 
@@ -2496,203 +2596,217 @@ "Synopsis": "AKS clusters should collect platform diagnostic logs to monitor the state of workloads.", "Recommendation": null, "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.APIM.Ciphers": { - "Name": "Azure.APIM.Ciphers", + "Azure.VMSS.ComputerName": { + "Name": "Azure.VMSS.ComputerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000055", + "Value": "PSRule.Rules.Azure\\AZR-000262", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000055" + "Name": "AZR-000262" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.Ciphers", - "Synopsis": "API Management should not accept weak or deprecated ciphers.", + "DisplayName": "Azure.VMSS.ComputerName", + "Synopsis": "Use VM naming requirements", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.Defender.Dns": { - "Name": "Azure.Defender.Dns", + "Azure.AKS.Name": { + "Name": "Azure.AKS.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000353", + "Value": "PSRule.Rules.Azure\\AZR-000039", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000353" + "Name": "AZR-000039" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Dns", - "Synopsis": "Enable Microsoft Defender for DNS.", + "DisplayName": "Azure.AKS.Name", + "Synopsis": "Azure Kubernetes Service (AKS) cluster names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VMSS.Name": { - "Name": "Azure.VMSS.Name", + "Azure.DefenderCloud.Contact": { + "Name": "Azure.DefenderCloud.Contact", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000261", + "Value": "PSRule.Rules.Azure\\AZR-000209", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000261" + "Name": "AZR-000209" }, "Alias": [ - null + { + "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Contact", + "Scope": "PSRule.Rules.Azure", + "Name": "Azure.SecurityCenter.Contact" + } ], "Flags": 0, "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VMSS.Name", - "Synopsis": "Use VM naming requirements", + "DisplayName": "Azure.DefenderCloud.Contact", + "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.CDN.UseFrontDoor": { - "Name": "Azure.CDN.UseFrontDoor", + "Azure.FrontDoor.Probe": { + "Name": "Azure.FrontDoor.Probe", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000286", + "Value": "PSRule.Rules.Azure\\AZR-000108", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000286" + "Name": "AZR-000108" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.CDN.UseFrontDoor", - "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.", + "DisplayName": "Azure.FrontDoor.Probe", + "Synopsis": "Configure and enable health probes for each backend pool.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.VM.ShouldNotBeStopped": { - "Name": "Azure.VM.ShouldNotBeStopped", + "Azure.Template.UseVariables": { + "Name": "Azure.Template.UseVariables", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000351", + "Value": "PSRule.Rules.Azure\\AZR-000219", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000351" + "Name": "AZR-000219" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.ShouldNotBeStopped", - "Synopsis": "VMs should be deallocated instead of stopped.", + "DisplayName": "Azure.Template.UseVariables", + "Synopsis": "ARM template variables should be used at least once.", "Recommendation": null, - "Pillar": "Cost Optimization", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Automation.AuditLogs": { - "Name": "Azure.Automation.AuditLogs", + "Azure.AppService.RemoteDebug": { + "Name": "Azure.AppService.RemoteDebug", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000088", + "Value": "PSRule.Rules.Azure\\AZR-000074", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000088" + "Name": "AZR-000074" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Automation.AuditLogs", - "Synopsis": "Ensure automation account audit diagnostic logs are enabled.", + "DisplayName": "Azure.AppService.RemoteDebug", + "Synopsis": "Disable remote debugging", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.RSV.Name": { - "Name": "Azure.RSV.Name", + 
"Azure.Template.UseParameters": { + "Name": "Azure.Template.UseParameters", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000350", + "Value": "PSRule.Rules.Azure\\AZR-000217", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000350" + "Name": "AZR-000217" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.RSV.Name", - "Synopsis": "Recovery Services vaults should meet naming requirements.", + "DisplayName": "Azure.Template.UseParameters", + "Synopsis": "ARM template parameters should be used at least once.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.ACR.Firewall": { - "Name": "Azure.ACR.Firewall", + "Azure.AKS.NodeMinPods": { + "Name": "Azure.AKS.NodeMinPods", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000402", + "Value": "PSRule.Rules.Azure\\AZR-000018", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000402" + "Name": "AZR-000018" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.Firewall", - "Synopsis": "Limit network access of container registries to only trusted clients.", + "DisplayName": "Azure.AKS.NodeMinPods", + "Synopsis": "AKS nodes should use a minimum number of pods", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.RSV.Immutable": { - "Name": "Azure.RSV.Immutable", + "Azure.FrontDoorWAF.Enabled": { + "Name": "Azure.FrontDoorWAF.Enabled", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000397", + "Value": "PSRule.Rules.Azure\\AZR-000305", 
"Scope": "PSRule.Rules.Azure", - "Name": "AZR-000397" + "Name": "AZR-000305" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.RSV.Immutable", - "Synopsis": "Ensure immutability is configured to protect backup data.", + "DisplayName": "Azure.FrontDoorWAF.Enabled", + "Synopsis": "FrontDoor should use a WAF.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.VM.DiskAttached": { - "Name": "Azure.VM.DiskAttached", + "Azure.Resource.AllowedRegions": { + "Name": "Azure.Resource.AllowedRegions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000250", + "Value": "PSRule.Rules.Azure\\AZR-000167", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000250" + "Name": "AZR-000167" }, "Alias": [ null 
@@ -2702,60 +2816,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.DiskAttached", - "Synopsis": "Managed disks should be attached to virtual machines", + "DisplayName": "Azure.Resource.AllowedRegions", + "Synopsis": "Resources should be deployed to allowed regions.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1" }, - "Azure.VNG.ERLegacySKU": { - "Name": "Azure.VNG.ERLegacySKU", + "Azure.AKS.AuthorizedIPs": { + "Name": "Azure.AKS.AuthorizedIPs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000271", + "Value": "PSRule.Rules.Azure\\AZR-000030", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000271" + "Name": "AZR-000030" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.ERLegacySKU", - "Synopsis": "Migrate from legacy ExpressRoute gateway SKUs", + "DisplayName": "Azure.AKS.AuthorizedIPs", + "Synopsis": "Restrict access to API server endpoints to authorized IP addresses.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.UseManagedDisks": { - "Name": "Azure.VM.UseManagedDisks", + "Azure.EventGrid.DisableLocalAuth": { + "Name": "Azure.EventGrid.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000238", + "Value": "PSRule.Rules.Azure\\AZR-000100", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000238" + "Name": "AZR-000100" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.UseManagedDisks", - "Synopsis": "Virtual machines should use managed 
disks", + "DisplayName": "Azure.EventGrid.DisableLocalAuth", + "Synopsis": "Authenticate publishing clients with Azure AD identities.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml" }, - "Azure.KeyVault.PurgeProtect": { - "Name": "Azure.KeyVault.PurgeProtect", + "Azure.ResourceGroup.Name": { + "Name": "Azure.ResourceGroup.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000125", + "Value": "PSRule.Rules.Azure\\AZR-000168", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000125" + "Name": "AZR-000168" }, "Alias": [ null 
@@ -2765,228 +2882,217 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.PurgeProtect", - "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.", + "DisplayName": "Azure.ResourceGroup.Name", + "Synopsis": "Use Resource Group naming requirements", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1" }, - "Azure.EventHub.DisableLocalAuth": { - "Name": "Azure.EventHub.DisableLocalAuth", + "Azure.RBAC.CoAdministrator": { + "Name": "Azure.RBAC.CoAdministrator", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000102", + "Value": "PSRule.Rules.Azure\\AZR-000206", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000102" + "Name": "AZR-000206" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.EventHub.DisableLocalAuth", - "Synopsis": "Authenticate Event Hub publishers and consumers with Azure AD identities.", + "DisplayName": "Azure.RBAC.CoAdministrator", + "Synopsis": "Avoid using classic co-administrator roles", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.FrontDoor.Logs": { - "Name": "Azure.FrontDoor.Logs", + "Azure.SignalR.SLA": { + "Name": "Azure.SignalR.SLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000107", + "Value": "PSRule.Rules.Azure\\AZR-000182", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000107" + "Name": "AZR-000182" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.Logs", - "Synopsis": "Use diagnostics to 
audit Front Door access", - "Recommendation": null, - "Pillar": null, - "Control": null - }, - "Azure.Template.UseLocationParameter": { - "Name": "Azure.Template.UseLocationParameter", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000223", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000223" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2021_03", - "Level": "Warning", - "Method": null, - "DisplayName": "Azure.Template.UseLocationParameter", - "Synopsis": "Template should reference a location parameter to specify resource location.", + "DisplayName": "Azure.SignalR.SLA", + "Synopsis": "Use SKUs that includes a SLA when configuring a SignalR Service.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml" }, - "Azure.VNET.SubnetName": { - "Name": "Azure.VNET.SubnetName", + "Azure.Policy.WaiverExpiry": { + "Name": "Azure.Policy.WaiverExpiry", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000267", + "Value": "PSRule.Rules.Azure\\AZR-000146", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000267" + "Name": "AZR-000146" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.SubnetName", - "Synopsis": "Subnet names should meet naming requirements.", + "DisplayName": "Azure.Policy.WaiverExpiry", + "Synopsis": "Policy exceptions must be less then 2 years.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.NSG.Associated": { - "Name": "Azure.NSG.Associated", + "Azure.APIM.AvailabilityZone": { + "Name": "Azure.APIM.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000140", + "Value": 
"PSRule.Rules.Azure\\AZR-000052", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000140" + "Name": "AZR-000052" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.NSG.Associated", - "Synopsis": "Network security groups should be associated to either a subnet or network interface", + "DisplayName": "Azure.APIM.AvailabilityZone", + "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.PostgreSQL.UseSSL": { - "Name": "Azure.PostgreSQL.UseSSL", + "Azure.Defender.SQL": { + "Name": "Azure.Defender.SQL", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000147", + "Value": "PSRule.Rules.Azure\\AZR-000294", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000147" + "Name": "AZR-000294" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.UseSSL", - "Synopsis": "Enforce encrypted PostgreSQL connections.", + "DisplayName": "Azure.Defender.SQL", + "Synopsis": "Consider enabling Defender for SQL", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Template.UseDescriptions": { - "Name": "Azure.Template.UseDescriptions", + "Azure.PostgreSQL.AllowAzureAccess": { + "Name": "Azure.PostgreSQL.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000235", + "Value": "PSRule.Rules.Azure\\AZR-000150", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000235" + "Name": "AZR-000150" }, 
"Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", - "Level": "Information", + "RuleSet": "2020_06", + "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.UseDescriptions", - "Synopsis": "Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.", + "DisplayName": "Azure.PostgreSQL.AllowAzureAccess", + "Synopsis": "Determine if access from Azure services is required", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.APIM.PolicyBase": { - "Name": "Azure.APIM.PolicyBase", + "Azure.VM.ASMinMembers": { + "Name": "Azure.VM.ASMinMembers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000371", + "Value": "PSRule.Rules.Azure\\AZR-000255", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000371" + "Name": "AZR-000255" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.PolicyBase", - "Synopsis": "Base element for any policy element in a section should be configured.", + "DisplayName": "Azure.VM.ASMinMembers", + "Synopsis": "Availability sets should be deployed with at least two members", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Redis.Version": { - "Name": "Azure.Redis.Version", + "Azure.SQL.FGName": { + "Name": "Azure.SQL.FGName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000347", + "Value": "PSRule.Rules.Azure\\AZR-000193", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000347" + "Name": "AZR-000193" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": 
"Azure.Redis.Version", - "Synopsis": "Azure Cache for Redis should use the latest supported version of Redis.", + "DisplayName": "Azure.SQL.FGName", + "Synopsis": "Azure SQL failover group names should meet naming requirements.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.MySQL.AAD": { - "Name": "Azure.MySQL.AAD", + "Azure.PublicIP.StandardSKU": { + "Name": "Azure.PublicIP.StandardSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000392", + "Value": "PSRule.Rules.Azure\\AZR-000158", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000392" + "Name": "AZR-000158" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.AAD", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.", + "DisplayName": "Azure.PublicIP.StandardSKU", + "Synopsis": "Public IP addresses should be deployed with Standard SKU for production workloads.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.yaml" }, - "Azure.Template.ParameterMinMaxValue": { - "Name": "Azure.Template.ParameterMinMaxValue", + "Azure.Template.LocationType": { + "Name": "Azure.Template.LocationType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000224", + "Value": "PSRule.Rules.Azure\\AZR-000221", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000224" + "Name": "AZR-000221" }, "Alias": [ null 
@@ -2996,53 +3102,56 @@ "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ParameterMinMaxValue", - "Synopsis": "Template parameters `minValue` and `maxValue` constraints must be valid.", + "DisplayName": "Azure.Template.LocationType", + "Synopsis": "Location parameters should use a string value.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Firewall.Name": { - "Name": "Azure.Firewall.Name", + "Azure.AKS.UptimeSLA": { + "Name": "Azure.AKS.UptimeSLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000103", + "Value": "PSRule.Rules.Azure\\AZR-000285", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000103" + "Name": "AZR-000285" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Firewall.Name", - "Synopsis": "Firewall names should meet naming requirements.", + "DisplayName": "Azure.AKS.UptimeSLA", + "Synopsis": "AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.PostgreSQL.AllowAzureAccess": { - "Name": "Azure.PostgreSQL.AllowAzureAccess", + "Azure.VM.MaintenanceConfig": { + "Name": "Azure.VM.MaintenanceConfig", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000150", + "Value": "PSRule.Rules.Azure\\AZR-000375", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000150" + "Name": "AZR-000375" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - 
"DisplayName": "Azure.PostgreSQL.AllowAzureAccess", - "Synopsis": "Determine if access from Azure services is required", + "DisplayName": "Azure.VM.MaintenanceConfig", + "Synopsis": "Use a maintenance configuration for virtual machines. ", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, "Azure.AppInsights.Name": { "Name": "Azure.AppInsights.Name", 
@@ -3063,119 +3172,169 @@ "Synopsis": "Azure Application Insights resources names should meet naming requirements.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml" }, - "Azure.KeyVault.KeyName": { - "Name": "Azure.KeyVault.KeyName", + "Azure.Search.IndexSLA": { + "Name": "Azure.Search.IndexSLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000122", + "Value": "PSRule.Rules.Azure\\AZR-000174", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000122" + "Name": "AZR-000174" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.KeyName", - "Synopsis": "Key Vault Key names should meet naming requirements.", + "DisplayName": "Azure.Search.IndexSLA", + "Synopsis": "Use a minimum of 3 replicas to receive an SLA for query and index updates.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.PostgreSQL.AADOnly": { - "Name": "Azure.PostgreSQL.AADOnly", + "Azure.ACR.Usage": { + "Name": "Azure.ACR.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000390", + "Value": "PSRule.Rules.Azure\\AZR-000001", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000390" + "Name": "AZR-000001" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_12", + "Level": "Error", + "Method": "in-flight", + "DisplayName": "Azure.ACR.Usage", + "Synopsis": "Consider freeing up registry space.", + "Recommendation": null, + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" + }, + "Azure.AppConfig.GeoReplica": { 
+ "Name": "Azure.AppConfig.GeoReplica", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000312", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000312" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "Preview", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.AADOnly", - "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.", + "DisplayName": "Azure.AppConfig.GeoReplica", + "Synopsis": "Consider replication for app configuration store to ensure resiliency to region outages.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1" }, - "Azure.BV.Immutable": { - "Name": "Azure.BV.Immutable", + "Azure.Storage.DefenderCloud.MalwareScan": { + "Name": "Azure.Storage.DefenderCloud.MalwareScan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000398", + "Value": "PSRule.Rules.Azure\\AZR-000384", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000398" + "Name": "AZR-000384" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2023_09", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.BV.Immutable", - "Synopsis": "Ensure immutability is configured to protect backup data.", + "DisplayName": "Azure.Storage.DefenderCloud.MalwareScan", + "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.SQLMI.Name": { - "Name": "Azure.SQLMI.Name", + "Azure.MySQL.DefenderCloud": { + "Name": "Azure.MySQL.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000194", + "Value": "PSRule.Rules.Azure\\AZR-000328", "Scope": 
"PSRule.Rules.Azure", - "Name": "AZR-000194" + "Name": "AZR-000328" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQLMI.Name", - "Synopsis": "SQL Managed Instance names should meet naming requirements.", + "DisplayName": "Azure.MySQL.DefenderCloud", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.MySQL.FirewallIPRange": { - "Name": "Azure.MySQL.FirewallIPRange", + "Azure.APIM.APIDescriptors": { + "Name": "Azure.APIM.APIDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000135", + "Value": "PSRule.Rules.Azure\\AZR-000043", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000043" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "GA", + "RuleSet": "2020_09", + "Level": "Warning", + "Method": null, + "DisplayName": "Azure.APIM.APIDescriptors", + "Synopsis": "APIs should have descriptors set", + "Recommendation": null, + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" + }, + "Azure.ServiceBus.Usage": { + "Name": "Azure.ServiceBus.Usage", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000177", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000135" + "Name": "AZR-000177" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.FirewallIPRange", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses", + "DisplayName": "Azure.ServiceBus.Usage", + "Synopsis": "Regularly remove unused resources to reduce costs.", "Recommendation": null, "Pillar": null, - 
"Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1" }, - "Azure.APIM.MinAPIVersion": { - "Name": "Azure.APIM.MinAPIVersion", + "Azure.VMSS.ScriptExtensions": { + "Name": "Azure.VMSS.ScriptExtensions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000321", + "Value": "PSRule.Rules.Azure\\AZR-000333", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000321" + "Name": "AZR-000333" }, "Alias": [ null 
@@ -3185,39 +3344,41 @@ "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.MinAPIVersion", - "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.", + "DisplayName": "Azure.VMSS.ScriptExtensions", + "Synopsis": "Protect Custom Script Extensions commands", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.PrivateEndpoint.Name": { - "Name": "Azure.PrivateEndpoint.Name", + "Azure.Policy.Descriptors": { + "Name": "Azure.Policy.Descriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000153", + "Value": "PSRule.Rules.Azure\\AZR-000142", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000153" + "Name": "AZR-000142" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.PrivateEndpoint.Name", - "Synopsis": "Private Endpoint names should meet naming requirements.", + "DisplayName": "Azure.Policy.Descriptors", + "Synopsis": "Policy and initiative definitions require a display name, description, and category.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.ADX.DiskEncryption": { - "Name": "Azure.ADX.DiskEncryption", + "Azure.EventHub.Usage": { + "Name": "Azure.EventHub.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000013", + "Value": "PSRule.Rules.Azure\\AZR-000101", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000013" + "Name": "AZR-000101" }, "Alias": [ null 
@@ -3227,81 +3388,85 @@ "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.ADX.DiskEncryption", - "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.", + "DisplayName": "Azure.EventHub.Usage", + "Synopsis": "Regularly remove unused resources to reduce costs.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1" }, - "Azure.PublicIP.DNSLabel": { - "Name": "Azure.PublicIP.DNSLabel", + "Azure.AKS.AzurePolicyAddOn": { + "Name": "Azure.AKS.AzurePolicyAddOn", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000156", + "Value": "PSRule.Rules.Azure\\AZR-000028", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000156" + "Name": "AZR-000028" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.PublicIP.DNSLabel", - "Synopsis": "Use public IP DNS label naming requirements", + "DisplayName": "Azure.AKS.AzurePolicyAddOn", + "Synopsis": "AKS clusters should use Azure Policy add-on.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.AppConfig.GeoReplica": { - "Name": "Azure.AppConfig.GeoReplica", + "Azure.NSG.AKSRules": { + "Name": "Azure.NSG.AKSRules", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000312", + "Value": "PSRule.Rules.Azure\\AZR-000292", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000312" + "Name": "AZR-000292" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", + "Release": "GA", "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppConfig.GeoReplica", - "Synopsis": "Consider replication for app configuration store 
to ensure resiliency to region outages.", + "DisplayName": "Azure.NSG.AKSRules", + "Synopsis": "AKS Network Security Groups (NSG) shouldn't contain custom rules", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.yaml" }, - "Azure.SignalR.Name": { - "Name": "Azure.SignalR.Name", + "Azure.MySQL.MinTLS": { + "Name": "Azure.MySQL.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000180", + "Value": "PSRule.Rules.Azure\\AZR-000132", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000180" + "Name": "AZR-000132" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.SignalR.Name", - "Synopsis": "Use SignalR naming requirements", + "DisplayName": "Azure.MySQL.MinTLS", + "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.yaml" }, - "Azure.APIM.ProductApproval": { - "Name": "Azure.APIM.ProductApproval", + "Azure.Storage.BlobAccessType": { + "Name": "Azure.Storage.BlobAccessType", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000047", + "Value": "PSRule.Rules.Azure\\AZR-000199", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000047" + "Name": "AZR-000199" }, "Alias": [ null 
@@ -3311,165 +3476,151 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.ProductApproval", - "Synopsis": "Require approval for products", + "DisplayName": "Azure.Storage.BlobAccessType", + "Synopsis": "Use containers configured with a private access type that requires authorization.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Redis.MinSKU": { - "Name": "Azure.Redis.MinSKU", + "Azure.KeyVault.Name": { + "Name": "Azure.KeyVault.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000159", + "Value": "PSRule.Rules.Azure\\AZR-000120", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000159" + "Name": "AZR-000120" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.MinSKU", - "Synopsis": "Use Azure Cache for Redis instances of at least Standard C1.", + "DisplayName": "Azure.KeyVault.Name", + "Synopsis": "Key Vault names should meet naming requirements.", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.VM.Updates": { - "Name": "Azure.VM.Updates", + "Azure.MariaDB.DatabaseName": { + "Name": "Azure.MariaDB.DatabaseName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000247", + "Value": "PSRule.Rules.Azure\\AZR-000337", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000247" + "Name": "AZR-000337" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.Updates", - "Synopsis": "Ensure automatic updates are enabled at deployment", + "DisplayName": 
"Azure.MariaDB.DatabaseName", + "Synopsis": "Azure Database for MariaDB databases should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.Template.LocationType": { - "Name": "Azure.Template.LocationType", + "Azure.KeyVault.PurgeProtect": { + "Name": "Azure.KeyVault.PurgeProtect", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000221", + "Value": "PSRule.Rules.Azure\\AZR-000125", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000221" + "Name": "AZR-000125" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.LocationType", - "Synopsis": "Location parameters should use a string value.", + "DisplayName": "Azure.KeyVault.PurgeProtect", + "Synopsis": "Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.yaml" }, - "Azure.Search.Name": { - "Name": "Azure.Search.Name", + "Azure.Deployment.Name": { + "Name": "Azure.Deployment.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000176", + "Value": "PSRule.Rules.Azure\\AZR-000359", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000176" + "Name": "AZR-000359" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Search.Name", - "Synopsis": "Use Cognitive Search naming requirements.", + "DisplayName": "Azure.Deployment.Name", + "Synopsis": "Nested deployments should meet naming requirements of deployments.", "Recommendation": null, 
"Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.yaml" }, - "Azure.PostgreSQL.GeoRedundantBackup": { - "Name": "Azure.PostgreSQL.GeoRedundantBackup", + "Azure.RedisEnterprise.MinTLS": { + "Name": "Azure.RedisEnterprise.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000326", + "Value": "PSRule.Rules.Azure\\AZR-000301", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000326" + "Name": "AZR-000301" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.GeoRedundantBackup", - "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.", + "DisplayName": "Azure.RedisEnterprise.MinTLS", + "Synopsis": "Redis Cache Enterprise should reject TLS versions older than 1.2.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml" }, - "Azure.FrontDoor.UseCaching": { - "Name": "Azure.FrontDoor.UseCaching", + "Azure.PostgreSQL.ServerName": { + "Name": "Azure.PostgreSQL.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000320", + "Value": "PSRule.Rules.Azure\\AZR-000152", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000320" + "Name": "AZR-000152" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.UseCaching", - "Synopsis": "Use caching to reduce retrieving contents from origins.", + "DisplayName": "Azure.PostgreSQL.ServerName", + "Synopsis": "Azure SQL logical server names should meet naming requirements.", "Recommendation": null, "Pillar": null, - "Control": null - }, - 
"Azure.ContainerApp.Storage": { - "Name": "Azure.ContainerApp.Storage", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000364", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000364" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2023_03", - "Level": "Error", - "Method": null, - "DisplayName": "Azure.ContainerApp.Storage", - "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.", - "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.AppGw.MinSku": { - "Name": "Azure.AppGw.MinSku", + "Azure.ACR.Name": { + "Name": "Azure.ACR.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000062", + "Value": "PSRule.Rules.Azure\\AZR-000007", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000062" + "Name": "AZR-000007" }, "Alias": [ null 
@@ -3479,375 +3630,393 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.MinSku", - "Synopsis": "Application Gateway should use a minimum instance size of Medium.", + "DisplayName": "Azure.ACR.Name", + "Synopsis": "Container registry names should meet naming requirements.", "Recommendation": null, "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.LB.Probe": { - "Name": "Azure.LB.Probe", + "Azure.RSV.Name": { + "Name": "Azure.RSV.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000126", + "Value": "PSRule.Rules.Azure\\AZR-000350", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000126" + "Name": "AZR-000350" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.LB.Probe", - "Synopsis": "Use specific network probe", + "DisplayName": "Azure.RSV.Name", + "Synopsis": "Recovery Services vaults should meet naming requirements.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.yaml" }, - "Azure.AppGwWAF.Enabled": { - "Name": "Azure.AppGwWAF.Enabled", + "Azure.Redis.NonSslPort": { + "Name": "Azure.Redis.NonSslPort", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000309", + "Value": "PSRule.Rules.Azure\\AZR-000163", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000309" + "Name": "AZR-000163" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGwWAF.Enabled", - "Synopsis": "Application Gateways should use a WAF.", + "DisplayName": "Azure.Redis.NonSslPort", + "Synopsis": "Redis Cache should only accept 
secure connections.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.MariaDB.VNETRuleName": { - "Name": "Azure.MariaDB.VNETRuleName", + "Azure.Cognitive.PublicAccess": { + "Name": "Azure.Cognitive.PublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000339", + "Value": "PSRule.Rules.Azure\\AZR-000280", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000339" + "Name": "AZR-000280" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.VNETRuleName", - "Synopsis": "Azure Database for MariaDB VNET rules should meet naming requirements.", + "DisplayName": "Azure.Cognitive.PublicAccess", + "Synopsis": "Restrict access to Cognitive Services accounts to authorized virtual networks.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.Template.UseVariables": { - "Name": "Azure.Template.UseVariables", + "Azure.vWAN.Name": { + "Name": "Azure.vWAN.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000219", + "Value": "PSRule.Rules.Azure\\AZR-000276", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000219" + "Name": "AZR-000276" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.UseVariables", - "Synopsis": "ARM template variables should be used at least once.", + "DisplayName": "Azure.vWAN.Name", + "Synopsis": "Virtual WAN (vWAN) names should meet naming requirements.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational 
Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.vWAN.Rule.yaml" }, - "Azure.EventGrid.ManagedIdentity": { - "Name": "Azure.EventGrid.ManagedIdentity", + "Azure.SQL.ServerName": { + "Name": "Azure.SQL.ServerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000099", + "Value": "PSRule.Rules.Azure\\AZR-000190", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000099" + "Name": "AZR-000190" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.EventGrid.ManagedIdentity", - "Synopsis": "Use managed identities to deliver Event Grid Topic events.", + "DisplayName": "Azure.SQL.ServerName", + "Synopsis": "Azure SQL logical server names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.AppGw.WAFEnabled": { - "Name": "Azure.AppGw.WAFEnabled", + "Azure.VM.AMA": { + "Name": "Azure.VM.AMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000066", + "Value": "PSRule.Rules.Azure\\AZR-000345", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000066" + "Name": "AZR-000345" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.WAFEnabled", - "Synopsis": "Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.", + "DisplayName": "Azure.VM.AMA", + "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - 
"Azure.PostgreSQL.FirewallRuleCount": { - "Name": "Azure.PostgreSQL.FirewallRuleCount", + "Azure.Deployment.AdminUsername": { + "Name": "Azure.Deployment.AdminUsername", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000149", + "Value": "PSRule.Rules.Azure\\AZR-000284", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000149" + "Name": "AZR-000284" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.FirewallRuleCount", - "Synopsis": "Determine if there is an excessive number of firewall rules", + "DisplayName": "Azure.Deployment.AdminUsername", + "Synopsis": "Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string)", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.Cosmos.DisableMetadataWrite": { - "Name": "Azure.Cosmos.DisableMetadataWrite", + "Azure.Template.TemplateFile": { + "Name": "Azure.Template.TemplateFile", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000095", + "Value": "PSRule.Rules.Azure\\AZR-000212", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000095" + "Name": "AZR-000212" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cosmos.DisableMetadataWrite", - "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.", + "DisplayName": "Azure.Template.TemplateFile", + "Synopsis": "Use ARM template file structure.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - 
"Azure.Template.ParameterStrongType": { - "Name": "Azure.Template.ParameterStrongType", + "Azure.Template.ParameterValue": { + "Name": "Azure.Template.ParameterValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000227", + "Value": "PSRule.Rules.Azure\\AZR-000232", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000227" + "Name": "AZR-000232" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ParameterStrongType", - "Synopsis": "Set the parameter value to a value that matches the specified strong type.", + "DisplayName": "Azure.Template.ParameterValue", + "Synopsis": "Specify a value for each parameter in template parameter files.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.SQLMI.AADOnly": { - "Name": "Azure.SQLMI.AADOnly", + "Azure.ServiceBus.DisableLocalAuth": { + "Name": "Azure.ServiceBus.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000366", + "Value": "PSRule.Rules.Azure\\AZR-000178", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000366" + "Name": "AZR-000178" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQLMI.AADOnly", - "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.", + "DisplayName": "Azure.ServiceBus.DisableLocalAuth", + "Synopsis": "Authenticate Service Bus publishers and consumers with Azure AD identities.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.yaml" }, - "Azure.ADX.ManagedIdentity": { - "Name": "Azure.ADX.ManagedIdentity", 
+ "Azure.APIM.PolicyBase": { + "Name": "Azure.APIM.PolicyBase", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000012", + "Value": "PSRule.Rules.Azure\\AZR-000371", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000012" + "Name": "AZR-000371" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ADX.ManagedIdentity", - "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.", + "DisplayName": "Azure.APIM.PolicyBase", + "Synopsis": "Base element for any policy element in a section should be configured.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Defender.Containers": { - "Name": "Azure.Defender.Containers", + "Azure.ACR.ContentTrust": { + "Name": "Azure.ACR.ContentTrust", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000290", + "Value": "PSRule.Rules.Azure\\AZR-000009", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000290" + "Name": "AZR-000009" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Containers", - "Synopsis": "Enable Microsoft Defender for Containers.", + "DisplayName": "Azure.ACR.ContentTrust", + "Synopsis": "Use container images signed by a trusted image publisher.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.MySQL.DefenderCloud": { - "Name": "Azure.MySQL.DefenderCloud", + "Azure.AKS.AvailabilityZone": { + "Name": "Azure.AKS.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000328", + "Value": 
"PSRule.Rules.Azure\\AZR-000021", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000328" + "Name": "AZR-000021" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.DefenderCloud", - "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for MySQL.", + "DisplayName": "Azure.AKS.AvailabilityZone", + "Synopsis": "AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.Automation.EncryptVariables": { - "Name": "Azure.Automation.EncryptVariables", + "Azure.AppConfig.Name": { + "Name": "Azure.AppConfig.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000086", + "Value": "PSRule.Rules.Azure\\AZR-000058", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000086" + "Name": "AZR-000058" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Automation.EncryptVariables", - "Synopsis": "Ensure variables are encrypted", + "DisplayName": "Azure.AppConfig.Name", + "Synopsis": "App Configuration store names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml" }, - "Azure.AKS.LocalAccounts": { - "Name": "Azure.AKS.LocalAccounts", + "Azure.ContainerApp.PublicAccess": { + "Name": "Azure.ContainerApp.PublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000031", + "Value": "PSRule.Rules.Azure\\AZR-000363", "Scope": 
"PSRule.Rules.Azure", - "Name": "AZR-000031" + "Name": "AZR-000363" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2021_06", + "Release": "GA", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.LocalAccounts", - "Synopsis": "Enforce named user accounts with RBAC assigned permissions.", + "DisplayName": "Azure.ContainerApp.PublicAccess", + "Synopsis": "Ensure public network access for Container Apps environment is disabled.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Storage.SecureTransfer": { - "Name": "Azure.Storage.SecureTransfer", + "Azure.MariaDB.FirewallRuleCount": { + "Name": "Azure.MariaDB.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000196", + "Value": "PSRule.Rules.Azure\\AZR-000343", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000196" + "Name": "AZR-000343" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.SecureTransfer", - "Synopsis": "Storage accounts should only accept encrypted connections.", + "DisplayName": "Azure.MariaDB.FirewallRuleCount", + "Synopsis": "Determine if there is an excessive number of firewall rules.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.AppConfig.Name": { - "Name": "Azure.AppConfig.Name", + "Azure.CDN.EndpointName": { + "Name": "Azure.CDN.EndpointName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000058", + "Value": "PSRule.Rules.Azure\\AZR-000091", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000058" + "Name": "AZR-000091" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - 
"RuleSet": "2020_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppConfig.Name", - "Synopsis": "App Configuration store names should meet naming requirements.", + "DisplayName": "Azure.CDN.EndpointName", + "Synopsis": "Use CDN endpoint naming requirements", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1" }, - "Azure.APIM.EncryptValues": { - "Name": "Azure.APIM.EncryptValues", + "Azure.Storage.DefenderCloud": { + "Name": "Azure.Storage.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000045", + "Value": "PSRule.Rules.Azure\\AZR-000386", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000045" + "Name": "AZR-000386" }, "Alias": [ null 
@@ -3857,32 +4026,34 @@ "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.EncryptValues", - "Synopsis": "Encrypt all API Management named values with Key Vault secrets.", + "DisplayName": "Azure.Storage.DefenderCloud", + "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Policy.WaiverExpiry": { - "Name": "Azure.Policy.WaiverExpiry", + "Azure.Defender.Servers": { + "Name": "Azure.Defender.Servers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000146", + "Value": "PSRule.Rules.Azure\\AZR-000293", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000146" + "Name": "AZR-000293" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Policy.WaiverExpiry", - "Synopsis": "Policy exceptions must be less then 2 years.", + "DisplayName": "Azure.Defender.Servers", + "Synopsis": "Consider enabling Defender for Servers", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, "Azure.FrontDoor.WAF.Name": { "Name": "Azure.FrontDoor.WAF.Name", 
@@ -3903,77 +4074,81 @@ "Synopsis": "Use Front Door WAF naming requirements", "Recommendation": null, "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.ContainerApp.PublicAccess": { - "Name": "Azure.ContainerApp.PublicAccess", + "Azure.PublicIP.AvailabilityZone": { + "Name": "Azure.PublicIP.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000363", + "Value": "PSRule.Rules.Azure\\AZR-000157", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000363" + "Name": "AZR-000157" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.PublicAccess", - "Synopsis": "Ensure public network access for Container Apps environment is disabled.", + "DisplayName": "Azure.PublicIP.AvailabilityZone", + "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.Defender.Storage.SensitiveData": { - "Name": "Azure.Defender.Storage.SensitiveData", + "Azure.AKS.ManagedAAD": { + "Name": "Azure.AKS.ManagedAAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000385", + "Value": "PSRule.Rules.Azure\\AZR-000029", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000385" + "Name": "AZR-000029" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Storage.SensitiveData", - "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", + 
"DisplayName": "Azure.AKS.ManagedAAD", + "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.EventGrid.DisableLocalAuth": { - "Name": "Azure.EventGrid.DisableLocalAuth", + "Azure.RSV.ReplicationAlert": { + "Name": "Azure.RSV.ReplicationAlert", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000100", + "Value": "PSRule.Rules.Azure\\AZR-000171", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000100" + "Name": "AZR-000171" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.EventGrid.DisableLocalAuth", - "Synopsis": "Authenticate publishing clients with Azure AD identities.", + "DisplayName": "Azure.RSV.ReplicationAlert", + "Synopsis": "Recovery Services Vault (RSV) without a replication alert may be at risk.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.RSV.Rule.ps1" }, - "Azure.VMSS.ComputerName": { - "Name": "Azure.VMSS.ComputerName", + "Azure.RBAC.UseRGDelegation": { + "Name": "Azure.RBAC.UseRGDelegation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000262", + "Value": "PSRule.Rules.Azure\\AZR-000207", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000262" + "Name": "AZR-000207" }, "Alias": [ null 
@@ -3983,148 +4158,151 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VMSS.ComputerName", - "Synopsis": "Use VM naming requirements", + "DisplayName": "Azure.RBAC.UseRGDelegation", + "Synopsis": "Use RBAC assignments on resource groups instead of individual resources", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.NSG.AKSRules": { - "Name": "Azure.NSG.AKSRules", + "Azure.Policy.AssignmentAssignedBy": { + "Name": "Azure.Policy.AssignmentAssignedBy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000292", + "Value": "PSRule.Rules.Azure\\AZR-000144", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000292" + "Name": "AZR-000144" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.NSG.AKSRules", - "Synopsis": "AKS Network Security Groups (NSG) shouldn't contain custom rules", + "DisplayName": "Azure.Policy.AssignmentAssignedBy", + "Synopsis": "Policy assignments require assignedBy metadata.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.FrontDoor.MinTLS": { - "Name": "Azure.FrontDoor.MinTLS", + "Azure.Defender.SQLOnVM": { + "Name": "Azure.Defender.SQLOnVM", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000106", + "Value": "PSRule.Rules.Azure\\AZR-000297", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000106" + "Name": "AZR-000297" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.MinTLS", - "Synopsis": "Front Door should reject TLS versions older than 1.2.", + 
"DisplayName": "Azure.Defender.SQLOnVM", + "Synopsis": "Enable Microsoft Defender for SQL servers on machines.", "Recommendation": null, "Pillar": "Security", - "Control": "DP-3" + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.DefenderCloud.Provisioning": { - "Name": "Azure.DefenderCloud.Provisioning", + "Azure.AppGw.UseWAF": { + "Name": "Azure.AppGw.UseWAF", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000210", + "Value": "PSRule.Rules.Azure\\AZR-000063", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000210" + "Name": "AZR-000063" }, "Alias": [ - { - "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Provisioning", - "Scope": "PSRule.Rules.Azure", - "Name": "Azure.SecurityCenter.Provisioning" - } + null ], "Flags": 0, "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.DefenderCloud.Provisioning", - "Synopsis": "Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights", + "DisplayName": "Azure.AppGw.UseWAF", + "Synopsis": "Internet accessible Application Gateways should use protect endpoints with WAF.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.VM.ScriptExtensions": { - "Name": "Azure.VM.ScriptExtensions", + "Azure.Template.TemplateSchema": { + "Name": "Azure.Template.TemplateSchema", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000332", + "Value": "PSRule.Rules.Azure\\AZR-000213", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000332" + "Name": "AZR-000213" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.ScriptExtensions", - "Synopsis": "Protect Custom Script Extensions commands", + "DisplayName": 
"Azure.Template.TemplateSchema", + "Synopsis": "Use a more recent version of the Azure template schema.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.APIM.ProductTerms": { - "Name": "Azure.APIM.ProductTerms", + "Azure.AppGwWAF.PreventionMode": { + "Name": "Azure.AppGwWAF.PreventionMode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000050", + "Value": "PSRule.Rules.Azure\\AZR-000302", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000050" + "Name": "AZR-000302" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.ProductTerms", - "Synopsis": "Use product terms", + "DisplayName": "Azure.AppGwWAF.PreventionMode", + "Synopsis": "Application Gateways WAF should be in prevention mode.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.CDN.EndpointName": { - "Name": "Azure.CDN.EndpointName", + "Azure.ACR.ImageHealth": { + "Name": "Azure.ACR.ImageHealth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000091", + "Value": "PSRule.Rules.Azure\\AZR-000003", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000091" + "Name": "AZR-000003" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_12", "Level": "Error", - "Method": null, - "DisplayName": "Azure.CDN.EndpointName", - "Synopsis": "Use CDN endpoint naming requirements", + "Method": "in-flight", + "DisplayName": "Azure.ACR.ImageHealth", + "Synopsis": "Consider removing vulnerable container images.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.NSG.Name": { - "Name": "Azure.NSG.Name", + "Azure.PostgreSQL.FirewallIPRange": { + "Name": "Azure.PostgreSQL.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000141", + "Value": "PSRule.Rules.Azure\\AZR-000151", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000141" + "Name": "AZR-000151" }, "Alias": [ null 
@@ -4134,60 +4312,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.NSG.Name", - "Synopsis": "Network Security Group (NSG) names should meet naming requirements.", + "DisplayName": "Azure.PostgreSQL.FirewallIPRange", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.Deployment.Name": { - "Name": "Azure.Deployment.Name", + "Azure.MySQL.AADOnly": { + "Name": "Azure.MySQL.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000359", + "Value": "PSRule.Rules.Azure\\AZR-000394", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000359" + "Name": "AZR-000394" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Deployment.Name", - "Synopsis": "Nested deployments should meet naming requirements of deployments.", + "DisplayName": "Azure.MySQL.AADOnly", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.VNET.LocalDNS": { - "Name": "Azure.VNET.LocalDNS", + "Azure.SQLMI.AAD": { + "Name": "Azure.SQLMI.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000265", + "Value": "PSRule.Rules.Azure\\AZR-000368", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000265" + "Name": "AZR-000368" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.LocalDNS", - "Synopsis": "Virtual networks (VNETs) should 
use Azure local DNS servers.", + "DisplayName": "Azure.SQLMI.AAD", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instances.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1" }, - "Azure.VM.UseHybridUseBenefit": { - "Name": "Azure.VM.UseHybridUseBenefit", + "Azure.AKS.ManagedIdentity": { + "Name": "Azure.AKS.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000243", + "Value": "PSRule.Rules.Azure\\AZR-000025", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000243" + "Name": "AZR-000025" }, "Alias": [ null 
@@ -4197,186 +4378,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.UseHybridUseBenefit", - "Synopsis": "Use Hybrid Use Benefit", - "Recommendation": null, - "Pillar": null, - "Control": null - }, - "Azure.Template.MetadataLink": { - "Name": "Azure.Template.MetadataLink", - "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000231", - "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000231" - }, - "Alias": [ - null - ], - "Flags": 0, - "Release": "GA", - "RuleSet": "2021_09", - "Level": "Error", - "Method": null, - "DisplayName": "Azure.Template.MetadataLink", - "Synopsis": "Configure a metadata link for each parameter file.", + "DisplayName": "Azure.AKS.ManagedIdentity", + "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.VM.PromoSku": { - "Name": "Azure.VM.PromoSku", + "Azure.Search.ManagedIdentity": { + "Name": "Azure.Search.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000240", + "Value": "PSRule.Rules.Azure\\AZR-000175", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000240" + "Name": "AZR-000175" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.PromoSku", - "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.", + "DisplayName": "Azure.Search.ManagedIdentity", + "Synopsis": "Configure managed identities to access Azure resources.", "Recommendation": null, - "Pillar": "Cost Optimization", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.VNG.VPNActiveActive": { - 
"Name": "Azure.VNG.VPNActiveActive", + "Azure.PostgreSQL.MinTLS": { + "Name": "Azure.PostgreSQL.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000270", + "Value": "PSRule.Rules.Azure\\AZR-000148", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000270" + "Name": "AZR-000148" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.VPNActiveActive", - "Synopsis": "Use Active-Active configuration", + "DisplayName": "Azure.PostgreSQL.MinTLS", + "Synopsis": "PostgreSQL DB servers should reject TLS versions older than 1.2.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml" }, - "Azure.AppInsights.Workspace": { - "Name": "Azure.AppInsights.Workspace", + "Azure.ACR.Firewall": { + "Name": "Azure.ACR.Firewall", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000069", + "Value": "PSRule.Rules.Azure\\AZR-000402", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000069" + "Name": "AZR-000402" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppInsights.Workspace", - "Synopsis": "Configure Application Insights resources to store data in workspaces.", + "DisplayName": "Azure.ACR.Firewall", + "Synopsis": "Limit network access of container registries to only trusted clients.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.Deployment.SecureValue": { - "Name": "Azure.Deployment.SecureValue", + "Azure.Search.SKU": { + "Name": "Azure.Search.SKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000316", + "Value": 
"PSRule.Rules.Azure\\AZR-000172", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000316" + "Name": "AZR-000172" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Deployment.SecureValue", - "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.", + "DisplayName": "Azure.Search.SKU", + "Synopsis": "Use a minimum of a basic SKU.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.Defender.Api": { - "Name": "Azure.Defender.Api", + "Azure.SQL.MinTLS": { + "Name": "Azure.SQL.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000377", + "Value": "PSRule.Rules.Azure\\AZR-000189", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000377" + "Name": "AZR-000189" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Api", - "Synopsis": "Enable Microsoft Defender for APIs.", + "DisplayName": "Azure.SQL.MinTLS", + "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.yaml" }, - "Azure.Template.TemplateScheme": { - "Name": "Azure.Template.TemplateScheme", + "Azure.Template.DefineParameters": { + "Name": "Azure.Template.DefineParameters", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000214", + "Value": "PSRule.Rules.Azure\\AZR-000218", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000214" + "Name": "AZR-000218" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - 
"RuleSet": "2021_09", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.TemplateScheme", - "Synopsis": "Use a Azure template schema with the https scheme.", + "DisplayName": "Azure.Template.DefineParameters", + "Synopsis": "Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.RSV.StorageType": { - "Name": "Azure.RSV.StorageType", + "Azure.Automation.EncryptVariables": { + "Name": "Azure.Automation.EncryptVariables", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000170", + "Value": "PSRule.Rules.Azure\\AZR-000086", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000170" + "Name": "AZR-000086" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.RSV.StorageType", - "Synopsis": "Recovery Services Vault (RSV) not using geo-replicated storage (GRS) may be at risk.", + "DisplayName": "Azure.Automation.EncryptVariables", + "Synopsis": "Ensure variables are encrypted", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.VNET.Name": { - "Name": "Azure.VNET.Name", + "Azure.AppGw.SSLPolicy": { + "Name": "Azure.AppGw.SSLPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000268", + "Value": "PSRule.Rules.Azure\\AZR-000064", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000268" + "Name": "AZR-000064" }, "Alias": [ null 
@@ -4386,81 +4554,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.Name", - "Synopsis": "Virtual Network (VNET) names should meet naming requirements.", + "DisplayName": "Azure.AppGw.SSLPolicy", + "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.SQL.AAD": { - "Name": "Azure.SQL.AAD", + "Azure.Defender.Arm": { + "Name": "Azure.Defender.Arm", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000188", + "Value": "PSRule.Rules.Azure\\AZR-000354", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000188" + "Name": "AZR-000354" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.AAD", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL databases.", + "DisplayName": "Azure.Defender.Arm", + "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.VNET.FirewallSubnet": { - "Name": "Azure.VNET.FirewallSubnet", + "Azure.AppService.WebProbe": { + "Name": "Azure.AppService.WebProbe", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000322", + "Value": "PSRule.Rules.Azure\\AZR-000079", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000322" + "Name": "AZR-000079" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.FirewallSubnet", - "Synopsis": "Use Azure Firewall to filter network traffic to and from 
Azure resources.", + "DisplayName": "Azure.AppService.WebProbe", + "Synopsis": "Configure and enable instance health probes.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.FrontDoor.ProbeMethod": { - "Name": "Azure.FrontDoor.ProbeMethod", + "Azure.SQL.AADOnly": { + "Name": "Azure.SQL.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000109", + "Value": "PSRule.Rules.Azure\\AZR-000369", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000109" + "Name": "AZR-000369" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.ProbeMethod", - "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.", + "DisplayName": "Azure.SQL.AADOnly", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Database.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.VM.ADE": { - "Name": "Azure.VM.ADE", + "Azure.Firewall.Mode": { + "Name": "Azure.Firewall.Mode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000252", + "Value": "PSRule.Rules.Azure\\AZR-000105", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000252" + "Name": "AZR-000105" }, "Alias": [ null 
@@ -4470,39 +4642,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.ADE", - "Synopsis": "Use Azure Disk Encryption", + "DisplayName": "Azure.Firewall.Mode", + "Synopsis": "Deny high confidence malicious IP addresses and domains.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.VNG.Name": { - "Name": "Azure.VNG.Name", + "Azure.FrontDoor.ProbeMethod": { + "Name": "Azure.FrontDoor.ProbeMethod", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000274", + "Value": "PSRule.Rules.Azure\\AZR-000109", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000274" + "Name": "AZR-000109" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.Name", - "Synopsis": "Virtual Network Gateway (VNG) names should meet naming requirements.", + "DisplayName": "Azure.FrontDoor.ProbeMethod", + "Synopsis": "Configure health probes to use HEAD requests to reduce performance overhead.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.MariaDB.AllowAzureAccess": { - "Name": "Azure.MariaDB.AllowAzureAccess", + "Azure.PostgreSQL.DefenderCloud": { + "Name": "Azure.PostgreSQL.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000342", + "Value": "PSRule.Rules.Azure\\AZR-000327", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000342" + "Name": "AZR-000327" }, "Alias": [ null 
@@ -4512,144 +4686,151 @@ "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.AllowAzureAccess", - "Synopsis": "Determine if access from Azure services is required.", + "DisplayName": "Azure.PostgreSQL.DefenderCloud", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.APIM.HTTPBackend": { - "Name": "Azure.APIM.HTTPBackend", + "Azure.AKS.DefenderProfile": { + "Name": "Azure.AKS.DefenderProfile", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000044", + "Value": "PSRule.Rules.Azure\\AZR-000370", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000044" + "Name": "AZR-000370" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.HTTPBackend", - "Synopsis": "Use HTTPS for communication to backend services.", + "DisplayName": "Azure.AKS.DefenderProfile", + "Synopsis": "Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.APIM.DefenderCloud": { - "Name": "Azure.APIM.DefenderCloud", + "Azure.AppService.PHPVersion": { + "Name": "Azure.AppService.PHPVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000387", + "Value": "PSRule.Rules.Azure\\AZR-000076", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000387" + "Name": "AZR-000076" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.DefenderCloud", - 
"Synopsis": "APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.", + "DisplayName": "Azure.AppService.PHPVersion", + "Synopsis": "Configure applications to use newer PHP runtime versions.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.Defender.KeyVault": { - "Name": "Azure.Defender.KeyVault", + "Azure.MySQL.FirewallRuleCount": { + "Name": "Azure.MySQL.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000352", + "Value": "PSRule.Rules.Azure\\AZR-000133", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000352" + "Name": "AZR-000133" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.KeyVault", - "Synopsis": "Enable Microsoft Defender for Key Vault.", + "DisplayName": "Azure.MySQL.FirewallRuleCount", + "Synopsis": "Determine if there is an excessive number of firewall rules", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.RedisEnterprise.Zones": { - "Name": "Azure.RedisEnterprise.Zones", + "Azure.APIM.ProductApproval": { + "Name": "Azure.APIM.ProductApproval", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000162", + "Value": "PSRule.Rules.Azure\\AZR-000047", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000162" + "Name": "AZR-000047" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.RedisEnterprise.Zones", - "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.", + "DisplayName": "Azure.APIM.ProductApproval", + 
"Synopsis": "Require approval for products", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Firewall.PolicyMode": { - "Name": "Azure.Firewall.PolicyMode", + "Azure.CDN.MinTLS": { + "Name": "Azure.CDN.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000399", + "Value": "PSRule.Rules.Azure\\AZR-000092", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000399" + "Name": "AZR-000092" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Firewall.PolicyMode", - "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.", + "DisplayName": "Azure.CDN.MinTLS", + "Synopsis": "Consider configuring the minimum supported TLS version to be 1.2.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": "DP-3", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1" }, - "Azure.APIM.CORSPolicy": { - "Name": "Azure.APIM.CORSPolicy", + "Azure.APIM.EncryptValues": { + "Name": "Azure.APIM.EncryptValues", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000365", + "Value": "PSRule.Rules.Azure\\AZR-000045", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000365" + "Name": "AZR-000045" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.CORSPolicy", - "Synopsis": "Wildcard * for any configuration option in CORS policies settings should not be used.", + "DisplayName": "Azure.APIM.EncryptValues", + "Synopsis": "Encrypt all API Management named values with Key Vault secrets.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.VNG.VPNLegacySKU": { - "Name": "Azure.VNG.VPNLegacySKU", + "Azure.Storage.Name": { + "Name": "Azure.Storage.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000269", + "Value": "PSRule.Rules.Azure\\AZR-000201", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000269" + "Name": "AZR-000201" }, "Alias": [ null 
@@ -4659,123 +4840,129 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.VPNLegacySKU", - "Synopsis": "Migrate from legacy VPN gateway SKUs", + "DisplayName": "Azure.Storage.Name", + "Synopsis": "Use Storage naming requirements", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.KeyVault.SecretName": { - "Name": "Azure.KeyVault.SecretName", + "Azure.Defender.Storage.MalwareScan": { + "Name": "Azure.Defender.Storage.MalwareScan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000121", + "Value": "PSRule.Rules.Azure\\AZR-000383", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000121" + "Name": "AZR-000383" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2021_03", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.SecretName", - "Synopsis": "Key Vault Secret names should meet naming requirements.", + "DisplayName": "Azure.Defender.Storage.MalwareScan", + "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1" }, - "Azure.APIM.ManagedIdentity": { - "Name": "Azure.APIM.ManagedIdentity", + "Azure.AKS.AuditLogs": { + "Name": "Azure.AKS.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000053", + "Value": "PSRule.Rules.Azure\\AZR-000022", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000053" + "Name": "AZR-000022" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.ManagedIdentity", - "Synopsis": "Consider 
configuring a managed identity for each API Management instance.", + "DisplayName": "Azure.AKS.AuditLogs", + "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AppConfig.PurgeProtect": { - "Name": "Azure.AppConfig.PurgeProtect", + "Azure.AppService.HTTP2": { + "Name": "Azure.AppService.HTTP2", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000313", + "Value": "PSRule.Rules.Azure\\AZR-000078", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000313" + "Name": "AZR-000078" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppConfig.PurgeProtect", - "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.", + "DisplayName": "Azure.AppService.HTTP2", + "Synopsis": "Use HTTP/2 for App Service apps.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.PostgreSQL.AAD": { - "Name": "Azure.PostgreSQL.AAD", + "Azure.PrivateEndpoint.Name": { + "Name": "Azure.PrivateEndpoint.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000389", + "Value": "PSRule.Rules.Azure\\AZR-000153", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000389" + "Name": "AZR-000153" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.AAD", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL 
databases.", + "DisplayName": "Azure.PrivateEndpoint.Name", + "Synopsis": "Private Endpoint names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PrivateEndpoint.Rule.yaml" }, - "Azure.RSV.ReplicationAlert": { - "Name": "Azure.RSV.ReplicationAlert", + "Azure.BV.Immutable": { + "Name": "Azure.BV.Immutable", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000171", + "Value": "PSRule.Rules.Azure\\AZR-000398", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000171" + "Name": "AZR-000398" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.RSV.ReplicationAlert", - "Synopsis": "Recovery Services Vault (RSV) without a replication alert may be at risk.", + "DisplayName": "Azure.BV.Immutable", + "Synopsis": "Ensure immutability is configured to protect backup data.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml" }, - "Azure.VM.Agent": { - "Name": "Azure.VM.Agent", + "Azure.Automation.WebHookExpiry": { + "Name": "Azure.Automation.WebHookExpiry", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000246", + "Value": "PSRule.Rules.Azure\\AZR-000087", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000246" + "Name": "AZR-000087" }, "Alias": [ null 
@@ -4785,39 +4972,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.Agent", - "Synopsis": "Ensure that the VM agent is provisioned automatically", + "DisplayName": "Azure.Automation.WebHookExpiry", + "Synopsis": "Ensure webhook expiry is not longer than one year", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.ACR.SoftDelete": { - "Name": "Azure.ACR.SoftDelete", + "Azure.Template.TemplateScheme": { + "Name": "Azure.Template.TemplateScheme", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000310", + "Value": "PSRule.Rules.Azure\\AZR-000214", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000310" + "Name": "AZR-000214" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2022_09", + "Release": "GA", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.SoftDelete", - "Synopsis": "Azure Container Registries should have soft delete policy enabled.", + "DisplayName": "Azure.Template.TemplateScheme", + "Synopsis": "Use a Azure template schema with the https scheme.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.MySQL.UseSSL": { - "Name": "Azure.MySQL.UseSSL", + "Azure.SQL.FirewallRuleCount": { + "Name": "Azure.SQL.FirewallRuleCount", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000131", + "Value": "PSRule.Rules.Azure\\AZR-000183", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000131" + "Name": "AZR-000183" }, "Alias": [ null 
@@ -4827,39 +5016,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.UseSSL", - "Synopsis": "Enforce encrypted MySQL connections.", + "DisplayName": "Azure.SQL.FirewallRuleCount", + "Synopsis": "Determine if there is an excessive number of firewall rules", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.VNG.ConnectionName": { - "Name": "Azure.VNG.ConnectionName", + "Azure.VMSS.PublicKey": { + "Name": "Azure.VMSS.PublicKey", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000275", + "Value": "PSRule.Rules.Azure\\AZR-000288", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000275" + "Name": "AZR-000288" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.ConnectionName", - "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.", + "DisplayName": "Azure.VMSS.PublicKey", + "Synopsis": "Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.AppGw.SSLPolicy": { - "Name": "Azure.AppGw.SSLPolicy", + "Azure.VM.DiskAttached": { + "Name": "Azure.VM.DiskAttached", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000064", + "Value": "PSRule.Rules.Azure\\AZR-000250", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000064" + "Name": "AZR-000250" }, "Alias": [ null 
@@ -4869,18 +5060,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.SSLPolicy", - "Synopsis": "Application Gateway should only accept a minimum of TLS 1.2.", + "DisplayName": "Azure.VM.DiskAttached", + "Synopsis": "Managed disks should be attached to virtual machines", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VM.NICAttached": { - "Name": "Azure.VM.NICAttached", + "Azure.SQL.AAD": { + "Name": "Azure.SQL.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000257", + "Value": "PSRule.Rules.Azure\\AZR-000188", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000257" + "Name": "AZR-000188" }, "Alias": [ null 
@@ -4890,60 +5082,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.NICAttached", - "Synopsis": "Network interfaces (NICs) should be attached.", + "DisplayName": "Azure.SQL.AAD", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL databases.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.AKS.ManagedAAD": { - "Name": "Azure.AKS.ManagedAAD", + "Azure.ACR.AnonymousAccess": { + "Name": "Azure.ACR.AnonymousAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000029", + "Value": "PSRule.Rules.Azure\\AZR-000401", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000029" + "Name": "AZR-000401" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2021_06", + "Release": "preview", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.ManagedAAD", - "Synopsis": "Use AKS-managed Azure AD to simplify authorization and improve security.", + "DisplayName": "Azure.ACR.AnonymousAccess", + "Synopsis": "Disable anonymous pull access.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.Redis.NonSslPort": { - "Name": "Azure.Redis.NonSslPort", + "Azure.AKS.CNISubnetSize": { + "Name": "Azure.AKS.CNISubnetSize", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000163", + "Value": "PSRule.Rules.Azure\\AZR-000020", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000163" + "Name": "AZR-000020" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.NonSslPort", - "Synopsis": "Redis Cache should only accept secure connections.", + "DisplayName": 
"Azure.AKS.CNISubnetSize", + "Synopsis": "AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.Template.TemplateFile": { - "Name": "Azure.Template.TemplateFile", + "Azure.KeyVault.Logs": { + "Name": "Azure.KeyVault.Logs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000212", + "Value": "PSRule.Rules.Azure\\AZR-000119", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000212" + "Name": "AZR-000119" }, "Alias": [ null 
@@ -4953,102 +5148,107 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.TemplateFile", - "Synopsis": "Use ARM template file structure.", + "DisplayName": "Azure.KeyVault.Logs", + "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.Defender.Storage.MalwareScan": { - "Name": "Azure.Defender.Storage.MalwareScan", + "Azure.Search.QuerySLA": { + "Name": "Azure.Search.QuerySLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000383", + "Value": "PSRule.Rules.Azure\\AZR-000173", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000383" + "Name": "AZR-000173" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Storage.MalwareScan", - "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", + "DisplayName": "Azure.Search.QuerySLA", + "Synopsis": "Use a minimum of 2 replicas to receive an SLA for index queries.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Search.Rule.ps1" }, - "Azure.SQL.TDE": { - "Name": "Azure.SQL.TDE", + "Azure.Storage.ContainerSoftDelete": { + "Name": "Azure.Storage.ContainerSoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000191", + "Value": "PSRule.Rules.Azure\\AZR-000289", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000191" + "Name": "AZR-000289" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.TDE", - "Synopsis": "Enable transparent 
data encryption", + "DisplayName": "Azure.Storage.ContainerSoftDelete", + "Synopsis": "Enable container soft delete on Storage Accounts.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.ACR.ImageHealth": { - "Name": "Azure.ACR.ImageHealth", + "Azure.Template.ParameterScheme": { + "Name": "Azure.Template.ParameterScheme", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000003", + "Value": "PSRule.Rules.Azure\\AZR-000230", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000003" + "Name": "AZR-000230" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_09", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Azure.ACR.ImageHealth", - "Synopsis": "Consider removing vulnerable container images.", + "Method": null, + "DisplayName": "Azure.Template.ParameterScheme", + "Synopsis": "Use a Azure template parameter schema with the https scheme.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.VMSS.AMA": { - "Name": "Azure.VMSS.AMA", + "Azure.AppGw.Prevention": { + "Name": "Azure.AppGw.Prevention", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000346", + "Value": "PSRule.Rules.Azure\\AZR-000065", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000346" + "Name": "AZR-000065" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VMSS.AMA", - "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", + "DisplayName": "Azure.AppGw.Prevention", + "Synopsis": "Internet exposed Application Gateways should use prevention mode to protect backend 
resources.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.AKS.AuditLogs": { - "Name": "Azure.AKS.AuditLogs", + "Azure.AppGw.AvailabilityZone": { + "Name": "Azure.AppGw.AvailabilityZone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000022", + "Value": "PSRule.Rules.Azure\\AZR-000060", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000022" + "Name": "AZR-000060" }, "Alias": [ null 
@@ -5058,81 +5258,85 @@ "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AuditLogs", - "Synopsis": "AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.", + "DisplayName": "Azure.AppGw.AvailabilityZone", + "Synopsis": "Application gateways deployed with should use availability zones in supported regions for high availability.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1" }, - "Azure.APIM.APIDescriptors": { - "Name": "Azure.APIM.APIDescriptors", + "Azure.AKS.StandardLB": { + "Name": "Azure.AKS.StandardLB", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000043", + "Value": "PSRule.Rules.Azure\\AZR-000026", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000043" + "Name": "AZR-000026" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", - "Level": "Warning", + "RuleSet": "2020_06", + "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.APIDescriptors", - "Synopsis": "APIs should have descriptors set", + "DisplayName": "Azure.AKS.StandardLB", + "Synopsis": "Use a Standard load-balancer with AKS clusters.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.Redis.PublicNetworkAccess": { - "Name": "Azure.Redis.PublicNetworkAccess", + "Azure.FrontDoorWAF.PreventionMode": { + "Name": "Azure.FrontDoorWAF.PreventionMode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000165", + "Value": "PSRule.Rules.Azure\\AZR-000306", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000165" + "Name": "AZR-000306" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + 
"RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.PublicNetworkAccess", - "Synopsis": "Redis cache should disable public network access.", + "DisplayName": "Azure.FrontDoorWAF.PreventionMode", + "Synopsis": "FrontDoor WAF should be in prevention mode.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.AKS.MinNodeCount": { - "Name": "Azure.AKS.MinNodeCount", + "Azure.ContainerApp.ExternalIngress": { + "Name": "Azure.ContainerApp.ExternalIngress", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000024", + "Value": "PSRule.Rules.Azure\\AZR-000362", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000024" + "Name": "AZR-000362" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.MinNodeCount", - "Synopsis": "AKS clusters should have minimum number of nodes for failover and updates", + "DisplayName": "Azure.ContainerApp.ExternalIngress", + "Synopsis": "Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.AppService.MinPlan": { - "Name": "Azure.AppService.MinPlan", + "Azure.VM.ADE": { + "Name": "Azure.VM.ADE", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000072", + "Value": "PSRule.Rules.Azure\\AZR-000252", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000072" + "Name": "AZR-000252" }, "Alias": [ null 
@@ -5142,39 +5346,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.MinPlan", - "Synopsis": "Use at least a Standard App Service Plan.", + "DisplayName": "Azure.VM.ADE", + "Synopsis": "Use Azure Disk Encryption", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Resource.AllowedRegions": { - "Name": "Azure.Resource.AllowedRegions", + "Azure.Cosmos.DisableMetadataWrite": { + "Name": "Azure.Cosmos.DisableMetadataWrite", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000167", + "Value": "PSRule.Rules.Azure\\AZR-000095", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000167" + "Name": "AZR-000095" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Resource.AllowedRegions", - "Synopsis": "Resources should be deployed to allowed regions.", + "DisplayName": "Azure.Cosmos.DisableMetadataWrite", + "Synopsis": "Use Azure AD identities for management place operations in Azure Cosmos DB.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml" }, - "Azure.AKS.PoolScaleSet": { - "Name": "Azure.AKS.PoolScaleSet", + "Azure.VM.DiskCaching": { + "Name": "Azure.VM.DiskCaching", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000017", + "Value": "PSRule.Rules.Azure\\AZR-000242", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000017" + "Name": "AZR-000242" }, "Alias": [ null 
@@ -5184,81 +5390,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.PoolScaleSet", - "Synopsis": "AKS node pools should use scale sets", + "DisplayName": "Azure.VM.DiskCaching", + "Synopsis": "Check disk caching is configured correctly for the workload", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AKS.AzureRBAC": { - "Name": "Azure.AKS.AzureRBAC", + "Azure.Template.ResourceLocation": { + "Name": "Azure.Template.ResourceLocation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000032", + "Value": "PSRule.Rules.Azure\\AZR-000222", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000032" + "Name": "AZR-000222" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AzureRBAC", - "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.", + "DisplayName": "Azure.Template.ResourceLocation", + "Synopsis": "Template resource location should be an expression or `global`.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Cognitive.DisableLocalAuth": { - "Name": "Azure.Cognitive.DisableLocalAuth", + "Azure.VM.ShouldNotBeStopped": { + "Name": "Azure.VM.ShouldNotBeStopped", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000282", + "Value": "PSRule.Rules.Azure\\AZR-000351", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000282" + "Name": "AZR-000351" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cognitive.DisableLocalAuth", - 
"Synopsis": "Authenticate requests to Cognitive Services with Azure AD identities.", + "DisplayName": "Azure.VM.ShouldNotBeStopped", + "Synopsis": "VMs should be deallocated instead of stopped.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.MySQL.ServerName": { - "Name": "Azure.MySQL.ServerName", + "Azure.ADX.DiskEncryption": { + "Name": "Azure.ADX.DiskEncryption", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000136", + "Value": "PSRule.Rules.Azure\\AZR-000013", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000136" + "Name": "AZR-000013" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.ServerName", - "Synopsis": "Azure SQL logical server names should meet naming requirements.", + "DisplayName": "Azure.ADX.DiskEncryption", + "Synopsis": "Use disk encryption for Azure Data Explorer (ADX) clusters.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml" }, - "Azure.TrafficManager.Endpoints": { - "Name": "Azure.TrafficManager.Endpoints", + "Azure.AKS.PoolScaleSet": { + "Name": "Azure.AKS.PoolScaleSet", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000236", + "Value": "PSRule.Rules.Azure\\AZR-000017", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000236" + "Name": "AZR-000017" }, "Alias": [ null 
@@ -5268,18 +5478,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.TrafficManager.Endpoints", - "Synopsis": "Traffic Manager should use at lest two enabled endpoints", + "DisplayName": "Azure.AKS.PoolScaleSet", + "Synopsis": "AKS node pools should use scale sets", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AKS.NetworkPolicy": { - "Name": "Azure.AKS.NetworkPolicy", + "Azure.AppService.ARRAffinity": { + "Name": "Azure.AppService.ARRAffinity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000027", + "Value": "PSRule.Rules.Azure\\AZR-000083", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000027" + "Name": "AZR-000083" }, "Alias": [ null 
@@ -5289,81 +5500,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.NetworkPolicy", - "Synopsis": "Deploy AKS clusters with Network Policies enabled.", + "DisplayName": "Azure.AppService.ARRAffinity", + "Synopsis": "Disable client affinity for stateless services.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.KeyVault.RBAC": { - "Name": "Azure.KeyVault.RBAC", + "Azure.AKS.AzureRBAC": { + "Name": "Azure.AKS.AzureRBAC", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000388", + "Value": "PSRule.Rules.Azure\\AZR-000032", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000388" + "Name": "AZR-000032" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", - "Level": "Warning", + "RuleSet": "2021_06", + "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.RBAC", - "Synopsis": "Key Vaults should use Azure RBAC as the authorization system for the data plane.", + "DisplayName": "Azure.AKS.AzureRBAC", + "Synopsis": "Use Azure RBAC for Kubernetes Authorization with AKS clusters.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.SQL.DBName": { - "Name": "Azure.SQL.DBName", + "Azure.VM.Agent": { + "Name": "Azure.VM.Agent", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000192", + "Value": "PSRule.Rules.Azure\\AZR-000246", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000192" + "Name": "AZR-000246" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.DBName", - "Synopsis": "Azure SQL Database names should meet naming requirements.", + 
"DisplayName": "Azure.VM.Agent", + "Synopsis": "Ensure that the VM agent is provisioned automatically", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.PublicIP.AvailabilityZone": { - "Name": "Azure.PublicIP.AvailabilityZone", + "Azure.PostgreSQL.GeoRedundantBackup": { + "Name": "Azure.PostgreSQL.GeoRedundantBackup", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000157", + "Value": "PSRule.Rules.Azure\\AZR-000326", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000157" + "Name": "AZR-000326" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.PublicIP.AvailabilityZone", - "Synopsis": "Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.", + "DisplayName": "Azure.PostgreSQL.GeoRedundantBackup", + "Synopsis": "Azure Database for PostgreSQL should store backups in a geo-redundant storage.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.Resource.UseTags": { - "Name": "Azure.Resource.UseTags", + "Azure.VM.UseManagedDisks": { + "Name": "Azure.VM.UseManagedDisks", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000166", + "Value": "PSRule.Rules.Azure\\AZR-000238", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000166" + "Name": "AZR-000238" }, "Alias": [ null 
@@ -5373,60 +5588,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Resource.UseTags", - "Synopsis": "Azure resources should be tagged using a standard convention.", + "DisplayName": "Azure.VM.UseManagedDisks", + "Synopsis": "Virtual machines should use managed disks", "Recommendation": null, - "Pillar": "Cost Optimization", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AKS.EphemeralOSDisk": { - "Name": "Azure.AKS.EphemeralOSDisk", + "Azure.APIM.MultiRegion": { + "Name": "Azure.APIM.MultiRegion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000287", + "Value": "PSRule.Rules.Azure\\AZR-000340", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000287" + "Name": "AZR-000340" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", - "Level": "Warning", + "RuleSet": "2022_12", + "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.EphemeralOSDisk", - "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.", + "DisplayName": "Azure.APIM.MultiRegion", + "Synopsis": "API Management instances should use multi-region deployment to improve service availability.", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.ResourceLocation": { - "Name": "Azure.Template.ResourceLocation", + "Azure.PostgreSQL.AADOnly": { + "Name": "Azure.PostgreSQL.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000222", + "Value": "PSRule.Rules.Azure\\AZR-000390", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000222" + "Name": "AZR-000390" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - 
"RuleSet": "2021_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ResourceLocation", - "Synopsis": "Template resource location should be an expression or `global`.", + "DisplayName": "Azure.PostgreSQL.AADOnly", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml" }, - "Azure.SQL.AllowAzureAccess": { - "Name": "Azure.SQL.AllowAzureAccess", + "Azure.CDN.HTTP": { + "Name": "Azure.CDN.HTTP", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000184", + "Value": "PSRule.Rules.Azure\\AZR-000093", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000184" + "Name": "AZR-000093" }, "Alias": [ null @@ -5436,11 +5654,12 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.AllowAzureAccess", - "Synopsis": "Determine if access from Azure services is required", + "DisplayName": "Azure.CDN.HTTP", + "Synopsis": "Enforce HTTPS for client connections.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml" }, "Azure.SQL.Auditing": { "Name": "Azure.SQL.Auditing", 
@@ -5461,56 +5680,59 @@ "Synopsis": "Enable auditing for Azure SQL logical server", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.APIM.SampleProducts": { - "Name": "Azure.APIM.SampleProducts", + "Azure.Defender.KeyVault": { + "Name": "Azure.Defender.KeyVault", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000048", + "Value": "PSRule.Rules.Azure\\AZR-000352", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000048" + "Name": "AZR-000352" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.SampleProducts", - "Synopsis": "Remove sample products", + "DisplayName": "Azure.Defender.KeyVault", + "Synopsis": "Enable Microsoft Defender for Key Vault.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.Storage.FileShareSoftDelete": { - "Name": "Azure.Storage.FileShareSoftDelete", + "Azure.FrontDoor.UseCaching": { + "Name": "Azure.FrontDoor.UseCaching", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000298", + "Value": "PSRule.Rules.Azure\\AZR-000320", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000298" + "Name": "AZR-000320" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.FileShareSoftDelete", - "Synopsis": "Enable soft delete on Storage Accounts file shares.", + "DisplayName": "Azure.FrontDoor.UseCaching", + "Synopsis": "Use caching to reduce retrieving contents from origins.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.ACR.Name": { - "Name": "Azure.ACR.Name", + "Azure.VM.UniqueDns": { + "Name": "Azure.VM.UniqueDns", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000007", + "Value": "PSRule.Rules.Azure\\AZR-000258", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000007" + "Name": "AZR-000258" }, "Alias": [ null @@ -5520,18 +5742,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.Name", - "Synopsis": "Container registry names should meet naming requirements.", + "DisplayName": "Azure.VM.UniqueDns", + "Synopsis": "Network interfaces (NICs) should inherit DNS from virtual networks.", "Recommendation": null, "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.AppGw.WAFRules": { - "Name": "Azure.AppGw.WAFRules", + "Azure.VM.PublicKey": { + "Name": "Azure.VM.PublicKey", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000068", + "Value": "PSRule.Rules.Azure\\AZR-000245", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000068" + "Name": "AZR-000245" }, "Alias": [ null 
@@ -5541,169 +5764,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.WAFRules", - "Synopsis": "Application Gateway Web Application Firewall (WAF) should have all rules enabled.", + "DisplayName": "Azure.VM.PublicKey", + "Synopsis": "Linux VMs should use public key pair", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AppService.ManagedIdentity": { - "Name": "Azure.AppService.ManagedIdentity", + "Azure.FrontDoorWAF.RuleGroups": { + "Name": "Azure.FrontDoorWAF.RuleGroups", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000082", + "Value": "PSRule.Rules.Azure\\AZR-000308", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000082" + "Name": "AZR-000308" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.ManagedIdentity", - "Synopsis": "Use a Managed Identities with Azure Service apps.", + "DisplayName": "Azure.FrontDoorWAF.RuleGroups", + "Synopsis": "FrontDoor WAF should have at least 2 Rule Groups. 
One for OWASP and one for Microsoft_BotManagerRuleSet.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.Automation.PlatformLogs": { - "Name": "Azure.Automation.PlatformLogs", + "Azure.APIM.Ciphers": { + "Name": "Azure.APIM.Ciphers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000089", + "Value": "PSRule.Rules.Azure\\AZR-000055", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000089" + "Name": "AZR-000055" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Automation.PlatformLogs", - "Synopsis": "Ensure automation account platform diagnostic logs are enabled.", + "DisplayName": "Azure.APIM.Ciphers", + "Synopsis": "API Management should not accept weak or deprecated ciphers.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.VMSS.ScriptExtensions": { - "Name": "Azure.VMSS.ScriptExtensions", + "Azure.RBAC.LimitOwner": { + "Name": "Azure.RBAC.LimitOwner", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000333", + "Value": "PSRule.Rules.Azure\\AZR-000204", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000333" + "Name": "AZR-000204" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VMSS.ScriptExtensions", - "Synopsis": "Protect Custom Script Extensions commands", + "DisplayName": "Azure.RBAC.LimitOwner", + "Synopsis": "Limit the number of subscription Owners", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.SQL.DefenderCloud": { - "Name": "Azure.SQL.DefenderCloud", + "Azure.VM.BasicSku": { + "Name": "Azure.VM.BasicSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000186", + "Value": "PSRule.Rules.Azure\\AZR-000241", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000186" + "Name": "AZR-000241" }, "Alias": [ - { - "Value": "PSRule.Rules.Azure\\Azure.SQL.ThreatDetection", - "Scope": "PSRule.Rules.Azure", - "Name": "Azure.SQL.ThreatDetection" - } + null ], "Flags": 0, "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.DefenderCloud", - "Synopsis": "Enable Microsoft Defender for Cloud for Azure SQL logical server", + "DisplayName": "Azure.VM.BasicSku", + "Synopsis": "Virtual machines (VMs) should not use Basic sizes.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.LB.Name": { - "Name": "Azure.LB.Name", + "Azure.VNG.VPNAvailabilityZoneSKU": { + "Name": "Azure.VNG.VPNAvailabilityZoneSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000129", + "Value": "PSRule.Rules.Azure\\AZR-000272", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000129" + "Name": "AZR-000272" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.LB.Name", - "Synopsis": "Application Security Group (ASG) names should meet naming requirements.", + "DisplayName": "Azure.VNG.VPNAvailabilityZoneSKU", + "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.Route.Name": { - "Name": "Azure.Route.Name", + "Azure.Storage.BlobPublicAccess": { + "Name": "Azure.Storage.BlobPublicAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000169", + "Value": "PSRule.Rules.Azure\\AZR-000198", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000169" + "Name": "AZR-000198" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Route.Name", - "Synopsis": "Route table names should meet naming requirements.", + "DisplayName": "Azure.Storage.BlobPublicAccess", + "Synopsis": "Disallow blob containers with public access types.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml" }, - "Azure.ACR.ContentTrust": { - "Name": "Azure.ACR.ContentTrust", + "Azure.VM.Updates": { + "Name": "Azure.VM.Updates", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000009", + "Value": "PSRule.Rules.Azure\\AZR-000247", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000009" + "Name": "AZR-000247" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.ContentTrust", - "Synopsis": "Use container images signed by a trusted image publisher.", + "DisplayName": "Azure.VM.Updates", + "Synopsis": "Ensure automatic updates are enabled at deployment", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VM.DiskCaching": { - "Name": "Azure.VM.DiskCaching", + "Azure.FrontDoor.UseWAF": { + "Name": "Azure.FrontDoor.UseWAF", "Ref": { - 
"Value": "PSRule.Rules.Azure\\AZR-000242", + "Value": "PSRule.Rules.Azure\\AZR-000111", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000242" + "Name": "AZR-000111" }, "Alias": [ null 
@@ -5713,102 +5940,107 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.DiskCaching", - "Synopsis": "Check disk caching is configured correctly for the workload", + "DisplayName": "Azure.FrontDoor.UseWAF", + "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": "NS-6", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1" }, - "Azure.FrontDoor.Name": { - "Name": "Azure.FrontDoor.Name", + "Azure.Policy.AssignmentDescriptors": { + "Name": "Azure.Policy.AssignmentDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000113", + "Value": "PSRule.Rules.Azure\\AZR-000143", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000113" + "Name": "AZR-000143" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.Name", - "Synopsis": "Use Front Door naming requirements", + "DisplayName": "Azure.Policy.AssignmentDescriptors", + "Synopsis": "Policy assignments require a display name and description.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Policy.Rule.ps1" }, - "Azure.VM.ASAlignment": { - "Name": "Azure.VM.ASAlignment", + "Azure.ContainerApp.DisableAffinity": { + "Name": "Azure.ContainerApp.DisableAffinity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000254", + "Value": "PSRule.Rules.Azure\\AZR-000378", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000254" + "Name": "AZR-000378" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": 
"Azure.VM.ASAlignment", - "Synopsis": "Use availability sets aligned with managed disks fault domains.", + "DisplayName": "Azure.ContainerApp.DisableAffinity", + "Synopsis": "Disable session affinity to prevent unbalanced distribution.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.NSG.AnyInboundSource": { - "Name": "Azure.NSG.AnyInboundSource", + "Azure.AKS.SecretStoreRotation": { + "Name": "Azure.AKS.SecretStoreRotation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000137", + "Value": "PSRule.Rules.Azure\\AZR-000034", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000137" + "Name": "AZR-000034" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.NSG.AnyInboundSource", - "Synopsis": "Network security groups should avoid any inbound rules", + "DisplayName": "Azure.AKS.SecretStoreRotation", + "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.Deployment.OuterSecret": { - "Name": "Azure.Deployment.OuterSecret", + "Azure.Template.ParameterMetadata": { + "Name": "Azure.Template.ParameterMetadata", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000331", + "Value": "PSRule.Rules.Azure\\AZR-000215", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000331" + "Name": "AZR-000215" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Deployment.OuterSecret", - "Synopsis": "Ensure Outer scope 
deployments aren't using SecureString or SecureObject Parameters", + "DisplayName": "Azure.Template.ParameterMetadata", + "Synopsis": "Use template parameter descriptions.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.KeyVault.AccessPolicy": { - "Name": "Azure.KeyVault.AccessPolicy", + "Azure.AppService.MinTLS": { + "Name": "Azure.AppService.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000118", + "Value": "PSRule.Rules.Azure\\AZR-000073", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000118" + "Name": "AZR-000073" }, "Alias": [ null @@ -5818,18 +6050,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.AccessPolicy", - "Synopsis": "Limit access to Key Vault data", + "DisplayName": "Azure.AppService.MinTLS", + "Synopsis": "App Service should reject TLS versions older than 1.2.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.APIM.ProductSubscription": { - "Name": "Azure.APIM.ProductSubscription", + "Azure.VM.ASName": { + "Name": "Azure.VM.ASName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000046", + "Value": "PSRule.Rules.Azure\\AZR-000256", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000046" + "Name": "AZR-000256" }, "Alias": [ null 
@@ -5839,39 +6072,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.ProductSubscription", - "Synopsis": "Require subscription for products", + "DisplayName": "Azure.VM.ASName", + "Synopsis": "Use Availability Set naming requirements", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VMSS.MigrateAMA": { - "Name": "Azure.VMSS.MigrateAMA", + "Azure.SQL.TDE": { + "Name": "Azure.SQL.TDE", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000318", + "Value": "PSRule.Rules.Azure\\AZR-000191", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000318" + "Name": "AZR-000191" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VMSS.MigrateAMA", - "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", + "DisplayName": "Azure.SQL.TDE", + "Synopsis": "Enable transparent data encryption", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.SQL.FirewallRuleCount": { - "Name": "Azure.SQL.FirewallRuleCount", + "Azure.VM.ASAlignment": { + "Name": "Azure.VM.ASAlignment", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000183", + "Value": "PSRule.Rules.Azure\\AZR-000254", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000183" + "Name": "AZR-000254" }, "Alias": [ null 
@@ -5881,123 +6116,129 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.FirewallRuleCount", - "Synopsis": "Determine if there is an excessive number of firewall rules", + "DisplayName": "Azure.VM.ASAlignment", + "Synopsis": "Use availability sets aligned with managed disks fault domains.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.Defender.Arm": { - "Name": "Azure.Defender.Arm", + "Azure.AppService.NETVersion": { + "Name": "Azure.AppService.NETVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000354", + "Value": "PSRule.Rules.Azure\\AZR-000075", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000354" + "Name": "AZR-000075" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Arm", - "Synopsis": "Enable Microsoft Defender for Azure Resource Manager (ARM).", + "DisplayName": "Azure.AppService.NETVersion", + "Synopsis": "Configure applications to use newer .NET Framework versions.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.SQL.ServerName": { - "Name": "Azure.SQL.ServerName", + "Azure.ACR.MinSku": { + "Name": "Azure.ACR.MinSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000190", + "Value": "PSRule.Rules.Azure\\AZR-000006", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000190" + "Name": "AZR-000006" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.ServerName", - "Synopsis": "Azure SQL logical server names should meet naming requirements.", + 
"DisplayName": "Azure.ACR.MinSku", + "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.VM.AcceleratedNetworking": { - "Name": "Azure.VM.AcceleratedNetworking", + "Azure.VMSS.AMA": { + "Name": "Azure.VMSS.AMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000244", + "Value": "PSRule.Rules.Azure\\AZR-000346", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000244" + "Name": "AZR-000346" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.AcceleratedNetworking", - "Synopsis": "Use accelerated networking for supported operating systems and VM types.", + "DisplayName": "Azure.VMSS.AMA", + "Synopsis": "Use Azure Monitor Agent for collecting monitoring data.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.PublicIP.Name": { - "Name": "Azure.PublicIP.Name", + "Azure.Arc.Server.MaintenanceConfig": { + "Name": "Azure.Arc.Server.MaintenanceConfig", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000155", + "Value": "PSRule.Rules.Azure\\AZR-000374", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000155" + "Name": "AZR-000374" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.PublicIP.Name", - "Synopsis": "Use public IP address naming requirements", + "DisplayName": "Azure.Arc.Server.MaintenanceConfig", + "Synopsis": "Use a maintenance configuration for Arc-enabled servers. 
", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1" }, - "Azure.RBAC.LimitMGDelegation": { - "Name": "Azure.RBAC.LimitMGDelegation", + "Azure.APIM.ProductDescriptors": { + "Name": "Azure.APIM.ProductDescriptors", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000205", + "Value": "PSRule.Rules.Azure\\AZR-000049", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000205" + "Name": "AZR-000049" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", - "Level": "Error", + "RuleSet": "2020_09", + "Level": "Warning", "Method": null, - "DisplayName": "Azure.RBAC.LimitMGDelegation", - "Synopsis": "Limit RBAC inheritance from Management Groups", + "DisplayName": "Azure.APIM.ProductDescriptors", + "Synopsis": "Products should have descriptors set", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.ParameterFile": { - "Name": "Azure.Template.ParameterFile", + "Azure.SQL.AllowAzureAccess": { + "Name": "Azure.SQL.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000229", + "Value": "PSRule.Rules.Azure\\AZR-000184", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000229" + "Name": "AZR-000184" }, "Alias": [ null 
@@ -6007,81 +6248,85 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ParameterFile", - "Synopsis": "Use ARM parameter file structure.", + "DisplayName": "Azure.SQL.AllowAzureAccess", + "Synopsis": "Determine if access from Azure services is required", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.Search.ManagedIdentity": { - "Name": "Azure.Search.ManagedIdentity", + "Azure.Cognitive.PrivateEndpoints": { + "Name": "Azure.Cognitive.PrivateEndpoints", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000175", + "Value": "PSRule.Rules.Azure\\AZR-000283", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000175" + "Name": "AZR-000283" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Search.ManagedIdentity", - "Synopsis": "Configure managed identities to access Azure resources.", + "DisplayName": "Azure.Cognitive.PrivateEndpoints", + "Synopsis": "Use Private Endpoints to access Cognitive Services accounts.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.PostgreSQL.ServerName": { - "Name": "Azure.PostgreSQL.ServerName", + "Azure.Template.DebugDeployment": { + "Name": "Azure.Template.DebugDeployment", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000152", + "Value": "PSRule.Rules.Azure\\AZR-000225", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000152" + "Name": "AZR-000225" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.ServerName", - "Synopsis": "Azure SQL logical server names should meet 
naming requirements.", + "DisplayName": "Azure.Template.DebugDeployment", + "Synopsis": "Use default deployment detail level for nested deployments.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.ServiceBus.DisableLocalAuth": { - "Name": "Azure.ServiceBus.DisableLocalAuth", + "Azure.LB.Probe": { + "Name": "Azure.LB.Probe", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000178", + "Value": "PSRule.Rules.Azure\\AZR-000126", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000178" + "Name": "AZR-000126" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ServiceBus.DisableLocalAuth", - "Synopsis": "Authenticate Service Bus publishers and consumers with Azure AD identities.", + "DisplayName": "Azure.LB.Probe", + "Synopsis": "Use specific network probe", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1" }, - "Azure.AppService.PlanInstanceCount": { - "Name": "Azure.AppService.PlanInstanceCount", + "Azure.NSG.AnyInboundSource": { + "Name": "Azure.NSG.AnyInboundSource", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000071", + "Value": "PSRule.Rules.Azure\\AZR-000137", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000071" + "Name": "AZR-000137" }, "Alias": [ null 
@@ -6091,207 +6336,217 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.PlanInstanceCount", - "Synopsis": "App Service Plan should use a minimum number of instances for failover.", + "DisplayName": "Azure.NSG.AnyInboundSource", + "Synopsis": "Network security groups should avoid any inbound rules", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.APIM.ProductDescriptors": { - "Name": "Azure.APIM.ProductDescriptors", + "Azure.PostgreSQL.AAD": { + "Name": "Azure.PostgreSQL.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000049", + "Value": "PSRule.Rules.Azure\\AZR-000389", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000049" + "Name": "AZR-000389" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", - "Level": "Warning", + "RuleSet": "2023_06", + "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.ProductDescriptors", - "Synopsis": "Products should have descriptors set", + "DisplayName": "Azure.PostgreSQL.AAD", + "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1" }, - "Azure.MySQL.AllowAzureAccess": { - "Name": "Azure.MySQL.AllowAzureAccess", + "Azure.VM.ScriptExtensions": { + "Name": "Azure.VM.ScriptExtensions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000134", + "Value": "PSRule.Rules.Azure\\AZR-000332", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000134" + "Name": "AZR-000332" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", 
"Method": null, - "DisplayName": "Azure.MySQL.AllowAzureAccess", - "Synopsis": "Determine if access from Azure services is required", + "DisplayName": "Azure.VM.ScriptExtensions", + "Synopsis": "Protect Custom Script Extensions commands", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.SQLMI.AAD": { - "Name": "Azure.SQLMI.AAD", + "Azure.SQL.FirewallIPRange": { + "Name": "Azure.SQL.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000368", + "Value": "PSRule.Rules.Azure\\AZR-000185", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000368" + "Name": "AZR-000185" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQLMI.AAD", - "Synopsis": "Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instances.", + "DisplayName": "Azure.SQL.FirewallIPRange", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.LB.StandardSKU": { - "Name": "Azure.LB.StandardSKU", + "Azure.ADX.Usage": { + "Name": "Azure.ADX.Usage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000128", + "Value": "PSRule.Rules.Azure\\AZR-000011", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000128" + "Name": "AZR-000011" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_03", "Level": "Error", - "Method": null, - "DisplayName": "Azure.LB.StandardSKU", - "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.", + "Method": "in-flight", + "DisplayName": "Azure.ADX.Usage", + "Synopsis": 
"Regularly remove unused resources to reduce costs.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.ps1" }, - "Azure.AKS.AutoUpgrade": { - "Name": "Azure.AKS.AutoUpgrade", + "Azure.VM.PromoSku": { + "Name": "Azure.VM.PromoSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000036", + "Value": "PSRule.Rules.Azure\\AZR-000240", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000036" + "Name": "AZR-000240" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AutoUpgrade", - "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.", + "DisplayName": "Azure.VM.PromoSku", + "Synopsis": "Virtual machines (VMs) should not use expired promotional SKU.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.Identity.UserAssignedName": { - "Name": "Azure.Identity.UserAssignedName", + "Azure.MariaDB.FirewallRuleName": { + "Name": "Azure.MariaDB.FirewallRuleName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000117", + "Value": "PSRule.Rules.Azure\\AZR-000338", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000117" + "Name": "AZR-000338" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Identity.UserAssignedName", - "Synopsis": "User Assigned Managed Identity names should meet naming requirements.", + "DisplayName": "Azure.MariaDB.FirewallRuleName", + "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.", "Recommendation": null, "Pillar": "Operational 
Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.VNET.PeerState": { - "Name": "Azure.VNET.PeerState", + "Azure.ContainerApp.Storage": { + "Name": "Azure.ContainerApp.Storage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000266", + "Value": "PSRule.Rules.Azure\\AZR-000364", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000266" + "Name": "AZR-000364" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.PeerState", - "Synopsis": "VNET peering connections must be connected.", + "DisplayName": "Azure.ContainerApp.Storage", + "Synopsis": "Use of Azure Files volume mounts to persistent storage container data.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.Databricks.SecureConnectivity": { - "Name": "Azure.Databricks.SecureConnectivity", + "Azure.SignalR.ManagedIdentity": { + "Name": "Azure.SignalR.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000393", + "Value": "PSRule.Rules.Azure\\AZR-000181", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000393" + "Name": "AZR-000181" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Databricks.SecureConnectivity", - "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.", + "DisplayName": "Azure.SignalR.ManagedIdentity", + "Synopsis": "Configure SignalR Services to use managed identities to access Azure resources securely.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.yaml" }, - "Azure.PublicIP.MigrateStandard": { - "Name": "Azure.PublicIP.MigrateStandard", + "Azure.APIM.CORSPolicy": { + "Name": "Azure.APIM.CORSPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000395", + "Value": "PSRule.Rules.Azure\\AZR-000365", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000395" + "Name": "AZR-000365" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.PublicIP.MigrateStandard", - "Synopsis": "Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.", + "DisplayName": "Azure.APIM.CORSPolicy", + "Synopsis": "Wildcard * for any configuration option in CORS policies settings should not be used.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.APIM.HTTPEndpoint": { - "Name": "Azure.APIM.HTTPEndpoint", + "Azure.APIM.ManagedIdentity": { + "Name": "Azure.APIM.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000042", + "Value": "PSRule.Rules.Azure\\AZR-000053", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000042" + "Name": "AZR-000053" }, "Alias": [ null 
@@ -6301,18 +6556,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.HTTPEndpoint", - "Synopsis": "Enforce HTTPS for communication to API clients.", + "DisplayName": "Azure.APIM.ManagedIdentity", + "Synopsis": "Consider configuring a managed identity for each API Management instance.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.KeyVault.Logs": { - "Name": "Azure.KeyVault.Logs", + "Azure.Template.ParameterFile": { + "Name": "Azure.Template.ParameterFile", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000119", + "Value": "PSRule.Rules.Azure\\AZR-000229", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000119" + "Name": "AZR-000229" }, "Alias": [ null 
@@ -6322,18 +6578,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.Logs", - "Synopsis": "Ensure audit diagnostics logs are enabled to audit Key Vault access.", + "DisplayName": "Azure.Template.ParameterFile", + "Synopsis": "Use ARM parameter file structure.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AKS.PoolVersion": { - "Name": "Azure.AKS.PoolVersion", + "Azure.ASG.Name": { + "Name": "Azure.ASG.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000016", + "Value": "PSRule.Rules.Azure\\AZR-000085", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000016" + "Name": "AZR-000085" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "GA", + "RuleSet": "2021_12", + "Level": "Error", + "Method": null, + "DisplayName": "Azure.ASG.Name", + "Synopsis": "Application Security Group (ASG) names should meet naming requirements.", + "Recommendation": null, + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASG.Rule.yaml" + }, + "Azure.APIM.CertificateExpiry": { + "Name": "Azure.APIM.CertificateExpiry", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000051", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000051" }, "Alias": [ null 
@@ -6343,165 +6622,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.PoolVersion", - "Synopsis": "AKS agent pools should run the same Kubernetes version as the cluster", + "DisplayName": "Azure.APIM.CertificateExpiry", + "Synopsis": "Renew expired certificates", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.Template.LocationDefault": { - "Name": "Azure.Template.LocationDefault", + "Azure.RedisEnterprise.Zones": { + "Name": "Azure.RedisEnterprise.Zones", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000220", + "Value": "PSRule.Rules.Azure\\AZR-000162", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000220" + "Name": "AZR-000162" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.LocationDefault", - "Synopsis": "Set the default value for location parameters within ARM template to the default value to `[resourceGroup().location]`.", + "DisplayName": "Azure.RedisEnterprise.Zones", + "Synopsis": "Enterprise Redis cache should be zone-redundant for high availability.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.CDN.MinTLS": { - "Name": "Azure.CDN.MinTLS", + "Azure.AppConfig.SKU": { + "Name": "Azure.AppConfig.SKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000092", + "Value": "PSRule.Rules.Azure\\AZR-000057", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000092" + "Name": "AZR-000057" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": 
"Azure.CDN.MinTLS", - "Synopsis": "Consider configuring the minimum supported TLS version to be 1.2.", + "DisplayName": "Azure.AppConfig.SKU", + "Synopsis": "App Configuration should use a minimum size of Standard.", "Recommendation": null, - "Pillar": "Security", - "Control": "DP-3" + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.yaml" }, - "Azure.Policy.AssignmentDescriptors": { - "Name": "Azure.Policy.AssignmentDescriptors", + "Azure.Arc.Kubernetes.Defender": { + "Name": "Azure.Arc.Kubernetes.Defender", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000143", + "Value": "PSRule.Rules.Azure\\AZR-000373", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000143" + "Name": "AZR-000373" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2021_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Policy.AssignmentDescriptors", - "Synopsis": "Policy assignments require a display name and description.", + "DisplayName": "Azure.Arc.Kubernetes.Defender", + "Synopsis": "Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1" }, - "Azure.MySQL.AADOnly": { - "Name": "Azure.MySQL.AADOnly", + "Azure.MySQL.UseFlexible": { + "Name": "Azure.MySQL.UseFlexible", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000394", + "Value": "PSRule.Rules.Azure\\AZR-000325", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000394" + "Name": "AZR-000325" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", - "Level": "Error", + "RuleSet": "2022_12", + "Level": "Warning", "Method": null, - "DisplayName": "Azure.MySQL.AADOnly", - "Synopsis": "Ensure Azure 
AD-only authentication is enabled with Azure Database for MySQL databases.", + "DisplayName": "Azure.MySQL.UseFlexible", + "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.AppGw.MinInstance": { - "Name": "Azure.AppGw.MinInstance", + "Azure.Defender.Storage.SensitiveData": { + "Name": "Azure.Defender.Storage.SensitiveData", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000061", + "Value": "PSRule.Rules.Azure\\AZR-000385", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000061" + "Name": "AZR-000385" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.MinInstance", - "Synopsis": "Application Gateways should use a minimum of two instances.", + "DisplayName": "Azure.Defender.Storage.SensitiveData", + "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1" }, - "Azure.AKS.HttpAppRouting": { - "Name": "Azure.AKS.HttpAppRouting", + "Azure.APIM.Name": { + "Name": "Azure.APIM.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000035", + "Value": "PSRule.Rules.Azure\\AZR-000056", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000035" + "Name": "AZR-000056" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.HttpAppRouting", - "Synopsis": "Disable HTTP application routing add-on in AKS clusters.", + "DisplayName": 
"Azure.APIM.Name", + "Synopsis": "API Management service names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.yaml" }, - "Azure.Storage.DefenderCloud.MalwareScan": { - "Name": "Azure.Storage.DefenderCloud.MalwareScan", + "Azure.MySQL.GeoRedundantBackup": { + "Name": "Azure.MySQL.GeoRedundantBackup", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000384", + "Value": "PSRule.Rules.Azure\\AZR-000323", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000384" + "Name": "AZR-000323" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.DefenderCloud.MalwareScan", - "Synopsis": "Enable Malware Scanning in Microsoft Defender for Storage.", + "DisplayName": "Azure.MySQL.GeoRedundantBackup", + "Synopsis": "Azure Database for MySQL should store backups in a geo-redundant storage.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.RBAC.LimitOwner": { - "Name": "Azure.RBAC.LimitOwner", + "Azure.KeyVault.AccessPolicy": { + "Name": "Azure.KeyVault.AccessPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000204", + "Value": "PSRule.Rules.Azure\\AZR-000118", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000204" + "Name": "AZR-000118" }, "Alias": [ null 
@@ -6511,165 +6798,173 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.RBAC.LimitOwner", - "Synopsis": "Limit the number of subscription Owners", + "DisplayName": "Azure.KeyVault.AccessPolicy", + "Synopsis": "Limit access to Key Vault data", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.VNET.UseNSGs": { - "Name": "Azure.VNET.UseNSGs", + "Azure.VMSS.MigrateAMA": { + "Name": "Azure.VMSS.MigrateAMA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000263", + "Value": "PSRule.Rules.Azure\\AZR-000318", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000263" + "Name": "AZR-000318" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.UseNSGs", - "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.", + "DisplayName": "Azure.VMSS.MigrateAMA", + "Synopsis": "Use Azure Monitor Agent as replacement for Log Analytics Agent.", "Recommendation": null, - "Pillar": "Security", - "Control": "NS-1" + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1" }, - "Azure.AKS.UptimeSLA": { - "Name": "Azure.AKS.UptimeSLA", + "Azure.AppGw.MinSku": { + "Name": "Azure.AppGw.MinSku", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000285", + "Value": "PSRule.Rules.Azure\\AZR-000062", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000285" + "Name": "AZR-000062" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.UptimeSLA", - "Synopsis": "AKS clusters should have Uptime SLA enabled to ensure availability of control plane components 
for production workloads.", + "DisplayName": "Azure.AppGw.MinSku", + "Synopsis": "Application Gateway should use a minimum instance size of Medium.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.ContainerApp.ManagedIdentity": { - "Name": "Azure.ContainerApp.ManagedIdentity", + "Azure.ASE.MigrateV3": { + "Name": "Azure.ASE.MigrateV3", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000361", + "Value": "PSRule.Rules.Azure\\AZR-000319", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000361" + "Name": "AZR-000319" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.ManagedIdentity", - "Synopsis": "Ensure managed identity is used for authentication.", + "DisplayName": "Azure.ASE.MigrateV3", + "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ASE.Rule.ps1" }, - "Azure.Defender.SQLOnVM": { - "Name": "Azure.Defender.SQLOnVM", + "Azure.Storage.DefenderCloud.SensitiveData": { + "Name": "Azure.Storage.DefenderCloud.SensitiveData", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000297", + "Value": "PSRule.Rules.Azure\\AZR-000391", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000297" + "Name": "AZR-000391" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2022_09", + "Release": "Preview", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.SQLOnVM", - "Synopsis": "Enable Microsoft Defender for SQL servers on machines.", + "DisplayName": 
"Azure.Storage.DefenderCloud.SensitiveData", + "Synopsis": "Enable sensitive data threat detection in Microsoft Defender for Storage.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.Cognitive.PublicAccess": { - "Name": "Azure.Cognitive.PublicAccess", + "Azure.AppService.ManagedIdentity": { + "Name": "Azure.AppService.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000280", + "Value": "PSRule.Rules.Azure\\AZR-000082", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000280" + "Name": "AZR-000082" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Cognitive.PublicAccess", - "Synopsis": "Restrict access to Cognitive Services accounts to authorized virtual networks.", + "DisplayName": "Azure.AppService.ManagedIdentity", + "Synopsis": "Use a Managed Identities with Azure Service apps.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.AKS.SecretStoreRotation": { - "Name": "Azure.AKS.SecretStoreRotation", + "Azure.CDN.UseFrontDoor": { + "Name": "Azure.CDN.UseFrontDoor", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000034", + "Value": "PSRule.Rules.Azure\\AZR-000286", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000034" + "Name": "AZR-000286" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.SecretStoreRotation", - "Synopsis": "Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.", + "DisplayName": "Azure.CDN.UseFrontDoor", + "Synopsis": "Use Azure Front Door Standard or Premium SKU to improve 
the performance of web pages with dynamic content and overall capabilities.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.ps1" }, - "Azure.Storage.BlobAccessType": { - "Name": "Azure.Storage.BlobAccessType", + "Azure.Cognitive.ManagedIdentity": { + "Name": "Azure.Cognitive.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000199", + "Value": "PSRule.Rules.Azure\\AZR-000281", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000199" + "Name": "AZR-000281" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.BlobAccessType", - "Synopsis": "Use containers configured with a private access type that requires authorization.", + "DisplayName": "Azure.Cognitive.ManagedIdentity", + "Synopsis": "Configure managed identities to access Azure resources.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.AppConfig.AuditLogs": { - "Name": "Azure.AppConfig.AuditLogs", + "Azure.Defender.Containers": { + "Name": "Azure.Defender.Containers", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000311", + "Value": "PSRule.Rules.Azure\\AZR-000290", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000311" + "Name": "AZR-000290" }, "Alias": [ null 
@@ -6679,81 +6974,85 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppConfig.AuditLogs", - "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.", + "DisplayName": "Azure.Defender.Containers", + "Synopsis": "Enable Microsoft Defender for Containers.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.AppService.PHPVersion": { - "Name": "Azure.AppService.PHPVersion", + "Azure.PublicIP.DNSLabel": { + "Name": "Azure.PublicIP.DNSLabel", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000076", + "Value": "PSRule.Rules.Azure\\AZR-000156", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000076" + "Name": "AZR-000156" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.PHPVersion", - "Synopsis": "Configure applications to use newer PHP runtime versions.", + "DisplayName": "Azure.PublicIP.DNSLabel", + "Synopsis": "Use public IP DNS label naming requirements", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PublicIP.Rule.ps1" }, - "Azure.LB.AvailabilityZone": { - "Name": "Azure.LB.AvailabilityZone", + "Azure.VNET.Name": { + "Name": "Azure.VNET.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000127", + "Value": "PSRule.Rules.Azure\\AZR-000268", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000127" + "Name": "AZR-000268" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.LB.AvailabilityZone", - "Synopsis": "Load balancers deployed with 
Standard SKU should be zone-redundant for high availability.", + "DisplayName": "Azure.VNET.Name", + "Synopsis": "Virtual Network (VNET) names should meet naming requirements.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.yaml" }, - "Azure.FrontDoorWAF.Enabled": { - "Name": "Azure.FrontDoorWAF.Enabled", + "Azure.AppGw.UseHTTPS": { + "Name": "Azure.AppGw.UseHTTPS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000305", + "Value": "PSRule.Rules.Azure\\AZR-000059", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000305" + "Name": "AZR-000059" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoorWAF.Enabled", - "Synopsis": "FrontDoor should use a WAF.", + "DisplayName": "Azure.AppGw.UseHTTPS", + "Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.ps1" }, - "Azure.Redis.AvailabilityZone": { - "Name": "Azure.Redis.AvailabilityZone", + "Azure.Template.ExpressionLength": { + "Name": "Azure.Template.ExpressionLength", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000161", + "Value": "PSRule.Rules.Azure\\AZR-000228", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000161" + "Name": "AZR-000228" }, "Alias": [ null 
@@ -6763,39 +7062,41 @@ "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.AvailabilityZone", - "Synopsis": "Premium Redis cache should be deployed with availability zones for high availability.", + "DisplayName": "Azure.Template.ExpressionLength", + "Synopsis": "Template expressions should not exceed the maximum length.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.NSG.LateralTraversal": { - "Name": "Azure.NSG.LateralTraversal", + "Azure.Template.ParameterMinMaxValue": { + "Name": "Azure.Template.ParameterMinMaxValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000139", + "Value": "PSRule.Rules.Azure\\AZR-000224", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000139" + "Name": "AZR-000224" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.NSG.LateralTraversal", - "Synopsis": "Lateral traversal from application servers should be blocked", + "DisplayName": "Azure.Template.ParameterMinMaxValue", + "Synopsis": "Template parameters `minValue` and `maxValue` constraints must be valid.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.AppService.HTTP2": { - "Name": "Azure.AppService.HTTP2", + "Azure.Redis.MaxMemoryReserved": { + "Name": "Azure.Redis.MaxMemoryReserved", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000078", + "Value": "PSRule.Rules.Azure\\AZR-000160", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000078" + "Name": "AZR-000160" }, "Alias": [ null 
@@ -6805,144 +7106,151 @@ "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.HTTP2", - "Synopsis": "Use HTTP/2 for App Service apps.", + "DisplayName": "Azure.Redis.MaxMemoryReserved", + "Synopsis": "Configure `maxmemory-reserved` to reserve memory for non-cache operations.", "Recommendation": null, "Pillar": "Performance Efficiency", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.VM.Name": { - "Name": "Azure.VM.Name", + "Azure.Defender.OssRdb": { + "Name": "Azure.Defender.OssRdb", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000248", + "Value": "PSRule.Rules.Azure\\AZR-000381", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000248" + "Name": "AZR-000381" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.Name", - "Synopsis": "Use VM naming requirements", + "DisplayName": "Azure.Defender.OssRdb", + "Synopsis": "Enable Microsoft Defender for open-source relational databases.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.VM.DiskName": { - "Name": "Azure.VM.DiskName", + "Azure.AppInsights.Workspace": { + "Name": "Azure.AppInsights.Workspace", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000253", + "Value": "PSRule.Rules.Azure\\AZR-000069", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000253" + "Name": "AZR-000069" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.DiskName", - "Synopsis": "Use Managed Disk naming requirements", + "DisplayName": "Azure.AppInsights.Workspace", + "Synopsis": "Configure 
Application Insights resources to store data in workspaces.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppInsights.Rule.yaml" }, - "Azure.FrontDoor.Probe": { - "Name": "Azure.FrontDoor.Probe", + "Azure.VM.Standalone": { + "Name": "Azure.VM.Standalone", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000108", + "Value": "PSRule.Rules.Azure\\AZR-000239", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000108" + "Name": "AZR-000239" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.Probe", - "Synopsis": "Configure and enable health probes for each backend pool.", + "DisplayName": "Azure.VM.Standalone", + "Synopsis": "Use VM features to increase reliability and improve covered SLA for VM configurations.", "Recommendation": null, "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.yaml" }, - "Azure.ACR.Usage": { - "Name": "Azure.ACR.Usage", + "Azure.FrontDoor.WAF.Mode": { + "Name": "Azure.FrontDoor.WAF.Mode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000001", + "Value": "PSRule.Rules.Azure\\AZR-000114", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000001" + "Name": "AZR-000114" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2020_06", "Level": "Error", - "Method": "in-flight", - "DisplayName": "Azure.ACR.Usage", - "Synopsis": "Consider freeing up registry space.", + "Method": null, + "DisplayName": "Azure.FrontDoor.WAF.Mode", + "Synopsis": "Use Front Door WAF policy in prevention mode", "Recommendation": null, - "Pillar": "Cost Optimization", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.AKS.ManagedIdentity": { - "Name": "Azure.AKS.ManagedIdentity", + "Azure.Firewall.PolicyMode": { + "Name": "Azure.Firewall.PolicyMode", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000025", + "Value": "PSRule.Rules.Azure\\AZR-000399", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000025" + "Name": "AZR-000399" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.ManagedIdentity", - "Synopsis": "Configure AKS clusters to use managed identities for managing cluster infrastructure.", + "DisplayName": "Azure.Firewall.PolicyMode", + "Synopsis": "Deny high confidence malicious IP addresses, domains and URLs.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.VM.PublicKey": { - "Name": "Azure.VM.PublicKey", + "Azure.ACR.SoftDelete": { + "Name": "Azure.ACR.SoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000245", + "Value": "PSRule.Rules.Azure\\AZR-000310", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000245" + "Name": "AZR-000310" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "preview", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.PublicKey", - "Synopsis": "Linux VMs should use public key pair", + "DisplayName": "Azure.ACR.SoftDelete", + "Synopsis": "Azure Container Registries should have soft delete policy enabled.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.Redis.FirewallRuleCount": { - "Name": 
"Azure.Redis.FirewallRuleCount", + "Azure.AKS.EphemeralOSDisk": { + "Name": "Azure.AKS.EphemeralOSDisk", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000299", + "Value": "PSRule.Rules.Azure\\AZR-000287", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000299" + "Name": "AZR-000287" }, "Alias": [ null 
@@ -6950,41 +7258,43 @@ "Flags": 0, "Release": "GA", "RuleSet": "2022_09", - "Level": "Error", + "Level": "Warning", "Method": null, - "DisplayName": "Azure.Redis.FirewallRuleCount", - "Synopsis": "Determine if there is an excessive number of firewall rules for the Redis cache.", + "DisplayName": "Azure.AKS.EphemeralOSDisk", + "Synopsis": "AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Performance Efficiency", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.VNET.BastionSubnet": { - "Name": "Azure.VNET.BastionSubnet", + "Azure.VM.DiskSizeAlignment": { + "Name": "Azure.VM.DiskSizeAlignment", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000314", + "Value": "PSRule.Rules.Azure\\AZR-000251", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000314" + "Name": "AZR-000251" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.BastionSubnet", - "Synopsis": "VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.", + "DisplayName": "Azure.VM.DiskSizeAlignment", + "Synopsis": "Managed disk is smaller than SKU size", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.VM.DiskSizeAlignment": { - "Name": "Azure.VM.DiskSizeAlignment", + "Azure.AKS.PoolVersion": { + "Name": "Azure.AKS.PoolVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000251", + "Value": "PSRule.Rules.Azure\\AZR-000016", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000251" + "Name": "AZR-000016" }, 
"Alias": [ null 
@@ -6994,274 +7304,283 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.DiskSizeAlignment", - "Synopsis": "Managed disk is smaller than SKU size", + "DisplayName": "Azure.AKS.PoolVersion", + "Synopsis": "AKS agent pools should run the same Kubernetes version as the cluster", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.AppConfig.SKU": { - "Name": "Azure.AppConfig.SKU", + "Azure.Databricks.SecureConnectivity": { + "Name": "Azure.Databricks.SecureConnectivity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000057", + "Value": "PSRule.Rules.Azure\\AZR-000393", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000057" + "Name": "AZR-000393" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppConfig.SKU", - "Synopsis": "App Configuration should use a minimum size of Standard.", + "DisplayName": "Azure.Databricks.SecureConnectivity", + "Synopsis": "Use Databricks workspaces configured for secure cluster connectivity.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml" }, - "Azure.AppGw.UseHTTPS": { - "Name": "Azure.AppGw.UseHTTPS", + "Azure.MariaDB.AllowAzureAccess": { + "Name": "Azure.MariaDB.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000059", + "Value": "PSRule.Rules.Azure\\AZR-000342", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000059" + "Name": "AZR-000342" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.UseHTTPS", - 
"Synopsis": "Application Gateways should only expose frontend HTTP endpoints over HTTPS.", + "DisplayName": "Azure.MariaDB.AllowAzureAccess", + "Synopsis": "Determine if access from Azure services is required.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1" }, - "Azure.AKS.StandardLB": { - "Name": "Azure.AKS.StandardLB", + "Azure.ADX.SLA": { + "Name": "Azure.ADX.SLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000026", + "Value": "PSRule.Rules.Azure\\AZR-000014", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000026" + "Name": "AZR-000014" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.StandardLB", - "Synopsis": "Use a Standard load-balancer with AKS clusters.", + "DisplayName": "Azure.ADX.SLA", + "Synopsis": "Use SKUs that include a SLA when configuring Azure Data Explorer (ADX) clusters.", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml" }, - "Azure.APIM.MultiRegion": { - "Name": "Azure.APIM.MultiRegion", + "Azure.MySQL.AAD": { + "Name": "Azure.MySQL.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000340", + "Value": "PSRule.Rules.Azure\\AZR-000392", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000340" + "Name": "AZR-000392" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.MultiRegion", - "Synopsis": "API Management instances should use multi-region deployment to improve service availability.", + "DisplayName": "Azure.MySQL.AAD", + "Synopsis": "Use Azure Active Directory (AAD) authentication 
with Azure Database for MySQL databases.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.AppService.RemoteDebug": { - "Name": "Azure.AppService.RemoteDebug", + "Azure.APIM.MinAPIVersion": { + "Name": "Azure.APIM.MinAPIVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000074", + "Value": "PSRule.Rules.Azure\\AZR-000321", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000074" + "Name": "AZR-000321" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.RemoteDebug", - "Synopsis": "Disable remote debugging", + "DisplayName": "Azure.APIM.MinAPIVersion", + "Synopsis": "API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.DefenderCloud.Contact": { - "Name": "Azure.DefenderCloud.Contact", + "Azure.VM.UseHybridUseBenefit": { + "Name": "Azure.VM.UseHybridUseBenefit", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000209", + "Value": "PSRule.Rules.Azure\\AZR-000243", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000209" + "Name": "AZR-000243" }, "Alias": [ - { - "Value": "PSRule.Rules.Azure\\Azure.SecurityCenter.Contact", - "Scope": "PSRule.Rules.Azure", - "Name": "Azure.SecurityCenter.Contact" - } + null ], "Flags": 0, "Release": "GA", "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.DefenderCloud.Contact", - "Synopsis": "Microsoft Defender for Cloud email and phone contact details should be set", + "DisplayName": 
"Azure.VM.UseHybridUseBenefit", + "Synopsis": "Use Hybrid Use Benefit", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.MySQL.MinTLS": { - "Name": "Azure.MySQL.MinTLS", + "Azure.Resource.UseTags": { + "Name": "Azure.Resource.UseTags", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000132", + "Value": "PSRule.Rules.Azure\\AZR-000166", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000132" + "Name": "AZR-000166" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.MinTLS", - "Synopsis": "MySQL DB servers should reject TLS versions older than 1.2.", + "DisplayName": "Azure.Resource.UseTags", + "Synopsis": "Azure resources should be tagged using a standard convention.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1" }, - "Azure.AppGw.Name": { - "Name": "Azure.AppGw.Name", + "Azure.LB.StandardSKU": { + "Name": "Azure.LB.StandardSKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000348", + "Value": "PSRule.Rules.Azure\\AZR-000128", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000348" + "Name": "AZR-000128" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.Name", - "Synopsis": "Application Gateways should meet naming requirements.", + "DisplayName": "Azure.LB.StandardSKU", + "Synopsis": "Load balancers should be deployed with Standard SKU for production workloads.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.LB.Rule.ps1" }, - "Azure.AKS.AzurePolicyAddOn": { - "Name": "Azure.AKS.AzurePolicyAddOn", + "Azure.Automation.AuditLogs": { + "Name": "Azure.Automation.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000028", + "Value": "PSRule.Rules.Azure\\AZR-000088", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000028" + "Name": "AZR-000088" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AzurePolicyAddOn", - "Synopsis": "AKS clusters should use Azure Policy add-on.", + "DisplayName": "Azure.Automation.AuditLogs", + "Synopsis": "Ensure automation account audit diagnostic logs are enabled.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1" }, - "Azure.WebPubSub.SLA": { - "Name": "Azure.WebPubSub.SLA", + "Azure.SQLMI.AADOnly": { + "Name": "Azure.SQLMI.AADOnly", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000278", + "Value": "PSRule.Rules.Azure\\AZR-000366", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000278" + "Name": "AZR-000366" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.WebPubSub.SLA", - "Synopsis": "Use SKUs that includes a SLA when configuring a Web PubSub Service.", + "DisplayName": "Azure.SQLMI.AADOnly", + "Synopsis": "Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1" }, - "Azure.Policy.AssignmentAssignedBy": { - "Name": 
"Azure.Policy.AssignmentAssignedBy", + "Azure.AppGw.MigrateV2": { + "Name": "Azure.AppGw.MigrateV2", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000144", + "Value": "PSRule.Rules.Azure\\AZR-000376", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000144" + "Name": "AZR-000376" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_06", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Policy.AssignmentAssignedBy", - "Synopsis": "Policy assignments require assignedBy metadata.", + "DisplayName": "Azure.AppGw.MigrateV2", + "Synopsis": "Use a Application Gateway v2 SKU.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.AppGw.AvailabilityZone": { - "Name": "Azure.AppGw.AvailabilityZone", + "Azure.Bastion.Name": { + "Name": "Azure.Bastion.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000060", + "Value": "PSRule.Rules.Azure\\AZR-000349", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000060" + "Name": "AZR-000349" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.AvailabilityZone", - "Synopsis": "Application gateways deployed with should use availability zones in supported regions for high availability.", + "DisplayName": "Azure.Bastion.Name", + "Synopsis": "Bastion hosts should meet naming requirements.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Bastion.Rule.yaml" }, - "Azure.AppGw.MigrateV2": { - "Name": "Azure.AppGw.MigrateV2", + "Azure.ContainerApp.Insecure": { + "Name": "Azure.ContainerApp.Insecure", "Ref": { - "Value": 
"PSRule.Rules.Azure\\AZR-000376", + "Value": "PSRule.Rules.Azure\\AZR-000094", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000376" + "Name": "AZR-000094" }, "Alias": [ null 
@@ -7271,81 +7590,85 @@ "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.MigrateV2", - "Synopsis": "Use a Application Gateway v2 SKU.", + "DisplayName": "Azure.ContainerApp.Insecure", + "Synopsis": "Ensure insecure inbound traffic is not permitted to the container app.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.ContainerApp.RestrictIngress": { - "Name": "Azure.ContainerApp.RestrictIngress", + "Azure.Cognitive.DisableLocalAuth": { + "Name": "Azure.Cognitive.DisableLocalAuth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000380", + "Value": "PSRule.Rules.Azure\\AZR-000282", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000380" + "Name": "AZR-000282" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.RestrictIngress", - "Synopsis": "IP ingress restrictions mode should be set to allow action for all rules defined.", + "DisplayName": "Azure.Cognitive.DisableLocalAuth", + "Synopsis": "Authenticate requests to Cognitive Services with Azure AD identities.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml" }, - "Azure.SignalR.SLA": { - "Name": "Azure.SignalR.SLA", + "Azure.AKS.DNSPrefix": { + "Name": "Azure.AKS.DNSPrefix", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000182", + "Value": "PSRule.Rules.Azure\\AZR-000040", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000182" + "Name": "AZR-000040" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": 
"Azure.SignalR.SLA", - "Synopsis": "Use SKUs that includes a SLA when configuring a SignalR Service.", + "DisplayName": "Azure.AKS.DNSPrefix", + "Synopsis": "Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.MariaDB.FirewallRuleName": { - "Name": "Azure.MariaDB.FirewallRuleName", + "Azure.WebPubSub.ManagedIdentity": { + "Name": "Azure.WebPubSub.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000338", + "Value": "PSRule.Rules.Azure\\AZR-000277", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000338" + "Name": "AZR-000277" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.FirewallRuleName", - "Synopsis": "Azure Database for MariaDB firewall rules should meet naming requirements.", + "DisplayName": "Azure.WebPubSub.ManagedIdentity", + "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml" }, - "Azure.RedisEnterprise.MinTLS": { - "Name": "Azure.RedisEnterprise.MinTLS", + "Azure.FrontDoorWAF.Exclusions": { + "Name": "Azure.FrontDoorWAF.Exclusions", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000301", + "Value": "PSRule.Rules.Azure\\AZR-000307", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000301" + "Name": "AZR-000307" }, "Alias": [ null 
@@ -7355,123 +7678,151 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.RedisEnterprise.MinTLS", - "Synopsis": "Redis Cache Enterprise should reject TLS versions older than 1.2.", + "DisplayName": "Azure.FrontDoorWAF.Exclusions", + "Synopsis": "FrontDoor WAF should have no exclusions.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml" }, - "Azure.ServiceBus.AuditLogs": { - "Name": "Azure.ServiceBus.AuditLogs", + "Azure.VNET.SingleDNS": { + "Name": "Azure.VNET.SingleDNS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000358", + "Value": "PSRule.Rules.Azure\\AZR-000264", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000358" + "Name": "AZR-000264" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", + "Level": "Error", + "Method": null, + "DisplayName": "Azure.VNET.SingleDNS", + "Synopsis": "VNETs should have at least two DNS servers assigned.", + "Recommendation": null, + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" + }, + "Azure.PostgreSQL.UseSSL": { + "Name": "Azure.PostgreSQL.UseSSL", + "Ref": { + "Value": "PSRule.Rules.Azure\\AZR-000147", + "Scope": "PSRule.Rules.Azure", + "Name": "AZR-000147" + }, + "Alias": [ + null + ], + "Flags": 0, + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ServiceBus.AuditLogs", - "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.", + "DisplayName": "Azure.PostgreSQL.UseSSL", + "Synopsis": "Enforce encrypted PostgreSQL connections.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml" }, - "Azure.AKS.AutoScaling": { - "Name": "Azure.AKS.AutoScaling", + "Azure.MySQL.FirewallIPRange": { + "Name": "Azure.MySQL.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000019", + "Value": "PSRule.Rules.Azure\\AZR-000135", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000019" + "Name": "AZR-000135" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.AutoScaling", - "Synopsis": "Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.", + "DisplayName": "Azure.MySQL.FirewallIPRange", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.APIM.Name": { - "Name": "Azure.APIM.Name", + "Azure.MySQL.AllowAzureAccess": { + "Name": "Azure.MySQL.AllowAzureAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000056", + "Value": "PSRule.Rules.Azure\\AZR-000134", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000056" + "Name": "AZR-000134" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.Name", - "Synopsis": "API Management service names should meet naming requirements.", + "DisplayName": "Azure.MySQL.AllowAzureAccess", + "Synopsis": "Determine if access from Azure services is required", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": 
"https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1" }, - "Azure.MariaDB.UseSSL": { - "Name": "Azure.MariaDB.UseSSL", + "Azure.VM.DiskName": { + "Name": "Azure.VM.DiskName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000334", + "Value": "PSRule.Rules.Azure\\AZR-000253", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000334" + "Name": "AZR-000253" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.UseSSL", - "Synopsis": "Azure Database for MariaDB servers should only accept encrypted connections.", + "DisplayName": "Azure.VM.DiskName", + "Synopsis": "Use Managed Disk naming requirements", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Storage.Firewall": { - "Name": "Azure.Storage.Firewall", + "Azure.VNG.ConnectionName": { + "Name": "Azure.VNG.ConnectionName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000202", + "Value": "PSRule.Rules.Azure\\AZR-000275", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000202" + "Name": "AZR-000275" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.Firewall", - "Synopsis": "Storage Accounts should only accept explicitly allowed traffic.", + "DisplayName": "Azure.VNG.ConnectionName", + "Synopsis": "Virtual Network Gateway (VNG) connection names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.yaml" }, - "Azure.FrontDoor.UseWAF": { - "Name": "Azure.FrontDoor.UseWAF", + 
"Azure.VM.Name": { + "Name": "Azure.VM.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000111", + "Value": "PSRule.Rules.Azure\\AZR-000248", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000111" + "Name": "AZR-000248" }, "Alias": [ null @@ -7481,18 +7832,19 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.UseWAF", - "Synopsis": "Enable Web Application Firewall (WAF) policies on each Front Door endpoint.", + "DisplayName": "Azure.VM.Name", + "Synopsis": "Use VM naming requirements", "Recommendation": null, - "Pillar": "Security", - "Control": "NS-6" + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Automation.WebHookExpiry": { - "Name": "Azure.Automation.WebHookExpiry", + "Azure.FrontDoor.Name": { + "Name": "Azure.FrontDoor.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000087", + "Value": "PSRule.Rules.Azure\\AZR-000113", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000087" + "Name": "AZR-000113" }, "Alias": [ null 
@@ -7502,312 +7854,331 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Automation.WebHookExpiry", - "Synopsis": "Ensure webhook expiry is not longer than one year", + "DisplayName": "Azure.FrontDoor.Name", + "Synopsis": "Use Front Door naming requirements", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml" }, - "Azure.PostgreSQL.DefenderCloud": { - "Name": "Azure.PostgreSQL.DefenderCloud", + "Azure.ACR.GeoReplica": { + "Name": "Azure.ACR.GeoReplica", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000327", + "Value": "PSRule.Rules.Azure\\AZR-000004", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000327" + "Name": "AZR-000004" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_12", "Level": "Error", - "Method": null, - "DisplayName": "Azure.PostgreSQL.DefenderCloud", - "Synopsis": "Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.", + "Method": "in-flight", + "DisplayName": "Azure.ACR.GeoReplica", + "Synopsis": "Consider geo-replicating container images.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1" }, - "Azure.AKS.ContainerInsights": { - "Name": "Azure.AKS.ContainerInsights", + "Azure.Firewall.PolicyName": { + "Name": "Azure.Firewall.PolicyName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000041", + "Value": "PSRule.Rules.Azure\\AZR-000104", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000041" + "Name": "AZR-000104" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.ContainerInsights", - "Synopsis": 
"Enable Container insights to monitor AKS cluster workloads.", + "DisplayName": "Azure.Firewall.PolicyName", + "Synopsis": "Firewall policy names should meet naming requirements.", "Recommendation": null, "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml" }, - "Azure.Template.ValidSecretRef": { - "Name": "Azure.Template.ValidSecretRef", + "Azure.Redis.PublicNetworkAccess": { + "Name": "Azure.Redis.PublicNetworkAccess", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000233", + "Value": "PSRule.Rules.Azure\\AZR-000165", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000233" + "Name": "AZR-000165" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ValidSecretRef", - "Synopsis": "Use a valid secret reference within parameter files.", + "DisplayName": "Azure.Redis.PublicNetworkAccess", + "Synopsis": "Redis cache should disable public network access.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.ServiceFabric.AAD": { - "Name": "Azure.ServiceFabric.AAD", + "Azure.SQL.DefenderCloud": { + "Name": "Azure.SQL.DefenderCloud", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000179", + "Value": "PSRule.Rules.Azure\\AZR-000186", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000179" + "Name": "AZR-000186" }, "Alias": [ - null + { + "Value": "PSRule.Rules.Azure\\Azure.SQL.ThreatDetection", + "Scope": "PSRule.Rules.Azure", + "Name": "Azure.SQL.ThreatDetection" + } ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ServiceFabric.AAD", - "Synopsis": "Use Azure 
Active Directory (AAD) client authentication for Service Fabric clusters.", + "DisplayName": "Azure.SQL.DefenderCloud", + "Synopsis": "Enable Microsoft Defender for Cloud for Azure SQL logical server", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1" }, - "Azure.ContainerApp.APIVersion": { - "Name": "Azure.ContainerApp.APIVersion", + "Azure.Storage.SoftDelete": { + "Name": "Azure.Storage.SoftDelete", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000400", + "Value": "PSRule.Rules.Azure\\AZR-000197", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000400" + "Name": "AZR-000197" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.APIVersion", - "Synopsis": "Migrate from retired API version to a supported version.", + "DisplayName": "Azure.Storage.SoftDelete", + "Synopsis": "Enable soft delete on Storage Accounts", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1" }, - "Azure.FrontDoor.WAF.Mode": { - "Name": "Azure.FrontDoor.WAF.Mode", + "Azure.KeyVault.AutoRotationPolicy": { + "Name": "Azure.KeyVault.AutoRotationPolicy", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000114", + "Value": "PSRule.Rules.Azure\\AZR-000123", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000114" + "Name": "AZR-000123" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.WAF.Mode", - "Synopsis": "Use Front Door WAF policy in prevention mode", + "DisplayName": "Azure.KeyVault.AutoRotationPolicy", + "Synopsis": "Key Vault keys 
should have auto-rotation enabled.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": "IM-3", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.ContainerApp.DisableAffinity": { - "Name": "Azure.ContainerApp.DisableAffinity", + "Azure.TrafficManager.Endpoints": { + "Name": "Azure.TrafficManager.Endpoints", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000378", + "Value": "PSRule.Rules.Azure\\AZR-000236", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000378" + "Name": "AZR-000236" }, "Alias": [ null ], "Flags": 0, - "Release": "Preview", - "RuleSet": "2023_06", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.DisableAffinity", - "Synopsis": "Disable session affinity to prevent unbalanced distribution.", + "DisplayName": "Azure.TrafficManager.Endpoints", + "Synopsis": "Traffic Manager should use at lest two enabled endpoints", "Recommendation": null, - "Pillar": "Performance Efficiency", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1" }, - "Azure.SQL.MinTLS": { - "Name": "Azure.SQL.MinTLS", + "Azure.ContainerApp.APIVersion": { + "Name": "Azure.ContainerApp.APIVersion", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000189", + "Value": "PSRule.Rules.Azure\\AZR-000400", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000189" + "Name": "AZR-000400" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2023_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.SQL.MinTLS", - "Synopsis": "Azure SQL Database servers should reject TLS versions older than 1.2.", + "DisplayName": "Azure.ContainerApp.APIVersion", + "Synopsis": "Migrate from retired API version to a supported version.", "Recommendation": null, - "Pillar": "Security", - 
"Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml" }, - "Azure.VM.SQLServerDisk": { - "Name": "Azure.VM.SQLServerDisk", + "Azure.VNET.UseNSGs": { + "Name": "Azure.VNET.UseNSGs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000324", + "Value": "PSRule.Rules.Azure\\AZR-000263", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000324" + "Name": "AZR-000263" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VM.SQLServerDisk", - "Synopsis": "Use Premium SSD disks or greater for data and log files for production SQL Server workloads.", + "DisplayName": "Azure.VNET.UseNSGs", + "Synopsis": "Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": "NS-1", + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.Redis.FirewallIPRange": { - "Name": "Azure.Redis.FirewallIPRange", + "Azure.Deployment.SecureValue": { + "Name": "Azure.Deployment.SecureValue", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000300", + "Value": "PSRule.Rules.Azure\\AZR-000316", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000300" + "Name": "AZR-000316" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2022_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Redis.FirewallIPRange", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.", + "DisplayName": "Azure.Deployment.SecureValue", + "Synopsis": "Use secure parameters for setting properties of resources that contain sensitive information.", "Recommendation": null, "Pillar": "Security", - "Control": null + 
"Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1" }, - "Azure.EventHub.MinTLS": { - "Name": "Azure.EventHub.MinTLS", + "Azure.AKS.SecretStore": { + "Name": "Azure.AKS.SecretStore", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000356", + "Value": "PSRule.Rules.Azure\\AZR-000033", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000356" + "Name": "AZR-000033" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.EventHub.MinTLS", - "Synopsis": "Event Hubs namespaces should reject TLS versions older than 1.2.", + "DisplayName": "Azure.AKS.SecretStore", + "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.WebPubSub.ManagedIdentity": { - "Name": "Azure.WebPubSub.ManagedIdentity", + "Azure.IoTHub.MinTLS": { + "Name": "Azure.IoTHub.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000277", + "Value": "PSRule.Rules.Azure\\AZR-000357", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000277" + "Name": "AZR-000357" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_03", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.WebPubSub.ManagedIdentity", - "Synopsis": "Configure Web PubSub Services to use managed identities to access Azure resources securely.", + "DisplayName": "Azure.IoTHub.MinTLS", + "Synopsis": "IoT Hubs should reject TLS versions older than 1.2.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.IoTHub.Rule.yaml" }, - 
"Azure.AppService.WebProbePath": { - "Name": "Azure.AppService.WebProbePath", + "Azure.VM.ComputerName": { + "Name": "Azure.VM.ComputerName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000080", + "Value": "PSRule.Rules.Azure\\AZR-000249", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000080" + "Name": "AZR-000249" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.WebProbePath", - "Synopsis": "Web apps should use a dedicated health check path.", + "DisplayName": "Azure.VM.ComputerName", + "Synopsis": "Use VM naming requirements", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.AppService.AlwaysOn": { - "Name": "Azure.AppService.AlwaysOn", + "Azure.Redis.FirewallIPRange": { + "Name": "Azure.Redis.FirewallIPRange", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000077", + "Value": "PSRule.Rules.Azure\\AZR-000300", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000077" + "Name": "AZR-000300" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.AlwaysOn", - "Synopsis": "Configure Always On for App Service apps.", + "DisplayName": "Azure.Redis.FirewallIPRange", + "Synopsis": "Determine if there is an excessive number of permitted IP addresses for the Redis cache.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1" }, - "Azure.ACR.MinSku": { - "Name": "Azure.ACR.MinSku", + "Azure.SignalR.Name": { + "Name": "Azure.SignalR.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000006", + 
"Value": "PSRule.Rules.Azure\\AZR-000180", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000006" + "Name": "AZR-000180" }, "Alias": [ null @@ -7817,39 +8188,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.MinSku", - "Synopsis": "ACR should use the Premium or Standard SKU for production deployments.", + "DisplayName": "Azure.SignalR.Name", + "Synopsis": "Use SignalR naming requirements", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SignalR.Rule.ps1" }, - "Azure.Defender.SQL": { - "Name": "Azure.Defender.SQL", + "Azure.Monitor.ServiceHealth": { + "Name": "Azure.Monitor.ServiceHealth", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000294", + "Value": "PSRule.Rules.Azure\\AZR-000211", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000294" + "Name": "AZR-000211" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.SQL", - "Synopsis": "Consider enabling Defender for SQL", + "DisplayName": "Azure.Monitor.ServiceHealth", + "Synopsis": "Configure Azure service logs", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.KeyVault.SoftDelete": { - "Name": "Azure.KeyVault.SoftDelete", + "Azure.AKS.Version": { + "Name": "Azure.AKS.Version", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000124", + "Value": "PSRule.Rules.Azure\\AZR-000015", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000124" + "Name": "AZR-000015" }, "Alias": [ null 
@@ -7859,39 +8232,41 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.KeyVault.SoftDelete", - "Synopsis": "Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.", + "DisplayName": "Azure.AKS.Version", + "Synopsis": "AKS control plane and nodes pools should use a current stable release.", "Recommendation": null, "Pillar": "Reliability", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1" }, - "Azure.ASE.MigrateV3": { - "Name": "Azure.ASE.MigrateV3", + "Azure.APIM.ProductTerms": { + "Name": "Azure.APIM.ProductTerms", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000319", + "Value": "PSRule.Rules.Azure\\AZR-000050", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000319" + "Name": "AZR-000050" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.ASE.MigrateV3", - "Synopsis": "Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.", + "DisplayName": "Azure.APIM.ProductTerms", + "Synopsis": "Use product terms", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Operational Excellence", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1" }, - "Azure.FrontDoor.WAF.Enabled": { - "Name": "Azure.FrontDoor.WAF.Enabled", + "Azure.VNG.ERLegacySKU": { + "Name": "Azure.VNG.ERLegacySKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000115", + "Value": "PSRule.Rules.Azure\\AZR-000271", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000115" + "Name": "AZR-000271" }, "Alias": [ null 
@@ -7901,60 +8276,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.WAF.Enabled", - "Synopsis": "Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.", + "DisplayName": "Azure.VNG.ERLegacySKU", + "Synopsis": "Migrate from legacy ExpressRoute gateway SKUs", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.VNET.SingleDNS": { - "Name": "Azure.VNET.SingleDNS", + "Azure.KeyVault.KeyName": { + "Name": "Azure.KeyVault.KeyName", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000264", + "Value": "PSRule.Rules.Azure\\AZR-000122", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000264" + "Name": "AZR-000122" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNET.SingleDNS", - "Synopsis": "VNETs should have at least two DNS servers assigned.", + "DisplayName": "Azure.KeyVault.KeyName", + "Synopsis": "Key Vault Key names should meet naming requirements.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1" }, - "Azure.Storage.SoftDelete": { - "Name": "Azure.Storage.SoftDelete", + "Azure.ServiceBus.AuditLogs": { + "Name": "Azure.ServiceBus.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000197", + "Value": "PSRule.Rules.Azure\\AZR-000358", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000197" + "Name": "AZR-000358" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.SoftDelete", - "Synopsis": "Enable soft delete on 
Storage Accounts", + "DisplayName": "Azure.ServiceBus.AuditLogs", + "Synopsis": "Ensure namespaces audit diagnostic logs are enabled.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceBus.Rule.ps1" }, - "Azure.AppService.ARRAffinity": { - "Name": "Azure.AppService.ARRAffinity", + "Azure.AppService.MinPlan": { + "Name": "Azure.AppService.MinPlan", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000083", + "Value": "PSRule.Rules.Azure\\AZR-000072", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000083" + "Name": "AZR-000072" }, "Alias": [ null 
@@ -7964,60 +8342,63 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppService.ARRAffinity", - "Synopsis": "Disable client affinity for stateless services.", + "DisplayName": "Azure.AppService.MinPlan", + "Synopsis": "Use at least a Standard App Service Plan.", "Recommendation": null, "Pillar": "Performance Efficiency", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.yaml" }, - "Azure.Template.ParameterMetadata": { - "Name": "Azure.Template.ParameterMetadata", + "Azure.AppService.WebProbePath": { + "Name": "Azure.AppService.WebProbePath", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000215", + "Value": "PSRule.Rules.Azure\\AZR-000080", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000215" + "Name": "AZR-000080" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_09", + "RuleSet": "2022_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Template.ParameterMetadata", - "Synopsis": "Use template parameter descriptions.", + "DisplayName": "Azure.AppService.WebProbePath", + "Synopsis": "Web apps should use a dedicated health check path.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1" }, - "Azure.EventGrid.TopicPublicAccess": { - "Name": "Azure.EventGrid.TopicPublicAccess", + "Azure.WebPubSub.SLA": { + "Name": "Azure.WebPubSub.SLA", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000098", + "Value": "PSRule.Rules.Azure\\AZR-000278", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000098" + "Name": "AZR-000278" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.EventGrid.TopicPublicAccess", - "Synopsis": "Use Private 
Endpoints to access Event Grid topics and domains.", + "DisplayName": "Azure.WebPubSub.SLA", + "Synopsis": "Use SKUs that includes a SLA when configuring a Web PubSub Service.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Reliability", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.WebPubSub.Rule.yaml" }, - "Azure.PostgreSQL.FirewallIPRange": { - "Name": "Azure.PostgreSQL.FirewallIPRange", + "Azure.NSG.Associated": { + "Name": "Azure.NSG.Associated", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000151", + "Value": "PSRule.Rules.Azure\\AZR-000140", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000151" + "Name": "AZR-000140" }, "Alias": [ null 
@@ -8027,249 +8408,261 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.PostgreSQL.FirewallIPRange", - "Synopsis": "Determine if there is an excessive number of permitted IP addresses", + "DisplayName": "Azure.NSG.Associated", + "Synopsis": "Network security groups should be associated to either a subnet or network interface", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1" }, - "Azure.FrontDoor.ManagedIdentity": { - "Name": "Azure.FrontDoor.ManagedIdentity", + "Azure.Route.Name": { + "Name": "Azure.Route.Name", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000396", + "Value": "PSRule.Rules.Azure\\AZR-000169", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000396" + "Name": "AZR-000169" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.ManagedIdentity", - "Synopsis": "Ensure Front Door uses a managed identity to authorize access to Azure resources.", + "DisplayName": "Azure.Route.Name", + "Synopsis": "Route table names should meet naming requirements.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Route.Rule.yaml" }, - "Azure.Template.ParameterValue": { - "Name": "Azure.Template.ParameterValue", + "Azure.AppGw.OWASP": { + "Name": "Azure.AppGw.OWASP", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000232", + "Value": "PSRule.Rules.Azure\\AZR-000067", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000232" + "Name": "AZR-000067" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_09", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": 
"Azure.Template.ParameterValue", - "Synopsis": "Specify a value for each parameter in template parameter files.", + "DisplayName": "Azure.AppGw.OWASP", + "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.", "Recommendation": null, - "Pillar": null, - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml" }, - "Azure.Bastion.Name": { - "Name": "Azure.Bastion.Name", + "Azure.TrafficManager.Protocol": { + "Name": "Azure.TrafficManager.Protocol", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000349", + "Value": "PSRule.Rules.Azure\\AZR-000237", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000349" + "Name": "AZR-000237" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Bastion.Name", - "Synopsis": "Bastion hosts should meet naming requirements.", + "DisplayName": "Azure.TrafficManager.Protocol", + "Synopsis": "Monitor Traffic Manager endpoints with HTTPS", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.TrafficManager.Rule.ps1" }, - "Azure.AppGw.OWASP": { - "Name": "Azure.AppGw.OWASP", + "Azure.ACR.Retention": { + "Name": "Azure.ACR.Retention", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000067", + "Value": "PSRule.Rules.Azure\\AZR-000010", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000067" + "Name": "AZR-000010" }, "Alias": [ null ], "Flags": 0, - "Release": "GA", - "RuleSet": "2020_06", + "Release": "preview", + "RuleSet": "2020_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.AppGw.OWASP", - "Synopsis": "Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.", + "DisplayName": 
"Azure.ACR.Retention", + "Synopsis": "Use a retention policy to cleanup untagged manifests.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": "Cost Optimization", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.VNG.VPNAvailabilityZoneSKU": { - "Name": "Azure.VNG.VPNAvailabilityZoneSKU", + "Azure.VNG.VPNLegacySKU": { + "Name": "Azure.VNG.VPNLegacySKU", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000272", + "Value": "PSRule.Rules.Azure\\AZR-000269", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000272" + "Name": "AZR-000269" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.VNG.VPNAvailabilityZoneSKU", - "Synopsis": "Use availability zone SKU for virtual network gateways deployed with VPN gateway type", + "DisplayName": "Azure.VNG.VPNLegacySKU", + "Synopsis": "Migrate from legacy VPN gateway SKUs", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNG.Rule.ps1" }, - "Azure.AKS.SecretStore": { - "Name": "Azure.AKS.SecretStore", + "Azure.AppGwWAF.RuleGroups": { + "Name": "Azure.AppGwWAF.RuleGroups", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000033", + "Value": "PSRule.Rules.Azure\\AZR-000304", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000033" + "Name": "AZR-000304" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.SecretStore", - "Synopsis": "Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.", + "DisplayName": "Azure.AppGwWAF.RuleGroups", + "Synopsis": "Application Gateways WAF should have at least 2 Rule Groups. 
One for OWASP and one for Microsoft_BotManagerRuleSet.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml" }, - "Azure.ACR.Quarantine": { - "Name": "Azure.ACR.Quarantine", + "Azure.ACR.AdminUser": { + "Name": "Azure.ACR.AdminUser", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000008", + "Value": "PSRule.Rules.Azure\\AZR-000005", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000008" + "Name": "AZR-000005" }, "Alias": [ null ], "Flags": 0, - "Release": "preview", - "RuleSet": "2020_12", + "Release": "GA", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ACR.Quarantine", - "Synopsis": "Enable container image quarantine, scan, and mark images as verified.", + "DisplayName": "Azure.ACR.AdminUser", + "Synopsis": "Use Azure AD identities instead of using the registry admin user.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml" }, - "Azure.MariaDB.ServerName": { - "Name": "Azure.MariaDB.ServerName", + "Azure.Template.MetadataLink": { + "Name": "Azure.Template.MetadataLink", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000336", + "Value": "PSRule.Rules.Azure\\AZR-000231", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000336" + "Name": "AZR-000231" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2022_12", + "RuleSet": "2021_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.MariaDB.ServerName", - "Synopsis": "Azure Database for MariaDB servers should meet naming requirements.", + "DisplayName": "Azure.Template.MetadataLink", + "Synopsis": "Configure a metadata link for each parameter file.", "Recommendation": null, - "Pillar": "Operational Excellence", - "Control": null + "Pillar": null, + 
"Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Template.Rule.ps1" }, - "Azure.Defender.Storage": { - "Name": "Azure.Defender.Storage", + "Azure.RBAC.LimitMGDelegation": { + "Name": "Azure.RBAC.LimitMGDelegation", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000296", + "Value": "PSRule.Rules.Azure\\AZR-000205", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000296" + "Name": "AZR-000205" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Storage", - "Synopsis": "Enable Microsoft Defender for Storage.", + "DisplayName": "Azure.RBAC.LimitMGDelegation", + "Synopsis": "Limit RBAC inheritance from Management Groups", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1" }, - "Azure.Storage.DefenderCloud": { - "Name": "Azure.Storage.DefenderCloud", + "Azure.AKS.AutoUpgrade": { + "Name": "Azure.AKS.AutoUpgrade", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000386", + "Value": "PSRule.Rules.Azure\\AZR-000036", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000386" + "Name": "AZR-000036" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_06", + "RuleSet": "2021_12", "Level": "Error", "Method": null, - "DisplayName": "Azure.Storage.DefenderCloud", - "Synopsis": "Enable Microsoft Defender for Storage for storage accounts.", + "DisplayName": "Azure.AKS.AutoUpgrade", + "Synopsis": "Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml" }, - "Azure.ContainerApp.Name": { - "Name": 
"Azure.ContainerApp.Name", + "Azure.VNET.PeerState": { + "Name": "Azure.VNET.PeerState", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000360", + "Value": "PSRule.Rules.Azure\\AZR-000266", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000360" + "Name": "AZR-000266" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2023_03", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.ContainerApp.Name", - "Synopsis": "Container Apps should meet naming requirements.", + "DisplayName": "Azure.VNET.PeerState", + "Synopsis": "VNET peering connections must be connected.", "Recommendation": null, "Pillar": "Operational Excellence", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1" }, - "Azure.Monitor.ServiceHealth": { - "Name": "Azure.Monitor.ServiceHealth", + "Azure.VM.NICAttached": { + "Name": "Azure.VM.NICAttached", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000211", + "Value": "PSRule.Rules.Azure\\AZR-000257", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000211" + "Name": "AZR-000257" }, "Alias": [ null 
@@ -8279,123 +8672,129 @@ "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Monitor.ServiceHealth", - "Synopsis": "Configure Azure service logs", + "DisplayName": "Azure.VM.NICAttached", + "Synopsis": "Network interfaces (NICs) should be attached.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1" }, - "Azure.Automation.ManagedIdentity": { - "Name": "Azure.Automation.ManagedIdentity", + "Azure.Redis.MinTLS": { + "Name": "Azure.Redis.MinTLS", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000090", + "Value": "PSRule.Rules.Azure\\AZR-000164", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000090" + "Name": "AZR-000164" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2020_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.Automation.ManagedIdentity", - "Synopsis": "Ensure managed identity is used for authentication.", + "DisplayName": "Azure.Redis.MinTLS", + "Synopsis": "Redis Cache should reject TLS versions older than 1.2.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml" }, - "Azure.AKS.Version": { - "Name": "Azure.AKS.Version", + "Azure.ServiceFabric.AAD": { + "Name": "Azure.ServiceFabric.AAD", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000015", + "Value": "PSRule.Rules.Azure\\AZR-000179", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000015" + "Name": "AZR-000179" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2021_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.AKS.Version", - "Synopsis": "AKS control plane and nodes pools should use a current stable release.", + "DisplayName": "Azure.ServiceFabric.AAD", + 
"Synopsis": "Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1" }, - "Azure.APIM.AvailabilityZone": { - "Name": "Azure.APIM.AvailabilityZone", + "Azure.ADX.ManagedIdentity": { + "Name": "Azure.ADX.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000052", + "Value": "PSRule.Rules.Azure\\AZR-000012", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000052" + "Name": "AZR-000012" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_12", + "RuleSet": "2022_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.AvailabilityZone", - "Synopsis": "API management services deployed with Premium SKU should use availability zones in supported regions for high availability.", + "DisplayName": "Azure.ADX.ManagedIdentity", + "Synopsis": "Configure Data Explorer clusters to use managed identities to access Azure resources securely.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.ADX.Rule.yaml" }, - "Azure.FrontDoor.ProbePath": { - "Name": "Azure.FrontDoor.ProbePath", + "Azure.Defender.Storage": { + "Name": "Azure.Defender.Storage", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000110", + "Value": "PSRule.Rules.Azure\\AZR-000296", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000110" + "Name": "AZR-000296" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2021_03", + "RuleSet": "2023_06", "Level": "Error", "Method": null, - "DisplayName": "Azure.FrontDoor.ProbePath", - "Synopsis": "Configure a dedicated path for health probe requests.", + "DisplayName": "Azure.Defender.Storage", + "Synopsis": 
"Enable Microsoft Defender for Storage.", "Recommendation": null, - "Pillar": "Reliability", - "Control": null + "Pillar": "Security", + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml" }, - "Azure.APIM.CertificateExpiry": { - "Name": "Azure.APIM.CertificateExpiry", + "Azure.SQLMI.ManagedIdentity": { + "Name": "Azure.SQLMI.ManagedIdentity", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000051", + "Value": "PSRule.Rules.Azure\\AZR-000367", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000051" + "Name": "AZR-000367" }, "Alias": [ null ], "Flags": 0, "Release": "GA", - "RuleSet": "2020_06", + "RuleSet": "2023_03", "Level": "Error", "Method": null, - "DisplayName": "Azure.APIM.CertificateExpiry", - "Synopsis": "Renew expired certificates", + "DisplayName": "Azure.SQLMI.ManagedIdentity", + "Synopsis": "Ensure managed identity is used to allow support for Azure AD authentication.", "Recommendation": null, "Pillar": "Security", - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml" }, - "Azure.Defender.Servers": { - "Name": "Azure.Defender.Servers", + "Azure.AppConfig.AuditLogs": { + "Name": "Azure.AppConfig.AuditLogs", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000293", + "Value": "PSRule.Rules.Azure\\AZR-000311", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000293" + "Name": "AZR-000311" }, "Alias": [ null 
@@ -8405,18 +8804,19 @@ "RuleSet": "2022_09", "Level": "Error", "Method": null, - "DisplayName": "Azure.Defender.Servers", - "Synopsis": "Consider enabling Defender for Servers", + "DisplayName": "Azure.AppConfig.AuditLogs", + "Synopsis": "Ensure app configuration store audit diagnostic logs are enabled.", "Recommendation": null, - "Pillar": "Security", - "Control": null + "Pillar": null, + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1" }, - "Azure.MySQL.UseFlexible": { - "Name": "Azure.MySQL.UseFlexible", + "Azure.AppConfig.PurgeProtect": { + "Name": "Azure.AppConfig.PurgeProtect", "Ref": { - "Value": "PSRule.Rules.Azure\\AZR-000325", + "Value": "PSRule.Rules.Azure\\AZR-000313", "Scope": "PSRule.Rules.Azure", - "Name": "AZR-000325" + "Name": "AZR-000313" }, "Alias": [ null @@ -8424,12 +8824,13 @@ "Flags": 0, "Release": "GA", "RuleSet": "2022_12", - "Level": "Warning", + "Level": "Error", "Method": null, - "DisplayName": "Azure.MySQL.UseFlexible", - "Synopsis": "Use Azure Database for MySQL Flexible Server deployment model.", + "DisplayName": "Azure.AppConfig.PurgeProtect", + "Synopsis": "Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.", "Recommendation": null, "Pillar": null, - "Control": null + "Control": null, + "Source": "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1" } } diff --git a/features/index.html b/features/index.html index c57596849a..b07b0d4058 100644 --- a/features/index.html +++ b/features/index.html @@ -12102,7 +12102,7 @@

    Framework alignedWAF and product documentation. This allows you to explore and learn the context of each WAF principle.

    Start day one#

    -

    PSRule for Azure includes over 390 rules for validating resources against configuration recommendations. +

    PSRule for Azure includes over 400 rules for validating resources against configuration recommendations. Rules automatically detect and analyze resources from Azure IaC artifacts. This allows you to quickly light up unit testing of Azure resources from templates and Bicep deployments.

    Use the built-in rules to start enforcing testing quickly. @@ -12154,7 +12154,7 @@

    Cross-platform", " · [:octicons-container-24: " + page.meta['resource'] + "](resource.md#" + page.meta['resource'].lower().replace(" ", "-") + ")\r") + if page.meta.get('source', 'None') != 'None': + markdown = markdown.replace("", " · [:octicons-file-code-24: Rule](" + page.meta['source'] + ")\r") + if page.meta.get('release', 'None') == 'preview': markdown = markdown.replace("", " · :octicons-beaker-24: Preview\r") @@ -128,6 +131,10 @@ def read_metadata(page: mkdocs.structure.nav.Page): description = data[name]['Synopsis'] page.meta['description'] = description + if page.meta.get('rule', '') != '' and data.get(name, None) != None and data[name].get('Source', None) != None: + page.meta['source'] = data[name]['Source'] + + page.meta['tags'] = tags diff --git a/index.html b/index.html index ddc74be447..9921f95f15 100644 --- a/index.html +++ b/index.html @@ -662,7 +662,7 @@
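Review bot: The value stored in page.meta['source'] by the read_metadata hunk is later embedded verbatim as a markdown link target by the first hooks hunk, so a malformed or unexpected `Source` string in the rules JSON would reach the published page as a broken or unintended outbound link; the assignment should accept only values that look like a URL into the project repository, e.g. `source = data[name].get('Source')` / `if page.meta.get('rule', '') != '' and isinstance(source, str) and source.startswith('https://github.com/Azure/PSRule.Rules.Azure/'):` / `page.meta['source'] = source`. That prefix is the one every `Source` value visible in this commit's JSON hunks carries, so the check would not reject any current entry. As a point of style, `data.get(name, None) != None` and `data[name].get('Source', None) != None` should be `is not None` comparisons, and the first hunk's `page.meta.get('source', 'None') != 'None'` sentinel string would read more plainly as `page.meta.get('source') is not None`, since `get` already returns None for a missing key. The body of read_metadata continues outside the hunk.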

    Framework aligned

    Start day one

    -

    Leverage over 390 pre-built rules to test Azure resources.

    +

    Leverage over 400 pre-built rules to test Azure resources.

    diff --git a/search/search_index.json b/search/search_index.json index 47f1c18b66..1b0ed504f2 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"CHANGELOG-v0/","title":"Change log","text":""},{"location":"CHANGELOG-v0/#v0190","title":"v0.19.0","text":"

    What's changed since v0.18.0:

    • New features:
      • Added Azure.GA_2020_12 baseline. #593
        • Includes rules released before or during December 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_09 as obsolete.
    • New rules:
      • Database for MySQL:
        • Check database servers meet name requirements. #583
      • Database for PostgreSQL:
        • Check database servers meet name requirements. #583
      • SQL Database:
        • Check SQL logical servers meet name requirements. #583
        • Check SQL failover groups meet name requirements. #583
        • Check SQL databases meet name requirements. #583
      • SQL Managed Instance:
        • Check SQL Managed Instances meet name requirements. #583
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.3. #590
    • General improvements:
      • Added support for true, false, and null template functions. #579
      • Added support for createObject template function. #580
    • Engineering:
      • Bump PSRule dependency to v1.0.0. #588

    What's changed since pre-release v0.19.0-B2012008:

    • New features:
      • Added Azure.GA_2020_12 baseline. #593
        • Includes rules released before or during December 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_09 as obsolete.
    "},{"location":"CHANGELOG-v0/#v0190-b2012008-pre-release","title":"v0.19.0-B2012008 (pre-release)","text":"

    What's changed since pre-release v0.19.0-B2011008:

    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.3. #590
    • Engineering:
      • Bump PSRule dependency to v1.0.0. #588
    "},{"location":"CHANGELOG-v0/#v0190-b2011008-pre-release","title":"v0.19.0-B2011008 (pre-release)","text":"

    What's changed since v0.18.0:

    • New rules:
      • Database for MySQL:
        • Check database servers meet name requirements. #583
      • Database for PostgreSQL:
        • Check database servers meet name requirements. #583
      • SQL Database:
        • Check SQL logical servers meet name requirements. #583
        • Check SQL failover groups meet name requirements. #583
        • Check SQL databases meet name requirements. #583
      • SQL Managed Instance:
        • Check SQL Managed Instances meet name requirements. #583
    • General improvements:
      • Added support for true, false, and null template functions. #579
      • Added support for createObject template function. #580
    "},{"location":"CHANGELOG-v0/#v0180","title":"v0.18.0","text":"

    What's changed since v0.17.0:

    • New rules:
      • Container Registry:
        • Check registries use container image scanning. #558
        • Check registries image scanning results are healthy. #558
        • Check registries use content trust. #558
        • Check registries are geo-replicated. #558
        • Check registries uses storage space less than included storage. #558
        • Check registries have a retention set of untagged manifests (preview). #558
        • Check registries use image quarantine pattern (preview). #558
      • Front Door:
        • Check Front Door WAF policy name requirements. #552
    • Bug fixes:
      • Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554
      • Fixed reason typo on template parameter metadata. #567
      • Fixed Get-AzRuleTemplateLink reports incorrect parameter with file path. #568
      • Fixed variable property not resolved with copy peer. #571
      • Fixed blob soft delete for FileStorage storage accounts. #573
      • Fixed top level variable copy detected as unused variable.#569
      • Fixed ResourceGroupName property cannot be found on this object. #561

    What's changed since pre-release v0.18.0-B2011023:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0180-b2011023-pre-release","title":"v0.18.0-B2011023 (pre-release)","text":"

    What's changed since pre-release v0.18.0-B2011005:

    • Bug fixes:
      • Fixed reason typo on template parameter metadata. #567
      • Fixed Get-AzRuleTemplateLink reports incorrect parameter with file path. #568
      • Fixed variable property not resolved with copy peer. #571
      • Fixed blob soft delete for FileStorage storage accounts. #573
      • Fixed top level variable copy detected as unused variable.#569
    "},{"location":"CHANGELOG-v0/#v0180-b2011005-pre-release","title":"v0.18.0-B2011005 (pre-release)","text":"

    What's changed since pre-release v0.18.0-B2010016:

    • Bug fixes:
      • Fixed ResourceGroupName property cannot be found on this object. #561
    "},{"location":"CHANGELOG-v0/#v0180-b2010016-pre-release","title":"v0.18.0-B2010016 (pre-release)","text":"

    What's changed since v0.17.0:

    • New rules:
      • Container Registry:
        • Check registries use container image scanning. #558
        • Check registries image scanning results are healthy. #558
        • Check registries use content trust. #558
        • Check registries are geo-replicated. #558
        • Check registries uses storage space less than included storage. #558
        • Check registries have a retention set of untagged manifests (preview). #558
        • Check registries use image quarantine pattern (preview). #558
      • Front Door:
        • Check Front Door WAF policy name requirements. #552
    • Bug fixes:
      • Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554
    "},{"location":"CHANGELOG-v0/#v0170","title":"v0.17.0","text":"

    What's changed since v0.16.0:

    • New rules:
      • Azure Cache for Redis:
        • Check cache instances use Standard C1 or greater SKU. #501
        • Cache cache instances configure maxmemory-reserved setting. #502
      • App Configuration:
        • Check App Configuration stores meet name requirements. #528
        • Check App Configuration stores use standard SKU. #528
      • App Service:
        • Check App Service apps use HTTP/2. #538
        • Check App Service apps use managed identities. #537
        • Check App Service apps use Always On. #521
        • Check App Service apps have remote debugging disabled. #521
        • Check App Service apps use newer .NET Framework versions. #521
        • Check App Service apps use newer PHP runtime versions. #521
      • Logic App:
        • Check Logic App apps limit IP range for HTTP triggers. #526
    • Updated rules:
      • Storage:
        • Updated Azure.Storage.UseReplication for additional use cases.
          • Added support for geo-zone-redundant storage. #535
          • Exclude storage tagged with resource-usage = 'azure-functions' or resource-usage = 'azure-monitor'. #534
      • Azure Kubernetes Service:
        • Promote Azure.AKS.AzurePolicyAddOn to GA rule set. #524
    • Removed rules:
      • Azure Kubernetes Service:
        • Remove Azure.AKS.PodSecurityPolicy as this AKS feature is replaced by Azure Policy. #523
    • General improvements:
      • Added support for providers template function. #177
      • Added support for dateTimeAdd template function. #516
    • Bug fixes:
      • Fixed expansion of templates with multiple variables copy blocks. #541
      • Fixed App Service rule site config false positives in templates. #533

    What's changed since pre-release v0.17.0-B2010028:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0170-b2010028-pre-release","title":"v0.17.0-B2010028 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2010022:

    • New rules:
      • Azure Cache for Redis:
        • Check cache instances use Standard C1 or greater SKU. #501
        • Cache cache instances configure maxmemory-reserved setting. #502
    "},{"location":"CHANGELOG-v0/#v0170-b2010022-pre-release","title":"v0.17.0-B2010022 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2010017:

    • Bug fixes:
      • Fixed expansion of templates with multiple variables copy blocks. #541
    "},{"location":"CHANGELOG-v0/#v0170-b2010017-pre-release","title":"v0.17.0-B2010017 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2010006:

    • New rules:
      • App Service:
        • Check App Service apps use HTTP/2. #538
        • Check App Service apps use managed identities. #537
    • Updated rules:
      • Storage:
        • Updated Azure.Storage.UseReplication for additional use cases.
          • Added support for geo-zone-redundant storage. #535
          • Exclude storage tagged with resource-usage = 'azure-functions' or resource-usage = 'azure-monitor'. #534
    • Bug fixes:
      • Fixed App Service rule site config false positives in templates. #533
    "},{"location":"CHANGELOG-v0/#v0170-b2010006-pre-release","title":"v0.17.0-B2010006 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2009009:

    • New rules:
      • App Configuration:
        • Check App Configuration stores meet name requirements. #528
        • Check App Configuration stores use standard SKU. #528
      • App Service:
        • Check App Service apps use Always On. #521
        • Check App Service apps have remote debugging disabled. #521
        • Check App Service apps use newer .NET Framework versions. #521
        • Check App Service apps use newer PHP runtime versions. #521
      • Logic App:
        • Check Logic App apps limit IP range for HTTP triggers. #526
    • Updated rules:
      • Azure Kubernetes Service:
        • Promote Azure.AKS.AzurePolicyAddOn to GA rule set. #524
    • Removed rules:
      • Azure Kubernetes Service:
        • Remove Azure.AKS.PodSecurityPolicy as this AKS feature is replaced by Azure Policy. #523
    "},{"location":"CHANGELOG-v0/#v0170-b2009009-pre-release","title":"v0.17.0-B2009009 (pre-release)","text":"

    What's changed since v0.16.0:

    • General improvements:
      • Added support for providers template function. #177
      • Added support for dateTimeAdd template function. #516
    "},{"location":"CHANGELOG-v0/#v0160","title":"v0.16.0","text":"

    What's changed since v0.15.0:

    • New features:
      • Added Azure.GA_2020_09 baseline. #488
        • Includes rules released before or during September 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_06 as obsolete.
    • New rules:
      • CDN:
        • Check CDN endpoint naming requirements. #486
        • Check CDN endpoints use TLS 1.2. #487
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.18.8. #504
    • General improvements:
      • Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481
      • Improve output of template processing exceptions. #484
    • Engineering:
      • Bump PSRule dependency to v0.20.0.
    • Bug fixes:
      • Fixed Data Factory version not detected with template. #498
      • Fixed parameter file detection with 2019-04-01 schema. #495
      • Fixed deprecated $Rule properties. #491

    What's changed since pre-release v0.16.0-B2009033:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0160-b2009033-pre-release","title":"v0.16.0-B2009033 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009024:

    • New features:
      • Added Azure.GA_2020_09 baseline. #488
        • Includes rules released before or during September 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_06 as obsolete.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.18.8. #504
    • Engineering:
      • Bump PSRule dependency to v0.20.0.
    "},{"location":"CHANGELOG-v0/#v0160-b2009024-pre-release","title":"v0.16.0-B2009024 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009019:

    • Bug fixes:
      • Fixed Data Factory version not detected with template. #498
    "},{"location":"CHANGELOG-v0/#v0160-b2009019-pre-release","title":"v0.16.0-B2009019 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009011:

    • Bug fixes:
      • Fixed parameter file detection with 2019-04-01 schema. #495
    "},{"location":"CHANGELOG-v0/#v0160-b2009011-pre-release","title":"v0.16.0-B2009011 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009004:

    • Bug fixes:
      • Fixed deprecated $Rule properties. #491
    "},{"location":"CHANGELOG-v0/#v0160-b2009004-pre-release","title":"v0.16.0-B2009004 (pre-release)","text":"

    What's changed since v0.15.0:

    • New rules:
      • CDN:
        • Check CDN endpoint naming requirements. #486
        • Check CDN endpoints use TLS 1.2. #487
    • General improvements:
      • Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481
      • Improve output of template processing exceptions. #484
    "},{"location":"CHANGELOG-v0/#v0150","title":"v0.15.0","text":"

    What's changed since v0.14.1:

    • New rules:
      • All resources:
        • Check ARM template parameters are used. #232
        • Check ARM template variables are used. #233
        • Check ARM template parameters include a metadata description. #360
        • Check ARM templates define at least one resource. #359
      • Database for MySQL:
        • Check database servers reject TLS versions older than 1.2. #469
      • Database for PostgreSQL:
        • Check database servers reject TLS versions older than 1.2. #470
      • SQL Database:
        • Check database servers reject TLS versions older than 1.2. #471
      • Storage Account:
        • Check Storage Accounts reject TLS versions older than 1.2. #455
        • Check Storage Accounts only accept authorized requests. #456
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.9. #452
    • Engineering:
      • Bump PSRule dependency to v0.19.0.
    • Bug fixes:
      • Fixed export of non-blob Storage Accounts. #464
      • Fixed export of subscription Security Center data based on API version. #465
      • Fixed masking of sharedKey when property does not exist. #466

    What's changed since pre-release v0.15.0-B2008034:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0150-b2008043-pre-release","title":"v0.15.0-B2008043 (pre-release)","text":"

    What's changed since pre-release v0.15.0-B2008034:

    • New rules:
      • Database for MySQL:
        • Check database servers reject TLS versions older than 1.2. #469
      • Database for PostgreSQL:
        • Check database servers reject TLS versions older than 1.2. #470
      • SQL Database:
        • Check database servers reject TLS versions older than 1.2. #471
    • Bug fixes:
      • Fixed use variables check when no variables are defined. #462
    "},{"location":"CHANGELOG-v0/#v0150-b2008034-pre-release","title":"v0.15.0-B2008034 (pre-release)","text":"

    What's changed since pre-release v0.15.0-B2008026:

    • Bug fixes:
      • Fixed export of non-blob Storage Accounts. #464
      • Fixed export of subscription Security Center data based on API version. #465
      • Fixed masking of sharedKey when property does not exist. #466
    "},{"location":"CHANGELOG-v0/#v0150-b2008026-pre-release","title":"v0.15.0-B2008026 (pre-release)","text":"

    What's changed since v0.14.1:

    • New rules:
      • All resources:
        • Check ARM template parameters are used. #232
        • Check ARM template variables are used. #233
        • Check ARM template parameters include a metadata description. #360
        • Check ARM templates define at least one resource. #359
      • Storage Account:
        • Check Storage Accounts reject TLS versions older than 1.2. #455
        • Check Storage Accounts only accept authorized requests. #456
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.9. #452
    "},{"location":"CHANGELOG-v0/#v0141","title":"v0.14.1","text":"

    What's changed since v0.14.0:

    • Bug fixes:
      • Fixed resource tags rule to exclude diagnostic settings. #448
    "},{"location":"CHANGELOG-v0/#v0140","title":"v0.14.0","text":"

    What's changed since v0.13.0:

    • New rules:
      • API Management:
        • Check API Management service name requirements. #437
        • Check API Management products have legal terms. #438
        • Check API Management products have a display name and description. #439
        • Check API Management APIs have a display name and description. #440
      • Subscriptions:
        • Check subscription is managed by PIM. #422
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.7. #427
    • General improvements:
      • Updated rule reasons and logic. #424
    • Bug fixes:
      • Fixed masking for network connection resource configuration. #434
      • Fixed hybrid use benefit rule to exclude Windows client OSs. #433
      • Fixed VM standalone rule to exclude Windows client OSs. #442

    What's changed since pre-release v0.14.0-B2007031:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0140-b2007031-pre-release","title":"v0.14.0-B2007031 (pre-release)","text":"

    What's changed since pre-release v0.14.0-B2007020:

    • New rules:
      • API Management:
        • Check API Management service name requirements. #437
        • Check API Management products have legal terms. #438
        • Check API Management products have a display name and description. #439
        • Check API Management APIs have a display name and description. #440
    • Bug fixes:
      • Fixed masking for network connection resource configuration. #434
      • Fixed hybrid use benefit rule to exclude Windows client OSs. #433
      • Fixed VM standalone rule to exclude Windows client OSs. #442
    "},{"location":"CHANGELOG-v0/#v0140-b2007020-pre-release","title":"v0.14.0-B2007020 (pre-release)","text":"

    What's changed since v0.13.0:

    • New rules:
      • Subscriptions:
        • Check subscription is managed by PIM. #422
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.7. #427
    • General improvements:
      • Updated rule reasons and logic. #424
    "},{"location":"CHANGELOG-v0/#v0130","title":"v0.13.0","text":"

    What's changed since v0.12.1:

    • New features:
      • Added Azure.GA_2020_06 baseline. #399
        • Includes rules released before or during June 2020 for Azure GA features.
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS clusters use a Standard load balancer SKU. #334
        • Check AKS clusters use Managed Identities for cluster infrastructure. #333
        • Check AKS clusters use Azure Policy add-on (preview). #405
      • Public IP:
        • Check Public IP domain name label requirements. #389
      • Virtual Machines:
        • Check Availability Set name requirements. #387
        • Check Computer name requirements. #387
        • Check Managed Disk name requirements. #387
        • Check Network Interface name requirements. #387
        • Check Virtual Machine name requirements. #387
        • Check Proximity Placement Group name requirements. #387
      • Virtual Machine Scale Sets:
        • Check Computer name requirements. #387
        • Check Virtual Machine Scale Set name requirements. #387
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.9. #394
    • Bug fixes:
      • Fixed module default culture. #390
      • Fixed exception message for object property that does not exist. #362
      • Fixed substring raises an exception processing sub expressions. #413

    What's changed since pre-release v0.13.0-B2006032:

    • Bug fixes:
      • Fixed substring raises an exception processing sub expressions. #413
    "},{"location":"CHANGELOG-v0/#v0130-b2006032-pre-release","title":"v0.13.0-B2006032 (pre-release)","text":"
    • New features:
      • Added Azure.GA_2020_06 baseline. #399
        • Includes rules released before or during June 2020 for Azure GA features.
    • Bug fixes:
      • Fixed exception message for object property that does not exist. #362
    "},{"location":"CHANGELOG-v0/#v0130-b2006023-pre-release","title":"v0.13.0-B2006023 (pre-release)","text":"
    • New rules:
      • Public IP:
        • Check Public IP domain name label requirements. #389
      • Virtual Machines:
        • Check Availability Set name requirements. #387
        • Check Computer name requirements. #387
        • Check Managed Disk name requirements. #387
        • Check Network Interface name requirements. #387
        • Check Virtual Machine name requirements. #387
        • Check Proximity Placement Group name requirements. #387
      • Virtual Machine Scale Sets:
        • Check Computer name requirements. #387
        • Check Virtual Machine Scale Set name requirements. #387
    "},{"location":"CHANGELOG-v0/#v0130-b2006017-pre-release","title":"v0.13.0-B2006017 (pre-release)","text":"
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS clusters use a Standard load balancer SKU. #334
        • Check AKS clusters use Managed Identities for cluster infrastructure. #333
        • Check AKS clusters use Azure Policy add-on (preview). #405
    "},{"location":"CHANGELOG-v0/#v0130-b2006003-pre-release","title":"v0.13.0-B2006003 (pre-release)","text":"
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.9. #394
    • Bug fixes:
      • Fixed module default culture. #390
    "},{"location":"CHANGELOG-v0/#v0121","title":"v0.12.1","text":"

    What's changed since v0.12.0:

    • Bug fixes:
      • Fixed subnet name check for VNET with no subnets. #386
    "},{"location":"CHANGELOG-v0/#v0120","title":"v0.12.0","text":"

    What's changed since v0.11.0:

    • New rules:
      • Azure Kubernetes Service:
        • Check AKS cluster name requirements. #373
        • Check AKS cluster DNS prefix requirements. #373
      • Container Registry:
        • Check registry name requirements. #373
      • Front Door:
        • Check Front Door name requirements. #373
      • Load Balancer:
        • Check Load Balancer name requirements. #373
      • Network Security Group:
        • Check NSG name requirements. #373
      • Public IP:
        • Check Public IP name requirements. #373
      • Policy:
        • Check Policy definitions use descriptive fields. #364
      • Resource Group:
        • Check Resource Group name requirements. #373
      • Route table
        • Check Route table name requirements. #373
      • SignalR Service:
        • Check SignalR Service name requirements. #373
      • SQL Database:
        • Check SQL Database uses TDE. #379
        • Check SQL Database uses AAD authentication. #378
      • Storage Account:
        • Check Storage Account name requirements. #373
        • Check Storage blob containers use private access type. #365
      • Virtual Network:
        • Check VNET name requirements. #373
        • Check VNET subnet name requirements. #373
      • Virtual Network Gateway:
        • Check VNG name requirements. #373
        • Check VNG connection name requirements. #373
        • Check ExpressRoute Gateway uses current SKU. #369
        • Check VPN Gateway uses current SKU. #370
        • Check VPN Gateway uses active-active configuration. #371

    What's changed since pre-release v0.12.0-B2005026:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0120-b2005026-pre-release","title":"v0.12.0-B2005026 (pre-release)","text":"
    • New rules:
      • SQL Database:
        • Check SQL Database uses TDE. #379
        • Check SQL Database uses AAD authentication. #378
    • Bug fixes:
      • Fixed handling of subnet sub-resource name with slash. #381
    "},{"location":"CHANGELOG-v0/#v0120-b2005019-pre-release","title":"v0.12.0-B2005019 (pre-release)","text":"
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS cluster name requirements. #373
        • Check AKS cluster DNS prefix requirements. #373
      • Container Registry:
        • Check registry name requirements. #373
      • Front Door:
        • Check Front Door name requirements. #373
      • Load Balancer:
        • Check Load Balancer name requirements. #373
      • Network Security Group:
        • Check NSG name requirements. #373
      • Public IP:
        • Check Public IP name requirements. #373
      • Resource Group:
        • Check Resource Group name requirements. #373
      • Route table
        • Check Route table name requirements. #373
      • SignalR Service:
        • Check SignalR Service name requirements. #373
      • Storage Account:
        • Check Storage Account name requirements. #373
      • Virtual Network:
        • Check VNET name requirements. #373
        • Check VNET subnet name requirements. #373
      • Virtual Network Gateway:
        • Check VNG name requirements. #373
        • Check VNG connection name requirements. #373
        • Check ExpressRoute Gateway uses current SKU. #369
        • Check VPN Gateway uses current SKU. #370
        • Check VPN Gateway uses active-active configuration. #371
    "},{"location":"CHANGELOG-v0/#v0120-b2005005-pre-release","title":"v0.12.0-B2005005 (pre-release)","text":"
    • New rules:
      • Storage Account:
        • Check Storage blob containers use private access type. #365
      • Policy:
        • Check Policy definitions use descriptive fields. #364
    "},{"location":"CHANGELOG-v0/#v0110","title":"v0.11.0","text":"

    What's changed since v0.10.1:

    • New rules:
      • Azure Kubernetes Service:
        • Check AKS nodes use a minimum number of pods. #274
      • API Management:
        • Check API Management products require a subscription. #342
        • Check API Management products require approval. #343
        • Check API Management sample products have been removed. #344
        • Check API Management uses a managed identity. #345
        • Check API Management certificates are not expired. #346
    • General improvements:
      • Added name and type bindings for template files. #353
      • Breaking change: Renamed configuration options to use a standard prefix. #327
        • Configuration options use the Azure_ prefix.
        • Update configuration settings to use the new name, old configuration names are ignored.
        • Renamed minAKSVersion to Azure_AKSMinimumVersion.
        • Renamed azureAllowedRegions to Azure_AllowedRegions.
        • Added configuration option documentation. See about_PSRule_Azure_Configuration for details.

    What's changed since pre-release v0.11.0-B2004012:

    • General improvements:
      • Added name and type bindings for template files. #353
    "},{"location":"CHANGELOG-v0/#v0110-b2004012-pre-release","title":"v0.11.0-B2004012 (pre-release)","text":"
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS nodes use a minimum number of pods. #274
    • General improvements:
      • Breaking change: Renamed configuration options to use a standard prefix. #327
        • Configuration options use the Azure_ prefix.
        • Update configuration settings to use the new name, old configuration names are ignored.
        • Renamed minAKSVersion to Azure_AKSMinimumVersion.
        • Renamed azureAllowedRegions to Azure_AllowedRegions.
        • Added configuration option documentation. See about_PSRule_Azure_Configuration for details.
    "},{"location":"CHANGELOG-v0/#v0110-b2004005-pre-release","title":"v0.11.0-B2004005 (pre-release)","text":"
    • New rules:
      • API Management:
        • Check API Management products require a subscription. #342
        • Check API Management products require approval. #343
        • Check API Management sample products have been removed. #344
        • Check API Management uses a managed identity. #345
        • Check API Management certificates are not expired. #346
    "},{"location":"CHANGELOG-v0/#v0101","title":"v0.10.1","text":"

    What's changed since v0.10.0:

    • Bug fixes:
      • Fixed false positive for unused public IP in templates. #336
      • Fixed false positive for use of managed disks in templates. #337
      • Fixed false positive for disk caching when no VM data disks is null in templates. #338
    "},{"location":"CHANGELOG-v0/#v0100","title":"v0.10.0","text":"

    What's changed since v0.9.0:

    • New features:
      • Added support for linking parameter and template files for analysis with metadata. #324
        • Added Get-AzRuleTemplateLink cmdlet to get metadata link to template files.
        • See cmdlet help for usage.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.7. #330
    • General improvements:
      • Removed warning message for azureAllowedRegions option. #328
      • Improvements to verbose logging of Export-AzRuleData. #301
    • Bug fixes:
      • Fixed unused VM resource false positives in templates. #312
      • Fixed handling SKU for accelerated networking. #314
      • Fixed detection of hybrid use benefit in templates. #313
      • Fixed exception message when a template or parameter file is not found. #316
      • Fixed detection of diagnostic logging for Front Door. #307
      • Fixed Front Door WAF Policy export. #308
      • Fixed union of object properties in templates. #303

    What's changed since pre-release v0.10.0-B2003051:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0100-b2003051-pre-release","title":"v0.10.0-B2003051 (pre-release)","text":"
    • New features:
      • Added support for linking parameter and template files for analysis with metadata. #324
        • Added Get-AzRuleTemplateLink cmdlet to get metadata link to template files.
        • See cmdlet help for usage.
    • General improvements:
      • Removed warning message for azureAllowedRegions option. #328
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.7. #330
    "},{"location":"CHANGELOG-v0/#v0100-b2003032-pre-release","title":"v0.10.0-B2003032 (pre-release)","text":"
    • Bug fixes:
      • Fixed unused VM resource false positives in templates. #312
      • Fixed handling SKU for accelerated networking. #314
      • Fixed detection of hybrid use benefit in templates. #313
      • Fixed exception message when a template or parameter file is not found. #316
    "},{"location":"CHANGELOG-v0/#v0100-b2003004-pre-release","title":"v0.10.0-B2003004 (pre-release)","text":"
    • Bug fixes:
      • Fixed detection of diagnostic logging for Front Door. #307
      • Fixed Front Door WAF Policy export. #308
    "},{"location":"CHANGELOG-v0/#v0100-b2002023-pre-release","title":"v0.10.0-B2002023 (pre-release)","text":"
    • General improvements:
      • Improvements to verbose logging of Export-AzRuleData. #301
    • Bug fixes:
      • Fixed union of object properties in templates. #303
    "},{"location":"CHANGELOG-v0/#v090","title":"v0.9.0","text":"

    What's changed since v0.8.0:

    • New rules:
      • Azure Firewall:
        • Check threat intelligence is configured as deny. #266
      • Front Door:
        • Check Front Door is enabled. #267
        • Check Front Door uses TLS 1.2. #268
        • Check Front Door has a configured WAF policy. #269
        • Check Front Door WAF policy is configured in prevention mode. #271
        • Check Front Door WAF policy is enabled. #270
        • Check if diagnostic logs are configured. #289
      • Traffic Manager:
        • Check web-based endpoints are monitored with HTTPS. #240
        • Check at least two endpoints are enabled. #241
      • Key Vault:
        • Check soft delete is enabled. #277
        • Check purge protection is enabled. #280
        • Check least privileges permissions assigned in access policy. #281
        • Check if diagnostic logs are configured. #288
      • Subscriptions:
        • Check if service health alerts are configured. #290
    • Updated rules:
      • Exclude cloud shell storage accounts from data rules. #278
        • Azure.Storage.UseReplication and Azure.Storage.SoftDelete ignore cloud shell storage accounts.
    • General improvements:
      • Removed module dependency on Az.Security. #105
    • Bug fixes:
      • Fixed incorrect string formatting in POSIX culture. #262
      • Fixed Azure.VNET.UseNSGs to exclude AzureFirewallSubnet. #261

    What's changed since pre-release v0.9.0-B2002036:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v090-b2002036-pre-release","title":"v0.9.0-B2002036 (pre-release)","text":"
    • Exclude cloud shell storage accounts from data rules. #278
    • Added new rule for Subscriptions:
      • Check if service health alerts are configured. #290
    • Added new rule for Key Vault:
      • Check if diagnostic logs are configured. #288
    • Added new rule for Front Door:
      • Check if diagnostic logs are configured. #289
    • Removed module dependency on Az.Security. #105
    "},{"location":"CHANGELOG-v0/#v090-b2002026-pre-release","title":"v0.9.0-B2002026 (pre-release)","text":"
    • Added new rules for Traffic Manager:
      • Check web-based endpoints are monitored with HTTPS. #240
      • Check at least two endpoints are enabled. #241
    • Added new rules for Key Vault:
      • Check soft delete is enabled. #277
      • Check purge protection is enabled. #280
      • Check least privileges permissions assigned in access policy. #281
    "},{"location":"CHANGELOG-v0/#v090-b2002019-pre-release","title":"v0.9.0-B2002019 (pre-release)","text":"
    • Added new rule to check Azure Firewall threat intelligence is configured as deny. #266
    • Added new rules for Front Door:
      • Check Front Door is enabled. #267
      • Check Front Door uses TLS 1.2. #268
      • Check Front Door has a configured WAF policy. #269
      • Check Front Door WAF policy is configured in prevention mode. #271
      • Check Front Door WAF policy is enabled. #270
    "},{"location":"CHANGELOG-v0/#v090-b2002011-pre-release","title":"v0.9.0-B2002011 (pre-release)","text":"
    • Fixed incorrect string formatting in POSIX culture. #262
    • Fixed Azure.VNET.UseNSGs to exclude AzureFirewallSubnet. #261
    "},{"location":"CHANGELOG-v0/#v080","title":"v0.8.0","text":"

    What's changed since v0.7.0:

    • New rules:
      • API Management:
        • Check API Management uses secure protocol versions. #237
        • Check API Management published APIs use HTTPS. #236
        • Check API Management backend connections use HTTPS. #238
        • Check API Management named values are encrypted. #239
      • Automation Accounts:
        • Check automation accounts use encrypted variables. #211
        • Check automation account webhook expiry interval. #212
      • CDN:
        • Check Azure CDN connections use HTTPS. #242
      • Resource Manager Templates:
        • Check ARM template and parameter file structure. #225
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.15.7. #247
      • Virtual networks:
        • Updated Azure.VNET.UseNSGs to apply to subnet resources from templates. #246
    • General improvements:
      • Improvements to rule help wording and usage of links section. #220 #224 #257
        • Documentation and reasons messages are now available for all en cultures.
      • Various updates to rule implementation to take advantage of PSRule v0.12.0 language features. #220
      • Breaking change: Shorten rule names to improve output display. #119
        • Application Gateway rules have been renamed from Azure.VirtualNetwork.* to Azure.AppGW.*.
        • Load balancer rules have been renamed from Azure.VirtualNetwork.* to Azure.LB.*.
        • NSG rules have been renamed from Azure.VirtualNetwork.* to Azure.NSG.*.
        • VNET rules have been renamed from Azure.VirtualNetwork.* to Azure.VNET.*.
        • NIC rules have been renamed from Azure.VirtualNetwork.* to Azure.VM.*.
        • Renamed storage account rule Azure.Storage.SecureTransferRequired to Azure.Storage.SecureTransfer.
    • Bug fixes:
      • Fix Azure.Resource.UseTags applying to template and parameter files. #230

    What's changed since pre-release v0.8.0-B2001029:

    • Fixed Azure.VNET.UseNSGs not populating subnet name in reason message. #256
    • Updated reason strings to use parent culture en. #257
    "},{"location":"CHANGELOG-v0/#v080-b2001029-pre-release","title":"v0.8.0-B2001029 (pre-release)","text":"
    • Updated Azure.VNET.UseNSGs to apply to subnet resources from templates. #246
    • Updated Azure.AKS.Version to 1.15.7. #247
    • Breaking change: Renamed Azure.File.* rules to Azure.Template.*. #252
    "},{"location":"CHANGELOG-v0/#v080-b2001018-pre-release","title":"v0.8.0-B2001018 (pre-release)","text":"
    • Fixed Azure.Resource.UseTags applying to template and parameter files. #230
    • Fixed ARM template and parameter schemas used to detect files. #234
    • Added new rule to check API Management uses secure protocol versions. #237
    • Added new rule to check API Management published APIs use HTTPS. #236
    • Added new rule to check API Management backend connections use HTTPS. #238
    • Added new rule to check API Management named values are encrypted. #239
    • Added new rule to check Azure CDN connections use HTTPS. #242
    "},{"location":"CHANGELOG-v0/#v080-b2001006-pre-release","title":"v0.8.0-B2001006 (pre-release)","text":"
    • Updated documentation to use parent culture en. #224
    • Added rules for ARM template and parameter file structure. #225
    • Breaking change: Application Gateway rules have been renamed from Azure.VirtualNetwork.* to Azure.AppGW.*. #119
    • Breaking change: Load balancer rules have been renamed from Azure.VirtualNetwork.* to Azure.LB.*. #119
    • Breaking change: NSG rules have been renamed from Azure.VirtualNetwork.* to Azure.NSG.*. #119
    • Breaking change: VNET rules have been renamed from Azure.VirtualNetwork.* to Azure.VNET.*. #119
    • Breaking change: NIC rules have been renamed from Azure.VirtualNetwork.* to Azure.VM.*. #119
    • Breaking change: Renamed storage account rule Azure.Storage.SecureTransferRequired to Azure.Storage.SecureTransfer. #119
    "},{"location":"CHANGELOG-v0/#v080-b1912026-pre-release","title":"v0.8.0-B1912026 (pre-release)","text":"
    • Fixed Automation account handling with no webhooks or variables. #219
    • Rule improvements from PSRule v0.12.0. #220
    • Updated Azure.AKS.Version to 1.15.5. #217
    "},{"location":"CHANGELOG-v0/#v080-b1912012-pre-release","title":"v0.8.0-B1912012 (pre-release)","text":"
    • Added new rule to check automation accounts use encrypted variables. #211
    • Added new rule to check automation account webhook expiry interval. #212
    "},{"location":"CHANGELOG-v0/#v070","title":"v0.7.0","text":"

    What's changed since v0.6.0:

    • New rules:
      • Role assignment:
        • Check presence of classic Co-Administrators. #188
      • Azure Kubernetes Service:
        • Check AKS node pool version matches cluster version. #186
        • Check AKS clusters use pod security policies. #142
        • Check AKS clusters use network policies. #143
        • Check AKS node pools use scale sets. #187
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to check for node pool version. #191
    • General improvements:
      • Added custom bindings for common resource properties. #202
      • Added new baseline to include rules for preview features. #190
      • Breaking change: Shorten rule names to improve output display. #119
        • RBAC rules have been renamed from Azure.Subscription.* to Azure.RBAC.*.
        • Security Center rules have been renamed from Azure.Subscription.* to Azure.SecureCenter.*.
      • Breaking change: Renamed default baseline from Azure.SubscriptionDefault to Azure.Default. #190
    • Bug fixes:
      • Fixed handling of tags for sub-resources. #203
      • Fixed missing cmdlet help. #196
      • Fixed AKS templates without node pool orchestratorVersion fail. #198
      • Fixed null reference without parameters file. #189

    What's changed since pre-release v0.7.0-B1912024:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v070-b1912024-pre-release","title":"v0.7.0-B1912024 (pre-release)","text":"
    • Fixed handling of tags for sub-resources. #203
    • Added custom bindings for common resource properties. #202
    "},{"location":"CHANGELOG-v0/#v070-b1912017-pre-release","title":"v0.7.0-B1912017 (pre-release)","text":"
    • Fixed missing cmdlet help. #196
    • Fixed AKS templates without node pool orchestratorVersion fail. #198
    "},{"location":"CHANGELOG-v0/#v070-b1912008-pre-release","title":"v0.7.0-B1912008 (pre-release)","text":"
    • Fixed null reference without parameters file. #189
    • Added new rule to check presence of classic Co-Administrators. #188
    • Added new rule to check AKS node pool version matches cluster version. #186
    • Added new rule to check AKS clusters use pod security policies. #142
    • Added new rule to check AKS clusters use network policies. #143
    • Added new rule to check AKS node pools use scale sets. #187
    • Added new baseline to include rules for preview features. #190
    • Updated Azure.AKS.Version to check for node pool version. #191
    • Breaking change: RBAC rules have been renamed from Azure.Subscription.* to Azure.RBAC.*. #119
    • Breaking change: Security Center rules have been renamed from Azure.Subscription.* to Azure.SecureCenter.*. #119
    • Breaking change: Renamed default baseline from Azure.SubscriptionDefault to Azure.Default. #190
    "},{"location":"CHANGELOG-v0/#v060","title":"v0.6.0","text":"

    What's changed since v0.5.0:

    • New features:
      • Added support for exporting rule data from templates. #145
        • Added Export-AzTemplateRuleData cmdlet to export templates. See cmdlet help for limitations.
        • Template and parameters are merged, resolving functions, copy loops and conditions.
    • Updated rules:
      • Azure Kubernetes Services:
        • Updated Azure.AKS.Version to 1.14.8. #140
    • General improvements:
      • Updated rules to use type pre-conditions. #144
    • Bug fixes:
      • Fixed processing of Azure.Resource.UseTags to exclude */providers/roleAssignments. #155
        • Provider role assignments do not support tags.
      • Fixed processing of Azure.Resource.AllowedRegions. #156
        • Exclude */providers/roleAssignments, Microsoft.Authorization/* and Microsoft.Consumption/*.
      • Fixed processing of Azure.VirtualNetwork.NSGAssociated for templates. #150
      • Fixed processing of Azure.VirtualNetwork.LateralTraversal when destinationPortRanges is used. #149

    What's changed since pre-release v0.6.0-B1911046:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v060-b1911046-pre-release","title":"v0.6.0-B1911046 (pre-release)","text":"
    • Improved template support of Export-AzTemplateRuleData cmdlet. #145
      • Added support for deployment function.
      • Fixed property copy loop.
    • Fixed Export-AzTemplateRuleData does not return FileInfo objects. #162
    • Fixed automatically name outputs from Export-AzTemplateRuleData. #163
    • Fixed resource segmentation issue when ResourceType includes trailing slash. #165
    • Fixed expand resource template property as null fails. #167
    • Fixed case-sensitivity of variables, parameters and functions. #168
    • Fixed out of order parameter and variables cross reference. #170
    • Fixed expression parser race condition. #171
    • Fixed handling of padding spaces in expressions. #173
    • Fixed property of property is parsed incorrectly. #174
    • Fixed root variable copy loop handling. #175
    "},{"location":"CHANGELOG-v0/#v060-b1911027-pre-release","title":"v0.6.0-B1911027 (pre-release)","text":"
    • Fixed processing of Azure.Resource.UseTags to exclude */providers/roleAssignments. #155
      • Provider role assignments do not support tags.
    • Fixed processing of Azure.Resource.AllowedRegions. #156
      • Exclude */providers/roleAssignments, Microsoft.Authorization/* and Microsoft.Consumption/*.
    "},{"location":"CHANGELOG-v0/#v060-b1911020-pre-release","title":"v0.6.0-B1911020 (pre-release)","text":"
    • Fixed processing of Azure.VirtualNetwork.NSGAssociated for templates. #150
    • Fixed processing of Azure.VirtualNetwork.LateralTraversal when destinationPortRanges is used. #149
    • Improved template support of Export-AzTemplateRuleData cmdlet. #145
      • Added support for nested templates.
      • Added support for array, createArray, coalesce, intersection, dataUri and dataUriToString functions.
    "},{"location":"CHANGELOG-v0/#v060-b1911011-pre-release","title":"v0.6.0-B1911011 (pre-release)","text":"
    • Updated Azure.AKS.Version to 1.14.8. #140
    • Updated rules to use type pre-conditions. #144
    • Experimental: Added support for exporting rule data from templates. #145
      • Added Export-AzTemplateRuleData cmdlet to export templates. See cmdlet help for limitations.
      • Template and parameters are merged, resolving functions, copy loops and conditions.
    "},{"location":"CHANGELOG-v0/#v050","title":"v0.5.0","text":"

    What's changed since v0.4.0:

    • New rules:
      • Virtual machines:
        • Check Windows automatic updates are enabled. #132
        • Check VM agent is automatically provisioned. #131
    • Updated rules:
      • Azure Kubernetes Services:
        • Updated Azure.AKS.Version to 1.14.6. #130
    • General improvements:
      • Shortened rule names for virtual machines to Azure.VM.* to improve output display. #119
        • Breaking change: Rules have been renamed from Azure.VirtualMachine.* to Azure.VM.*.

    What's changed since pre-release v0.5.0-B1910004:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v050-b1910004-pre-release","title":"v0.5.0-B1910004 (pre-release)","text":"
    • Added rule to verify Windows automatic updates are enabled. #132
    • Added rule to verify VM agent is automatically provisioned. #131
    • Updated Azure.AKS.Version to 1.14.6. #130
    • Breaking change: Renamed Azure.VirtualMachine.* rules to Azure.VM.*. #119
    "},{"location":"CHANGELOG-v0/#v040","title":"v0.4.0","text":"

    What's changed since v0.3.0:

    • New rules:
      • Virtual machines:
        • Added rule to verify Azure Disk Encryption. #122
        • Added rule to check if public key is used for Linux. #123
      • Virtual networking:
        • Added rule to verify connectivity of VNET peers. #120
        • Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121
    • General improvements:
      • Removed dependency on Az.Storage module. #105
      • Added default baseline to module. #126

    What's changed since pre-release v0.4.0-B190902:

    • Added default baseline to module. #126
    "},{"location":"CHANGELOG-v0/#v040-b190902-pre-release","title":"v0.4.0-B190902 (pre-release)","text":"
    • Added rule to verify connectivity of VNET peers. #120
    • Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121
    • Added rule to verify Azure Disk Encryption. #122
    • Added rule to check if public key is used for Linux. #123
    • Removed dependency on Az.Storage module. #105
    "},{"location":"CHANGELOG-v0/#v030","title":"v0.3.0","text":"

    What's changed since v0.2.0:

    • New rules:
      • App Services:
        • Enforce minimum TLS version for App Service. #99
      • Resource clean up:
        • Network security groups that are not associated. #93
        • Unattached network interfaces. #92
      • Role assignment:
        • Added subscription RBAC delegation rules. #107
          • Check for number of subscription owners.
          • Check for RBAC inheritance from management groups.
          • Check for user RBAC assignments.
          • Check for RBAC delegation on individual resources.
      • Virtual machines:
        • VMs should avoid using expired promo SKUs. #87
        • VMs should avoid using basic SKUs. #69
      • Virtual networking:
        • Added NSG rule to check for lateral traversal security rules. #103
        • Added rule to detect deny all inbound NSG rule. #94
    • Updated rules:
      • App Services:
        • Updated App Service site rules to include slots. #100
        • Azure.AppService.ARRAffinity and Azure.AppService.UseHTTPS now run against slots.
      • Azure Kubernetes Services:
        • Updated Azure.AKS.Version to 1.14.5. #109
    • Bug fixes:
      • Fix handling of empty DNS servers in Azure.VirtualNetwork.LocalDNS. #84
      • Fix handling of no peering connections in Azure.VirtualNetwork.LocalDNS. #89
      • Fix export of additional properties for Microsoft.Sql/servers. #114
      • Excluded global services from Azure.Resource.AllowedRegions. #96

    What's changed since pre-release v0.3.0-B190807:

    • Fix export of additional properties for Microsoft.Sql/servers. #114
    "},{"location":"CHANGELOG-v0/#v030-b190807-pre-release","title":"v0.3.0-B190807 (pre-release)","text":"
    • Updated Azure.AKS.Version to 1.14.5. #109
    • Added subscription RBAC delegation rules. #107
      • Check for number of subscription owners.
      • Check for RBAC inheritance from management groups.
      • Check for user RBAC assignments.
      • Check for RBAC delegation on individual resources.
    "},{"location":"CHANGELOG-v0/#v030-b190723-pre-release","title":"v0.3.0-B190723 (pre-release)","text":"
    • Excluded global services from Azure.Resource.AllowedRegions. #96
    • Enforce minimum TLS version for App Service. #99
    • Updated App Service site rules to include slots. #100
      • Azure.AppService.ARRAffinity and Azure.AppService.UseHTTPS now run against slots.
    • Added rule to detect deny all inbound NSG rule. #94
    • Added unused resource rules.
      • Network security groups that are not associated. #93
      • Unattached network interfaces. #92
    • Added NSG rule to check for lateral traversal security rules. #103
    "},{"location":"CHANGELOG-v0/#v030-b190710-pre-release","title":"v0.3.0-B190710 (pre-release)","text":"
    • Fix handling of empty DNS servers in Azure.VirtualNetwork.LocalDNS. #84
    • Fix handling of no peering connections in Azure.VirtualNetwork.LocalDNS. #89
    • Updated AKS version in Azure.AKS.Version to 1.13.7. #83
    • Added VM SKU rules:
      • VMs should avoid using expired promo SKUs. #87
      • VMs should avoid using basic SKUs. #69
    "},{"location":"CHANGELOG-v0/#v020","title":"v0.2.0","text":"

    What's changed since v0.1.0:

    • Fix rule Azure.AKS.UseRBAC returns null. #60
    • Fix rule Azure.Storage.SoftDelete and Azure.Storage.SecureTransferRequired returns null. #64
    • Fix collection of ASR vault configuration for cmdlet deprecation. #63
    • Updated rules to use Recommend keyword instead of Hint alias. #71
    • Added SQL firewall rule range check to detect an excessive number of permitted IP addresses. #3 #10 #54
      • The rules Azure.SQL.FirewallIPRange, Azure.MySQL.FirewallIPRange and Azure.PostgreSQL.FirewallIPRange were added to check SQL, MySQL and PostgreSQL.
    • Added parameters to filter resource export by resource group and/ or tag. #59
      • Added -ResourceGroupName and -Tag parameters to Export-AzRuleData cmdlet.
    • Added support for Application Gateway v2. #75
    • Added VNET rule to check for local DNS. #68
    • Added WAF hardening rules for Application Gateway. #78
      • Application Gateways use OWASP 3.x rules.
      • Application Gateways have WAF enabled.
      • Application Gateways have all OWASP rules enabled.

    What's changed since pre-release v0.2.0-B190715:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v020-b190715-pre-release","title":"v0.2.0-B190715 (pre-release)","text":"
    • Added support for Application Gateway v2. #75
    • Added VNET rule to check for local DNS. #68
    • Added WAF hardening rules for Application Gateway. #78
      • Application Gateways use OWASP 3.x rules.
      • Application Gateways have WAF enabled.
      • Application Gateways have all OWASP rules enabled.
    "},{"location":"CHANGELOG-v0/#v020-b190706-pre-release","title":"v0.2.0-B190706 (pre-release)","text":"
    • Fix rule Azure.AKS.UseRBAC returns null. #60
    • Fix rule Azure.Storage.SoftDelete and Azure.Storage.SecureTransferRequired returns null. #64
    • Fix collection of ASR vault configuration for cmdlet deprecation. #63
    • Added SQL firewall rule range check to detect an excessive number of permitted IP addresses. #3 #10 #54
      • The rules Azure.SQL.FirewallIPRange, Azure.MySQL.FirewallIPRange and Azure.PostgreSQL.FirewallIPRange were added to check SQL, MySQL and PostgreSQL.
    • Updated rules to use Recommend keyword instead of Hint alias. #71
    • Added parameters to filter resource export by resource group and/ or tag. #59
      • Added -ResourceGroupName and -Tag parameters to Export-AzRuleData cmdlet.
    "},{"location":"CHANGELOG-v0/#v010","title":"v0.1.0","text":"
    • Initial release.

    What's changed since pre-release v0.1.0-B190624:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v010-b190624-pre-release","title":"v0.1.0-B190624 (pre-release)","text":"
    • Added rule to check if allow access to Azure services is enabled for MySQL. #4
    • Added rule to count the number of database server firewall rules for MySQL. #2
    • Added rule to check if allow access to Azure services is enabled for PostgreSQL. #50
    • Added rule to count the number of database server firewall rules for PostgreSQL. #51
    • Added rule to check if SSL is enforced for PostgreSQL. #49
    "},{"location":"CHANGELOG-v0/#v010-b190607-pre-release","title":"v0.1.0-B190607 (pre-release)","text":"
    • Added rule documentation. #40
    "},{"location":"CHANGELOG-v0/#v010-b190569-pre-release","title":"v0.1.0-B190569 (pre-release)","text":"
    • Fix exported resource data overwritten. #34
    "},{"location":"CHANGELOG-v0/#v010-b190562-pre-release","title":"v0.1.0-B190562 (pre-release)","text":"
    • Add units tests for Export-AzRuleData and update filters. #28
    • Export-AzRuleData returns files generated by default. #27
    • Export-AzRuleData passes through objects resource objects to the pipeline. #25
    • Breaking change - Export-AzRuleData only exports data from current subscription context by default. #24
      • Data can be exported from all subscription contexts by using the -All switch, or specifying specific subscriptions with the -Subscription or -Tenant parameters.
    "},{"location":"CHANGELOG-v0/#v010-b190543-pre-release","title":"v0.1.0-B190543 (pre-release)","text":"
    • Fix cannot find the type for custom attribute error. #21
    "},{"location":"CHANGELOG-v0/#v010-b190536-pre-release","title":"v0.1.0-B190536 (pre-release)","text":"
    • Initial pre-release.
    "},{"location":"CHANGELOG-v1/","title":"Change log","text":"

    See upgrade notes for helpful information when upgrading from previous versions.

    Important notes:

    • Issue #741: Could not load file or assembly YamlDotNet. See troubleshooting guide for a workaround to this issue.
    • The configuration option Azure_AKSMinimumVersion is replaced with AZURE_AKS_CLUSTER_MINIMUM_VERSION. If you have this option configured, please update it to AZURE_AKS_CLUSTER_MINIMUM_VERSION. Support for Azure_AKSMinimumVersion will be removed in v2. See upgrade notes for more information.
    • The configuration option Azure_AllowedRegions is replaced with AZURE_RESOURCE_ALLOWED_LOCATIONS. If you have this option configured, please update it to AZURE_RESOURCE_ALLOWED_LOCATIONS. Support for Azure_AllowedRegions will be removed in v2. See upgrade notes for more information.
    • The SupportsTag PowerShell function has been replaced with the Azure.Resource.SupportsTags selector. Update PowerShell rules to use the Azure.Resource.SupportsTags selector instead. Support for the SupportsTag function will be removed in v2. See upgrade notes for more information.
    "},{"location":"CHANGELOG-v1/#unreleased","title":"Unreleased","text":"

    What's changed since pre-release v1.30.0-B0080:

    • New features:
      • Added September 2023 baselines Azure.GA_2023_09 and Azure.Preview_2023_09 by @BernieWhite. #2451
        • Includes rules released before or during September 2023.
        • Marked Azure.GA_2023_06 and Azure.Preview_2023_06 baselines as obsolete.
    • New rules:
      • Azure Container Registry:
        • Check that Container Registries restricts network access by @BenjaminEngeset. #2423
        • Check that Container Registries disables anonymous pull access by @BenjaminEngeset. #2422
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.26.6 by @BernieWhite. #2404
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Updated resource providers and policy aliases. #2442
      • Bump xunit to v2.5.1. #2436
      • Bump xunit.runner.visualstudio to v2.5.1. #2435
    • Bug fixes:
      • Fixed Azure.AKS.Version by excluding node-image channel by @BernieWhite. #2446
    "},{"location":"CHANGELOG-v1/#v1300-b0080-pre-release","title":"v1.30.0-B0080 (pre-release)","text":"

    What's changed since pre-release v1.30.0-B0047:

    • General improvements:
      • Important change: Replaced the Azure_AllowedRegions option with AZURE_RESOURCE_ALLOWED_LOCATIONS. #941
        • For compatibility, if Azure_AllowedRegions is set it will be used instead of AZURE_RESOURCE_ALLOWED_LOCATIONS.
        • If only AZURE_RESOURCE_ALLOWED_LOCATIONS is set, this value will be used.
        • The default will be used if neither option is configured.
        • If Azure_AllowedRegions is set a warning will be generated until the configuration is removed.
        • Support for Azure_AllowedRegions is deprecated and will be removed in v2.
        • See upgrade notes for details.
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.7.2. #2407
      • Bump BenchmarkDotNet to v0.13.8. #2425
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8. #2425
    • Bug fixes:
      • Fixed false positive with Azure.Storage.SecureTransfer on new API versions by @BernieWhite. #2414
      • Fixed false positive with Azure.VNET.LocalDNS for DNS server addresses out of local scope by @BernieWhite. #2370
        • This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.
        • Set AZURE_VNET_DNS_WITH_IDENTITY to true when using an Identity subscription for DNS.
    "},{"location":"CHANGELOG-v1/#v1300-b0047-pre-release","title":"v1.30.0-B0047 (pre-release)","text":"

    What's changed since pre-release v1.30.0-B0026:

    • Engineering:
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4. #2405
    • Bug fixes:
      • Fixed lambda map in map variable by @BernieWhite. #2410
    "},{"location":"CHANGELOG-v1/#v1300-b0026-pre-release","title":"v1.30.0-B0026 (pre-release)","text":"

    What's changed since pre-release v1.30.0-B0011:

    • New rules:
      • Azure Container Apps:
        • Check that Container Apps uses a supported API version by @BenjaminEngeset. #2398
    • Bug fixes:
      • Fixed non-resource group rule triggering for a resource group by @BernieWhite. #2401
    "},{"location":"CHANGELOG-v1/#v1300-b0011-pre-release","title":"v1.30.0-B0011 (pre-release)","text":"

    What's changed since v1.29.0:

    • New rules:
      • Azure Database for MySQL:
        • Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2227
      • Azure Firewall:
        • Check that Azure Firewall policies have threat intelligence-based filtering configured in alert and deny mode by @BenjaminEngeset. #2354
      • Backup vault:
        • Check that immutability is configured for Backup vaults by @BenjaminEngeset. #2387
      • Front Door:
        • Check that a managed identity is configured for Azure Front Door instances by @BenjaminEngeset. #2378
      • Public IP address:
        • Check that Public IP addresses use the Standard SKU by @BenjaminEngeset. #2376
      • Recovery Services vault:
        • Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset. #2386
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.7. #2385
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.7. #2382
      • Bump Microsoft.NET.Test.Sdk to v17.7.1. #2393
    "},{"location":"CHANGELOG-v1/#v1290","title":"v1.29.0","text":"

    What's changed since v1.28.2:

    • New rules:
      • Databricks:
        • Check that workspaces use secure cluster connectivity by @BernieWhite. #2334
    • General improvements:
      • Use policy definition name when generating a rule from it by @BernieWhite. #1959
      • Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite. #2248
      • Added export in-flight data for Defender for APIs from API Management by @BernieWhite. #2247
    • Bug fixes:
      • Fixed policy expansion with unquoted field property by @BernieWhite. #2352
      • Fixed array contains with JArray by @BernieWhite. #2368
      • Fixed index out of bounds of array with first function on empty array by @BernieWhite. #2372

    What's changed since pre-release v1.29.0-B0062:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1290-b0062-pre-release","title":"v1.29.0-B0062 (pre-release)","text":"

    What's changed since pre-release v1.29.0-B0036:

    • Bug fixes:
      • Fixed array contains with JArray by @BernieWhite. #2368
      • Fixed index out of bounds of array with first function on empty array by @BernieWhite. #2372
    "},{"location":"CHANGELOG-v1/#v1290-b0036-pre-release","title":"v1.29.0-B0036 (pre-release)","text":"

    What's changed since pre-release v1.29.0-B0015:

    • General improvements:
      • Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite. #2248
      • Added export in-flight data for Defender for APIs from API Management by @BernieWhite. #2247
    "},{"location":"CHANGELOG-v1/#v1290-b0015-pre-release","title":"v1.29.0-B0015 (pre-release)","text":"

    What's changed since v1.28.2:

    • New rules:
      • Databricks:
        • Check that workspaces use secure cluster connectivity by @BernieWhite. #2334
    • General improvements:
      • Use policy definition name when generating a rule from it by @BernieWhite. #1959
    • Bug fixes:
      • Fixed policy expansion with unquoted field property by @BernieWhite. #2352
    "},{"location":"CHANGELOG-v1/#v1282","title":"v1.28.2","text":"

    What's changed since v1.28.1:

    • Bug fixes:
      • Fixed policy rules with no effect conditions are evaluated incorrectly by @BernieWhite. #2346
    "},{"location":"CHANGELOG-v1/#v1281","title":"v1.28.1","text":"

    What's changed since v1.28.0:

    • Bug fixes:
      • Fixed parseCidr with /32 is not valid by @BernieWhite. #2336
      • Fixed mismatch of resource group type on policy as code rules by @BernieWhite. #2338
      • Fixed length cannot be less than zero when converting policy to rules by @BernieWhite. #1802
      • Fixed naming rules for MariaDB by @BernieWhite. #2335
        • Updated Azure.MariaDB.VNETRuleName to allow for parent resources.
        • Updated Azure.MariaDB.FirewallRuleName to allow for parent resources.
      • Fixed network watcher existence check by @BernieWhite. #2342
    "},{"location":"CHANGELOG-v1/#v1280","title":"v1.28.0","text":"

    What's changed since v1.27.3:

    • New features:
      • Added June 2023 baselines Azure.GA_2023_06 and Azure.Preview_2023_06 by @BernieWhite. #2310
        • Includes rules released before or during June 2023.
        • Marked Azure.GA_2023_03 and Azure.Preview_2023_03 baselines as obsolete.
    • New rules:
      • Azure Database for MySQL:
        • Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2226
      • Azure Database for PostgreSQL:
        • Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2250
        • Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2249
    • Removed rules:
      • Azure Kubernetes Service:
        • Removed Azure.AKS.PodIdentity as pod identities have been replaced by workload identities by @BernieWhite. #2273
    • General improvements:
      • Added support for safe dereference operator by @BernieWhite. #2322
        • Added support for tryGet Bicep function.
      • Added support for Bicep CIDR functions by @BernieWhite. #2279
        • Added support for parseCidr, cidrSubnet, and cidrHost.
      • Added support for managementGroupResourceId Bicep function by @BernieWhite. #2294
    • Engineering:
      • Bump PSRule to v2.9.0. #2293
      • Updated resource providers and policy aliases. #2261
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3. #2281
      • Bump Microsoft.NET.Test.Sdk to v17.6.3. #2290
      • Bump coverlet.collector to v6.0.0. #2232
      • Bump Az.Resources to v6.7.0. #2274
      • Bump xunit to v2.5.0. #2306
      • Bump xunit.runner.visualstudio to v2.5.0. #2307
      • Bump BenchmarkDotNet to v0.13.6. #2317
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6. #2318
    • Bug fixes:
      • Fixed Redis firewall rules can not bind to start by @BernieWhite. #2303
      • Fixed null condition handling by @BernieWhite. #2316
      • Fixed reference expression in property name by @BernieWhite. #2321
      • Fixed handling of nested mock objects by @BernieWhite. #2325
      • Fixed late binding of coalesce function by @BernieWhite. #2328
      • Fixed handling of JArray outputs with runtime values by @BernieWhite. #2159

    What's changed since pre-release v1.28.0-B0213:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1280-b0213-pre-release","title":"v1.28.0-B0213 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0159:

    • General improvements:
      • Added support for safe dereference operator by @BernieWhite. #2322
        • Added support for tryGet Bicep function.
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.6. #2317
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6. #2318
    • Bug fixes:
      • Fixed null condition handling by @BernieWhite. #2316
      • Fixed reference expression in property name by @BernieWhite. #2321
      • Fixed handling of nested mock objects by @BernieWhite. #2325
      • Fixed late binding of coalesce function by @BernieWhite. #2328
    "},{"location":"CHANGELOG-v1/#v1280-b0159-pre-release","title":"v1.28.0-B0159 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0115:

    • New features:
      • Added June 2023 baselines Azure.GA_2023_06 and Azure.Preview_2023_06 by @BernieWhite. #2310
        • Includes rules released before or during June 2023.
        • Marked Azure.GA_2023_03 and Azure.Preview_2023_03 baselines as obsolete.
    • Engineering:
      • Bump xunit to v2.5.0. #2306
      • Bump xunit.runner.visualstudio to v2.5.0. #2307
    • Bug fixes:
      • Fixed Redis firewall rules can not bind to start by @BernieWhite. #2303
    "},{"location":"CHANGELOG-v1/#v1280-b0115-pre-release","title":"v1.28.0-B0115 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0079:

    • General improvements:
      • Added support for Bicep CIDR functions by @BernieWhite. #2279
        • Added support for parseCidr, cidrSubnet, and cidrHost.
    "},{"location":"CHANGELOG-v1/#v1280-b0079-pre-release","title":"v1.28.0-B0079 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0045:

    • General improvements:
      • Added support for managementGroupResourceId Bicep function by @BernieWhite. #2294
    • Engineering:
      • Bump PSRule to v2.9.0. #2293
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3. #2281
      • Bump Microsoft.NET.Test.Sdk to v17.6.3. #2290
      • Bump coverlet.collector to v6.0.0. #2232
    • Bug fixes:
      • Fixed handling of JArray outputs with runtime values by @BernieWhite. #2159
    "},{"location":"CHANGELOG-v1/#v1280-b0045-pre-release","title":"v1.28.0-B0045 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0024:

    • Removed rules:
      • Azure Kubernetes Service:
        • Removed Azure.AKS.PodIdentity as pod identities have been replaced by workload identities by @BernieWhite. #2273
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.6.2. #2266
      • Bump Az.Resources to v6.7.0. #2274
    • Bug fixes:
      • Fixed false positive of IsolatedV2 with Azure.AppService.MinPlan by @BernieWhite. #2277
    "},{"location":"CHANGELOG-v1/#v1280-b0024-pre-release","title":"v1.28.0-B0024 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0010:

    • Bug fixes:
      • Fixed union function for merge of object properties by @BernieWhite. #2264
      • Fixed length function counting properties in object by @BernieWhite. #2263
    "},{"location":"CHANGELOG-v1/#v1280-b0010-pre-release","title":"v1.28.0-B0010 (pre-release)","text":"

    What's changed since v1.27.1:

    • New rules:
      • Azure Database for MySQL:
        • Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2226
      • Azure Database for PostgreSQL:
        • Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2250
        • Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2249
    • Engineering:
      • Updated resource providers and policy aliases. #2261
      • Bump Microsoft.NET.Test.Sdk to v17.6.1. #2256
    "},{"location":"CHANGELOG-v1/#v1273","title":"v1.27.3","text":"

    What's changed since v1.27.2:

    • Bug fixes:
      • Fixed false positive of IsolatedV2 with Azure.AppService.MinPlan by @BernieWhite. #2277
    "},{"location":"CHANGELOG-v1/#v1272","title":"v1.27.2","text":"

    What's changed since v1.27.1:

    • Bug fixes:
      • Fixed union function for merge of object properties by @BernieWhite. #2264
      • Fixed length function counting properties in object by @BernieWhite. #2263
    "},{"location":"CHANGELOG-v1/#v1271","title":"v1.27.1","text":"

    What's changed since v1.27.0:

    • Bug fixes:
      • Fixed depends on ordering fails to expand deployment by @BernieWhite. #2255
    "},{"location":"CHANGELOG-v1/#v1270","title":"v1.27.0","text":"

    What's changed since v1.26.1:

    • New features:
      • Experimental: Added support for expanding deployments from .bicepparam files by @BernieWhite. #2132
        • See Using Bicep source for details.
    • New rules:
      • Application Gateway:
        • Check that Application Gateways use a v2 SKU by @BenjaminEngeset. #2185
      • API Management:
        • Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset. #2187
        • Check that base element for any policy element in a section is configured by @BenjaminEngeset. #2072
      • Arc-enabled Kubernetes cluster:
        • Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset. #2124
      • Arc-enabled server:
        • Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset. #2122
      • Container App:
        • Check that container apps have session affinity disabled to prevent unbalanced distribution by @BenjaminEngeset. #2188
        • Check that container apps with IP ingress restrictions configured have the mode set to allow for all rules defined by @BenjaminEngeset. #2189
      • Cosmos DB:
        • Check that Cosmos DB accounts have Microsoft Defender enabled by @BenjaminEngeset. #2203
      • Defender for Cloud:
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2207
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2206
        • Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset. #2186
        • Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset. #2204
        • Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset. #1632
        • Check that Microsoft Defender Cloud Security Posture Management is using Standard plan by @BenjaminEngeset. #2151
      • Key Vault:
        • Check that key vaults use Azure RBAC as the authorization system for the data plane by @BenjaminEngeset. #1916
      • Storage Account:
        • Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2225
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2207
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2206
      • Virtual Machine:
        • Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset. #2121
    • General improvements:
      • Added support for Bicep symbolic names by @BernieWhite. #2238
    • Updated rules:
      • API Management:
        • Updated Azure.APIM.EncryptValues to check that all API Management named values are encrypted with Key Vault secrets by @BenjaminEngeset. #2146
      • Container App:
        • Promoted Azure.ContainerApp.Insecure to GA rule set by @BernieWhite. #2174
      • Defender for Cloud:
        • Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset. #2205
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.6.0. #2216
    • Bug fixes:
      • Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset. #2171
      • Fixed left-side or function evaluation by @BernieWhite. #2220
      • Fixed interdependent variable copy loop count by @BernieWhite. #2221
      • Fixed handling of database name in Azure.MariaDB.Database by @BernieWhite. #2191
      • Fixed typo in Azure.Defender.Api documentation by @BenjaminEngeset. #2209
      • Fixed Azure.AKS.UptimeSLA with new pricing by @BenjaminEngeset. #2065 #2202
      • Fixed false positive on managed identity without space by @BernieWhite. #2235
      • Fixed reference for runtime subnet ID property by @BernieWhite. #2159

    What's changed since pre-release v1.27.0-B0186:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1270-b0186-pre-release","title":"v1.27.0-B0186 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0136:

    • New rules:
      • API Management:
        • Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset. #2187
      • Key Vault:
        • Check that key vaults use Azure RBAC as the authorization system for the data plane by @BenjaminEngeset. #1916
      • Storage Account:
        • Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2225
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2207
    "},{"location":"CHANGELOG-v1/#v1270-b0136-pre-release","title":"v1.27.0-B0136 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0091:

    • New rules:
      • Defender for Cloud:
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2207
    • General improvements:
      • Added support for Bicep symbolic names by @BernieWhite. #2238
    • Bug fixes:
      • Fixed false positive on managed identity without space by @BernieWhite. #2235
    "},{"location":"CHANGELOG-v1/#v1270-b0091-pre-release","title":"v1.27.0-B0091 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0050:

    • New features:
      • Experimental: Added support for expanding deployments from .bicepparam files by @BernieWhite. #2132
        • See Using Bicep source for details.
    • New rules:
      • Storage Account:
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.
      • Defender for Cloud:
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2206
    • Bug fixes:
      • Fixed left-side or function evaluation by @BernieWhite. #2220
      • Fixed interdependent variable copy loop count by @BernieWhite. #2221
    "},{"location":"CHANGELOG-v1/#v1270-b0050-pre-release","title":"v1.27.0-B0050 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0015:

    • New rules:
      • Application Gateway:
        • Check that Application Gateways uses a v2 SKU by @BenjaminEngeset. #2185
      • Arc-enabled Kubernetes cluster:
        • Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset. #2124
      • Arc-enabled server:
        • Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset. #2122
      • Container App:
        • Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset. #2188
        • Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset. #2189
      • Cosmos DB:
        • Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset. #2203
      • Defender for Cloud:
        • Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset. #2186
        • Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset. #2204
        • Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset. #1632
      • Virtual Machine:
        • Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset. #2121
    • Updated rules:
      • Defender for Cloud:
        • Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset. #2205
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.6.0. #2216
    • Bug fixes:
      • Fixed handling of database name in Azure.MariaDB.Database by @BernieWhite. #2191
      • Fixed typing error in Azure.Defender.Api documentation by @BenjaminEngeset. #2209
      • Fixed Azure.AKS.UptimeSLA with new pricing by @BenjaminEngeset. #2065 #2202
    "},{"location":"CHANGELOG-v1/#v1270-b0015-pre-release","title":"v1.27.0-B0015 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0003:

    • New rules:
      • API Management:
        • Check that base element for any policy element in a section is configured by @BenjaminEngeset. #2072
      • Defender for Cloud:
        • Check that Microsoft Defender Cloud Security Posture Management is using Standard plan by @BenjaminEngeset. #2151
    • Updated rules:
      • Container App:
        • Promoted Azure.ContainerApp.Insecure to GA rule set by @BernieWhite. #2174
    • Bug fixes:
      • Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset. #2171
    "},{"location":"CHANGELOG-v1/#v1270-b0003-pre-release","title":"v1.27.0-B0003 (pre-release)","text":"

    What's changed since v1.26.1:

    • Updated rules:
      • API Management:
        • Updated Azure.APIM.EncryptValues to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset. #2146
    • Bug fixes:
      • Fixed reference for runtime subnet ID property by @BernieWhite. #2159
    "},{"location":"CHANGELOG-v1/#v1261","title":"v1.26.1","text":"

    What's changed since v1.26.0:

    • Bug fixes:
      • Fixed null union with first value being null by @BernieWhite. #2075
      • Fixed Azure.Resource.UseTags for additional resources that don't support tags by @BernieWhite. #2129
    "},{"location":"CHANGELOG-v1/#v1260","title":"v1.26.0","text":"

    What's changed since v1.25.0:

    • New features:
      • Added March 2023 baselines Azure.GA_2023_03 and Azure.Preview_2023_03 by @BernieWhite. #2138
        • Includes rules released before or during March 2023.
        • Marked Azure.GA_2022_12 and Azure.Preview_2022_12 baselines as obsolete.
    • New rules:
      • API Management:
        • Check that wildcard * for any configuration option in CORS policies settings is not in use by @BenjaminEngeset. #2073
      • Azure Kubernetes Service:
        • Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset. #2123
      • Container App:
        • Check that internal-only ingress for container apps are configured by @BenjaminEngeset. #2098
        • Check that Azure File volumes for container apps are configured by @BenjaminEngeset. #2101
        • Check that the names of container apps meets the naming requirements by @BenjaminEngeset. #2094
        • Check that managed identity for container apps are configured by @BenjaminEngeset. #2096
        • Check that public network access for container apps environments are disabled by @BenjaminEngeset. #2098
      • Deployment:
        • Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset. #1915
      • IoT Hub:
        • Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset. #1996
      • Service Bus:
        • Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset. #1862
      • SQL Database:
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2119
        • Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset. #2117
      • SQL Managed Instance:
        • Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset. #2120
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2118
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.6 by @BernieWhite. #2136
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Added a selector for premium Service Bus namespaces by @BernieWhite. #2091
      • Improved export of in-flight deeply nested API Management policies by @BernieWhite. #2153
    • Engineering:
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1. #2082
      • Bump Newtonsoft.Json to v13.0.3. #2080
      • Updated resource providers and policy aliases. #2144
      • Bump PSRule to v2.8.1. #2155
      • Bump Az.Resources to v6.6.0. #2155
      • Bump Pester to v5.4.1. #2155
    • Bug fixes:
      • Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
      • Fixed false positive with Azure.Deployment.Name by @BernieWhite. #2109
      • Fixed false positives for Azure.AppService.AlwaysOn with Functions and Workflows by @BernieWhite. #943

    What's changed since pre-release v1.26.0-B0078:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1260-b0078-pre-release","title":"v1.26.0-B0078 (pre-release)","text":"

    What's changed since pre-release v1.26.0-B0040:

    • General improvements:
      • Improved export of in-flight deeply nested API Management policies by @BernieWhite. #2153
    • Engineering:
      • Updated resource providers and policy aliases. #2144
      • Bump PSRule to v2.8.1. #2155
      • Bump Az.Resources to v6.6.0. #2155
      • Bump Pester to v5.4.1. #2155
    • Bug fixes:
      • Fixed false positives for Azure.AppService.AlwaysOn with Functions and Workflows by @BernieWhite. #943
    "},{"location":"CHANGELOG-v1/#v1260-b0040-pre-release","title":"v1.26.0-B0040 (pre-release)","text":"

    What's changed since pre-release v1.26.0-B0011:

    • New features:
      • Added March 2023 baselines Azure.GA_2023_03 and Azure.Preview_2023_03 by @BernieWhite. #2138
        • Includes rules released before or during March 2023.
        • Marked Azure.GA_2022_12 and Azure.Preview_2022_12 baselines as obsolete.
    • New rules:
      • API Management:
        • Check that wildcard * for any configuration option in CORS policies settings is not in use by @BenjaminEngeset. #2073
      • Azure Kubernetes Service:
        • Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset. #2123
      • Container App:
        • Check that internal-only ingress for container apps are configured by @BenjaminEngeset. #2098
        • Check that Azure File volumes for container apps are configured by @BenjaminEngeset. #2101
      • SQL Database:
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2119
        • Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset. #2117
      • SQL Managed Instance:
        • Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset. #2120
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2118
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.6 by @BernieWhite. #2136
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Bug fixes:
      • Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
      • Fixed false positive with Azure.Deployment.Name by @BernieWhite. #2109
    "},{"location":"CHANGELOG-v1/#v1260-b0011-pre-release","title":"v1.26.0-B0011 (pre-release)","text":"

    What's changed since v1.25.0:

    • New rules:
      • Container App:
        • Check that the names of container apps meets the naming requirements by @BenjaminEngeset. #2094
        • Check that managed identity for container apps are configured by @BenjaminEngeset. #2096
        • Check that public network access for container apps environments are disabled by @BenjaminEngeset. #2098
      • Deployment:
        • Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset. #1915
      • IoT Hub:
        • Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset. #1996
      • Service Bus:
        • Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset. #1862
    • General improvements:
      • Added a selector for premium Service Bus namespaces by @BernieWhite. #2091
    • Engineering:
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1. #2082
      • Bump Newtonsoft.Json to v13.0.3. #2080
    "},{"location":"CHANGELOG-v1/#v1251","title":"v1.25.1","text":"

    What's changed since v1.25.0:

    • Bug fixes:
      • Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
    "},{"location":"CHANGELOG-v1/#v1250","title":"v1.25.0","text":"

    What's changed since v1.24.2:

    • New features:
      • Experimental: Added Azure.MCSB.v1 which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite. #1634
    • New rules:
      • Defender for Cloud:
        • Check Microsoft Defender for Key Vault is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for DNS is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for ARM is enabled by @BernieWhite. #1632
      • Event Hub:
        • Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset. #1995
      • Key Vault:
        • Check if firewall is set to deny by @zilberd. #2067
      • Virtual Machine:
        • Virtual machines should be fully deallocated and not stopped by @dcrreynolds. #88
    • General improvements:
      • Added support for Bicep toObject function by @BernieWhite. #2014
      • Added support for configuring a minimum version of Bicep by @BernieWhite. #1935
        • Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.
        • Set AZURE_BICEP_CHECK_TOOL to true to check the Bicep CLI.
        • Set AZURE_BICEP_MINIMUM_VERSION to configure the minimum version.
        • If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.
        • By default, the minimum Bicep version defaults to 0.4.451.
      • Added support for Bicep custom types by @BernieWhite. #2026
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.5. #2052
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5. #2052
      • Bump Microsoft.NET.Test.Sdk to v17.5.0. #2055
      • Bump Az.Resources to v6.5.2. #2037
      • Updated build to use GitHub Actions by @BernieWhite. #1696
    • Bug fixes:
      • Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd. #2059
      • Fixed cases of exit code 5 with path probing by @BernieWhite. #1901

    What's changed since pre-release v1.25.0-B0100:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1250-b0138-pre-release","title":"v1.25.0-B0138 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0100:

    • New rules:
      • Event Hub:
        • Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset. #1995
    "},{"location":"CHANGELOG-v1/#v1250-b0100-pre-release","title":"v1.25.0-B0100 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0065:

    • New rules:
      • Key Vault:
        • Check if firewall is set to deny by @zilberd. #2067
    "},{"location":"CHANGELOG-v1/#v1250-b0065-pre-release","title":"v1.25.0-B0065 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0035:

    • General improvements:
      • Added support for Bicep toObject function by @BernieWhite. #2014
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.5. #2052
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5. #2052
      • Bump Microsoft.NET.Test.Sdk to v17.5.0. #2055
    • Bug fixes:
      • Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd. #2059
    "},{"location":"CHANGELOG-v1/#v1250-b0035-pre-release","title":"v1.25.0-B0035 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0013:

    • New rules:
      • Defender for Cloud:
        • Check Microsoft Defender for Key Vault is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for DNS is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for ARM is enabled by @BernieWhite. #1632
    • General improvements:
      • Added support for configuring a minimum version of Bicep by @BernieWhite. #1935
        • Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.
        • Set AZURE_BICEP_CHECK_TOOL to true to check the Bicep CLI.
        • Set AZURE_BICEP_MINIMUM_VERSION to configure the minimum version.
        • If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.
        • By default, the minimum Bicep version defaults to 0.4.451.
    • Engineering:
      • Bump Az.Resources to v6.5.2. #2037
    • Bug fixes:
      • Fixed cases of exit code 5 with path probing by @BernieWhite. #1901
    "},{"location":"CHANGELOG-v1/#v1250-b0013-pre-release","title":"v1.25.0-B0013 (pre-release)","text":"

    What's changed since v1.24.2:

    • New features:
      • Experimental: Added Azure.MCSB.v1 which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite. #1634
    • New rules:
      • Virtual Machine:
        • Virtual machines should be fully deallocated and not stopped by @dcrreynolds. #88
    • General improvements:
      • Added support for Bicep custom types by @BernieWhite. #2026
    • Engineering:
      • Updated build to use GitHub Actions by @BernieWhite. #1696
      • Bump BenchmarkDotNet to v0.13.4. #1992
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.4. #1992
    "},{"location":"CHANGELOG-v1/#v1242","title":"v1.24.2","text":"

    This is a republish of v1.24.1 to fix a release issue. What's changed since v1.24.0:

    • Bug fixes:
      • Fixed Bicep expand object or null by @BernieWhite. #2021
    "},{"location":"CHANGELOG-v1/#v1241","title":"v1.24.1","text":"

    What's changed since v1.24.0:

    • Bug fixes:
      • Fixed Bicep expand object or null by @BernieWhite. #2021
    "},{"location":"CHANGELOG-v1/#v1240","title":"v1.24.0","text":"

    What's changed since v1.23.0:

    • General improvements:
      • Updated Export-AzRuleData to improve export performance by @BernieWhite. #1341
        • Removed Az.Resources dependency.
        • Added async threading for export concurrency.
        • Improved performance by using automatic look up of API versions by using provider cache.
      • Added support for Bicep lambda functions by @BernieWhite. #1536
        • Bicep filter, map, reduce, and sort are supported.
        • Support for flatten was previously added in v1.23.0.
      • Added optimization for policy type conditions by @BernieWhite. #1966
    • Engineering:
      • Bump PSRule to v2.7.0. #1973
      • Updated resource providers and policy aliases. #1736
      • Bump Az.Resources to v6.5.1. #1973
      • Bump Newtonsoft.Json to v13.0.2. #1903
      • Bump Pester to v5.4.0. #1994
    • Bug fixes:
      • Fixed Export-AzRuleData may not export all data if throttled by @BernieWhite. #1341
      • Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite. #2004
      • Fixed apiVersion comparison of requestContext by @BernieWhite. #1654
      • Fixed simple cases for field type expressions by @BernieWhite. #1323

    What's changed since pre-release v1.24.0-B0035:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1240-b0035-pre-release","title":"v1.24.0-B0035 (pre-release)","text":"

    What's changed since pre-release v1.24.0-B0013:

    • General improvements:
      • Added support for Bicep lambda functions by @BernieWhite. #1536
        • Bicep filter, map, reduce, and sort are supported.
        • Support for flatten was previously added in v1.23.0.
      • Added optimization for policy type conditions by @BernieWhite. #1966
    • Engineering:
      • Updated resource providers and policy aliases. #1736
    • Bug fixes:
      • Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite. #2004
      • Fixed apiVersion comparison of requestContext by @BernieWhite. #1654
      • Fixed simple cases for field type expressions by @BernieWhite. #1323
    "},{"location":"CHANGELOG-v1/#v1240-b0013-pre-release","title":"v1.24.0-B0013 (pre-release)","text":"

    What's changed since v1.23.0:

    • General improvements:
      • Updated Export-AzRuleData to improve export performance by @BernieWhite. #1341
        • Removed Az.Resources dependency.
        • Added async threading for export concurrency.
        • Improved performance by using automatic look up of API versions by using provider cache.
    • Engineering:
      • Bump PSRule to v2.7.0. #1973
      • Bump Az.Resources to v6.5.1. #1973
      • Bump Newtonsoft.Json to v13.0.2. #1903
      • Bump Pester to v5.4.0. #1994
    • Bug fixes:
      • Fixed Export-AzRuleData may not export all data if throttled by @BernieWhite. #1341
    "},{"location":"CHANGELOG-v1/#v1230","title":"v1.23.0","text":"

    What's changed since v1.22.2:

    • New features:
      • Added December 2022 baselines Azure.GA_2022_12 and Azure.Preview_2022_12 by @BernieWhite. #1961
        • Includes rules released before or during December 2022.
        • Marked Azure.GA_2022_09 and Azure.Preview_2022_09 baselines as obsolete.
    • New rules:
      • API Management:
        • Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset. #1910
      • Application Gateway:
        • Check Application Gateways names meet naming requirements by @BenjaminEngeset. #1943
      • Azure Cache for Redis:
        • Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset. #1077
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset. #1856
        • Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset. #1855
        • Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset. #1857
      • Bastion:
        • Check Bastion hosts names meet naming requirements by @BenjaminEngeset. #1950
      • Recovery Services Vault:
        • Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset. #1953
      • Virtual Machine:
        • Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset. #1868
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset. #1867
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.4 by @BernieWhite. #1960
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Improves handling for policy definition modes by using support tags selector by @BernieWhite. #1946
      • Added support to export exemptions related to policy assignments by @BernieWhite. #1888
      • Added support for Bicep flatten function by @BernieWhite. #1536
    • Engineering:
      • Bump Az.Resources to v6.5.0. #1945
      • Bump Microsoft.NET.Test.Sdk v17.4.1. #1964
    • Bug fixes:
      • Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset. #1926

    What's changed since pre-release v1.23.0-B0072:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1230-b0072-pre-release","title":"v1.23.0-B0072 (pre-release)","text":"

    What's changed since pre-release v1.23.0-B0046:

    • New features:
      • Added December 2022 baselines Azure.GA_2022_12 and Azure.Preview_2022_12 by @BernieWhite. #1961
        • Includes rules released before or during December 2022.
        • Marked Azure.GA_2022_09 and Azure.Preview_2022_09 baselines as obsolete.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.4 by @BernieWhite. #1960
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Improves handling for policy definition modes by using support tags selector by @BernieWhite. #1946
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk v17.4.1. #1964
    "},{"location":"CHANGELOG-v1/#v1230-b0046-pre-release","title":"v1.23.0-B0046 (pre-release)","text":"

    What's changed since pre-release v1.23.0-B0025:

    • New rules:
      • Bastion:
        • Check Bastion hosts names meet naming requirements by @BenjaminEngeset. #1950
      • Recovery Services Vault:
        • Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset. #1953
    • Bug fixes:
      • Fixed Azure.Deployment.SecureValue with reference function expression by @BernieWhite. #1882
    "},{"location":"CHANGELOG-v1/#v1230-b0025-pre-release","title":"v1.23.0-B0025 (pre-release)","text":"

    What's changed since pre-release v1.23.0-B0009:

    • New rules:
      • Application Gateway:
        • Check Application Gateways names meet naming requirements by @BenjaminEngeset. #1943
      • Azure Cache for Redis:
        • Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset. #1077
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset. #1867
    • General improvements:
      • Added support to export exemptions related to policy assignments by @BernieWhite. #1888
      • Added support for Bicep flatten function by @BernieWhite. #1536
    • Engineering:
      • Bump Az.Resources to v6.5.0. #1945
    "},{"location":"CHANGELOG-v1/#v1230-b0009-pre-release","title":"v1.23.0-B0009 (pre-release)","text":"

    What's changed since v1.22.1:

    • New rules:
      • API Management:
        • Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset. #1910
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset. #1856
        • Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset. #1855
        • Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset. #1857
      • Virtual Machine:
        • Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset. #1868
    • Bug fixes:
      • Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset. #1926
    "},{"location":"CHANGELOG-v1/#v1222","title":"v1.22.2","text":"

    What's changed since v1.22.1:

    • Bug fixes:
      • Fixed Azure.Deployment.SecureValue with reference function expression by @BernieWhite. #1882
    "},{"location":"CHANGELOG-v1/#v1221","title":"v1.22.1","text":"

    What's changed since v1.22.0:

    • Bug fixes:
      • Fixed template parameter does not use the required format by @BernieWhite. #1930
    "},{"location":"CHANGELOG-v1/#v1220","title":"v1.22.0","text":"

    What's changed since v1.21.2:

    • New rules:
      • API Management:
        • Check API management instances uses multi-region deployment by @BenjaminEngeset. #1030
        • Check api management instances limits control plane API calls to apim with version '2021-08-01' or newer by @BenjaminEngeset. #1819
      • App Service Environment:
        • Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset. #1805
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset. #1854
        • Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset. #1853
        • Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset. #1852
        • Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset. #1850
        • Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset. #1848
      • Azure Database for PostgreSQL:
        • Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset. #286
        • Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset. #285
      • Azure Database for MySQL:
        • Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset. #287
        • Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset. #1841
        • Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset. #1840
        • Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset. #284
      • Azure Resource Deployments:
        • Check for nested deployment that are scoped to outer and passing secure values by @ms-sambell. #1475
        • Check custom script extension uses protected settings for secure values by @ms-sambell. #1478
      • Front Door:
        • Check front door uses caching by @BenjaminEngeset. #548
      • Virtual Machine:
        • Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset. #9
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite. #875
    • General improvements:
      • Added debug logging improvements for Bicep expansion by @BernieWhite. #1901
    • Engineering:
      • Bump PSRule to v2.6.0. #1883
      • Bump Az.Resources to v6.4.1. #1883
      • Bump Microsoft.NET.Test.Sdk to v17.4.0 #1838
      • Bump coverlet.collector to v3.2.0. #1814
    • Bug fixes:
      • Fixed ref and name duplicated by @BernieWhite. #1876
      • Fixed an item with the same key for parameters by @BernieWhite #1871
      • Fixed policy parse of requestContext function by @BernieWhite. #1654
      • Fixed handling of policy type field by @BernieWhite. #1323
      • Fixed Azure.AppService.WebProbe with non-boolean value set by @BernieWhite. #1906
      • Fixed managed identity flagged as secret by Azure.Deployment.OutputSecretValue by @BernieWhite. #1826 #1886
      • Fixed missing support for diagnostic settings category groups by @BenjaminEngeset. #1873

    What's changed since pre-release v1.22.0-B0203:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1220-b0203-pre-release","title":"v1.22.0-B0203 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0153:

    • General improvements:
      • Added debug logging improvements for Bicep expansion by @BernieWhite. #1901
    • Bug fixes:
      • Fixed Azure.AppService.WebProbe with non-boolean value set by @BernieWhite. #1906
    "},{"location":"CHANGELOG-v1/#v1220-b0153-pre-release","title":"v1.22.0-B0153 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0106:

    • Bug fixes:
      • Fixed managed identity flagged as secret by Azure.Deployment.OutputSecretValue by @BernieWhite. #1826 #1886
    "},{"location":"CHANGELOG-v1/#v1220-b0106-pre-release","title":"v1.22.0-B0106 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0062:

    • New rules:
      • API Management:
        • Check API management instances uses multi-region deployment by @BenjaminEngeset. #1030
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset. #1854
    • Engineering:
      • Bump PSRule to v2.6.0. #1883
      • Bump Az.Resources to v6.4.1. #1883
    • Bug fixes:
      • Fixed ref and name duplicated by @BernieWhite. #1876
      • Fixed an item with the same key for parameters by @BernieWhite #1871
      • Fixed policy parse of requestContext function by @BernieWhite. #1654
      • Fixed handling of policy type field by @BernieWhite. #1323
    "},{"location":"CHANGELOG-v1/#v1220-b0062-pre-release","title":"v1.22.0-B0062 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0026:

    • New rules:
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset. #1853
        • Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset. #1852
        • Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset. #1850
        • Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset. #1848
      • Azure Database for PostgreSQL:
        • Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset. #286
        • Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset. #285
      • Azure Database for MySQL:
        • Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset. #287
        • Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset. #1841
        • Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset. #1840
        • Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset. #284
      • Azure Resource Deployments:
        • Check for nested deployment that are scoped to outer and passing secure values by @ms-sambell. #1475
        • Check custom script extension uses protected settings for secure values by @ms-sambell. #1478
      • Virtual Machine:
        • Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset. #9
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.4.0 #1838
      • Bump coverlet.collector to v3.2.0. #1814
    • Bug fixes:
      • Fixed missing support for diagnostic settings category groups by @BenjaminEngeset. #1873
    "},{"location":"CHANGELOG-v1/#v1220-b0026-pre-release","title":"v1.22.0-B0026 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0011:

    • New rules:
      • API Management:
        • Check api management instances limits control plane API calls to apim with version '2021-08-01' or newer by @BenjaminEngeset. #1819
    • Engineering:
      • Bump Az.Resources to v6.4.0. #1829
    • Bug fixes:
      • Fixed non-Linux VM images flagged as Linux by @BernieWhite. #1825
      • Fixed failed to expand with last function on runtime property by @BernieWhite. #1830
    "},{"location":"CHANGELOG-v1/#v1220-b0011-pre-release","title":"v1.22.0-B0011 (pre-release)","text":"

    What's changed since v1.21.0:

    • New rules:
      • App Service Environment:
        • Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset. #1805
      • Front Door:
        • Check front door uses caching by @BenjaminEngeset. #548
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite. #875
    "},{"location":"CHANGELOG-v1/#v1212","title":"v1.21.2","text":"

    What's changed since v1.21.1:

    • Bug fixes:
      • Fixed non-Linux VM images flagged as Linux by @BernieWhite. #1825
      • Fixed failed to expand with last function on runtime property by @BernieWhite. #1830
    "},{"location":"CHANGELOG-v1/#v1211","title":"v1.21.1","text":"

    What's changed since v1.21.0:

    • Bug fixes:
      • Fixed multiple nested parameter loops returns stack empty exception by @BernieWhite. #1811
      • Fixed Azure.ACR.ContentTrust when customer managed keys are enabled by @BernieWhite. #1810
    "},{"location":"CHANGELOG-v1/#v1210","title":"v1.21.0","text":"

    What's changed since v1.20.2:

    • New features:
      • Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
    • New rules:
      • Deployment:
        • Check sensitive resource values use secure parameters by @VeraBE @BernieWhite. #1773
      • Service Bus:
        • Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset. #1777
      • Virtual Machine:
        • Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset. #1761
    • General improvements:
      • Added built-in list of ignored policy definitions by @BernieWhite. #1730
        • To ignore additional policy definitions, use the AZURE_POLICY_IGNORE_LIST configuration option.
    • Engineering:
      • Bump PSRule to v2.5.3. #1800
      • Bump Az.Resources to v6.3.1. #1800

    What's changed since pre-release v1.21.0-B0050:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1210-b0050-pre-release","title":"v1.21.0-B0050 (pre-release)","text":"

    What's changed since pre-release v1.21.0-B0027:

    • New rules:
      • Virtual Machine:
        • Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
    • Engineering:
      • Bump PSRule to v2.5.3. #1800
      • Bump Az.Resources to v6.3.1. #1800
    • Bug fixes:
      • Fixed contains function unable to match array by @BernieWhite. #1793
    "},{"location":"CHANGELOG-v1/#v1210-b0027-pre-release","title":"v1.21.0-B0027 (pre-release)","text":"

    What's changed since pre-release v1.21.0-B0011:

    • New rules:
      • Deployment:
        • Check sensitive resource values use secure parameters by @VeraBE @BernieWhite. #1773
      • Service Bus:
        • Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset. #1777
    "},{"location":"CHANGELOG-v1/#v1210-b0011-pre-release","title":"v1.21.0-B0011 (pre-release)","text":"

    What's changed since v1.20.1:

    • New features:
      • Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
    • New rules:
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset. #1761
    • General improvements:
      • Added built-in list of ignored policy definitions by @BernieWhite. #1730
        • To ignore additional policy definitions, use the AZURE_POLICY_IGNORE_LIST configuration option.
    • Engineering:
      • Bump PSRule to v2.5.1. #1782
      • Bump Az.Resources to v6.3.0. #1782
    "},{"location":"CHANGELOG-v1/#v1202","title":"v1.20.2","text":"

    What's changed since v1.20.1:

    • Bug fixes:
      • Fixed contains function unable to match array by @BernieWhite. #1793
    "},{"location":"CHANGELOG-v1/#v1201","title":"v1.20.1","text":"

    What's changed since v1.20.0:

    • Bug fixes:
      • Fixed expand bicep source when reading JsonContent into a parameter by @BernieWhite. #1780
    "},{"location":"CHANGELOG-v1/#v1200","title":"v1.20.0","text":"

    What's changed since v1.19.2:

    • New features:
      • Added September 2022 baselines Azure.GA_2022_09 and Azure.Preview_2022_09 by @BernieWhite. #1738
        • Includes rules released before or during September 2022.
        • Marked Azure.GA_2022_06 and Azure.Preview_2022_06 baselines as obsolete.
    • New rules:
      • AKS:
        • Check clusters use Ephemeral OS disk by @BenjaminEngeset. #1618
      • App Configuration:
        • Check app configuration store has purge protection enabled by @BenjaminEngeset. #1689
        • Check app configuration store has one or more replicas by @BenjaminEngeset. #1688
        • Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset. #1690
        • Check identity-based authentication is used for configuration stores by @pazdedav. #1691
      • Application Gateway WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Azure Cache for Redis:
        • Check the number of firewall rules for caches by @jonathanruiz. #544
        • Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
      • CDN:
        • Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset. #1612
      • Container Registry:
        • Check soft delete policy is enabled by @BenjaminEngeset. #1674
      • Defender for Cloud:
        • Check Microsoft Defender for Containers is enable by @jdewisscher. #1632
        • Check Microsoft Defender for Servers is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for SQL is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for App Services is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for Storage is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for SQL Servers on VMs is enabled by @jdewisscher. #1632
      • Deployment:
        • Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
      • Front Door WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Network Security Group:
        • Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
      • Storage Account:
        • Check blob container soft delete is enabled by @pazdedav. #1671
        • Check file share soft delete is enabled by @jonathanruiz. #966
      • VMSS:
        • Check Linux VMSS has disabled password authentication by @BenjaminEngeset. #1635
    • Updated rules:
      • Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
        • The following rules have been renamed with aliases:
          • Renamed Azure.SQL.ThreatDetection to Azure.SQL.DefenderCloud.
          • Renamed Azure.SecurityCenter.Contact to Azure.DefenderCloud.Contact.
          • Renamed Azure.SecurityCenter.Provisioning to Azure.DefenderCloud.Provisioning.
        • If you are referencing the old names please consider updating to the new names.
      • Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
      • Improved the way we check that VM or VMSS has Linux by @verabe. #1704
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.23.8 by @BernieWhite. #1627
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Event Grid:
        • Promoted Azure.EventGrid.DisableLocalAuth to GA rule set by @BernieWhite. #1628
      • Key Vault:
        • Promoted Azure.KeyVault.AutoRotationPolicy to GA rule set by @BernieWhite. #1629
    • General improvements:
      • Updated NSG documentation with code snippets and links by @simone-bennett. #1607
      • Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
      • Updated SQL firewall rules documentation by @ms-sambell. #1569
      • Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
      • Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
      • Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
      • Added hash to name and ref properties for policy rules by @ArmaanMcleod. #1653
        • Use AZURE_POLICY_RULE_PREFIX or Export-AzPolicyAssignmentRuleData -RulePrefix to override rule prefix.
    • Engineering:
      • Bump PSRule to v2.4.2. #1753 #1748
      • Bump Microsoft.NET.Test.Sdk to v17.3.2. #1719
      • Updated provider data for analysis. #1605
      • Bump Az.Resources to v6.2.0. #1636
      • Bump PSScriptAnalyzer to v1.21.0. #1636
    • Bug fixes:
      • Fixed continue processing policy assignments on error by @BernieWhite. #1651
      • Fixed handling of runtime assessment data by @BernieWhite. #1707
      • Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
      • Fixed inconclusive failure of Azure.Deployment.AdminUsername by @BernieWhite. #1631
      • Fixed error expanding with json() and single quotes by @BernieWhite. #1656
      • Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod. #1653
      • Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset. #1726
      • Fixed Azure.Deployment.AdminUsername incorrectly fails with nested deployments by @BernieWhite. #1762
      • Fixed Azure.FrontDoorWAF.Exclusions reports exclusions when none are specified by @BernieWhite. #1751
      • Fixed Azure.Deployment.AdminUsername does not match the pattern by @BernieWhite. #1758
      • Consider private offerings when checking that a VM or VMSS has Linux by @verabe. #1725

    What's changed since pre-release v1.20.0-B0477:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1200-b0477-pre-release","title":"v1.20.0-B0477 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0389:

    • General improvements:
      • Added hash to name and ref properties for policy rules by @ArmaanMcleod. #1653
        • Use AZURE_POLICY_RULE_PREFIX or Export-AzPolicyAssignmentRuleData -RulePrefix to override rule prefix.
    "},{"location":"CHANGELOG-v1/#v1200-b0389-pre-release","title":"v1.20.0-B0389 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0304:

    • New rules:
      • App Configuration:
        • Check app configuration store has purge protection enabled by @BenjaminEngeset. #1689
    • Bug fixes:
      • Fixed Azure.Deployment.AdminUsername incorrectly fails with nested deployments by @BernieWhite. #1762
    "},{"location":"CHANGELOG-v1/#v1200-b0304-pre-release","title":"v1.20.0-B0304 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0223:

    • Engineering:
      • Bump PSRule to v2.4.2. #1753 #1748
    • Bug fixes:
      • Fixed Azure.FrontDoorWAF.Exclusions reports exclusions when none are specified by @BernieWhite. #1751
      • Fixed Azure.Deployment.AdminUsername does not match the pattern by @BernieWhite. #1758
      • Consider private offerings when checking that a VM or VMSS has Linux by @verabe. #1725
    "},{"location":"CHANGELOG-v1/#v1200-b0223-pre-release","title":"v1.20.0-B0223 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0148:

    • New features:
      • Added September 2022 baselines Azure.GA_2022_09 and Azure.Preview_2022_09 by @BernieWhite. #1738
        • Includes rules released before or during September 2022.
        • Marked Azure.GA_2022_06 and Azure.Preview_2022_06 baselines as obsolete.
    • New rules:
      • App Configuration:
        • Check app configuration store has one or more replicas by @BenjaminEngeset. #1688
    • Engineering:
      • Bump PSRule to v2.4.1. #1636
      • Bump Az.Resources to v6.2.0. #1636
      • Bump PSScriptAnalyzer to v1.21.0. #1636
    • Bug fixes:
      • Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod. #1653
      • Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset. #1726
    "},{"location":"CHANGELOG-v1/#v1200-b0148-pre-release","title":"v1.20.0-B0148 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0085:

    • New rules:
      • App Configuration:
        • Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset. #1690
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.3.2. #1719
    • Bug fixes:
      • Fixed error expanding with json() and single quotes by @BernieWhite. #1656
    "},{"location":"CHANGELOG-v1/#v1200-b0085-pre-release","title":"v1.20.0-B0085 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0028:

    • New rules:
      • Azure Cache for Redis:
        • Check the number of firewall rules for caches by @jonathanruiz. #544
        • Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
      • App Configuration:
        • Check identity-based authentication is used for configuration stores by @pazdedav. #1691
      • Container Registry:
        • Check soft delete policy is enabled by @BenjaminEngeset. #1674
      • Defender for Cloud:
        • Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher. #1632
      • Network Security Group:
        • Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
      • Storage Account:
        • Check blob container soft delete is enabled by @pazdedav. #1671
        • Check file share soft delete is enabled by @jonathanruiz. #966
    • Updated rules:
      • Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
        • The following rules have been renamed with aliases:
          • Renamed Azure.SQL.ThreatDetection to Azure.SQL.DefenderCloud.
          • Renamed Azure.SecurityCenter.Contact to Azure.DefenderCloud.Contact.
          • Renamed Azure.SecurityCenter.Provisioning to Azure.DefenderCloud.Provisioning.
        • If you are referencing the old names please consider updating to the new names.
      • Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
      • Improved the way we check that VM or VMSS has Linux by @verabe. #1704
    • General improvements:
      • Updated NSG documentation with code snippets and links by @simone-bennett. #1607
      • Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
      • Updated SQL firewall rules documentation by @ms-sambell. #1569
      • Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
      • Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
      • Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
    • Bug fixes:
      • Fixed continue processing policy assignments on error by @BernieWhite. #1651
      • Fixed handling of runtime assessment data by @BernieWhite. #1707
      • Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
    "},{"location":"CHANGELOG-v1/#v1200-b0028-pre-release","title":"v1.20.0-B0028 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0004:

    • New rules:
      • AKS:
        • Check clusters use Ephemeral OS disk by @BenjaminEngeset. #1618
      • CDN:
        • Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset. #1612
      • VMSS:
        • Check Linux VMSS has disabled password authentication by @BenjaminEngeset. #1635
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.23.8 by @BernieWhite. #1627
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Event Grid:
        • Promoted Azure.EventGrid.DisableLocalAuth to GA rule set by @BernieWhite. #1628
      • Key Vault:
        • Promoted Azure.KeyVault.AutoRotationPolicy to GA rule set by @BernieWhite. #1629
    • Engineering:
      • Bump PSRule to v2.4.0. #1620
      • Updated provider data for analysis. #1605
    • Bug fixes:
      • Fixed function dateTimeAdd errors handling utcNow output by @BernieWhite. #1637
      • Fixed inconclusive failure of Azure.Deployment.AdminUsername by @BernieWhite. #1631
    "},{"location":"CHANGELOG-v1/#v1200-b0004-pre-release","title":"v1.20.0-B0004 (pre-release)","text":"

    What's changed since v1.19.1:

    • New rules:
      • Azure Resources:
        • Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.3.1. #1603
    "},{"location":"CHANGELOG-v1/#v1192","title":"v1.19.2","text":"

    What's changed since v1.19.1:

    • Bug fixes:
      • Fixed function dateTimeAdd errors handling utcNow output by @BernieWhite. #1637
    "},{"location":"CHANGELOG-v1/#v1191","title":"v1.19.1","text":"

    What's changed since v1.19.0:

    • Bug fixes:
      • Fixed Azure.VNET.UseNSGs is missing exceptions by @BernieWhite. #1609
        • Added exclusions for RouteServerSubnet and any subnet with a dedicated HSM delegation.
    "},{"location":"CHANGELOG-v1/#v1190","title":"v1.19.0","text":"

    What's changed since v1.18.1:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use uptime SLA by @BenjaminEngeset. #1601
    • General improvements:
      • Updated rule level for the following rules by @BernieWhite. #1551
        • Set Azure.APIM.APIDescriptors to warning from error.
        • Set Azure.APIM.ProductDescriptors to warning from error.
        • Set Azure.Template.UseLocationParameter to warning from error.
        • Set Azure.Template.UseComments to information from error.
        • Set Azure.Template.UseDescriptions to information from error.
      • Improve reporting of failing resource property for rules by @BernieWhite. #1429
    • Engineering:
      • Added publishing of symbols for NuGet packages by @BernieWhite. #1549
      • Bump Az.Resources to v6.1.0. #1557
      • Bump Microsoft.NET.Test.Sdk to v17.3.0. #1563
      • Bump PSRule to v2.3.2. #1574
      • Bump support projects to .NET 6 by @BernieWhite. #1560
      • Bump BenchmarkDotNet to v0.13.2. #1593
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2. #1594
      • Updated provider data for analysis. #1598
    • Bug fixes:
      • Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite. #1582
      • Fixed handling of storage accounts sub-resources with CMK by @BernieWhite. #1575

    What's changed since pre-release v1.19.0-B0077:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1190-b0077-pre-release","title":"v1.19.0-B0077 (pre-release)","text":"

    What's changed since pre-release v1.19.0-B0042:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use uptime SLA by @BenjaminEngeset. #1601
    "},{"location":"CHANGELOG-v1/#v1190-b0042-pre-release","title":"v1.19.0-B0042 (pre-release)","text":"

    What's changed since pre-release v1.19.0-B0010:

    • General improvements:
      • Improve reporting of failing resource property for rules by @BernieWhite. #1429
    • Engineering:
      • Bump PSRule to v2.3.2. #1574
      • Bump support projects to .NET 6 by @BernieWhite. #1560
      • Bump BenchmarkDotNet to v0.13.2. #1593
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2. #1594
      • Updated provider data for analysis. #1598
    • Bug fixes:
      • Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite. #1582
      • Fixed handling of storage accounts sub-resources with CMK by @BernieWhite. #1575
    "},{"location":"CHANGELOG-v1/#v1190-b0010-pre-release","title":"v1.19.0-B0010 (pre-release)","text":"

    What's changed since v1.18.1:

    • General improvements:
      • Updated rule level for the following rules by @BernieWhite. #1551
        • Set Azure.APIM.APIDescriptors to warning from error.
        • Set Azure.APIM.ProductDescriptors to warning from error.
        • Set Azure.Template.UseLocationParameter to warning from error.
        • Set Azure.Template.UseComments to information from error.
        • Set Azure.Template.UseDescriptions to information from error.
    • Engineering:
      • Added publishing of symbols for NuGet packages by @BernieWhite. #1549
      • Bump PSRule to v2.3.1. #1561
      • Bump Az.Resources to v6.1.0. #1557
      • Bump Microsoft.NET.Test.Sdk to v17.3.0. #1563
    "},{"location":"CHANGELOG-v1/#v1181","title":"v1.18.1","text":"

    What's changed since v1.18.0:

    • Bug fixes:
      • Fixed Azure.APIM.HTTPBackend reports failure when service URL is not defined by @BernieWhite. #1555
      • Fixed Azure.SQL.AAD failure with newer API by @BernieWhite. #1302
    "},{"location":"CHANGELOG-v1/#v1180","title":"v1.18.0","text":"

    What's changed since v1.17.1:

    • New rules:
      • Cognitive Services:
        • Check accounts use network access restrictions by @BernieWhite. #1532
        • Check accounts use managed identities to access Azure resources by @BernieWhite. #1532
        • Check accounts only accept requests using Azure AD identities by @BernieWhite. #1532
        • Check accounts disable access using public endpoints by @BernieWhite. #1532
    • General improvements:
      • Added support for array indexOf, lastIndexOf, and items ARM functions by @BernieWhite. #1440
      • Added support for join ARM function by @BernieWhite. #1535
      • Improved output of full path to emitted resources by @BernieWhite. #1523
    • Engineering:
      • Bump Az.Resources to v6.0.1. #1521
      • Updated provider data for analysis. #1540
      • Bump xunit to v2.4.2. #1542
      • Added readme and tags to NuGet by @BernieWhite. #1513
    • Bug fixes:
      • Fixed Azure.SQL.TDE is not required to enable Transparent Data Encryption for IaC by @BernieWhite. #1530

    What's changed since pre-release v1.18.0-B0027:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1180-b0027-pre-release","title":"v1.18.0-B0027 (pre-release)","text":"

    What's changed since pre-release v1.18.0-B0010:

    • New rules:
      • Cognitive Services:
        • Check accounts use network access restrictions by @BernieWhite. #1532
        • Check accounts use managed identities to access Azure resources by @BernieWhite. #1532
        • Check accounts only accept requests using Azure AD identities by @BernieWhite. #1532
        • Check accounts disable access using public endpoints by @BernieWhite. #1532
    • General improvements:
      • Added support for array indexOf, lastIndexOf, and items ARM functions by @BernieWhite. #1440
      • Added support for join ARM function by @BernieWhite. #1535
    • Engineering:
      • Updated provider data for analysis. #1540
      • Bump xunit to v2.4.2. #1542
    • Bug fixes:
      • Fixed Azure.SQL.TDE is not required to enable Transparent Data Encryption for IaC by @BernieWhite. #1530
    "},{"location":"CHANGELOG-v1/#v1180-b0010-pre-release","title":"v1.18.0-B0010 (pre-release)","text":"

    What's changed since pre-release v1.18.0-B0002:

    • General improvements:
      • Improved output of full path to emitted resources by @BernieWhite. #1523
    • Engineering:
      • Bump Az.Resources to v6.0.1. #1521
    "},{"location":"CHANGELOG-v1/#v1180-b0002-pre-release","title":"v1.18.0-B0002 (pre-release)","text":"

    What's changed since v1.17.1:

    • Engineering:
      • Added readme and tags to NuGet by @BernieWhite. #1513
    "},{"location":"CHANGELOG-v1/#v1171","title":"v1.17.1","text":"

    What's changed since v1.17.0:

    • Bug fixes:
      • Fixed union returns null when merged with built-in expansion objects by @BernieWhite. #1515
      • Fixed missing zones in test for standalone VM by @BernieWhite. #1506
    "},{"location":"CHANGELOG-v1/#v1170","title":"v1.17.0","text":"

    What's changed since v1.16.1:

    • New features:
      • Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
      • Added June 2022 baselines Azure.GA_2022_06 and Azure.Preview_2022_06 by @BernieWhite. #1499
        • Includes rules released before or during June 2022.
        • Marked Azure.GA_2022_03 and Azure.Preview_2022_03 baselines as obsolete.
    • New rules:
      • Deployment:
        • Check for secure values in outputs by @BernieWhite. #297
    • Engineering:
      • Bump Newtonsoft.Json to v13.0.1. #1494
      • Updated NuGet packaging metadata by @BernieWhite. #1428
      • Updated provider data for analysis. #1502
      • Bump PSRule to v2.2.0. #1444
      • Updated NuGet packaging metadata by @BernieWhite. #1428
    • Bug fixes:
      • Fixed TDE property status to state by @Dylan-Prins. #1505
      • Fixed the language expression value fails in outputs by @BernieWhite. #1485

    What's changed since pre-release v1.17.0-B0064:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1170-b0064-pre-release","title":"v1.17.0-B0064 (pre-release)","text":"

    What's changed since pre-release v1.17.0-B0035:

    • Engineering:
      • Updated provider data for analysis. #1502
      • Bump PSRule to v2.2.0. #1444
    • Bug fixes:
      • Fixed TDE property status to state by @Dylan-Prins. #1505
    "},{"location":"CHANGELOG-v1/#v1170-b0035-pre-release","title":"v1.17.0-B0035 (pre-release)","text":"

    What's changed since pre-release v1.17.0-B0014:

    • New features:
      • Added June 2022 baselines Azure.GA_2022_06 and Azure.Preview_2022_06 by @BernieWhite. #1499
        • Includes rules released before or during June 2022.
        • Marked Azure.GA_2022_03 and Azure.Preview_2022_03 baselines as obsolete.
    • Engineering:
      • Bump Newtonsoft.Json to v13.0.1. #1494
      • Updated NuGet packaging metadata by @BernieWhite. #1428
    "},{"location":"CHANGELOG-v1/#v1170-b0014-pre-release","title":"v1.17.0-B0014 (pre-release)","text":"

    What's changed since v1.16.1:

    • New features:
      • Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
    • New rules:
      • Deployment:
        • Check for secure values in outputs by @BernieWhite. #297
    • Engineering:
      • Updated NuGet packaging metadata by @BernieWhite. #1428
    • Bug fixes:
      • Fixed the language expression value fails in outputs by @BernieWhite. #1485
    "},{"location":"CHANGELOG-v1/#v1161","title":"v1.16.1","text":"

    What's changed since v1.16.0:

    • Bug fixes:
      • Fixed TLS 1.3 support in Azure.AppGw.SSLPolicy by @BernieWhite. #1469
      • Fixed Application Gateway referencing a WAF policy by @BernieWhite. #1466
    "},{"location":"CHANGELOG-v1/#v1160","title":"v1.16.0","text":"

    What's changed since v1.15.2:

    • New rules:
      • App Service:
        • Check web apps have insecure FTP disabled by @BernieWhite. #1436
        • Check web apps use a dedicated health probe by @BernieWhite. #1437
    • Updated rules:
      • Public IP:
        • Updated Azure.PublicIP.AvailabilityZone to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
          • Public IP addresses with the resource-usage tag set to azure-bastion are excluded.
    • General improvements:
      • Added support for dateTimeFromEpoch and dateTimeToEpoch ARM functions by @BernieWhite. #1451
    • Engineering:
      • Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
      • Added ref properties for several rules by @BernieWhite. #1430
      • Updated provider data for analysis. #1453
      • Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
      • Update CI checks to include required ref property by @BernieWhite. #1431
      • Added ref properties for rules by @BernieWhite. #1430
    • Bug fixes:
      • Fixed Azure.Template.UseVariables does not accept function variables names by @BernieWhite. #1427
      • Fixed dependency issue within Azure Pipelines AzurePowerShell task by @BernieWhite. #1447
        • Removed dependency on Az.Accounts and Az.Resources from manifest. Pre-install these modules to use export cmdlets.

    What's changed since pre-release v1.16.0-B0072:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1160-b0072-pre-release","title":"v1.16.0-B0072 (pre-release)","text":"

    What's changed since pre-release v1.16.0-B0041:

    • Engineering:
      • Update CI checks to include required ref property by @BernieWhite. #1431
      • Added ref properties for rules by @BernieWhite. #1430
    • Bug fixes:
      • Fixed dependency issue within Azure Pipelines AzurePowerShell task by @BernieWhite. #1447
        • Removed dependency on Az.Accounts and Az.Resources from manifest. Pre-install these modules to use export cmdlets.
    "},{"location":"CHANGELOG-v1/#v1160-b0041-pre-release","title":"v1.16.0-B0041 (pre-release)","text":"

    What's changed since pre-release v1.16.0-B0017:

    • Updated rules:
      • Public IP:
        • Updated Azure.PublicIP.AvailabilityZone to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
          • Public IP addresses with the resource-usage tag set to azure-bastion are excluded.
    • General improvements:
      • Added support for dateTimeFromEpoch and dateTimeToEpoch ARM functions by @BernieWhite. #1451
    • Engineering:
      • Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
      • Added ref properties for several rules by @BernieWhite. #1430
      • Updated provider data for analysis. #1453
    "},{"location":"CHANGELOG-v1/#v1160-b0017-pre-release","title":"v1.16.0-B0017 (pre-release)","text":"

    What's changed since v1.15.2:

    • New rules:
      • App Service:
        • Check web apps have insecure FTP disabled by @BernieWhite. #1436
        • Check web apps use a dedicated health probe by @BernieWhite. #1437
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
    • Bug fixes:
      • Fixed Azure.Template.UseVariables does not accept function variables names by @BernieWhite. #1427
    "},{"location":"CHANGELOG-v1/#v1152","title":"v1.15.2","text":"

    What's changed since v1.15.1:

    • Bug fixes:
      • Fixed Azure.AppService.ManagedIdentity does not accept both system and user assigned by @BernieWhite. #1415
        • This also applies to:
          • Azure.ADX.ManagedIdentity
          • Azure.APIM.ManagedIdentity
          • Azure.EventGrid.ManagedIdentity
          • Azure.Automation.ManagedIdentity
      • Fixed Web apps with .NET 6 do not meet version constraint of Azure.AppService.NETVersion by @BernieWhite. #1414
        • This also applies to Azure.AppService.PHPVersion.
    "},{"location":"CHANGELOG-v1/#v1151","title":"v1.15.1","text":"

    What's changed since v1.15.0:

    • Bug fixes:
      • Fixed exclusion of dataCollectionRuleAssociations from Azure.Resource.UseTags by @BernieWhite. #1400
      • Fixed could not determine JSON object type for MockObject using CreateObject by @BernieWhite. #1411
      • Fixed cannot bind argument to parameter 'Sku' because it is an empty string by @BernieWhite. #1407
    "},{"location":"CHANGELOG-v1/#v1150","title":"v1.15.0","text":"

    What's changed since v1.14.3:

    • New features:
      • Important change: Added Azure.Resource.SupportsTags selector by @BernieWhite. #1339
        • Use this selector in custom rules to filter rules to only run against resources that support tags.
        • This selector replaces the SupportsTags PowerShell function.
      • Using the SupportsTags function will now result in a warning.
        • The SupportsTags function will be removed in v2.
        • See upgrade notes for more information.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.22.6 by @BernieWhite. #1386
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Added code signing of module by @BernieWhite. #1379
      • Added SBOM manifests to module by @BernieWhite. #1380
      • Embedded provider and alias information as manifest resources by @BernieWhite. #1383
        • Resources are minified and compressed to improve size and speed.
      • Added additional nodeps manifest that does not include dependencies for Az modules by @BernieWhite. #1392
      • Bump Az.Accounts to 2.7.6. #1338
      • Bump Az.Resources to 5.6.0. #1338
      • Bump PSRule to 2.1.0. #1338
      • Bump Pester to 5.3.3. #1338
    • Bug fixes:
      • Fixed dependency chain order when dependsOn copy by @BernieWhite. #1381
      • Fixed error calling SupportsTags function by @BernieWhite. #1401

    What's changed since pre-release v1.15.0-B0053:

    • Bug fixes:
      • Fixed error calling SupportsTags function by @BernieWhite. #1401
    "},{"location":"CHANGELOG-v1/#v1150-b0053-pre-release","title":"v1.15.0-B0053 (pre-release)","text":"

    What's changed since pre-release v1.15.0-B0022:

    • New features:
      • Important change: Added Azure.Resource.SupportsTags selector. #1339
        • Use this selector in custom rules to filter rules to only run against resources that support tags.
        • This selector replaces the SupportsTags PowerShell function.
      • Using the SupportsTags function will now result in a warning.
        • The SupportsTags function will be removed in v2.
        • See upgrade notes for more information.
    • Engineering:
      • Embedded provider and alias information as manifest resources. #1383
        • Resources are minified and compressed to improve size and speed.
      • Added additional nodeps manifest that does not include dependencies for Az modules. #1392
      • Bump Az.Accounts to 2.7.6. #1338
      • Bump Az.Resources to 5.6.0. #1338
      • Bump PSRule to 2.1.0. #1338
      • Bump Pester to 5.3.3. #1338
    "},{"location":"CHANGELOG-v1/#v1150-b0022-pre-release","title":"v1.15.0-B0022 (pre-release)","text":"

    What's changed since v1.14.3:

    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.22.6. #1386
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Added code signing of module. #1379
      • Added SBOM manifests to module. #1380
    • Bug fixes:
      • Fixed dependency chain order when dependsOn copy. #1381
    "},{"location":"CHANGELOG-v1/#v1143","title":"v1.14.3","text":"

    What's changed since v1.14.2:

    • Bug fixes:
      • Fixed Azure Firewall threat intel mode reported for Secure VNET hubs. #1365
      • Fixed array function handling with mock objects. #1367
    "},{"location":"CHANGELOG-v1/#v1142","title":"v1.14.2","text":"

    What's changed since v1.14.1:

    • Bug fixes:
      • Fixed handling of parent resources when sub resource is in a separate deployment. #1360
    "},{"location":"CHANGELOG-v1/#v1141","title":"v1.14.1","text":"

    What's changed since v1.14.0:

    • Bug fixes:
      • Fixed unable to set parameter defaults option with type object. #1355
    "},{"location":"CHANGELOG-v1/#v1140","title":"v1.14.0","text":"

    What's changed since v1.13.4:

    • New features:
      • Added support for referencing resources in template. #1315
        • The reference() function can be used to reference resources in template.
        • A placeholder value is still used for resources outside of the template.
      • Added March 2022 baselines Azure.GA_2022_03 and Azure.Preview_2022_03. #1334
        • Includes rules released before or during March 2022.
        • Marked Azure.GA_2021_12 and Azure.Preview_2021_12 baselines as obsolete.
      • Experimental: Cmdlets to validate objects with Azure policy conditions:
        • Export-AzPolicyAssignmentData - Exports policy assignment data. #1266
        • Export-AzPolicyAssignmentRuleData - Exports JSON rules from policy assignment data. #1278
        • Get-AzPolicyAssignmentDataSource - Discovers policy assignment data. #1340
        • See cmdlet help for limitations and usage.
        • Additional information will be posted as this feature evolves here.
    • New rules:
      • SignalR Service:
        • Check services use Managed Identities. #1306
        • Check services use a SKU with an SLA. #1307
      • Web PubSub Service:
        • Check services use Managed Identities. #1308
        • Check services use a SKU with an SLA. #1309
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.9. #1318
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Cache Azure Policy Aliases. #1277
      • Cleanup of additional alias metadata. #1351
    • Bug fixes:
      • Fixed index was out of range with split on mock properties. #1327
      • Fixed mock objects with no properties. #1347
      • Fixed sub-resources nesting by scope regression. #1348
      • Fixed expand of runtime properties on reference objects. #1324
      • Fixed processing of deployment outputs. #1316

    What's changed since pre-release v1.14.0-B2204013:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1140-b2204013-pre-release","title":"v1.14.0-B2204013 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2204007:

    • Engineering:
      • Cleanup of additional alias metadata. #1351
    "},{"location":"CHANGELOG-v1/#v1140-b2204007-pre-release","title":"v1.14.0-B2204007 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2203117:

    • Bug fixes:
      • Fixed mock objects with no properties. #1347
      • Fixed sub-resources nesting by scope regression. #1348
    "},{"location":"CHANGELOG-v1/#v1140-b2203117-pre-release","title":"v1.14.0-B2203117 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2203088:

    • New features:
      • Experimental: Cmdlets to validate objects with Azure policy conditions:
        • Export-AzPolicyAssignmentData - Exports policy assignment data. #1266
        • Export-AzPolicyAssignmentRuleData - Exports JSON rules from policy assignment data. #1278
        • Get-AzPolicyAssignmentDataSource - Discovers policy assignment data. #1340
        • See cmdlet help for limitations and usage.
        • Additional information will be posted as this feature evolves here.
    • Engineering:
      • Cache Azure Policy Aliases. #1277
    • Bug fixes:
      • Fixed index was out of range with split on mock properties. #1327
    "},{"location":"CHANGELOG-v1/#v1140-b2203088-pre-release","title":"v1.14.0-B2203088 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2203066:

    • New features:
      • Added March 2022 baselines Azure.GA_2022_03 and Azure.Preview_2022_03. #1334
        • Includes rules released before or during March 2022.
        • Marked Azure.GA_2021_12 and Azure.Preview_2021_12 baselines as obsolete.
    • Bug fixes:
      • Fixed expand of runtime properties on reference objects. #1324
    "},{"location":"CHANGELOG-v1/#v1140-b2203066-pre-release","title":"v1.14.0-B2203066 (pre-release)","text":"

    What's changed since v1.13.4:

    • New features:
      • Added support for referencing resources in template. #1315
        • The reference() function can be used to reference resources in template.
        • A placeholder value is still used for resources outside of the template.
    • New rules:
      • SignalR Service:
        • Check services use Managed Identities. #1306
        • Check services use a SKU with an SLA. #1307
      • Web PubSub Service:
        • Check services use Managed Identities. #1308
        • Check services use a SKU with an SLA. #1309
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.9. #1318
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Bug fixes:
      • Fixed processing of deployment outputs. #1316
    "},{"location":"CHANGELOG-v1/#v1134","title":"v1.13.4","text":"

    What's changed since v1.13.3:

    • Bug fixes:
      • Fixed virtual network without any subnets is invalid. #1303
      • Fixed container registry rules that require a premium tier. #1304
        • Rules Azure.ACR.Retention and Azure.ACR.ContentTrust are now only run against premium instances.
    "},{"location":"CHANGELOG-v1/#v1133","title":"v1.13.3","text":"

    What's changed since v1.13.2:

    • Bug fixes:
      • Fixed bicep build timeout for complex deployments. #1299
    "},{"location":"CHANGELOG-v1/#v1132","title":"v1.13.2","text":"

    What's changed since v1.13.1:

    • Engineering:
      • Bump PowerShellStandard.Library to 5.1.1. #1295
    • Bug fixes:
      • Fixed nested resource loops. #1293
    "},{"location":"CHANGELOG-v1/#v1131","title":"v1.13.1","text":"

    What's changed since v1.13.0:

    • Bug fixes:
      • Fixed parsing of nested quote pairs within JSON function. #1288
    "},{"location":"CHANGELOG-v1/#v1130","title":"v1.13.0","text":"

    What's changed since v1.12.2:

    • New features:
      • Added support for setting defaults for required parameters. #1065
        • When specified, the value will be used when a parameter value is not provided.
      • Added support for expanding Bicep from parameter files. #1160
    • New rules:
      • Azure Cache for Redis:
        • Limit public access for Azure Cache for Redis instances. #935
      • Container App:
        • Check insecure ingress is not enabled (preview). #1252
      • Key Vault:
        • Check key auto-rotation is enabled (preview). #1159
      • Recovery Services Vault:
        • Check vaults have replication alerts configured. #7
    • Engineering:
      • Automatically build baseline docs. #1242
      • Bump PSRule dependency to v1.11.1. #1269
    • Bug fixes:
      • Fixed empty value with strong type. #1258
      • Fixed error with empty logic app trigger. #1249
      • Fixed out of order parameters. #1257
      • Fixed mapping default configuration causes cast exception. #1274
      • Fixed resource id is incorrectly built for sub resource types. #1279

    What's changed since pre-release v1.13.0-B2202113:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1130-b2202113-pre-release","title":"v1.13.0-B2202113 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202108:

    • Bug fixes:
      • Fixed resource id is incorrectly built for sub resource types. #1279
    "},{"location":"CHANGELOG-v1/#v1130-b2202108-pre-release","title":"v1.13.0-B2202108 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202103:

    • Bug fixes:
      • Fixed mapping default configuration causes cast exception. #1274
    "},{"location":"CHANGELOG-v1/#v1130-b2202103-pre-release","title":"v1.13.0-B2202103 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202090:

    • Engineering:
      • Bump PSRule dependency to v1.11.1. #1269
    • Bug fixes:
      • Fixed out of order parameters. #1257
    "},{"location":"CHANGELOG-v1/#v1130-b2202090-pre-release","title":"v1.13.0-B2202090 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202063:

    • New rules:
      • Azure Cache for Redis:
        • Limit public access for Azure Cache for Redis instances. #935
    • Engineering:
      • Automatically build baseline docs. #1242
    • Bug fixes:
      • Fixed empty value with strong type. #1258
    "},{"location":"CHANGELOG-v1/#v1130-b2202063-pre-release","title":"v1.13.0-B2202063 (pre-release)","text":"

    What's changed since v1.12.2:

    • New features:
      • Added support for setting defaults for required parameters. #1065
        • When specified, the value will be used when a parameter value is not provided.
      • Added support for expanding Bicep from parameter files. #1160
    • New rules:
      • Container App:
        • Check insecure ingress is not enabled (preview). #1252
      • Key Vault:
        • Check key auto-rotation is enabled (preview). #1159
      • Recovery Services Vault:
        • Check vaults have replication alerts configured. #7
    • Bug fixes:
      • Fixed error with empty logic app trigger. #1249
    "},{"location":"CHANGELOG-v1/#v1122","title":"v1.12.2","text":"

    What's changed since v1.12.1:

    • Bug fixes:
      • Fixed detect strong type requirements for nested deployments. #1235
    "},{"location":"CHANGELOG-v1/#v1121","title":"v1.12.1","text":"

    What's changed since v1.12.0:

    • Bug fixes:
      • Fixed Bicep already exists with PSRule v2. #1232
    "},{"location":"CHANGELOG-v1/#v1120","title":"v1.12.0","text":"

    What's changed since v1.11.1:

    • New rules:
      • Data Explorer:
        • Check clusters use Managed Identities. #1207
        • Check clusters use a SKU with a SLA. #1208
        • Check clusters use disk encryption. #1209
        • Check clusters are in use with databases. #1215
      • Event Hub:
        • Check namespaces are in use with event hubs. #1216
        • Check namespaces only accept identity-based authentication. #1217
      • Azure Recovery Services Vault:
        • Check vaults use geo-redundant storage. #5
      • Service Bus:
        • Check namespaces are in use with queues and topics. #1218
        • Check namespaces only accept identity-based authentication. #1219
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.7. #1188
          • Pinned latest GA baseline Azure.GA_2021_12 to previous version 1.20.5.
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Azure API Management:
        • Check service disabled insecure ciphers. #1128
        • Refactored the cipher and protocol rule into individual rules.
          • Azure.APIM.Protocols
          • Azure.APIM.Ciphers
    • General improvements:
      • Important change: Replaced Azure_AKSMinimumVersion option with AZURE_AKS_CLUSTER_MINIMUM_VERSION. #941
        • For compatibility, if Azure_AKSMinimumVersion is set it will be used instead of AZURE_AKS_CLUSTER_MINIMUM_VERSION.
        • If only AZURE_AKS_CLUSTER_MINIMUM_VERSION is set, this value will be used.
        • The default will be used if neither option is configured.
        • If Azure_AKSMinimumVersion is set a warning will be generated until the configuration is removed.
        • Support for Azure_AKSMinimumVersion is deprecated and will be removed in v2.
        • See upgrade notes for details.
    • Bug fixes:
      • Fixed false positive of blob container with access unspecified. #1212

    What's changed since pre-release v1.12.0-B2201086:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1120-b2201086-pre-release","title":"v1.12.0-B2201086 (pre-release)","text":"

    What's changed since pre-release v1.12.0-B2201067:

    • New rules:
      • Data Explorer:
        • Check clusters are in use with databases. #1215
      • Event Hub:
        • Check namespaces are in use with event hubs. #1216
        • Check namespaces only accept identity-based authentication. #1217
      • Azure Recovery Services Vault:
        • Check vaults use geo-redundant storage. #5
      • Service Bus:
        • Check namespaces are in use with queues and topics. #1218
        • Check namespaces only accept identity-based authentication. #1219
    "},{"location":"CHANGELOG-v1/#v1120-b2201067-pre-release","title":"v1.12.0-B2201067 (pre-release)","text":"

    What's changed since pre-release v1.12.0-B2201054:

    • New rules:
      • Data Explorer:
        • Check clusters use Managed Identities. #1207
        • Check clusters use a SKU with a SLA. #1208
        • Check clusters use disk encryption. #1209
    • Bug fixes:
      • Fixed false positive of blob container with access unspecified. #1212
    "},{"location":"CHANGELOG-v1/#v1120-b2201054-pre-release","title":"v1.12.0-B2201054 (pre-release)","text":"

    What's changed since v1.11.1:

    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.7. #1188
          • Pinned latest GA baseline Azure.GA_2021_12 to previous version 1.20.5.
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Azure API Management:
        • Check service disabled insecure ciphers. #1128
        • Refactored the cipher and protocol rule into individual rules.
          • Azure.APIM.Protocols
          • Azure.APIM.Ciphers
    • General improvements:
      • Important change: Replaced Azure_AKSMinimumVersion option with AZURE_AKS_CLUSTER_MINIMUM_VERSION. #941
        • For compatibility, if Azure_AKSMinimumVersion is set it will be used instead of AZURE_AKS_CLUSTER_MINIMUM_VERSION.
        • If only AZURE_AKS_CLUSTER_MINIMUM_VERSION is set, this value will be used.
        • The default will be used if neither option is configured.
        • If Azure_AKSMinimumVersion is set a warning will be generated until the configuration is removed.
        • Support for Azure_AKSMinimumVersion is deprecated and will be removed in v2.
        • See upgrade notes for details.
    "},{"location":"CHANGELOG-v1/#v1111","title":"v1.11.1","text":"

    What's changed since v1.11.0:

    • Bug fixes:
      • Fixed Azure.AKS.CNISubnetSize rule to use CNI selector. #1178
    "},{"location":"CHANGELOG-v1/#v1110","title":"v1.11.0","text":"

    What's changed since v1.10.4:

    • New features:
      • Added baselines containing only Azure preview features. #1129
        • Added baseline Azure.Preview_2021_09.
        • Added baseline Azure.Preview_2021_12.
      • Added Azure.GA_2021_12 baseline. #1146
        • Includes rules released before or during December 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_09 as obsolete.
      • Bicep support promoted from experimental to generally available (GA). #1176
    • New rules:
      • All resources:
        • Check comments for each template resource. #969
      • Automation Account:
        • Automation accounts should enable diagnostic logs. #1075
      • Azure Kubernetes Service:
        • Check clusters have the HTTP application routing add-on disabled. #1131
        • Check clusters use the Secrets Store CSI Driver add-on. #992
        • Check clusters autorotation with the Secrets Store CSI Driver add-on. #993
        • Check clusters use Azure AD Pod Managed Identities (preview). #991
      • Azure Redis Cache:
        • Use availability zones for Azure Cache for Redis for regions that support it. #1078
          • Azure.Redis.AvailabilityZone
          • Azure.RedisEnterprise.Zones
      • Application Security Group:
        • Check Application Security Groups meet naming requirements. #1110
      • Firewall:
        • Check Firewalls meet naming requirements. #1110
        • Check Firewall policies meet naming requirements. #1110
      • Private Endpoint:
        • Check Private Endpoints meet naming requirements. #1110
      • Virtual WAN:
        • Check Virtual WANs meet naming requirements. #1110
    • Updated rules:
      • Azure Kubernetes Service:
        • Promoted Azure.AKS.AutoUpgrade to GA rule set. #1130
    • General improvements:
      • Added support for template function tenant(). #1124
      • Added support for template function managementGroup(). #1125
      • Added support for template function pickZones(). #518
    • Engineering:
      • Rule refactoring of rules from PowerShell to YAML. #1109
        • The following rules were refactored:
          • Azure.LB.Name
          • Azure.NSG.Name
          • Azure.Firewall.Mode
          • Azure.Route.Name
          • Azure.VNET.Name
          • Azure.VNG.Name
          • Azure.VNG.ConnectionName
          • Azure.AppConfig.SKU
          • Azure.AppConfig.Name
          • Azure.AppInsights.Workspace
          • Azure.AppInsights.Name
          • Azure.Cosmos.AccountName
          • Azure.FrontDoor.State
          • Azure.FrontDoor.Name
          • Azure.FrontDoor.WAF.Mode
          • Azure.FrontDoor.WAF.Enabled
          • Azure.FrontDoor.WAF.Name
          • Azure.AKS.MinNodeCount
          • Azure.AKS.ManagedIdentity
          • Azure.AKS.StandardLB
          • Azure.AKS.AzurePolicyAddOn
          • Azure.AKS.ManagedAAD
          • Azure.AKS.AuthorizedIPs
          • Azure.AKS.LocalAccounts
          • Azure.AKS.AzureRBAC
    • Bug fixes:
      • Fixed output of Bicep informational and warning messages in error stream. #1157

    What's changed since pre-release v1.11.0-B2112112:

    • New features:
      • Bicep support promoted from experimental to generally available (GA). #1176
    "},{"location":"CHANGELOG-v1/#v1110-b2112112-pre-release","title":"v1.11.0-B2112112 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2112104:

    • New rules:
      • Azure Redis Cache:
        • Use availability zones for Azure Cache for Redis for regions that support it. #1078
          • Azure.Redis.AvailabilityZone
          • Azure.RedisEnterprise.Zones
    "},{"location":"CHANGELOG-v1/#v1110-b2112104-pre-release","title":"v1.11.0-B2112104 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2112073:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use Azure AD Pod Managed Identities (preview). #991
    • Engineering:
      • Rule refactoring of rules from PowerShell to YAML. #1109
        • The following rules were refactored:
          • Azure.AppConfig.SKU
          • Azure.AppConfig.Name
          • Azure.AppInsights.Workspace
          • Azure.AppInsights.Name
          • Azure.Cosmos.AccountName
          • Azure.FrontDoor.State
          • Azure.FrontDoor.Name
          • Azure.FrontDoor.WAF.Mode
          • Azure.FrontDoor.WAF.Enabled
          • Azure.FrontDoor.WAF.Name
          • Azure.AKS.MinNodeCount
          • Azure.AKS.ManagedIdentity
          • Azure.AKS.StandardLB
          • Azure.AKS.AzurePolicyAddOn
          • Azure.AKS.ManagedAAD
          • Azure.AKS.AuthorizedIPs
          • Azure.AKS.LocalAccounts
          • Azure.AKS.AzureRBAC
    • Bug fixes:
      • Fixed output of Bicep informational and warning messages in error stream. #1157
      • Fixed obsolete flag for baseline Azure.Preview_2021_12. #1166
    "},{"location":"CHANGELOG-v1/#v1110-b2112073-pre-release","title":"v1.11.0-B2112073 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2112024:

    • New features:
      • Added baselines containing only Azure preview features. #1129
        • Added baseline Azure.Preview_2021_09.
        • Added baseline Azure.Preview_2021_12.
      • Added Azure.GA_2021_12 baseline. #1146
        • Includes rules released before or during December 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_09 as obsolete.
    • New rules:
      • All resources:
        • Check comments for each template resource. #969
    • Bug fixes:
      • Fixed template function equals parameter count mismatch. #1137
      • Fixed copy loop on nested deployment parameters is not handled. #1144
      • Fixed outer copy loop of nested deployment. #1154
    "},{"location":"CHANGELOG-v1/#v1110-b2112024-pre-release","title":"v1.11.0-B2112024 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2111014:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters have the HTTP application routing add-on disabled. #1131
        • Check clusters use the Secrets Store CSI Driver add-on. #992
        • Check clusters autorotation with the Secrets Store CSI Driver add-on. #993
      • Automation Account:
        • Automation accounts should enable diagnostic logs. #1075
    • Updated rules:
      • Azure Kubernetes Service:
        • Promoted Azure.AKS.AutoUpgrade to GA rule set. #1130
    • General improvements:
      • Added support for template function tenant(). #1124
      • Added support for template function managementGroup(). #1125
      • Added support for template function pickZones(). #518
    • Bug fixes:
      • Fixed Azure.Policy.WaiverExpiry date conversion. #1118
    "},{"location":"CHANGELOG-v1/#v1110-b2111014-pre-release","title":"v1.11.0-B2111014 (pre-release)","text":"

    What's changed since v1.10.0:

    • New rules:
      • Application Security Group:
        • Check Application Security Groups meet naming requirements. #1110
      • Firewall:
        • Check Firewalls meet naming requirements. #1110
        • Check Firewall policies meet naming requirements. #1110
      • Private Endpoint:
        • Check Private Endpoints meet naming requirements. #1110
      • Virtual WAN:
        • Check Virtual WANs meet naming requirements. #1110
    • Engineering:
      • Rule refactoring of rules from PowerShell to YAML. #1109
        • The following rules were refactored:
          • Azure.LB.Name
          • Azure.NSG.Name
          • Azure.Firewall.Mode
          • Azure.Route.Name
          • Azure.VNET.Name
          • Azure.VNG.Name
          • Azure.VNG.ConnectionName
    "},{"location":"CHANGELOG-v1/#v1104","title":"v1.10.4","text":"

    What's changed since v1.10.3:

    • Bug fixes:
      • Fixed outer copy loop of nested deployment. #1154
    "},{"location":"CHANGELOG-v1/#v1103","title":"v1.10.3","text":"

    What's changed since v1.10.2:

    • Bug fixes:
      • Fixed copy loop on nested deployment parameters is not handled. #1144
    "},{"location":"CHANGELOG-v1/#v1102","title":"v1.10.2","text":"

    What's changed since v1.10.1:

    • Bug fixes:
      • Fixed template function equals parameter count mismatch. #1137
    "},{"location":"CHANGELOG-v1/#v1101","title":"v1.10.1","text":"

    What's changed since v1.10.0:

    • Bug fixes:
      • Fixed Azure.Policy.WaiverExpiry date conversion. #1118
    "},{"location":"CHANGELOG-v1/#v1100","title":"v1.10.0","text":"

    What's changed since v1.9.1:

    • New features:
      • Added support for parameter strong types. #1083
        • The value of string parameters can be tested against the expected type.
        • When configuring a location strong type, the parameter value must be a valid Azure location.
        • When configuring a resource type strong type, the parameter value must be a matching resource Id.
    • New rules:
      • All resources:
        • Check template expressions do not exceed a maximum length. #1006
      • Automation Service:
        • Check automation accounts should use managed identities for authentication. #1074
      • Event Grid:
        • Check topics and domains use managed identities. #1091
        • Check topics and domains use private endpoints. #1092
        • Check topics and domains use identity-based authentication. #1093
    • General improvements:
      • Updated default baseline to use module configuration. #1089
    • Engineering:
      • Bump PSRule dependency to v1.9.0. #1081
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080
      • Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085
    • Bug fixes:
      • Fixed expansion of secret references. #1098
      • Fixed handling of tagging for deployments. #1099
      • Fixed strong type issue flagged with empty defaultValue string. #1100

    What's changed since pre-release v1.10.0-B2111081:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1100-b2111081-pre-release","title":"v1.10.0-B2111081 (pre-release)","text":"

    What's changed since pre-release v1.10.0-B2111072:

    • New rules:
      • Automation Service:
        • Automation accounts should use managed identities for authentication. #1074
    "},{"location":"CHANGELOG-v1/#v1100-b2111072-pre-release","title":"v1.10.0-B2111072 (pre-release)","text":"

    What's changed since pre-release v1.10.0-B2111058:

    • New rules:
      • All resources:
        • Check template expressions do not exceed a maximum length. #1006
    • Bug fixes:
      • Fixed expansion of secret references. #1098
      • Fixed handling of tagging for deployments. #1099
      • Fixed strong type issue flagged with empty defaultValue string. #1100
    "},{"location":"CHANGELOG-v1/#v1100-b2111058-pre-release","title":"v1.10.0-B2111058 (pre-release)","text":"

    What's changed since pre-release v1.10.0-B2111040:

    • New rules:
      • Event Grid:
        • Check topics and domains use managed identities. #1091
        • Check topics and domains use private endpoints. #1092
        • Check topics and domains use identity-based authentication. #1093
    • General improvements:
      • Updated default baseline to use module configuration. #1089
    "},{"location":"CHANGELOG-v1/#v1100-b2111040-pre-release","title":"v1.10.0-B2111040 (pre-release)","text":"

    What's changed since v1.9.1:

    • New features:
      • Added support for parameter strong types. #1083
        • The value of string parameters can be tested against the expected type.
        • When configuring a location strong type, the parameter value must be a valid Azure location.
        • When configuring a resource type strong type, the parameter value must be a matching resource Id.
    • Engineering:
      • Bump PSRule dependency to v1.9.0. #1081
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080
      • Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085
    "},{"location":"CHANGELOG-v1/#v191","title":"v1.9.1","text":"

    What's changed since v1.9.0:

    • Bug fixes:
      • Fixed can not index into resource group tags. #1066
      • Fixed Azure.VM.ASMinMembers for template deployments. #1064
      • Fixed zones property not found on public IP resource. #1070
    "},{"location":"CHANGELOG-v1/#v190","title":"v1.9.0","text":"

    What's changed since v1.8.1:

    • New rules:
      • API Management Service:
        • Check API management services are using availability zones when available. #1017
      • Public IP Address:
        • Check Public IP addresses are configured with zone-redundancy. #958
        • Check Public IP addresses are using Standard SKU. #979
      • User Assigned Managed Identity:
        • Check identities meet naming requirements. #1021
      • Virtual Network Gateway:
        • Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
    • General improvements:
      • Improved processing of AzOps generated templates. #799
        • Azure.Template.DefineParameters is ignored for AzOps generated templates.
        • Azure.Template.UseLocationParameter is ignored for AzOps generated templates.
      • Bicep is now installed when using PSRule GitHub Action. #1050
    • Engineering:
      • Bump PSRule dependency to v1.8.0. #1018
      • Added automated PR workflow to bump providers.json monthly. #1041
    • Bug fixes:
      • Fixed AKS Network Policy should accept calico. #1046
      • Fixed Azure.ACR.AdminUser fails when adminUserEnabled not set. #1014
      • Fixed Azure.KeyVault.Logs reports cannot index into a null array. #1024
      • Fixed template function empty returns object reference not set exception. #1025
      • Fixed delayed binding of and template function. #1026
      • Fixed template function array nests array with array parameters. #1027
      • Fixed property used by Azure.ACR.MinSKU to work more reliably with templates. #1034
      • Fixed could not determine JSON object type for MockMember using CreateObject. #1035
      • Fixed Bicep convention ordering. #1053

    What's changed since pre-release v1.9.0-B2110087:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v190-b2110087-pre-release","title":"v1.9.0-B2110087 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110082:

    • Bug fixes:
      • Fixed Bicep convention ordering. #1053
    "},{"location":"CHANGELOG-v1/#v190-b2110082-pre-release","title":"v1.9.0-B2110082 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110059:

    • General improvements:
      • Bicep is now installed when using PSRule GitHub Action. #1050
    • Engineering:
      • Added automated PR workflow to bump providers.json monthly. #1041
    • Bug fixes:
      • Fixed AKS Network Policy should accept calico. #1046
    "},{"location":"CHANGELOG-v1/#v190-b2110059-pre-release","title":"v1.9.0-B2110059 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110040:

    • New rules:
      • API Management Service:
        • Check API management services are using availability zones when available. #1017
    • Bug fixes:
      • Fixed property used by Azure.ACR.MinSKU to work more reliably with templates. #1034
      • Fixed could not determine JSON object type for MockMember using CreateObject. #1035
    "},{"location":"CHANGELOG-v1/#v190-b2110040-pre-release","title":"v1.9.0-B2110040 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110025:

    • New rules:
      • User Assigned Managed Identity:
        • Check identities meet naming requirements. #1021
    • Bug fixes:
      • Fixed Azure.KeyVault.Logs reports cannot index into a null array. #1024
      • Fixed template function empty returns object reference not set exception. #1025
      • Fixed delayed binding of and template function. #1026
      • Fixed template function array nests array with array parameters. #1027
    "},{"location":"CHANGELOG-v1/#v190-b2110025-pre-release","title":"v1.9.0-B2110025 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110014:

    • Engineering:
      • Bump PSRule dependency to v1.8.0. #1018
    • Bug fixes:
      • Fixed Azure.ACR.AdminUser fails when adminUserEnabled not set. #1014
    "},{"location":"CHANGELOG-v1/#v190-b2110014-pre-release","title":"v1.9.0-B2110014 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110009:

    • Bug fixes:
      • Fixed expression out of range of valid values. #1005
      • Fixed template expand fails in nested reference expansion. #1007
    "},{"location":"CHANGELOG-v1/#v190-b2110009-pre-release","title":"v1.9.0-B2110009 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2109027:

    • Bug fixes:
      • Fixed handling of comments with template and parameter file rules. #996
      • Fixed Azure.Template.UseLocationParameter to only apply to templates deployed as RG scope #995
      • Fixed expand template fails with createObject when no parameters are specified. #1000
    "},{"location":"CHANGELOG-v1/#v190-b2109027-pre-release","title":"v1.9.0-B2109027 (pre-release)","text":"

    What's changed since v1.8.0:

    • New rules:
      • Public IP Address:
        • Check Public IP addresses are configured with zone-redundancy. #958
        • Check Public IP addresses are using Standard SKU. #979
      • Virtual Network Gateway:
        • Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
    • General improvements:
      • Improved processing of AzOps generated templates. #799
        • Azure.Template.DefineParameters is ignored for AzOps generated templates.
        • Azure.Template.UseLocationParameter is ignored for AzOps generated templates.
    • Bug fixes:
      • Fixed ToUpper fails to convert character. #986
    "},{"location":"CHANGELOG-v1/#v181","title":"v1.8.1","text":"

    What's changed since v1.8.0:

    • Bug fixes:
      • Fixed handling of comments with template and parameter file rules. #996
      • Fixed Azure.Template.UseLocationParameter to only apply to templates deployed as RG scope #995
      • Fixed expand template fails with createObject when no parameters are specified. #1000
      • Fixed ToUpper fails to convert character. #986
      • Fixed expression out of range of valid values. #1005
      • Fixed template expand fails in nested reference expansion. #1007
    "},{"location":"CHANGELOG-v1/#v180","title":"v1.8.0","text":"

    What's changed since v1.7.0:

    • New features:
      • Added Azure.GA_2021_09 baseline. #961
        • Includes rules released before or during September 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_06 as obsolete.
    • New rules:
      • Application Gateway:
        • Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928
      • Azure Kubernetes Service:
        • Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882
        • Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922
        • Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881
        • Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880
      • Cosmos DB:
        • Check DB account names meet naming requirements. #954
        • Check DB accounts use Azure AD identities for resource management operations. #953
      • Load Balancer:
        • Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957
        • Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927
    • Engineering:
      • Bump PSRule dependency to v1.7.2. #951
      • Automated update of availability zone information in providers.json. #907
      • Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960
    • Bug fixes:
      • Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920
      • Fixed plan instance count is not applicable to Elastic Premium plans. #946
      • Fixed minimum App Service Plan fails Elastic Premium plans. #945
      • Fixed App Service Plan should include PremiumV3 plan. #944
      • Fixed Azure.VM.NICAttached with private endpoints. #932
      • Fixed Bicep CLI fails with unexpected end of content. #889
      • Fixed incomplete reason message for Azure.Storage.MinTLS. #971
      • Fixed false positive of Azure.Storage.UseReplication with large file storage. #965

    What's changed since pre-release v1.8.0-B2109060:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v180-b2109086-pre-release","title":"v1.8.0-B2109086 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2109060:

    • New rules:
      • Load Balancer:
        • Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957
    • Engineering:
      • Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960
    • Bug fixes:
      • Fixed Bicep CLI fails with unexpected end of content. #889
      • Fixed incomplete reason message for Azure.Storage.MinTLS. #971
      • Fixed false positive of Azure.Storage.UseReplication with large file storage. #965
    "},{"location":"CHANGELOG-v1/#v180-b2109060-pre-release","title":"v1.8.0-B2109060 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2109046:

    • New features:
      • Added Azure.GA_2021_09 baseline. #961
        • Includes rules released before or during September 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_06 as obsolete.
    • New rules:
      • Load Balancer:
        • Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927
    "},{"location":"CHANGELOG-v1/#v180-b2109046-pre-release","title":"v1.8.0-B2109046 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2109020:

    • New rules:
      • Application Gateway:
        • Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928
      • Cosmos DB:
        • Check DB account names meet naming requirements. #954
        • Check DB accounts use Azure AD identities for resource management operations. #953
    • Bug fixes:
      • Fixed plan instance count is not applicable to Elastic Premium plans. #946
      • Fixed minimum App Service Plan fails Elastic Premium plans. #945
      • Fixed App Service Plan should include PremiumV3 plan. #944
      • Fixed Azure.VM.NICAttached with private endpoints. #932
    • Engineering:
      • Bump PSRule dependency to v1.7.2. #951
    "},{"location":"CHANGELOG-v1/#v180-b2109020-pre-release","title":"v1.8.0-B2109020 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2108026:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882
        • Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922
    • Engineering:
      • Bump PSRule dependency to v1.7.0. #938
    "},{"location":"CHANGELOG-v1/#v180-b2108026-pre-release","title":"v1.8.0-B2108026 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2108013:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881
    • Bug fixes:
      • Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920
    "},{"location":"CHANGELOG-v1/#v180-b2108013-pre-release","title":"v1.8.0-B2108013 (pre-release)","text":"

    What's changed since v1.7.0:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880
    • Engineering:
      • Bump PSRule dependency to v1.6.1. #913
      • Automated update of availability zone information in providers.json. #907
    "},{"location":"CHANGELOG-v1/#v170","title":"v1.7.0","text":"

    What's changed since v1.6.0:

    • New rules:
      • All resources:
        • Check template parameter files use metadata links. #846
          • Configure the AZURE_PARAMETER_FILE_METADATA_LINK option to enable this rule.
        • Check template files use a recent schema. #845
        • Check template files use a https schema scheme. #894
        • Check template parameter files use a https schema scheme. #894
        • Check template parameters set a value. #896
        • Check template parameters use a valid secret reference. #897
      • Azure Kubernetes Service:
        • Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #273
        • Check clusters use auto-scale node pools. Thanks @ArmaanMcleod. #218
          • By default, a minimum of a /23 subnet is required.
          • Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to change the default minimum subnet size.
      • Storage Account:
        • Check Storage Accounts only accept explicitly allowed network traffic. #884
    • Updated rules:
      • Virtual Network:
        • Excluded AzureFirewallManagementSubnet from Azure.VNET.UseNSGs. #869
    • General improvements:
      • Added version information to bicep compilation exceptions. #903
    • Engineering:
      • Bump PSRule dependency to v1.6.0. #871
    • Bug fixes:
      • Fixed DateTimeAdd function and tests within timezones with DST. #891
      • Fixed Azure.Template.ParameterValue failing on empty value. #901

    What's changed since pre-release v1.7.0-B2108059:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v170-b2108059-pre-release","title":"v1.7.0-B2108059 (pre-release)","text":"

    What's changed since pre-release v1.7.0-B2108049:

    • General improvements:
      • Added version information to bicep compilation exceptions. #903
    • Bug fixes:
      • Fixed Azure.Template.ParameterValue failing on empty value. #901
    "},{"location":"CHANGELOG-v1/#v170-b2108049-pre-release","title":"v1.7.0-B2108049 (pre-release)","text":"

    What's changed since pre-release v1.7.0-B2108040:

    • New rules:
      • All resources:
        • Check template files use a recent schema. #845
        • Check template files use a https schema scheme. #894
        • Check template parameter files use a https schema scheme. #894
        • Check template parameters set a value. #896
        • Check template parameters use a valid secret reference. #897
    • Bug fixes:
      • Fixed DateTimeAdd function and tests within timezones with DST. #891
    "},{"location":"CHANGELOG-v1/#v170-b2108040-pre-release","title":"v1.7.0-B2108040 (pre-release)","text":"

    What's changed since pre-release v1.7.0-B2108020:

    • New rules:
      • All resources:
        • Check template parameter files use metadata links. #846
          • Configure the AZURE_PARAMETER_FILE_METADATA_LINK option to enable this rule.
      • Azure Kubernetes Service:
        • Check clusters using Azure CNI should use large subnets. Thanks @ArmaanMcleod. #273
          • By default, a minimum of a /23 subnet is required.
          • Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to change the default minimum subnet size.
      • Storage Account:
        • Check Storage Accounts only accept explicitly allowed network traffic. #884
    "},{"location":"CHANGELOG-v1/#v170-b2108020-pre-release","title":"v1.7.0-B2108020 (pre-release)","text":"

    What's changed since v1.6.0:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #218
    • Updated rules:
      • Virtual Network:
        • Excluded AzureFirewallManagementSubnet from Azure.VNET.UseNSGs. #869
    • Engineering:
      • Bump PSRule dependency to v1.6.0. #871
    "},{"location":"CHANGELOG-v1/#v160","title":"v1.6.0","text":"

    What's changed since v1.5.1:

    • New features:
      • Experimental: Added support for expansion from Bicep source files. #848 #670 #858
        • Bicep support is currently experimental.
        • To opt-in set the AZURE_BICEP_FILE_EXPANSION configuration to true.
        • For more information see Using Bicep.
    • New rules:
      • Application Gateways:
        • Check Application Gateways publish endpoints by HTTPS. #841
    • Engineering:
      • Bump PSRule dependency to v1.5.0. #832
      • Migration of Pester v4 tests to Pester v5. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #395

    What's changed since pre-release v1.6.0-B2108038:

    • Bug fixes:
      • Fixed Bicep expand creates deadlock and times out. #863
    "},{"location":"CHANGELOG-v1/#v160-b2108038-pre-release","title":"v1.6.0-B2108038 (pre-release)","text":"

    What's changed since pre-release v1.6.0-B2108023:

    • Bug fixes:
      • Fixed Bicep expand hangs analysis. #858
    "},{"location":"CHANGELOG-v1/#v160-b2108023-pre-release","title":"v1.6.0-B2108023 (pre-release)","text":"

    What's changed since pre-release v1.6.0-B2107028:

    • New features:
      • Experimental: Added support for expansion from Bicep source files. #848 #670
        • Bicep support is currently experimental.
        • To opt-in set the AZURE_BICEP_FILE_EXPANSION configuration to true.
        • For more information see Using Bicep.
    "},{"location":"CHANGELOG-v1/#v160-b2107028-pre-release","title":"v1.6.0-B2107028 (pre-release)","text":"

    What's changed since v1.5.1:

    • New rules:
      • Application Gateways:
        • Check Application Gateways publish endpoints by HTTPS. #841
    • Engineering:
      • Bump PSRule dependency to v1.5.0. #832
    "},{"location":"CHANGELOG-v1/#v151","title":"v1.5.1","text":"

    What's changed since v1.5.0:

    • Bug fixes:
      • Fixed rule does not detect more restrictive NSG rules. #831
    "},{"location":"CHANGELOG-v1/#v150","title":"v1.5.0","text":"

    What's changed since v1.4.1:

    • New features:
      • Added Azure.GA_2021_06 baseline. #822
        • Includes rules released before or during June 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_03 as obsolete.
    • New rules:
      • Application Insights:
        • Check App Insights resources use workspace-based configuration. #813
        • Check App Insights resources meet naming requirements. #814
    • General improvements:
      • Exclude not applicable rules for templates generated with Bicep and PSArm. #815
      • Updated rule help to use docs pages for online version. #824
    • Engineering:
      • Bump PSRule dependency to v1.4.0. #823
      • Bump YamlDotNet dependency to v11.2.1. #821
      • Migrate project to Azure GitHub organization and updated links. #800
    • Bug fixes:
      • Fixed detection of parameters and variables with line breaks. #811

    What's changed since pre-release v1.5.0-B2107002:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v150-b2107002-pre-release","title":"v1.5.0-B2107002 (pre-release)","text":"

    What's changed since pre-release v1.5.0-B2106018:

    • New features:
      • Added Azure.GA_2021_06 baseline. #822
        • Includes rules released before or during June 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_03 as obsolete.
    • General improvements:
      • Updated rule help to use docs pages for online version. #824
    • Engineering:
      • Bump PSRule dependency to v1.4.0. #823
      • Bump YamlDotNet dependency to v11.2.1. #821
    "},{"location":"CHANGELOG-v1/#v150-b2106018-pre-release","title":"v1.5.0-B2106018 (pre-release)","text":"

    What's changed since v1.4.1:

    • New rules:
      • Application Insights:
        • Check App Insights resources use workspace-based configuration. #813
        • Check App Insights resources meet naming requirements. #814
    • General improvements:
      • Exclude not applicable rules for templates generated with Bicep and PSArm. #815
    • Engineering:
      • Bump YamlDotNet dependency to v11.2.0. #801
      • Migrate project to Azure GitHub organization and updated links. #800
    • Bug fixes:
      • Fixed detection of parameters and variables with line breaks. #811
    "},{"location":"CHANGELOG-v1/#v141","title":"v1.4.1","text":"

    What's changed since v1.4.0:

    • Bug fixes:
      • Fixed boolean string conversion case. #793
      • Fixed case sensitive property matching. #794
      • Fixed automatic expansion of template parameter files. #796
        • Template parameter files are not automatically expanded by default.
        • To enable this, set the AZURE_PARAMETER_FILE_EXPANSION configuration option.
    "},{"location":"CHANGELOG-v1/#v140","title":"v1.4.0","text":"

    What's changed since v1.3.2:

    • New features:
      • Automatically expand template from parameter files for analysis. #772
        • Previously templates needed to be exported with Export-AzRuleTemplateData.
        • To export template data automatically use PSRule cmdlets with -Format File.
    • New rules:
      • Cognitive Search:
        • Check search services meet index SLA replica requirement. #761
        • Check search services meet query SLA replica requirement. #762
        • Check search services meet naming requirements. #763
        • Check search services use a minimum SKU. #764
        • Check search services use managed identities. #765
      • Azure Kubernetes Service:
        • Check clusters use AKS-managed Azure AD integration. #436
        • Check clusters have local account disabled (preview). #786
        • Check clusters have an auto-upgrade channel set (preview). #787
        • Check clusters limit access network access to the API server. #788
        • Check clusters used Azure RBAC for Kubernetes authorization. #789
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.20.5. #767
    • General improvements:
      • Automatically nest template sub-resources for analysis. #746
        • Sub-resources such as diagnostic logs or configurations are automatically nested.
        • Automatic nesting a resource requires:
          • The parent resource is defined in the same template.
          • The sub-resource depends on the parent resource.
      • Added support for source location references to template files. #781
        • Output includes source location to resources exported from a templates.
    • Bug fixes:
      • Fixed string index parsing in expressions with whitespace. #775
      • Fixed base for DateTimeAdd is not a valid string. #777
    • Engineering:
      • Added source link to project. #783

    What's changed since pre-release v1.4.0-B2105057:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v140-b2105057-pre-release","title":"v1.4.0-B2105057 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105050:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use AKS-managed Azure AD integration. #436
        • Check clusters have local account disabled (preview). #786
        • Check clusters have an auto-upgrade channel set (preview). #787
        • Check clusters limit access network access to the API server. #788
        • Check clusters used Azure RBAC for Kubernetes authorization. #789
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.20.5. #767
    • Engineering:
      • Added source link to project. #783
    "},{"location":"CHANGELOG-v1/#v140-b2105050-pre-release","title":"v1.4.0-B2105050 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105044:

    • General improvements:
      • Added support for source location references to template files. #781
        • Output includes source location to resources exported from a templates.
    "},{"location":"CHANGELOG-v1/#v140-b2105044-pre-release","title":"v1.4.0-B2105044 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105027:

    • New features:
      • Automatically expand template from parameter files for analysis. #772
        • Previously templates needed to be exported with Export-AzRuleTemplateData.
        • To export template data automatically use PSRule cmdlets with -Format File.
    • Bug fixes:
      • Fixed string index parsing in expressions with whitespace. #775
      • Fixed base for DateTimeAdd is not a valid string. #777
    "},{"location":"CHANGELOG-v1/#v140-b2105027-pre-release","title":"v1.4.0-B2105027 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105020:

    • New rules:
      • Cognitive Search:
        • Check search services meet index SLA replica requirement. #761
        • Check search services meet query SLA replica requirement. #762
        • Check search services meet naming requirements. #763
        • Check search services use a minimum SKU. #764
        • Check search services use managed identities. #765
    "},{"location":"CHANGELOG-v1/#v140-b2105020-pre-release","title":"v1.4.0-B2105020 (pre-release)","text":"

    What's changed since v1.3.2:

    • General improvements:
      • Automatically nest template sub-resources for analysis. #746
        • Sub-resources such as diagnostic logs or configurations are automatically nested.
        • Automatic nesting a resource requires:
          • The parent resource is defined in the same template.
          • The sub-resource depends on the parent resource.
    "},{"location":"CHANGELOG-v1/#v132","title":"v1.3.2","text":"

    What's changed since v1.3.1:

    • Bug fixes:
      • Fixed rule reason reported the parameter inputObject is null. #753
    "},{"location":"CHANGELOG-v1/#v131","title":"v1.3.1","text":"

    What's changed since v1.3.0:

    • Engineering:
      • Bump PSRule dependency to v1.3.0. #749
      • Bump YamlDotNet dependency to v11.1.1. #742
    "},{"location":"CHANGELOG-v1/#v130","title":"v1.3.0","text":"

    What's changed since v1.2.1:

    • New rules:
      • Policy:
        • Check policy assignment display name and description are set. #725
        • Check policy assignment assigned by metadata is set. #726
        • Check policy exemption display name and description are set. #723
        • Check policy waiver exemptions have an expiry date set. #724
    • Removed rules:
      • Storage:
        • Remove Azure.Storage.UseEncryption as Storage Service Encryption (SSE) is always on. #630
          • SSE is on by default and can not be disabled.
    • General improvements:
      • Additional metadata added in parameter files is passed through with Get-AzRuleTemplateLink. #706
      • Improved binding support for File inputs. #480
        • Template and parameter file names now return a relative path instead of full path.
      • Added API version for each module resource. #729
    • Engineering:
      • Clean up depreciated warning message for configuration option azureAllowedRegions. #737
      • Clean up depreciated warning message for configuration option minAKSVersion. #738
      • Bump PSRule dependency to v1.2.0. #713
    • Bug fixes:
      • Fixed could not load file or assembly YamlDotNet. #741
        • This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.

    What's changed since pre-release v1.3.0-B2104040:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v130-b2104040-pre-release","title":"v1.3.0-B2104040 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2104034:

    • Bug fixes:
      • Fixed could not load file or assembly YamlDotNet. #741
        • This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.
    "},{"location":"CHANGELOG-v1/#v130-b2104034-pre-release","title":"v1.3.0-B2104034 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2104023:

    • New rules:
      • Policy:
        • Check policy assignment display name and description are set. #725
        • Check policy assignment assigned by metadata is set. #726
        • Check policy exemption display name and description are set. #723
        • Check policy waiver exemptions have an expiry date set. #724
    • Engineering:
      • Clean up depreciated warning message for configuration option azureAllowedRegions. #737
      • Clean up depreciated warning message for configuration option minAKSVersion. #738
    "},{"location":"CHANGELOG-v1/#v130-b2104023-pre-release","title":"v1.3.0-B2104023 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2104013:

    • General improvements:
      • Improved binding support for File inputs. #480
        • Template and parameter file names now return a relative path instead of full path.
      • Added API version for each module resource. #729
    "},{"location":"CHANGELOG-v1/#v130-b2104013-pre-release","title":"v1.3.0-B2104013 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2103007:

    • Engineering:
      • Bump PSRule dependency to v1.2.0. #713
    • Bug fixes:
      • Fixed export not expanding nested deployments. #715
    "},{"location":"CHANGELOG-v1/#v130-b2103007-pre-release","title":"v1.3.0-B2103007 (pre-release)","text":"

    What's changed since v1.2.0:

    • Removed rules:
      • Storage:
        • Remove Azure.Storage.UseEncryption as Storage Service Encryption (SSE) is always on. #630
          • SSE is on by default and can not be disabled.
    • General improvements:
      • Additional metadata added in parameter files is passed through with Get-AzRuleTemplateLink. #706
    "},{"location":"CHANGELOG-v1/#v121","title":"v1.2.1","text":"

    What's changed since v1.2.0:

    • Bug fixes:
      • Fixed export not expanding nested deployments. #715
    "},{"location":"CHANGELOG-v1/#v120","title":"v1.2.0","text":"

    What's changed since v1.1.4:

    • New features:
      • Added Azure.GA_2021_03 baseline. #673
        • Includes rules released before or during March 2021 for Azure GA features.
        • Marked baseline Azure.GA_2020_12 as obsolete.
    • New rules:
      • Key Vault:
        • Check vaults, keys, and secrets meet name requirements. #646
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.7. #696
    • General improvements:
      • Added support for user defined functions in templates. #682
    • Engineering:
      • Bump PSRule dependency to v1.1.0. #692

    What's changed since pre-release v1.2.0-B2103044:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v120-b2103044-pre-release","title":"v1.2.0-B2103044 (pre-release)","text":"

    What's changed since pre-release v1.2.0-B2103032:

    • New features:
      • Added Azure.GA_2021_03 baseline. #673
        • Includes rules released before or during March 2021 for Azure GA features.
        • Marked baseline Azure.GA_2020_12 as obsolete.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.7. #696
    "},{"location":"CHANGELOG-v1/#v120-b2103032-pre-release","title":"v1.2.0-B2103032 (pre-release)","text":"

    What's changed since pre-release v1.2.0-B2103024:

    • New rules:
      • Key Vault:
        • Check vaults, keys, and secrets meet name requirements. #646
    • Engineering:
      • Bump PSRule dependency to v1.1.0. #692
    "},{"location":"CHANGELOG-v1/#v120-b2103024-pre-release","title":"v1.2.0-B2103024 (pre-release)","text":"

    What's changed since v1.1.4:

    • General improvements:
      • Added support for user defined functions in templates. #682
    "},{"location":"CHANGELOG-v1/#v114","title":"v1.1.4","text":"

    What's changed since v1.1.3:

    • Bug fixes:
      • Fixed handling of literal index with copyIndex function. #686
      • Fixed handling of inner scoped nested deployments. #687
    "},{"location":"CHANGELOG-v1/#v113","title":"v1.1.3","text":"

    What's changed since v1.1.2:

    • Bug fixes:
      • Fixed parsing of property names for functions across multiple lines. #683
    "},{"location":"CHANGELOG-v1/#v112","title":"v1.1.2","text":"

    What's changed since v1.1.1:

    • Bug fixes:
      • Fixed copy peer property resolve. #677
      • Fixed partial resource group or subscription object not populating. #678
      • Fixed lazy loading of environment and resource providers. #679
    "},{"location":"CHANGELOG-v1/#v111","title":"v1.1.1","text":"

    What's changed since v1.1.0:

    • Bug fixes:
      • Fixed support for parameter file schemas. #674
    "},{"location":"CHANGELOG-v1/#v110","title":"v1.1.0","text":"

    What's changed since v1.0.0:

    • New features:
      • Exporting template with Export-AzRuleTemplateData supports custom resource group and subscription. #651
        • Subscription and resource group used for deployment can be specified instead of using defaults.
        • ResourceGroupName parameter of Export-AzRuleTemplateData has been renamed to ResourceGroup.
        • Added a parameter alias for ResourceGroupName on Export-AzRuleTemplateData.
    • New rules:
      • All resources:
        • Check template parameters are defined. #631
        • Check location parameter is type string. #632
        • Check template parameter minValue and maxValue constraints are valid. #637
        • Check template resources do not use hard coded locations. #633
        • Check resource group location not referenced instead of location parameter. #634
        • Check increased debug detail is disabled for nested deployments. #638
    • General improvements:
      • Added support for matching template by name. #661
        • Get-AzRuleTemplateLink discovers <templateName>.json from <templateName>.parameters.json.
    • Engineering:
      • Bump PSRule dependency to v1.0.3. #648
    • Bug fixes:
      • Fixed Azure.VM.ADE to limit rule to exports only. #644
      • Fixed if condition values evaluation order. #652
      • Fixed handling of int parameters with large values. #653
      • Fixed handling of expressions split over multiple lines. #654
      • Fixed handling of bool parameter values within logical expressions. #655
      • Fixed copy loop value does not fall within the expected range. #664
      • Fixed template comparison functions handling of large integer values. #666
      • Fixed handling of createArray function with no arguments. #667

    What's changed since pre-release v1.1.0-B2102034:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v110-b2102034-pre-release","title":"v1.1.0-B2102034 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102023:

    • General improvements:
      • Added support for matching template by name. #661
        • Get-AzRuleTemplateLink discovers <templateName>.json from <templateName>.parameters.json.
    • Bug fixes:
      • Fixed copy loop value does not fall within the expected range. #664
      • Fixed template comparison functions handling of large integer values. #666
      • Fixed handling of createArray function with no arguments. #667
    "},{"location":"CHANGELOG-v1/#v110-b2102023-pre-release","title":"v1.1.0-B2102023 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102015:

    • New features:
      • Exporting template with Export-AzRuleTemplateData supports custom resource group and subscription. #651
        • Subscription and resource group used for deployment can be specified instead of using defaults.
        • ResourceGroupName parameter of Export-AzRuleTemplateData has been renamed to ResourceGroup.
        • Added a parameter alias for ResourceGroupName on Export-AzRuleTemplateData.
    "},{"location":"CHANGELOG-v1/#v110-b2102015-pre-release","title":"v1.1.0-B2102015 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102010:

    • Bug fixes:
      • Fixed if condition values evaluation order. #652
      • Fixed handling of int parameters with large values. #653
      • Fixed handling of expressions split over multiple lines. #654
      • Fixed handling of bool parameter values within logical expressions. #655
    "},{"location":"CHANGELOG-v1/#v110-b2102010-pre-release","title":"v1.1.0-B2102010 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102001:

    • Engineering:
      • Bump PSRule dependency to v1.0.3. #648
    • Bug fixes:
      • Fixed Azure.VM.ADE to limit rule to exports only. #644
    "},{"location":"CHANGELOG-v1/#v110-b2102001-pre-release","title":"v1.1.0-B2102001 (pre-release)","text":"

    What's changed since v1.0.0:

    • New rules:
      • All resources:
        • Check template parameters are defined. #631
        • Check location parameter is type string. #632
        • Check template parameter minValue and maxValue constraints are valid. #637
        • Check template resources do not use hard coded locations. #633
        • Check resource group location not referenced instead of location parameter. #634
        • Check increased debug detail is disabled for nested deployments. #638
    • Engineering:
      • Bump PSRule dependency to v1.0.2. #635
    "},{"location":"CHANGELOG-v1/#v100","title":"v1.0.0","text":"

    What's changed since v0.19.0:

    • New rules:
      • All resources:
        • Check parameter default value type matches type. #311
        • Check location parameter defaults to resource group. #361
      • Front Door:
        • Check Front Door uses a health probe for each backend pool. #546
        • Check Front Door uses a dedicated health probe path backend pools. #547
        • Check Front Door uses HEAD requests for backend health probes. #613
      • Service Fabric:
        • Check Service Fabric clusters use AAD client authentication. #619
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.6. #603
    • General improvements:
      • Renamed Export-AzTemplateRuleData to Export-AzRuleTemplateData. #596
        • New name Export-AzRuleTemplateData aligns with prefix of other cmdlets.
        • Use of Export-AzTemplateRuleData is now deprecated and will be removed in the next major version.
        • Added alias to allow Export-AzTemplateRuleData to continue to be used.
        • Using Export-AzTemplateRuleData returns a deprecation warning.
      • Added support for environment template function. #517
    • Engineering:
      • Bump PSRule dependency to v1.0.1. #611

    What's changed since pre-release v1.0.0-B2101028:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v100-b2101028-pre-release","title":"v1.0.0-B2101028 (pre-release)","text":"

    What's changed since pre-release v1.0.0-B2101016:

    • New rules:
      • All resources:
        • Check parameter default value type matches type. #311
    • General improvements:
      • Renamed Export-AzTemplateRuleData to Export-AzRuleTemplateData. #596
        • New name Export-AzRuleTemplateData aligns with prefix of other cmdlets.
        • Use of Export-AzTemplateRuleData is now deprecated and will be removed in the next major version.
        • Added alias to allow Export-AzTemplateRuleData to continue to be used.
        • Using Export-AzTemplateRuleData returns a deprecation warning.
    "},{"location":"CHANGELOG-v1/#v100-b2101016-pre-release","title":"v1.0.0-B2101016 (pre-release)","text":"

    What's changed since pre-release v1.0.0-B2101006:

    • New rules:
      • Service Fabric:
        • Check Service Fabric clusters use AAD client authentication. #619
    • Bug fixes:
      • Fixed reason Azure.FrontDoor.ProbePath so the probe name is included. #617
    "},{"location":"CHANGELOG-v1/#v100-b2101006-pre-release","title":"v1.0.0-B2101006 (pre-release)","text":"

    What's changed since v0.19.0:

    • New rules:
      • All resources:
        • Check location parameter defaults to resource group. #361
      • Front Door:
        • Check Front Door uses a health probe for each backend pool. #546
        • Check Front Door uses a dedicated health probe path backend pools. #547
        • Check Front Door uses HEAD requests for backend health probes. #613
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.6. #603
    • General improvements:
      • Added support for environment template function. #517
    • Engineering:
      • Bump PSRule dependency to v1.0.1. #611
    • Redis Cache Enterprise
      • Check Redis Cache Enterprise uses minimum TLS 1.2 1179
    "},{"location":"about/","title":"What is PSRule for Azure?","text":"

    PSRule for Azure is a pre-built set of tests and documentation to help you configure Azure solutions. These tests allow you to check your Infrastructure as Code (IaC) before or after deployment to Azure. PSRule for Azure includes unit tests that check how Azure resources defined in ARM templates or Bicep code are configured.

    "},{"location":"about/#why-use-psrule-for-azure","title":"Why use PSRule for Azure?","text":"

    PSRule for Azure helps you identify changes to improve the quality of solutions deployed on Azure. PSRule for Azure uses the principles of the Azure Well-Architected Framework (WAF) to:

    • Suggest changes \u2014 you can use to improve the quality of your solution.
    • Link to documentation \u2014 to learn how this applies to your environment.
    • Demonstrate \u2014 how you can implement the change with examples. Examples are provided in Azure Bicep and ARM templates syntax.

    If you want to write your own tests, you can do that too in your choice of YAML, JSON, or PowerShell. However with over 390 tests already built, you can identify and fix issues day one.

    Get started with a sample repository

    To get started with a sample repository, see PSRule for Azure Quick Start on GitHub.

    "},{"location":"about/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"

    An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.

    "},{"location":"about/#who-uses-psrule-for-azure","title":"Who uses PSRule for Azure?","text":"

    Several first-party repositories use PSRule for Azure. Here's a few you may be familiar with:

    • Azure/ResourceModules - Common Azure Resource Modules Library
    • Azure/ALZ-Bicep - Azure Landing Zones (ALZ)
    • Azure/AKS-Construction - AKS Construction
    "},{"location":"analyzing-resources/","title":"Analyzing resources","text":"

    The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.

    Abstract

    This topics covers how you can test the state of deployed Azure resources that have been exported.

    Important

    This step requires that you have already exported the state of deployed Azure resources. Before continuing, complete Exporting rule data for the resources that will be tested.

    "},{"location":"analyzing-resources/#analyzing-exported-state","title":"Analyzing exported state","text":"

    The state of resources can be analyzed for exported state by using the Invoke-PSRule PowerShell cmdlet.

    For example:

    Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure';\n

    To filter results to only failed rules, use Invoke-PSRule -Outcome Fail. Passed, failed and error results are shown by default.

    For example:

    # Only show failed results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -Outcome Fail;\n

    The output of this example is:

       TargetName: storage\n\nRuleName                            Outcome    Recommendation\n--------                            -------    --------------\nAzure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk\nAzure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic\nAzure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts\n

    A summary of results can be displayed by using Invoke-PSRule -As Summary.

    For example:

    # Display as summary results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -As Summary;\n

    The output of this example is:

    RuleName                            Pass  Fail  Outcome\n--------                            ----  ----  -------\nAzure.ACR.MinSku                    0     1     Fail\nAzure.AppService.PlanInstanceCount  0     1     Fail\nAzure.AppService.UseHTTPS           0     2     Fail\nAzure.Resource.UseTags              73    36    Fail\nAzure.SQL.ThreatDetection           0     1     Fail\nAzure.SQL.Auditing                  0     1     Fail\nAzure.Storage.UseReplication        1     7     Fail\nAzure.Storage.SecureTransferRequ... 2     6     Fail\nAzure.Storage.SoftDelete            0     8     Fail\n
    "},{"location":"analyzing-resources/#ignoring-rules","title":"Ignoring rules","text":"

    To prevent a rule executing you can either:

    • Exclude \u2014 The rule is not executed for any resource.
    • Suppress \u2014 The rule is not executed for a specific resource by name.

    To exclude a rule, set Rule.Exclude option within the ps-rule.yaml file.

    Docs

    rule:\nexclude:\n# Ignore the following rules for all resources\n- Azure.VM.UseHybridUseBenefit\n- Azure.VM.Standalone\n

    To suppress a rule, set Suppression option within the ps-rule.yaml file.

    Docs

    suppression:\nAzure.AKS.AuthorizedIPs:\n# Exclude the following externally managed AKS clusters\n- aks-cluster-prod-eus-001\nAzure.Storage.SoftDelete:\n# Exclude the following non-production storage accounts\n- storagedeveus6jo36t\n- storagedeveus1df278\n

    Tip

    Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.

    "},{"location":"analyzing-resources/#advanced-configuration","title":"Advanced configuration","text":"

    Docs

    PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.

    "},{"location":"creating-your-pipeline/","title":"Creating your pipeline","text":"

    Abstract

    This topic covers how you can configuration continuous integration (CI) pipelines to tests Bicep and ARM templates automatically.

    You can use PSRule for Azure to validate Azure resources throughout their lifecycle. By using validation within a continuous integration (CI) pipeline, any issues provide fast feedback.

    Within the root directory of your infrastructure as code repository:

    GitHub ActionsAzure PipelinesGeneric with PowerShell

    Create a new GitHub Actions workflow by creating .github/workflows/analyze-arm.yaml.

    name: Analyze templates\non:\npush:\nbranches:\n- main\npull_request:\nbranches:\n- main\njobs:\nanalyze_arm:\nname: Analyze templates\nruns-on: ubuntu-latest\nsteps:\n- name: Checkout\nuses: actions/checkout@v3\n# Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\n

    Create a new Azure DevOps YAML pipeline by creating .azure-pipelines/analyze-arm.yaml.

    steps:\n# Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    Create a pipeline in any CI environment by using PowerShell.

    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n

    This will automatically install compatible versions of all dependencies.

    Tip

    If this is your first time implementing PSRule for Azure on a live repository, you may want to consider setting continue on error. This will allow you to try out PSRule without preventing pull requests (PRs) from being merged.

    "},{"location":"creating-your-pipeline/#parameters","title":"Parameters","text":"

    Several parameters are available to customize the behavior of the pipeline. In addition, many of these parameters are also available as configuration options configurable within ps-rule.yaml.

    Some of the most common parameters are listed below. For a full list of parameters see the readme for GitHub Actions or Azure Pipelines.

    "},{"location":"creating-your-pipeline/#limiting-input-to-a-specific-path","title":"Limiting input to a specific path","text":"

    By default, PSRule will scan all files and folders within the repository or current working path. You can use the inputPath parameter to limit the analysis to a specific file or directory path.

    Tip

    The inputPath parameter only accepts a relative path. Both file and directory paths are supported. For example: azure/modules/ if you have a azure/modules/ directory in the root of your repository. Be careful not to specify a leading / such as /azure/modules/. On Linux / is the root directory, which makes this a fully qualified path instead of a relative path.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\ninputPath: azure/modules/\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\ninputPath: azure/modules/\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath 'azure/modules/' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#configuring-a-baseline","title":"Configuring a baseline","text":"

    You can set the baseline parameter to specify the name of a baseline to use. A baseline is a set of rules and configuration. PSRule for Azure ships with multiple baselines to choose from. See working with baselines for more information.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\nbaseline: Azure.GA_2023_09\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\nbaseline: Azure.GA_2023_09\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Baseline 'Azure.GA_2023_09' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#continue-on-error","title":"Continue on error","text":"

    By default, PSRule breaks or stops the pipeline if any rules fail or errors occur. When adopting PSRule for Azure or a new baseline you may want to run PSRule without stopping the pipeline.

    To do this, configure the PSRule for Azure step to continue on error.

    GitHub ActionsAzure PipelinesGeneric with PowerShell

    Set the continue-on-error property to true.

    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\ncontinue-on-error: true\nwith:\nmodules: 'PSRule.Rules.Azure'\n

    Set the continueOnError property to true.

    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ncontinueOnError: true\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    Set the ErrorAction parameter of Assert-PSRule to Continue.

    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Continue;\n
    "},{"location":"creating-your-pipeline/#adding-additional-modules","title":"Adding additional modules","text":"

    You can add additional modules to the modules parameter by using comma (,) separating each module name.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure,PSRule.Monitor'\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure,PSRule.Monitor'\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure', 'PSRule.Monitor')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#outputting-results","title":"Outputting results","text":"

    You can configure PSRule to output results into a file by using the outputFormat and outputPath parameters. For details on the formats that are supported see analysis output.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\noutputFormat: Sarif\noutputPath: reports/ps-rule-results.sarif\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\noutputFormat: Sarif\noutputPath: reports/ps-rule-results.sarif\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#configuration","title":"Configuration","text":"

    Configuration options for PSRule for Azure are set within the ps-rule.yaml file. To set options, create a new file named ps-rule.yaml in the root directory of your repository.

    Tip

    This file should be committed to your repository so it is available when your pipeline runs.

    "},{"location":"creating-your-pipeline/#expand-template-parameter-files","title":"Expand template parameter files","text":"

    Docs

    PSRule for Azure can automatically expand Azure template parameter files. When enabled, PSRule for Azure automatically resolves parameter and template file context at runtime.

    To enabled this feature, set the Configuration.AZURE_PARAMETER_FILE_EXPANSION option to true. This option can be set within the ps-rule.yaml file.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of Azure parameter files\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"creating-your-pipeline/#expand-bicep-source-files","title":"Expand Bicep source files","text":"

    Docs

    PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from .bicep files.

    To enabled this feature, set the Configuration.AZURE_BICEP_FILE_EXPANSION option to true. This option can be set within the ps-rule.yaml file.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of bicep source files\nAZURE_BICEP_FILE_EXPANSION: true\n
    "},{"location":"creating-your-pipeline/#advanced-configuration","title":"Advanced configuration","text":"

    Docs

    PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.

    "},{"location":"creating-your-pipeline/#recommended-content","title":"Recommended content","text":"
    • Suppression and excluding rules
    • Using Bicep source

    "},{"location":"deprecations/","title":"Deprecations","text":""},{"location":"deprecations/#deprecations-for-v200","title":"Deprecations for v2.0.0","text":""},{"location":"deprecations/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"

    The following configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure.

    We plan to have all the old option names renamed and they will not longer work from v2. To upgrade use the new names instead. Until v2, the old option names are still work and will take precedence if new and old are configured.

    New name Old name Available from AZURE_AKS_CLUSTER_MINIMUM_VERSION Azure_AKSMinimumVersion v1.12.0 AZURE_AKS_POOL_MINIMUM_MAXPODS Azure_AKSNodeMinimumMaxPods TBA - not available AZURE_RESOURCE_ALLOWED_LOCATIONS Azure_AllowedRegions v1.30.0 AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME Azure_MinimumCertificateLifetime TBA - not available

    Note

    Configuration options marked TBA are not available yet. Please use the old names until they are available. Check the change log and the upgrade notes for more information on a future release.

    Important

    New option names will work from the release specified by Available from. Configuring these options prior to that release will have no affect. For details on configuring these options see upgrade notes for details.

    "},{"location":"expanding-source-files/","title":"Expanding source files","text":"

    PSRule for Azure supports analyzing resources contained within Azure Infrastructure as Code.

    Abstract

    This topic covers what source expansion is, why it's important, and how to use it within PSRule for Azure.

    "},{"location":"expanding-source-files/#source-expansion","title":"Source expansion","text":"

    PSRule for Azure goes beyond linting Azure Bicep and template files for syntax. Source expansion performs context specific static analysis on Azure resources. Azure resources are analyzed before deployment as if they are deployed.

    This provides some unique benefits such as:

    • Improve success \u2014 Azure resources are resolved before deployment, increasing success by finding errors earlier such as within a PR.
      • Detect common templates issues such as missing parameters and JSON structure.
      • Identify deployment issues such as invalid resource names and incorrect resource identifiers.
    • As deployed \u2014 Analysis of Azure resources against Azure WAF as if they are deployed.
      • Parameters, conditional resources, functions (built-in and user defined), variables, and copy loops are resolved.
      • Azure resource names are shown in passing and failing results. Resolving issues with resource configurations can be targeted by resource.
      • Resource file locations for template and parameter files are included in results.
    • Suppression by resource name \u2014 Azure resource names can be used to apply exceptions.
      • Suppression allows for individual resources to be excluded from rules by name.
    • Offline support \u2014 Static analysis is performed against source files instead of deployed resources.
      • Some functions that may be included in templates dynamically query Azure for current state. For these functions standard placeholder values are used by default. Functions that use placeholders include reference, list*.
    "},{"location":"expanding-source-files/#feature-support","title":"Feature support","text":"

    Source expansion is supported with:

    • Azure template and parameter files \u2014 Azure templates are expanded from parameter files. Link parameter files to templates by metadata or naming convention. See Using templates for a detailed explanation of how to do this.
    • Azure Bicep deployments \u2014 Files with the .bicep extension are detected and expanded. See Using Bicep source for a detailed explanation of how to do this.
    • Azure Bicep modules with tests \u2014 Reusable Bicep modules can be expanded with tests. See Using Bicep source for a detailed explanation of how to do this.

    "},{"location":"expanding-source-files/#limitations","title":"Limitations","text":"

    Currently the following limitations apply:

    • Required parameters in must be provided in parameter files or Bicep deployments.
    • Nested templates are expanded, external templates are not.
      • Deployment resources that link to an external template are returned as a resource.
    • Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:
      • The parent resource is defined in the same template.
      • The sub-resource depends on the parent resource.
    • The environment() template function always returns values for Azure public cloud.
    • References to Key Vault secrets are not expanded. A placeholder value is used instead.
    • The reference() function will return objects for resources within the same template. For resources that are not in the same template, a placeholder value is used instead.
    • Multi-line strings are not supported.
    • Template expressions up to a maximum of 100,000 characters are supported.

    In addition, the following limitations currently apply to using Bicep source files:

    • The Bicep CLI must be installed. When using GitHub Actions or Azure Pipelines the Bicep CLI is pre-installed.
    • Location of issues in Bicep source files is not supported.
    • Expansion of Bicep source files times out after 5 seconds by default. The timeout can be overridden by setting the AZURE_BICEP_FILE_EXPANSION_TIMEOUT option.

    "},{"location":"expanding-source-files/#strong-type","title":"Strong type","text":"

    String parameters are commonly used to pass values such as a resource Id or location. PSRule for Azure provides additional support to allow parameters to be strongly typed. When a parameter is strongly typed, the value is checked against the type during expansion.

    To configure a strong type for a parameter set the strongType metadata property on the parameter. The strong type will be set to the resource type that the parameter will accept, such as Microsoft.OperationalInsights/workspaces.

    TemplateBicep
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"workspaceId\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The resource identifier for a Log Analytics workspace.\",\n\"strongType\": \"Microsoft.OperationalInsights/workspaces\"\n}\n}\n}\n}\n
    @metadata({\n  strongType: 'Microsoft.OperationalInsights/workspaces'\n})\n@description('The resource identifier for a Log Analytics workspace.')\nparam workspaceId string\n

    Strong type also supports the following non-resource type values:

    • location - Specifies the parameter must contain any valid Azure location.
    "},{"location":"expanding-source-files/#scope-functions","title":"Scope functions","text":"

    Azure deployments support a number of scope functions that can be used within Infrastructure as Code. When using PSRule for Azure, these functions have a default meaning that can be configured.

    When configuring scope functions, only the properties you want to override have to be specified. Unspecified properties inherit from the defaults.

    "},{"location":"expanding-source-files/#subscription","title":"Subscription","text":"

    The subscription() function will return the following unless overridden:

    subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n

    To override, configure AZURE_SUBSCRIPTION.

    "},{"location":"expanding-source-files/#resource-group","title":"Resource Group","text":"

    The resourceGroup() function will return the following unless overridden:

    name: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\nprovisioningState: 'Succeeded'\n

    To override, configure AZURE_RESOURCE_GROUP.

    "},{"location":"expanding-source-files/#tenant","title":"Tenant","text":"

    The tenant() function will return the following unless overridden:

    countryCode: 'US'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule'\n

    To override, configure AZURE_TENANT.

    "},{"location":"expanding-source-files/#management-group","title":"Management Group","text":"

    The managementGroup() function will return the following unless overridden:

    name: 'psrule-test'\nproperties:\ndisplayName: 'PSRule Test Management Group'\n

    To override, configure AZURE_MANAGEMENT_GROUP.

    "},{"location":"export-rule-data/","title":"Exporting rule data","text":"

    The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two-step process that works in high security environments with separation of roles: one role with read access exports the state, and a second role with no Azure access analyzes it.

    Abstract

    This topic covers how you can export the current state of Azure resources deployed into a subscription. After the current state has been exported, offline analysis can be performed against the saved state.

    Important

    Before continuing, complete the steps from Installing locally. To export data from a subscription, Azure PowerShell modules must be installed. Exporting rule data can also be automated and scheduled with Azure Automation Service. However, for this scenario we will focus on how to run this process interactively.

    To perform analysis on Azure resources, the current configuration state is exported to a JSON file format. The exported state is processed later during analysis. Because the export captures the configured settings of your resources, treat the output files as sensitive and store and share them with the same access controls you would apply to the subscription itself.

    • What's exported — Configurations such as:
      • Resource SKUs, names, tags, and settings configured for an Azure resource.
    • What's not exported — Resource data such as:

      • The contents of blobs stored on a storage account, or database tables.
    "},{"location":"export-rule-data/#export-an-azure-subscription","title":"Export an Azure subscription","text":"

    The state of resources from the current Azure subscription will be exported by using the following commands:

    # STEP 1: Authenticate to Azure, only required if not currently connected\nConnect-AzAccount;\n# STEP 2: Confirm the current subscription context\nGet-AzContext;\n# STEP 3: Exports Azure resources to JSON files\nExport-AzRuleData -OutputPath 'out/';\n
    "},{"location":"export-rule-data/#additional-options","title":"Additional options","text":"

    By default, resource data for the current subscription context will be exported.

    To export resource data for specific subscriptions use:

    • -Subscription - to specify subscriptions by id or name.
    • -Tenant - to specify subscriptions within an Azure Active Directory Tenant by id.

    For example:

    # Export data from two specific subscriptions\nExport-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';\n

    To export specific resource data use:

    • -ResourceGroupName - to filter resources by Resource Group.
    • -Tag - to filter resources based on tag.

    For example:

    # Export information from two resource groups within the current subscription context\nExport-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';\n

    To export resource data for all subscription contexts use:

    • -All - to export resource data for all subscription contexts.

    For example:

    # Export data from all subscription contexts\nExport-AzRuleData -All;\n
    "},{"location":"faq/","title":"Frequently Asked Questions (FAQ)","text":"

    Continue reading for FAQ relating to PSRule for Azure. For general FAQ see PSRule - Frequently Asked Questions (FAQ), including:

    • How is PSRule different to Pester?
    • How do I configure PSRule?
    • How do I ignore a rule?
    • How do I exclude or ignore files from being processed?
    • How do I disable or suppress the not processed warning?
    • How do I layer on custom rules on top of an existing module?

    Note

    If you have a question that is not answered here, please join or start a discussion.

    "},{"location":"faq/#what-is-a-rule","title":"What is a rule?","text":"

    A rule is a named set of checks and documentation. You can find the documentation for each rule under reference.

    "},{"location":"faq/#what-is-a-baseline","title":"What is a baseline?","text":"

    A baseline combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule. Quarterly baselines provide a stable checkpoint of rules when you need to stagger adoption of new rules.

    Continue reading working with baselines for a detailed breakdown.

    "},{"location":"faq/#is-terraform-supported","title":"Is Terraform supported?","text":"

    Currently PSRule for Azure supports testing Azure resources from Infrastructure as Code (IaC) with:

    • Azure Resource Manager (ARM) templates.
    • Azure Bicep deployments.

    Checking Terraform from HashiCorp Configuration Language (HCL) is not supported at this time. If this feature is important to you, please upvote 👍 the issue on GitHub.

    What is supported? After resources are deployed to Azure, PSRule for Azure can be used to check the Azure resources in-flight.

    This method works for Azure resources regardless of how they are deployed. Use this method for analyzing resources deployed via the Azure Portal, Terraform, Pulumi, or other tools.

    For instructions on how to do this see Exporting rule data.

    "},{"location":"faq/#what-methods-are-supported-for-checking-resources","title":"What methods are supported for checking resources?","text":"

    PSRule for Azure supports two methods for analyzing Azure resources:

    • Pre-flight — Before resources are deployed from an ARM template or Bicep. Use pre-flight analysis to:
      • Implement checks within Pull Requests (PRs).
      • Improve alignment of resources to WAF recommendations.
      • Identify issues that prevent successful resource deployments on Azure.
      • Integrate continual improvement and standardization of Azure resource configurations.
      • Implement release gates between environments.
      • For more information see Creating your pipeline.
    • In-flight — After resources are deployed to an Azure subscription. Use in-flight analysis to:

      • Implement release gates between environments for non-native tools such as Terraform.
      • Perform offline analysis in split environments.
      • For more information see Exporting rule data.
    "},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-resource-group-tagging","title":"How do I create a custom rule to enforce resource group tagging?","text":"

    PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework. Use of resource and resource group tags is recommended in the WAF, however implementation may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.

    We have a walk through scenario Enforcing custom tags to get you started.

    "},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-code-ownership","title":"How do I create a custom rule to enforce code ownership?","text":"

    GitHub, Azure DevOps, and other DevOps platforms may implement code ownership. This process assigns review and approval responsibility to a team or an individual. In the GitHub and Azure DevOps implementations, ownership is linked to the file path.

    When a repository contains resources that different teams would approve how do you:

    • Ensure resources are created in a path that triggers the correct approval?

    We have a walk through scenario Enforcing code ownership to get you started.

    "},{"location":"faq/#do-you-have-sample-code","title":"Do you have sample code?","text":"

    In addition to the walk through scenarios, we have a quick start template here. The repository contains sample ARM templates, Bicep, and pipeline code to get you started.

    In GitHub you can simply use the repository as a template for your own project.

    "},{"location":"faq/#do-i-need-powershell-experience-to-start-using-psrule-for-azure","title":"Do I need PowerShell experience to start using PSRule for Azure?","text":"

    No. You can start using built-in rules and CI with Azure Pipelines or GitHub Actions. If we didn't tell you, you might not even know that PowerShell runs under the covers.

    To perform local validation, some PowerShell setup is required but we step you through that. See How to install PSRule for Azure for details.

    To start writing your own custom rules you can use YAML, JSON, or PowerShell. PowerShell experience is required for some scenarios. We have a walk through scenario Enforcing custom tags to get you started.

    "},{"location":"faq/#what-permissions-do-i-need-to-export-rule-data","title":"What permissions do I need to export rule data?","text":"

    When exporting data for in-flight analysis, the built-in Reader role on the subscription is required for the following. A read-only role is all that is needed; avoid granting broader roles such as Contributor for this purpose.

    • Exporting rule data with Export-AzRuleData.
    • Exporting rule data from templates with Export-AzRuleTemplateData when online features are used.
      • Optionally, the -ResourceGroupName and -Subscription parameters can be used; these require Reader access to the specified scope.
    "},{"location":"faq/#what-permissions-do-i-need-to-analyze-exported-rule-data","title":"What permissions do I need to analyze exported rule data?","text":"

    When exporting data for in-flight analysis, no access to Azure is required once the data has been exported to JSON. Analysis can run on a machine that holds only the exported files and has no Azure credentials.

    "},{"location":"faq/#should-i-continue-to-use-azure-advisor-defender-for-cloud-or-azure-policy","title":"Should I continue to use Azure Advisor, Defender for Cloud, or Azure Policy?","text":"

    Absolutely. PSRule for Azure does not replace Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.

    PSRule complements Azure Advisor, Microsoft Defender for Cloud, and Azure Policy features by:

    • Recommending turning on and using features of Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.
    • Providing offline analysis in split environments where the analyst has no access to Azure subscriptions. Rule data for analysis can be exported out to a JSON file.
    • Providing the ability to analyze resources in Azure Resource Manager templates before deployment. Additionally, analysis can be performed in a CI process.
    • Providing the ability to layer on organization specific rules, as required.
    • Data collection requires limited permissions and requires no additional configuration.
    "},{"location":"faq/#what-do-the-different-severity-and-levels-for-rules-means","title":"What do the different severity and levels for rules means?","text":"

    PSRule for Azure annotates rules with three (3) severities which indicate how you should prioritize remediation. The following severities are defined:

    • Critical — Consider addressing these first, ideally within the next thirty (30) days. Rules identified as critical often have high impact and are highly likely to affect your services.
    • Important — Consider addressing these next, ideally within the next sixty (60) days. Rules identified as important often have a significant impact and are likely to affect your services.
    • Awareness — Consider addressing these last, ideally within the next ninety (90) days. Rules identified as awareness often have a moderate or low impact to the operation of your services.

    Tip

    Severities and suggested time frames are an indicator only. They may affect your environment, compliance, or security differently based on your specific requirements. If you feel the severity for a rule is broadly incorrect then please let us know. You can do this by joining or starting a discussion.

    Additionally, PSRule for Azure uses three (3) rule levels. These levels determine how PSRule provides feedback about failing cases. The following levels are defined:

    • Error — Rules defined as error will stop CI pipelines that are configured to break on error.
    • Warning — Rules defined as warning will not stop CI pipelines and will produce a warning.
    • Information — Rules defined as information will not stop CI pipelines.
    "},{"location":"faq/#traditional-unit-testing-vs-psrule-for-azure","title":"Traditional unit testing vs PSRule for Azure?","text":"

    You may already be using a unit test framework such as Pester to test infrastructure code. If you are, then you may have encountered the following challenges.

    For a general PSRule/ Pester comparison see How is PSRule different to Pester?

    "},{"location":"faq/#unit-testing-more-than-basic-json-structure","title":"Unit testing more than basic JSON structure","text":"

    Unit tests are unable to effectively test resources contained within Azure templates. Templates should be reusable, but this creates problems for testing when functions, conditions and copy loops are used. Template parameters could completely change the type, number of, or configuration of resources.

    PSRule resolves templates to allow analysis of the resources that would be deployed based on provided parameters.

    "},{"location":"faq/#standard-library-of-tests","title":"Standard library of tests","text":"

    When building unit tests for Azure resources, starting with an empty repository can be a daunting experience. While there are several open source repositories and samples around to get you started, you need to integrate these yourself.

    PSRule for Azure is distributed as a PowerShell module using the PowerShell Gallery. Using a PowerShell module makes it easy to install and update. The built-in rules allow you to start testing resources quickly, with minimal integration.

    For detailed examples see:

    • Validate Azure resources from templates with Azure Pipelines
    • Validate Azure resources from templates with continuous integration (CI)
    "},{"location":"faq/#collection-of-telemetry","title":"Collection of telemetry","text":"

    PSRule and PSRule for Azure currently do not collect any telemetry during installation or execution.

    PowerShell (used by PSRule for Azure) does collect basic telemetry by default. Collection of telemetry in PowerShell and how to opt-out is explained in about_Telemetry.

    "},{"location":"features/","title":"Features","text":""},{"location":"features/#learn-by-example","title":"Learn by example","text":"

    PSRule for Azure helps you quickly identify and fix issues to improve the quality of solutions deployed on Azure. Tests include documentation with official documentation references and examples. Use the Azure Bicep or template examples to adapt your solution to recommendations.

    Note

    Start exploring the list of rules included with PSRule for Azure.

    "},{"location":"features/#framework-aligned","title":"Framework aligned","text":"

    PSRule for Azure is aligned to the Azure Well-Architected Framework (WAF). Tests called rules check the configuration of Azure resources against WAF principles. Rules exist across five (5) WAF pillars:

    • Cost Optimization
    • Operational Excellence
    • Performance Efficiency
    • Reliability
    • Security

    To help you align your Infrastructure as Code (IaC) to WAF principles, PSRule for Azure includes documentation. Included are examples, references to WAF and product documentation. This allows you to explore and learn the context of each WAF principle.

    "},{"location":"features/#start-day-one","title":"Start day one","text":"

    PSRule for Azure includes over 390 rules for validating resources against configuration recommendations. Rules automatically detect and analyze resources from Azure IaC artifacts. This allows you to quickly light up unit testing of Azure resources from templates and Bicep deployments.

    Use the built-in rules to start enforcing testing quickly. Then layer on your own rules as your organization's requirements mature. Custom rules can be implemented quickly and work side-by-side with built-in rules.

    As new built-in rules are added and improved, download the latest version to start using them.

    Tip

    For detailed information on building custom rules see:

    • Enforcing custom tags.
    • Enforcing code ownership.
    "},{"location":"features/#devops-integrated","title":"DevOps integrated","text":"

    Azure resources can be validated throughout their lifecycle to support a DevOps culture. Start testing your Bicep and ARM templates from code by validating them offline before deployment.

    Pre-flight validation can be integrated into a continuous integration (CI) pipeline as unit tests to:

    • Shift-left — Identify configuration issues and provide fast feedback in PRs.
    • Quality gates — Implement quality gates between environments such as dev, test, and production.
    • Monitor continuously — Perform ongoing checks for configuration optimization opportunities.

    Learn

    You can learn more about Azure Bicep with the following links:

    • What is Bicep?
    • Learn modules for Azure Bicep
    "},{"location":"features/#cross-platform","title":"Cross-platform","text":"

    PSRule for Azure uses modern PowerShell libraries at its core, allowing it to go anywhere PowerShell can go. PSRule for Azure runs on MacOS, Linux, and Windows.

    PowerShell makes it easy to integrate PSRule into popular CI systems. Run natively or in a container depending on your platform. PSRule has native extensions for:

    • Azure Pipelines (Azure DevOps)
    • GitHub Actions
    • Visual Studio Code

    Additionally, PSRule for Azure can be installed locally or within Azure Cloud Shell. For installation options see installation.

    "},{"location":"install/","title":"How to install PSRule for Azure","text":"

    PSRule for Azure supports running within continuous integration (CI) systems or locally. It is shipped as a PowerShell module which makes it easy to install and distribute updates.

    Task Options Run tests within CI pipelines With GitHub Actions or Azure Pipelines or PowerShell Run tests locally during development With Visual Studio Code and PowerShell Create custom tests for your organization With Visual Studio Code and PowerShell

    Tip

    PSRule for Azure provides native integration to popular CI systems such as GitHub Actions and Azure Pipelines. If you are using a different CI system you can use the local install to run on MacOS, Linux, and Windows worker nodes.

    "},{"location":"install/#with-github-actions","title":"With GitHub Actions","text":"

    GitHub Action

    Install and use PSRule for Azure with GitHub Actions by referencing the microsoft/ps-rule action.

    StablePre-release

    Install the latest stable version of PSRule for Azure.

    GitHub Actions
    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\n

    Install the latest stable or pre-release version of PSRule for Azure.

    GitHub Actions
    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\nprerelease: true\n

    This will automatically install compatible versions of all dependencies. The examples reference the action by a version tag; if your organization requires immutable pipeline dependencies, consider pinning the action to a full-length commit SHA instead, since tags can be moved.

    Note

    For additional examples on commonly configured parameters see Creating your pipeline.

    "},{"location":"install/#with-azure-pipelines","title":"With Azure Pipelines","text":"

    Extension

    Install and use PSRule for Azure with Azure Pipelines by using extension tasks. Install the extension from the marketplace, then use the ps-rule-assert task in pipeline steps.

    StablePre-release

    Install the latest stable version of PSRule for Azure.

    Azure Pipelines
    - task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    Install the latest stable or pre-release version of PSRule for Azure.

    Azure Pipelines
    - task: ps-rule-install@2\ndisplayName: Install PSRule for Azure (pre-release)\ninputs:\nmodule: PSRule.Rules.Azure\nprerelease: true\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    This will automatically install compatible versions of all dependencies.

    Note

    For additional examples on commonly configured parameters see Creating your pipeline.

    "},{"location":"install/#with-visual-studio-code","title":"With Visual Studio Code","text":"

    Extension

    An extension for Visual Studio Code is available. The Visual Studio Code extension includes a built-in task to test locally and configuration schemas.

    To learn about Visual Studio Code support see the marketplace extension.

    For best results, configure the PSRule.Rules.Azure module using ps-rule.yaml by setting requires and include options.

    ps-rule.yaml
    requires:\nPSRule.Rules.Azure: '>=1.27.0'\ninclude:\nmodule:\n- PSRule.Rules.Azure\n

    Note

    Currently the Visual Studio Code extension relies on PSRule for Azure installed by PowerShell.

    "},{"location":"install/#with-powershell","title":"With PowerShell","text":"

    PSRule for Azure can be installed locally from the PowerShell Gallery using PowerShell. You can also use this option to install on CI workers that are not natively supported.

    "},{"location":"install/#prerequisites","title":"Prerequisites","text":"Operating System Tool Installation Link Windows Windows PowerShell 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell version 7.2.x or greater. link

    To use PSRule for Azure, PSRule, a separate PowerShell module, must be installed. The required version will automatically be installed alongside PSRule for Azure.

    Additionally, exporting data from a subscription requires the following additional PowerShell modules:

    • Az.Accounts
    • Az.Resources

    Note

    Azure PowerShell modules are not installed automatically when installing PSRule for Azure. This has been changed from v1.16.0 due to module dependency chains in Azure DevOps. In most cases these modules will be pre-installed on the CI worker. For private CI workers, consider pre-installing these modules in a previous step.

    "},{"location":"install/#installing-powershell","title":"Installing PowerShell","text":"

    PowerShell 7.x can be installed on MacOS, Linux, and Windows but is not installed by default. For a list of platforms that PowerShell 7.2 is supported on and install instructions see Get PowerShell.

    "},{"location":"install/#getting-the-modules","title":"Getting the modules","text":"

    Module

    PSRule for Azure can be installed or updated from the PowerShell Gallery. Use the following command line examples from a PowerShell terminal to install or update PSRule for Azure.

    For the current userFor all users

    To install PSRule for Azure for the current user use:

    Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope CurrentUser\n

    To update PSRule for Azure for the current user use:

    Update-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser\n

    This will automatically install compatible versions of all dependencies.

    To install PSRule for Azure for all users (requires admin/ root permissions) use:

    Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope AllUsers\n

    To update PSRule for Azure for all users (requires admin/ root permissions) use:

    Update-Module -Name 'PSRule.Rules.Azure' -Scope AllUsers\n

    This will automatically install compatible versions of all dependencies.

    "},{"location":"install/#pre-release-versions","title":"Pre-release versions","text":"

    To use a pre-release version of PSRule for Azure add the -AllowPrerelease switch when calling Install-Module, Update-Module, or Save-Module cmdlets.

    Tip

    To install pre-release module versions, the latest version of PowerShellGet may be required.

    # Install the latest PowerShellGet version\nInstall-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\n

    Tip

    To install a pre-release version of PSRule and PSRule for Azure, install each in separate steps.

    For the current userFor all users

    To install PSRule for Azure for the current user use:

    Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope CurrentUser -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope CurrentUser -AllowPrerelease\n

    Open PowerShell with Run as administrator on Windows or sudo pwsh on Linux.

    To install PSRule for Azure for all users (requires admin/ root permissions) use:

    Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope AllUsers -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope AllUsers -AllowPrerelease\n
    "},{"location":"install/#building-from-source","title":"Building from source","text":"

    Source

    PSRule for Azure is provided as open source on GitHub. To build PSRule for Azure from source code:

    1. Clone the GitHub repository.
    2. Run ./build.ps1 from a PowerShell terminal in the cloned path.

    This build script will compile the module and documentation then output the result into out/modules/PSRule.Rules.Azure.

    "},{"location":"install/#development-dependencies","title":"Development dependencies","text":"Operating System Tool Overview Installation Link Windows Windows PowerShell Support for version 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell Version 7.2 or greater is supported. link - - Multiple PowerShell modules are required (PlatyPS, Pester, PSScriptAnalyzer, PowerShellGet, PackageManagement, InvokeBuild, PSRule). Installed when you run the build.ps1 script - .NET .NET SDK v6 is required. link - Bicep CLI PSRule depends on the Bicep CLI to decompile (expand) Bicep modules to ARM link

    The following dependencies will be automatically installed if the required versions are not present:

    • PowerShell modules:
      • PlatyPS
      • Pester
      • PSScriptAnalyzer
      • PowerShellGet
      • PackageManagement
      • InvokeBuild
    • Bicep CLI

    These dependencies are only required for building and running tests for PSRule for Azure.

    "},{"location":"install/#troubleshooting","title":"Troubleshooting","text":"

    If the ./build.ps1 script fails, you can start troubleshooting this by:

    • Checking the prerequisites are installed (and the specific versions)
      • Check the PowerShell version enter the following statement in the PowerShell terminal: $PSVersionTable.PSVersion
      • Check the installed .NET version by entering the dotnet --list-sdks command in your terminal.
    • Check if your .NET setup is connected to any NuGet repositories and whether there are any connectivity or authentication issues.
    • Installation of some pre-reqs may require admin privileges.
    "},{"location":"install/#limited-access-networks","title":"Limited access networks","text":"

    If you are on a network that does not permit Internet access to the PowerShell Gallery, download the required PowerShell modules on an alternative device that has access. PowerShell provides the Save-Module cmdlet that can be run from a PowerShell terminal to do this.

    The following command lines can be used to download the required modules using a PowerShell terminal. After downloading the modules, copy the module directories to devices with restricted Internet access.

    Runtime modulesDevelopment modules

    To save PSRule for Azure for offline use:

    $modules = @('PSRule', 'PSRule.Rules.Azure', 'Az.Accounts', 'Az.Resources')\nSave-Module -Name $modules -Path '.\\modules'\n

    This will save PSRule for Azure and all dependencies into the modules sub-directory.

    To save PSRule for Azure development module dependencies for offline use:

    $modules = @('PSRule', 'Az.Accounts', 'Az.Resources', 'PlatyPS', 'Pester',\n'PSScriptAnalyzer', 'PowerShellGet', 'PackageManagement', 'InvokeBuild')\nSave-Module -Name $modules -Repository PSGallery -Path '.\\modules';\n

    This will save the required development dependencies into the modules sub-directory.

    "},{"location":"integrations/","title":"Integrations","text":""},{"location":"integrations/#integrates-with-psrule-for-azure","title":"Integrates with PSRule for Azure","text":"

    The following tools also take advantage of PSRule for Azure.

    "},{"location":"integrations/#azure-governance-visualizer","title":"Azure Governance Visualizer","text":"

    Docs · v6_major_20220521_1

    AzGovViz provides a convenient way to view your Azure governance and hierarchy. Additionally you can view recommendations from PSRule as you navigate to each level in your hierarchy.

    You can include PSRule recommendations in AzGovViz output by adding the -DoPSRule command-line switch. This and more is included in the documentation.

    "},{"location":"integrations/#template-analyzer","title":"Template Analyzer","text":"

    Docs \u00b7 v0.3.0

    Template Analyzer scans Azure templates and Bicep code to ensure security and best practice checks are being followed before deployment.

    By default, Template Analyzer will only include rules aligned to the Security Well-Architected Framework pillar. To include rules from other pillars, use the --include-non-security-rules command-line switch.

    "},{"location":"integrations/#microsoft-defender-for-devops","title":"Microsoft Defender for DevOps","text":"

    Docs \u00b7 Public Preview

    Microsoft Defender for DevOps (DfD) provides unified DevOps security management across multicloud and multiple-pipeline environments.

    In this preview, DfD will include PSRule for Azure rules aligned to the Security Well-Architected Framework pillar.

    "},{"location":"license-contributing/","title":"License and contributing","text":"

    PSRule for Azure is licensed with an MIT License, which means it's free to use and modify. But please check out the details.

    We open source at Microsoft.

    In addition to our team, we hope you will think about contributing too. Here is how you can get started:

    • Report issues.
    • Upvote existing issues that are important to you.
    • Improve documentation.
    • Contribute code.

    Please read our contributing guidelines and code of conduct to learn how to contribute.

    "},{"location":"related-projects/","title":"Related projects","text":"

    The PSRule project is distributed across multiple repositories. You can find out more by visiting each repository.

    Name Description microsoft/PSRule Core engine responsible for running rules. microsoft/ps-rule GitHub continious integration using GitHub Actions. microsoft/PSRule-pipelines Azure DevOps continious integration using Azure Pipelines. microsoft/PSRule-vscode Support for running and authoring rules within Visual Studio Code. microsoft/PSRule.Monitor Support for logging PSRule analysis results to Azure Monitor. microsoft/PSRule.Rules.CAF A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule."},{"location":"samples/","title":"Samples","text":""},{"location":"samples/#quick-start-repository","title":"Quick Start repository","text":"

    Template

    You can clone, download, or use as a template for your own repository. This repository contains the following samples for PSRule for Azure:

    • Azure Templates \u2014 Starter Azure Resource Manager (ARM) templates and parameter files.
    • Azure Bicep \u2014 Starter Azure Bicep deployments and test files.
    • GitHub Actions \u2014 Starter workflow for checking Azure Infrastructure as Code (IaC).
    • Azure Pipelines \u2014 Starter pipelines for checking Azure Infrastructure as Code (IaC).
    • Custom rules \u2014 Example custom rules that enforce organization specific requirements.
    • PSRule options \u2014 Example options for using PSRule for Azure.

    "},{"location":"samples/#psrule-samples","title":"PSRule samples","text":"

    Samples

    A community collection of samples for PSRule. This repository includes samples for Azure as well as other use cases.

    "},{"location":"support/","title":"Support","text":"

    This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.

    Please search the existing issues before filing new issues to avoid duplicates.

    • For new issues, file your bug or feature request as a new issue.
    • For help, discussion, and support questions about using this project, join or start a discussion.
    "},{"location":"support/#microsoft-support-policy","title":"Microsoft Support Policy","text":"

    Support for this project/ product is limited to the resources listed above.

    "},{"location":"troubleshooting/","title":"Troubleshooting","text":"

    This article provides troubleshooting instructions for common errors.

    "},{"location":"troubleshooting/#bicep-compile-errors","title":"Bicep compile errors","text":"

    When expanding Bicep source files you may get an error including a BCPnnn code similar to the following:

    Error

    Exception calling \"GetResources\" with \"3\" argument(s): \"Bicep (0.14.46) compilation of '' failed with: Error BCP057: The name \"storageAccountName\" does not exist in the current context.

    This error is raised when Bicep fails to compile a source file. To resolve this issue:

    • You may need to update your Bicep source file before PSRule can expand it. Use guidance from the Bicep error message to help resolve the issue.
    • Check that you are using a version of Bicep that supports the Bicep features you are using. It may not always be clear which version of Bicep CLI PSRule for Azure is using if you have multiple versions installed. Using the Bicep CLI via az bicep is not the default, and you may need to set additional options to use it.

    Tip

    From PSRule for Azure v1.25.0 you can configure the minimum version of Bicep CLI required. If an earlier version is detected, PSRule for Azure will generate an error. See Configuring minimum version for details on how to configure this option.

    "},{"location":"troubleshooting/#bicep-version","title":"Bicep version","text":"

    When expanding Bicep source files you may get an error relating to the Bicep version you have installed. For example if you attempt to use a Bicep feature that is not supported by the version used by PSRule for Azure.

    PSRule for Azure uses the Bicep CLI installed on your machine or CI worker. By default, the Bicep CLI binary will be selected by your PATH environment variable.

    Optionally you can configure an alternative Bicep CLI binary to use by either:

    • By path \u2014 Set the PSRULE_AZURE_BICEP_PATH environment variable to the specified binary path.
    • From Azure CLI \u2014 Set the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable to true.

    For more details on installing and configuring the Bicep CLI, see Setup Bicep.

    "},{"location":"troubleshooting/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"

    When expanding Bicep source files you may get an error similar to the following:

    Error

    Bicep (0.4.1124) compilation of 'C:\\temp\\deploy.bicep' failed with: Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues.

    This error is raised when Bicep takes longer then the timeout to build a source file. The default timeout is 5 seconds.

    You can take steps to reduce your code complexity and reduce the time a build takes by:

    • Removing unnecessary nested module calls.
    • Cache bicep modules restored from a registry in continuous integration (CI) pipelines.

    To increase the timeout value, set the AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option. See Bicep compilation timeout for details on how to configure this option.

    "},{"location":"troubleshooting/#no-rules-or-no-azure-resources-are-found","title":"No rules or no Azure resources are found","text":"

    There is a few common causes of this issue including:

    • Check input format \u2014 PSRule for Azure must discover files to expand them.
      • When running PSRule for Azure using GitHub Actions or the Azure Pipelines extension:
        • Your pipeline must be set to inputType: repository, which is the default value.
        • PSRule for Azure will not work with inputType set to inputPath.
        • You may have set this parameter because you wanted to use the inputPath parameter. Setting the inputType is not a requirement for using the inputPath parameter. The inputPath parameter can be used independently.
      • When running PSRule for Azure from PowerShell:
        • Your command-line must use the -Format File parameter.
        • Your command-line must use the -InputPath or -f parameter followed by a file or directory path.
        • For example: Assert-PSRule -Module PSRule.Rules.Azure -Format File -f 'modules/'.
    • Check expansion is enabled \u2014 Expansion must be enabled to analyze Azure Infrastructure as Code. See using templates and using Bicep source for details on how to enable expansion.
    • Check parameter files are linked \u2014 Parameter files must be linked to ARM templates or Bicep source files. See using templates for details on how to link using metadata or naming convention.

    Note

    If your pipeline is still not finding any Azure resources, please join or start a discussion.

    "},{"location":"troubleshooting/#custom-rules-are-not-running","title":"Custom rules are not running","text":"

    There is a few common causes of this issue including:

    • Check rule path \u2014 By default, PSRule will look for rules in the .ps-rule/ directory. This directory is the root for your repository or the current working path by default. On case-sensitive file systems such as Linux, this directory name is case-sensitive. See Storing and naming rules for more information.
    • Check file name suffix \u2014 PSRule only looks for files with the .Rule.ps1, .Rule.yaml, or .Rule.jsonc suffix. On case-sensitive file systems such as Linux, this file suffix is case-sensitive. See Storing and naming rules for more information.
    • Check binding configuration \u2014 PSRule uses binding to work out which property to use for a resource type. To be able to use the -Type parameter or type properties in rules definitions, binding must be set. This is automatically configured for PSRule for Azure, however must be set in ps-rule.yaml for custom rules. See binding type for more information.
    • Check modules \u2014 PSRule for Azure is responsible for expanding Azure resources from Infrastructure as Code. Expansion occurs automatically in memory when enabled. For this to work, the module PSRule.Rules.Azure must be run with any custom rules. See using templates and using Bicep source for details on how to enable expansion.
    • Check include local option \u2014 When running PSRule for Azure with a baseline. Baselines such as quarterly baselines may use filters to limit the rules that are included. As a result, custom rules may not be included. To include custom rules set the Rule.IncludeLocal option to true. See Including custom rules for more information.

    Tip

    You may be able to use git mv to change the case of a file if it is committed to the repository incorrectly.

    "},{"location":"troubleshooting/#parameter-file-warns-of-metadata-property","title":"Parameter file warns of metadata property","text":"

    You may find while editing a .json parameter file the root metadata property is flagged with a warning.

    Warning

    The property 'metadata' is not allowed.

    Azure parameter file
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./storage.template.json\"\n},\n\"parameters\": {\n}\n}\n

    This doesn't affect the workings of the parameter file or deployment. The reason for the warning is that the metadata property has not been added to the parameter file JSON schema. However, the top level metadata property is ignored by Azure Resource Manager when deploying a template.

    "},{"location":"troubleshooting/#an-earlier-version-of-azaccounts-is-imported","title":"An earlier version of Az.Accounts is imported","text":"

    When running PSRule for Azure in Azure DevOps within the AzurePowerShell@5 task, you may see the following error.

    Error

    This module requires Az.Accounts version 2.8.0. An earlier version of Az.Accounts is imported in the current PowerShell session. Please open a new session before importing this module. This error could indicate that multiple incompatible versions of the Azure PowerShell cmdlets are installed on your system. Please see https://aka.ms/azps-version-error for troubleshooting information.

    This error is raised by a chained dependency failure importing a newer version of Az.Accounts. To avoid this issue attempt to install the exact versions of Az.Resources. In the AzurePowerShell@5 task before installing PSRule.

    Install-Module Az.Resources -RequiredVersion '5.6.0' -Force -Scope CurrentUser\n

    From PSRule for Azure v1.16.0, Az.Accounts and Az.Resources are no longer installed as dependencies. When using export commands from PSRule, you may need to install these modules.

    To install these modules, use the following PowerShell command:

    Install-Module Az.Resources -Force -Scope CurrentUser\n
    "},{"location":"troubleshooting/#could-not-load-file-or-assembly-yamldotnet","title":"Could not load file or assembly YamlDotNet","text":"

    PSRule >=1.3.0 uses an updated version of the YamlDotNet library. The PSRule for Azure <1.3.1 uses an older version of this library which may conflict.

    To avoid this issue:

    • Update to the latest version and use PSRule for Azure >=1.3.1 with PSRule >=1.3.0.
    • Alternatively, when using PSRule for Azure <1.3.1 use PSRule =1.2.0.

    To install the latest module version of PSRule use the following commands:

    Install-Module -Name PSRule.Rules.Azure -MinimumVersion 1.3.1 -Scope CurrentUser -Force;\n

    For the PSRule GitHub Action, use >=1.4.0.

    - name: Run PSRule analysis\nuses: microsoft/ps-rule@v2.9.0\n
    "},{"location":"upgrade-notes/","title":"Upgrade notes","text":"

    This document contains notes to help upgrade from previous versions of PSRule for Azure.

    "},{"location":"upgrade-notes/#upgrading-to-v200","title":"Upgrading to v2.0.0","text":"

    PSRule for Azure v2.0.0 is a planned future release. It's not yet available, but you can take these steps to proactively prepare for the release.

    "},{"location":"upgrade-notes/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"

    Several configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure. For information on other options that will be renamed see deprecations.

    You only need to take action if you have explicitly set old configuration option names.

    The old option names may be set in:

    • An option file such as ps-rule.yaml.
    • A custom baseline.
    • An environment variable.

    To locate any configurations, search for the old option names within your Infrastructure as Code repo.

    New name Old name Available from AZURE_AKS_CLUSTER_MINIMUM_VERSION Azure_AKSMinimumVersion v1.12.0 AZURE_RESOURCE_ALLOWED_LOCATIONS Azure_AllowedRegions v1.30.0

    To update your configuration, use the new name instead.

    Note

    Environment variables are prefixed by PSRULE_CONFIGURATION_ and are case sensitive.

    Options fileBashGitHub ActionsAzure Pipelines

    Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION option in ps-rule.yaml.

    # YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nconfiguration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.3\n

    Set the PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION environment variable.

    # Bash: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nexport PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION=\"1.27.3\"\n

    Set the PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION environment variable.

    # GitHub Actions: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nenv:\nPSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.3'\n

    Set the PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION environment variable.

    # Azure Pipelines: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nvariables:\n- name: PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION\nvalue: '1.27.3'\n
    "},{"location":"upgrade-notes/#removal-of-supportstags-function","title":"Removal of SupportsTags function","text":"

    The SupportsTags function is a PowerShell function used for filtering rules. Previously you could use this function to only run a rule against resources that support tags. As of v1.15.0 this function has been deprecated for removal in the next major release v2.0.0.

    From v2.0.0 the SupportsTags function will not longer work.

    The SupportsTags function was previously only available for PowerShell rules and not well documented. Instead you can use the Azure.Resource.SupportsTags selector introduced in v1.15.0. This selector supports the the same features but also supports YAML and JSON rules in addition to PowerShell.

    To upgrade your PowerShell rules use the -With parameter to set Azure.Resource.SupportsTags. For example:

    # Synopsis: Old rule using the SupportsTags function\nRule 'Local.MyRule' -If { (SupportsTags) } {\n# Rule logic goes here\n}\n# Synopsis: Rule updated using the Azure.Resource.SupportsTags selector\nRule 'Local.MyRule' -With 'Azure.Resource.SupportsTags' {\n# Rule logic goes here\n}\n

    To read more about the selector, see the documentation.

    "},{"location":"using-bicep/","title":"Using Bicep source","text":"

    PSRule for Azure discovers and analyzes Azure resources contained within Bicep files. To enable this feature, you need to:

    • Enable expansion.
    • For modules (if used):
      • Define a deployment or parameters file.
      • Configure path exclusions.

    Abstract

    This topic covers how you can validate Azure resources within .bicep files. To learn more about why this is important see Expanding source files.

    "},{"location":"using-bicep/#enabling-expansion","title":"Enabling expansion","text":"

    To expand Bicep deployments configure ps-rule.yaml with the AZURE_BICEP_FILE_EXPANSION option.

    ps-rule.yaml
    # YAML: Enable expansion for Bicep source files.\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION: true\n

    Note

    If you are using JSON parameter files exclusively, you do not need to set this option. Instead continue reading using parameter files.

    "},{"location":"using-bicep/#setup-bicep","title":"Setup Bicep","text":"

    To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines. For details on how to configure Bicep for PSRule for Azure see Setup Bicep.

    "},{"location":"using-bicep/#building-files","title":"Building files","text":"

    It's not nessecary to build .bicep files with bicep build or az bicep build. PSRule will automatically detect and build .bicep files. You may choose to pre-build .bicep files if the Bicep CLI is not available when PSRule is run.

    Important

    If using this method, follow using templates instead. Using bicep build transpiles Bicep code into an Azure template .json.

    "},{"location":"using-bicep/#testing-bicep-modules","title":"Testing Bicep modules","text":"

    Bicep allows you to separate out complex details into separate files called modules. To expand resources, any parameters must be resolved.

    Tip

    If you are not familar with the concept of expansion within PSRule for Azure see Expanding source files.

    Two types of parameters exist, required (also called mandatory) and optional. An optional parameter is any parameter with a default value. Required parameters do not have a default value and must be specified.

    Example modules/storage/main.bicep

    // Required parameter\nparam name string\n\n// Optional parameters\nparam location string = resourceGroup().location\nparam sku string = 'Standard_LRS'\n

    To specify required parameters for a module, create a deployment or test that references the module.

    Example deploy.bicep

    // Deploy storage account to production subscription\nmodule storageAccount './modules/storage/main.bicep' = {\n  name: 'deploy-storage'\n  params: {\n    name: 'stpsrulebicep001'\n    sku: 'Standard_GRS'\n  }\n}\n

    Example modules/storage/.tests/main.tests.bicep

    // Test with only required parameters\nmodule test_required_params '../main.bicep' = {\n  name: 'test_required_params'\n  params: {\n    name: 'sttest001'\n  }\n}\n
    "},{"location":"using-bicep/#configuring-path-exclusions","title":"Configuring path exclusions","text":"

    Unless configured, PSRule will discover all .bicep files when expansion is enabled. Bicep module files with required parameters will not be able be expanded and should be excluded. Instead expand resources from deployments or tests.

    To do this configure ps-rule.yaml with the input.pathIgnore option.

    Example ps-rule.yaml

    configuration:\n# Enable expansion for Bicep source files.\nAZURE_BICEP_FILE_EXPANSION: true\ninput:\npathIgnore:\n# Exclude bicepconfig.json\n- 'bicepconfig.json'\n# Exclude module files\n- 'modules/**/*.bicep'\n# Include test files from modules\n- '!modules/**/*.tests.bicep'\n

    Note

    In this example, Bicep files such as deploy.bicep in other directories will be expanded.

    "},{"location":"using-bicep/#using-parameter-files","title":"Using parameter files","text":"

    When using Bicep, you don't need to use parameter files. You can call .bicep files directly from other .bicep files with modules by using the module keyword.

    Alternatively, Bicep supports two options for parameter files:

    • JSON parameter files \u2014 This format uses conventional JSON syntax compatible with ARM templates.
    • Bicep parameter files \u2014 This format uses Bicep language from a .bicepparam file to reference a Bicep module.

    Each option is described in more detail in the following sections.

    "},{"location":"using-bicep/#using-json-parameter-files","title":"Using JSON parameter files","text":"

    You can choose to expand and test a Bicep module from JSON parameter files by metadata.

    When using parameter files exclusively, the AZURE_BICEP_FILE_EXPANSION configuration option does not need to be set. Instead set the AZURE_PARAMETER_FILE_EXPANSION configuration option to true. This option will discover Bicep files from parameter metadata.

    Example ps-rule.yaml

    configuration:\n# Enable expansion for Bicep module from parameter files.\nAZURE_PARAMETER_FILE_EXPANSION: true\ninput:\npathIgnore:\n# Exclude bicepconfig.json\n- 'bicepconfig.json'\n# Exclude module files\n- 'modules/**/*.bicep'\n

    Example template.parameters.json

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./template.bicep\"\n},\n\"parameters\": {\n\"storageAccountName\": {\n\"value\": \"bicepstorage001\"\n},\n\"tags\": {\n\"value\": {\n\"env\": \"test\"\n}\n}\n}\n}\n
    "},{"location":"using-bicep/#using-bicep-parameter-files","title":"Using Bicep parameter files","text":"

    Experimental \u00b7 v1.27.0

    You can use .bicepparam files to reference your Bicep modules as a method for providing parameters. Using the Bicep parameter file format, allows you to get many of the benefits of the Bicep language.

    For example:

    using 'template.bicep'\n\nparam storageAccountName = 'bicepstorage001'\nparam tags = {\n  env: 'test'\n}\n

    Presently, to use this feature you must:

    1. Enable the experimental feature in bicepconfig.json.
    2. Enable expansion of Bicep parameter files in ps-rule.yaml.

    For example:

    bicepconfig.json
    {\n\"experimentalFeaturesEnabled\": {\n\"paramsFiles\": true\n}\n}\n
    ps-rule.yaml
    configuration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: true\n

    Experimental - Learn more

    Bicep parameter files are a work in progress. This feature will be transitioned to stable after the Bicep CLI support is finalized.

    Learn

    To learn more about Bicep parameter files see Create parameters files for Bicep deployment.

    "},{"location":"using-bicep/#restoring-modules-from-a-private-registry","title":"Restoring modules from a private registry","text":"

    Bicep modules can be stored in a private registry. Storing modules in a private registry gives you a central location to reference modules across your organization.

    To test Bicep deployments which uses modules stored in a private registry, these modules must be restored. The restore process automatically occurs when PSRule is run, however some additional steps are required to authenticate.

    To prepare your registry for storing Bicep modules see Create private registry for Bicep modules.

    To configure authentication for PSRule to a private registry:

    • Configure bicepconfig.json
    • Granting access to a private registry
    • Set pipeline environment variables

    Some organizations may want to expose Bicep modules publicly. This can be configured by enabling anonymous pull access. To configure your registry see Make your container registry content publicly available.

    Note

    To use anonymous pull access to a registry you must use a minimum of Bicep CLI version 0.15.31. You can configure PSRule to check for the minimum Bicep version. See configuring minimum version for information on how to enable this check.

    "},{"location":"using-bicep/#configure-bicepconfigjson","title":"Configure bicepconfig.json","text":"

    To authenticate to a private registry, configure bicepconfig.json by setting credentialPrecedence. This setting determines the order to find a credential to use when authenticating to the registry.

    Use the following credential type based on your environment as the first value of the credentialPrecedence setting:

    • Environment \u2014 Use environment variables to authenticate to the registry. This is the most common scenario for CI pipelines and works for cloud-hosted or self-hosted agents/ private runners.
    • ManagedIdentity \u2014 Use a managed identity to authenticate to the registry. This may be applicable for scenarios where you are using self-hosted agents or private runners. You must configure a System-Assigned managed identity for the Azure Virtual Machine or Virtual Machine Scale Set.

    Example bicepconfig.json

    {\n\"credentialPrecedence\": [\n\"Environment\",\n\"AzureCLI\",\n]\n}\n

    Tip

    The bicepconfig.json configures the Bicep CLI. You should commit this file into a repository along with your Bicep code.

    "},{"location":"using-bicep/#granting-access-to-a-private-registry","title":"Granting access to a private registry","text":"

    To access a private registry use an Azure AD identity which has been granted permissions to pull Bicep modules. When using Environment credential type, see create a service principal that can access resources to create the identity. If you are using the ManagedIdentity credential type, an identity is created for when you configure the managed identity.

    After configuring the identity, grant access using the AcrPull built-in RBAC role on the Azure Container Registry.

    "},{"location":"using-bicep/#set-pipeline-environment-variables","title":"Set pipeline environment variables","text":"

    When using the Environment credential type, environment variables should be set in the pipeline. Typically, the following three environment variables should be set:

    • AZURE_CLIENT_ID \u2014 The Client ID (also called Application ID) of an App Registration in Azure AD. This will be represented as a GUID.
    • AZURE_CLIENT_SECRET \u2014 A valid secret that was generated for the App Registration.
    • AZURE_TENANT_ID \u2014 The Tenant ID that identifies your specific Azure AD tenant where your App Registration is created. This will be represented as a GUID.

    Note

    The environment credential type also supports other environment variables that may be applicable to your environment. To see a list visit EnvironmentCredential Class.

    GitHub ActionsAzure Pipelines

    Configure the microsoft/ps-rule action with Azure environment variables.

    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables using GitHub encrypted secrets\nAZURE_CLIENT_ID: ${{ secrets.BICEP_REGISTRY_CLIENTID }}\nAZURE_CLIENT_SECRET: ${{ secrets.BICEP_REGISTRY_CLIENTSECRET }}\nAZURE_TENANT_ID: ${{ secrets.BICEP_REGISTRY_TENANTID }}\n

    Important

    Environment variables can be configured in the workflow or from a secret. To keep BICEP_REGISTRY_CLIENTSECRET secure, use an encrypted secret.

    Configure the ps-rule-assert task with Azure environment variables.

    - task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\nenv:\n# Define environment variables within Azure Pipelines\nAZURE_CLIENT_ID: $(BICEPREGISTRYCLIENTID)\nAZURE_CLIENT_SECRET: $(BICEPREGISTRYCLIENTSECRET)\nAZURE_TENANT_ID: $(BICEPREGISTRYTENANTID)\n

    Important

    Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep BICEPREGISTRYCLIENTSECRET secure, use a variable group linked to an Azure Key Vault.

    "},{"location":"using-bicep/#recommended-content","title":"Recommended content","text":"
    • Setup Bicep
    • Bicep compilation timeout
    • Troubleshooting
    "},{"location":"using-templates/","title":"Using templates","text":"

    PSRule for Azure discovers and analyzes Azure resources contained within template and parameter files. To enable this feature, you need to:

    • Enable expansion.
    • Link parameter files to templates.

    Abstract

    This topic covers how you can validate Azure resources within template .json files. To learn more about why this is important see Expanding source files.

    "},{"location":"using-templates/#enabling-expansion","title":"Enabling expansion","text":"

    To expand parameter files configure ps-rule.yaml with the AZURE_PARAMETER_FILE_EXPANSION option.

    ps-rule.yaml
    # YAML: Enable expansion for template expansion.\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"using-templates/#linking-templates","title":"Linking templates","text":"

    PSRule for Azure automatically detects parameter files and uses the following logic to link templates or Bicep modules.

    • By metadata \u2014 Check parameter file for a metadata link identifying the associated template.
    • By naming convention \u2014 Check for matching template files using file naming convention.

    Note

    Metadata links take priority over naming convention. For details on both options continue reading.

    Tip

    Linking templates also applies to Bicep modules when you are using .json parameter files.

    "},{"location":"using-templates/#by-metadata","title":"By metadata","text":"

    A parameter file can be linked to an associated template or Bicep module by setting metadata. To link a template within a parameter file, set the metadata.template property to the path of the template.

    PSRule for Azure supports either:

    • Relative to repository \u2014 By default, the path is relative to the root of the repository.
    • Relative to template \u2014 To use a path relative to the parameter file, prefix the path with ./.

    Tip

    Referencing a path outside of the repository is blocked as this could lead to unintended exposure.

    Relative to repositoryRelative to parameter file

    The following example shows linking to a template which is stored within a hierarchical template/ sub-directory.

    Example

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"templates/storage/v1/template.json\"\n},\n\"parameters\": {\n}\n}\n

    The following example shows linking to a template that is in the same directory as the parameter file.

    Example

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./storage.template.json\"\n},\n\"parameters\": {\n}\n}\n

    Additional benefits you get by using metadata links include:

    • You can share a common set of versioned templates across multiple deployments in a repository. This works great to mono-repositories.
    • You can discover all the deployments using a specific template by reading metadata. PSRule for Azure includes the Get-AzRuleTemplateLink cmdlet to list parameter file links.

    Tip

    By default, metadata links are not required. By configuring the AZURE_PARAMETER_FILE_METADATA_LINK option to true, this can be enforced. When configured, PSRule for Azure will fail parameter files that do not contain a metadata link. For details on AZURE_PARAMETER_FILE_METADATA_LINK see Configuring expansion.

    Note

    Bicep modules can also be expanded from parameter files. Instead of specifing a template path, you can specify the path to a Bicep file.

    Note

    You may find while editing a .json parameter file the root metadata property is flagged with a warning. For example Property metadata is not allowed.. This doesn't affect the workings of the parameter file or deployment. If you like a detailed description continue reading Troubleshooting.

    "},{"location":"using-templates/#by-naming-convention","title":"By naming convention","text":"

    When metadata links are not set, PSRule will fallback to use a naming convention to link to template files.

    Example

    A parameter file named azuredeploy.parameters.json links to the template file named azuredeploy.json.

    PSRule for Azure supports linking by naming convention when:

    • Parameter files end with .parameters.json linking to ARM templates or Bicep modules.
    • The parameter file prefix matches the file name of the template or Bicep module. For example, azuredeploy.parameters.json links to azuredeploy.json or azuredeploy.bicep.
    • If both an ARM template and Bicep module exist, the template (.json) is preferred. For example, azuredeploy.parameters.json chooses azuredeploy.json over azuredeploy.bicep if both exist.
    • Both parameter file and template or Bicep module must be in the same directory.

    The following is not currently supported:

    • Using a different naming convention for parameter files such as <templateName>.param.json.
    • Template or parameter files with alternative file extensions such as .jsonc.
    "},{"location":"versioning/","title":"Changes and versioning","text":"

    PSRule for Azure uses semantic versioning to declare breaking changes. The latest module version can be installed from the PowerShell Gallery. For a list of module changes please see the change log.

    "},{"location":"versioning/#pre-releases","title":"Pre-releases","text":"

    Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Module versions and change log details for pre-releases will be removed as stable releases are made available.

    Important

    Pre-release versions should be considered work in progress. These releases should not be used in production. We may introduce breaking changes between a pre-release as we work towards a stable version release.

    "},{"location":"versioning/#experimental-features","title":"Experimental features","text":"

    From time to time we may ship experiential features. These features are generally marked experimental in the change log as these features ship. Experimental features may ship in stable releases, however to use them you may need to:

    • Enable or explicitly reference them.

    Important

    Experimental features should be considered work in progress. These features may be incomplete and should not be used in production. We may introduce breaking changes for experimental features as we work towards a general release for the feature.

    "},{"location":"versioning/#reporting-bugs","title":"Reporting bugs","text":"

    If you experience an issue with an pre-release or experimental feature please let us know by logging an issue as a bug.

    "},{"location":"working-with-baselines/","title":"Working with baselines","text":"

    A baseline is a standard PSRule artifact that combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule.

    Abstract

    This topic covers how to use the baselines shipped with PSRule for Azure.

    "},{"location":"working-with-baselines/#quarterly-baselines","title":"Quarterly baselines","text":"

    PSRule for Azure ships new rules on a monthly cadence. As new rules are added, existing pipelines that previously passed may fail based on additional requirements. It is generally expected that files committed to an integration branch such as main continue to pass.

    PSRule for Azure addresses this through quarterly baselines that provide:

    • Greater consistency \u2014 Quarterly baselines provide a stable checkpoint of rules to use. Each quarterly baseline includes rules for generally available (GA) and preview Azure features to date. Rules released after the quarterly baseline are added to the next quarterly baseline. New quarterly baselines are released every three (3) months. Baselines are named Azure.GA_yyyy_mm and Azure.Preview_yyyy_mm based on the release year/ month.
    • Incremental adoption \u2014 It may not be possibly to implement new rules immediately. Existing backlogs or timelines may make it impossible to add new requirements until a future sprint. In a future sprint, bump the quarterly baseline to the latest release to get the additional rules.

    Considerations for adopting a quarterly baseline include:

    • The quarterly baselines older than the latest are flagged as obsolete. Obsolete baselines can still be used, however will generate a warning.
    • As Azure evolves there may be cases where a feature change means a rule is no longer required. In these cases, a rule may be removed from PSRule for Azure and any applicable baselines.
    • Separate quarterly baselines for Azure GA and preview features are provided. The baseline for GA features is named Azure.GA_yyyy_mm and preview features is named Azure.Preview_yyyy_mm.

    Important

    When using a quarterly baseline, by default PSRule will ignore custom/ standalone rules. To include custom rules, set the Rule.IncludeLocal option to true. This is described further in including custom rules.

    Note

    The preview quarterly baselines includes Azure features released under preview only. This is different from the Azure.Preview baseline which contains GA and preview features.

    "},{"location":"working-with-baselines/#limitations","title":"Limitations","text":"

    Quarterly baselines don't address all cases where a previously passing pipeline may fail, specifically:

    • As bugs are identified they are corrected and shipped in the next minor or patch release. If the rule was not correctly working previously, failures may be generated after the fix. To workaround this you can either:
      • Create a temporary suppression to ignore the issue.
      • Install a previous version of the PSRule for Azure module.
    • Rule configuration defaults change. Currently rule configuration defaults are not included in quarterly baselines. To workaround this, override the rule configuration option by setting the value in ps-rule.yaml.
    "},{"location":"working-with-baselines/#additional-standard-baselines","title":"Additional standard baselines","text":"

    In additional to quarterly baselines, some additional baselines exist:

    • Azure.Default - Includes rules for GA Azure features. This is the default baseline that is used when no baseline is specified. Rules for Azure features that are within the scope of a public or private preview are not included.
    • Azure.Preview - Includes rules for GA and preview Azure features.
    • Azure.All - Includes all Azure rules shipped with PSRule for Azure. This is functionally the same as Azure.Preview however intended for internal use only.
    • Azure.MCSB.v1 - Includes rules related to Microsoft cloud security benchmark (MCSB) controls. This baseline is currently experimental and may change in future releases. You can learn more about MCSB within PSRule for Azure in the Microsoft cloud security benchmark (MCSB) topic.

    "},{"location":"working-with-baselines/#using-baselines","title":"Using baselines","text":"

    To use a baseline within a CI pipeline specify the baseline by name. See reference for a list baselines shipped with PSRule for Azure.

    GitHub ActionsAzure PipelinesPowerShell

    Update your GitHub Actions workflow by specifying baseline: <name_of_baseline>.

    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\nbaseline: 'Azure.GA_2023_09'\n

    Update your Azure DevOps YAML pipeline by specifying baseline: <name_of_baseline>.

    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\nbaseline: 'Azure.GA_2023_09'\n

    Update your PowerShell command-line with -Baseline <name_of_baseline>.

    With Assert-PSRule
    Assert-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_09'\n
    With Invoke-PSRule
    Invoke-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_09'\n
    "},{"location":"working-with-baselines/#creating-baselines","title":"Creating baselines","text":"

    To create your own baselines see the PSRule help topic about_PSRule_Baseline.

    "},{"location":"working-with-baselines/#including-custom-rules","title":"Including custom rules","text":"

    v1.8.0

    The quarterly baselines shipped with PSRule for Azure target a subset of rules for GA Azure features. When you specify a baseline, custom rules you create and store in .ps-rule/ will be ignored by default.

    To change this behavior, set the Rule.IncludeLocal option to true. This option can be set in ps-rule.yaml.

    ps-rule.yaml
    # YAML: Enable custom rules that don't exist in the baseline\nrule:\nincludeLocal: true\n
    "},{"location":"benchmark/results-v1.10.4/","title":"Results v1.10.4","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|----------:|----------:|----------:|----------:| | Template | 74.25 ms | 4.140 ms | 12.206 ms | 6000.0000 | 1000.0000 | 27 MB | | PropertyCopyLoop | 47.84 ms | 0.936 ms | 1.615 ms | 4444.4444 | 222.2222 | 18 MB | | UserDefinedFunctions | 28.87 ms | 0.574 ms | 1.224 ms | 1500.0000 | 62.5000 | 6 MB |

    "},{"location":"benchmark/results-v1.11.0/","title":"Results v1.11.0","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| | Template | 78.97 ms | 2.842 ms | 8.246 ms | 6000.0000 | 1000.0000 | 27 MB | | PropertyCopyLoop | 47.83 ms | 0.954 ms | 2.033 ms | 4400.0000 | 200.0000 | 18 MB | | UserDefinedFunctions | 29.42 ms | 0.587 ms | 1.172 ms | 1500.0000 | 62.5000 | 6 MB |

    "},{"location":"benchmark/results-v1.14.3/","title":"Results v1.14.3","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n[Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\nDefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| | Template | 80.07 ms | 2.250 ms | 6.598 ms | 6666.6667 | 666.6667 | 28 MB | | PropertyCopyLoop | 52.08 ms | 0.955 ms | 0.798 ms | 4500.0000 | 125.0000 | 18 MB | | UserDefinedFunctions | 35.51 ms | 0.705 ms | 1.635 ms | 1600.0000 | 66.6667 | 7 MB |

    "},{"location":"benchmark/results-v1.15.0/","title":"Results v1.15.0","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n[Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\nDefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Median | Gen 0 | Gen 1 | Allocated | |----------------------- |----------------:|----------------:|----------------:|----------------:|----------:|----------:|-------------:| | Template | 58,758,457.6 ns | 1,368,418.79 ns | 3,859,649.48 ns | 57,989,600.0 ns | 6000.0000 | 2000.0000 | 28,881,656 B | | PropertyCopyLoop | 35,152,022.3 ns | 699,686.11 ns | 1,206,924.16 ns | 34,927,013.3 ns | 4466.6667 | 133.3333 | 19,040,308 B | | UserDefinedFunctions | 19,601,380.5 ns | 382,322.59 ns | 560,403.50 ns | 19,517,700.0 ns | 1562.5000 | 62.5000 | 6,821,540 B | | ResolvePolicyAliasPath | 2,194.6 ns | 42.05 ns | 84.93 ns | 2,154.7 ns | 0.2861 | - | 1,200 B | | GetResourceType | 293.9 ns | 1.82 ns | 1.52 ns | 293.9 ns | 0.0858 | - | 360 B |

    "},{"location":"benchmark/results-v1.8.1/","title":"Results v1.8.1","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| | Template | 49.11 ms | 1.871 ms | 5.307 ms | 5000.0000 | 1000.0000 | 21 MB | | PropertyCopyLoop | 42.65 ms | 0.815 ms | 1.001 ms | 3812.5000 | 125.0000 | 15 MB | | UserDefinedFunctions | 26.26 ms | 0.518 ms | 1.126 ms | 1125.0000 | 31.2500 | 5 MB |

    "},{"location":"benchmark/results-v1.9.1/","title":"Results v1.9.1","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| | Template | 54.28 ms | 1.081 ms | 1.443 ms | 5333.3333 | 555.5556 | 21 MB | | PropertyCopyLoop | 42.15 ms | 0.823 ms | 0.881 ms | 3833.3333 | 166.6667 | 15 MB | | UserDefinedFunctions | 25.76 ms | 0.510 ms | 1.076 ms | 1125.0000 | 31.2500 | 5 MB |

    "},{"location":"commands/Export-AzPolicyAssignmentData/","title":"Export-AzPolicyAssignmentData","text":"

    Export policy assignment data.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#default-default","title":"Default (Default)","text":"
    Export-AzPolicyAssignmentData [-OutputPath <String>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#name","title":"Name","text":"
    Export-AzPolicyAssignmentData [-Name <String>] [-Scope <String>] [-PolicyDefinitionId <String>]\n [-OutputPath <String>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#id","title":"Id","text":"
    Export-AzPolicyAssignmentData -Id <String> [-PolicyDefinitionId <String>] [-OutputPath <String>] [-PassThru]\n [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#includedescendent","title":"IncludeDescendent","text":"
    Export-AzPolicyAssignmentData [-Scope <String>] [-IncludeDescendent] [-OutputPath <String>] [-PassThru]\n [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#description","title":"Description","text":"

    This is an experimental cmdlet.

    Export policy assignment data.

    By default the current subscription context will be exported. i.e Get-AzContext

    Policy assignment data will be exported to the current working directory by default as JSON files, one per subscription.

    All output files include a .assignment.json extension by default.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#example-1","title":"Example 1","text":"
    Export-AzPolicyAssignmentData\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:01 PM         740098 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n

    Export policy assignment data from current subscription context.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#example-2","title":"Example 2","text":"
    Export-AzPolicyAssignmentData -Name '000000000000000000000000' -Scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:15 PM           4185 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n

    Export policy assignment with specific name and scope.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#example-3","title":"Example 3","text":"
    Export-AzPolicyAssignmentData -Id '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG/providers/Microsoft.Authorization/policyAssignments/000000000000000000000000'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:42 PM           4185 \ue60b  00000000-0000-0000-0000-00000000000.assignment.json\n

    Export policy assignment with specific resource ID.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#-name","title":"-Name","text":"

    Specifies the name of the policy assignment.

    Type: String\nParameter Sets: Name\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-id","title":"-Id","text":"

    Specifies the fully qualified resource ID for the policy assignment.

    Type: String\nParameter Sets: Id\nAliases: AssignmentId\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-scope","title":"-Scope","text":"

    Specifies the scope at which the policy is applied for the assignment.

    Type: String\nParameter Sets: Name, IncludeDescendent\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-policydefinitionid","title":"-PolicyDefinitionId","text":"

    Specifies the ID of the policy definition of the policy assignment.

    Type: String\nParameter Sets: Name, Id\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-includedescendent","title":"-IncludeDescendent","text":"

    Causes the list of returned policy assignments to include all assignments related to the given scope, including those from ancestor scopes and those from descendent scopes.

    Type: SwitchParameter\nParameter Sets: IncludeDescendent\nAliases:\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing policy assignment data.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#none","title":"None","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#systemiofileinfo","title":"System.IO.FileInfo","text":"

    Return FileInfo for each of the output files created, one per subscription context. This is the default.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#psobject","title":"PSObject","text":"

    Return an object for each Azure resource, and configuration exported. This is returned when the -PassThru switch is used.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/","title":"Export-AzPolicyAssignmentRuleData","text":"

    Export JSON based rules from policy assignment data.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#syntax","title":"SYNTAX","text":"
    Export-AzPolicyAssignmentRuleData [-Name <String>] -AssignmentFile <String>\n [-ResourceGroup <ResourceGroupReference>] [-Subscription <SubscriptionReference>] [-OutputPath <String>]\n [-RulePrefix <String>] [-PassThru] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#description","title":"Description","text":"

    This is an experimental cmdlet.

    Export JSON based rules from policy assignment data.

    Policy assignment data generated from Export-AzPolicyAssignmentData is used to generate JSON rules.

    By default this is an offline process, requiring no connectivity to Azure.

    Policy definitions with the Disabled effect are ignored.

    The subscription() function will return the following unless overridden:

    • subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • displayName: 'PSRule Test Subscription'
    • state: 'NotDefined'

    The resourceGroup() function will return the following unless overridden:

    • name: 'ps-rule-test-rg'
    • location: 'eastus'
    • tags: { }
    • properties:
      • provisioningState: 'Succeeded'

    To override, set the AZURE_SUBSCRIPTION and AZURE_RESOURCE_GROUP in configuration.

    The rule prefix Azure is also applied to the policy names unless overridden with -RulePrefix or AZURE_POLICY_RULE_PREFIX in configuration.

    Currently the following limitations apply:

    • field() expressions are not expanded.
    • Field/Value count expressions are not supported.
    • Template functions with value cannot be expanded e.g. \"value\": \"[substring(field('name'), 0, 3)]\".
    • Any of the above will lead to errors when emitting JSON rules.
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-1","title":"Example 1","text":"
    Export-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json\n
    Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n

    Export JSON rules to file in current working directory.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-2","title":"Example 2","text":"
    $subscription = @{\nsubscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\ndisplayName = 'My Azure Subscription'\ntenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\nExport-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json -Subscription $subscription\n
    Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n

    Export JSON rules to file in current working directory using a specific subscription.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-3","title":"Example 3","text":"
    Get-AzPolicyAssignmentDataSource | Export-AzPolicyAssignmentRuleData\n
    Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        27/03/2022  11:26 AM            721 \uf15b  definitions-export-1b474938.Rule.jsonc\n

    Export JSON rules from the current working directory using discovered assignment sources in the current working directory.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-name","title":"-Name","text":"

    The name of the assignment. If not specified export-<xxxxxxxx> will be used as the name of the assignment.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-assignmentfile","title":"-AssignmentFile","text":"

    The absolute or relative path to an assignment data file.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing resources.

    If this parameter is not specified, output will be written to the current working path. The file name definitions-<name>.Rule.jsonc will be used when this parameter is not set or a directory is specified. Where <name> is the name of the assignment specified by -Name.

    This parameter has no affect when -PassThru is used.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-ruleprefix","title":"-RulePrefix","text":"

    By default, policy rule names use the Azure prefix e.g. Azure.Policy.e749c2d003da.

    When -RulePrefix is specified, the default prefix is overridden.

    For example, with -RulePrefix 'CustomPolicyPrefix' this would generate the policy rule name CustomPolicyPrefix.Policy.e749c2d003da.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-resourcegroup","title":"-ResourceGroup","text":"

    A name or hashtable of the Resource Group in the assignment data file. This Resource Group specified here will be used to resolve the resourceGroup() function.

    When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.

    Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-subscription","title":"-Subscription","text":"

    The name or hashtable of the Subscription in the assignment data file. This subscription specified here will be used to resolve the subscription() function.

    When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.

    Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleData/","title":"Export-AzRuleData","text":"

    Export resource configuration data from one or more Azure subscriptions.

    "},{"location":"commands/Export-AzRuleData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleData/#default-default","title":"Default (Default)","text":"
    Export-AzRuleData [[-OutputPath] <String>] [-Subscription <String[]>] [-Tenant <String[]>]\n [-ResourceGroupName <String[]>] [-Tag <Hashtable>] [-PassThru] [-SkipDiscovery] [-ResourceId <String[]>]\n [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleData/#all","title":"All","text":"
    Export-AzRuleData [[-OutputPath] <String>] [-ResourceGroupName <String[]>] [-Tag <Hashtable>] [-PassThru]\n [-All] [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleData/#description","title":"Description","text":"

    Export resource configuration data from deployed resources in one or more Azure subscriptions.

    If no filters are specified then the current subscription context will be exported. i.e. Get-AzContext

    To export all subscriptions contexts use the -All switch. When the -All switch is used, all subscriptions contexts will be exported. i.e. Get-AzContext -ListAvailable

    Resource data will be exported to the current working directory by default as JSON files, one per subscription.

    "},{"location":"commands/Export-AzRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleData/#example-1","title":"Example 1","text":"
    Export-AzRuleData\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n

    Export resource configuration data from current subscription context.

    "},{"location":"commands/Export-AzRuleData/#example-2","title":"Example 2","text":"
    Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000002.json\n

    Export resource configuration data from subscriptions by name.

    "},{"location":"commands/Export-AzRuleData/#example-3","title":"Example 3","text":"
    Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n

    Export resource configuration data from two resource groups within the current subscription context.

    "},{"location":"commands/Export-AzRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleData/#-all","title":"-All","text":"

    By default, resources from the current subscription context are extracted. Use -All to extract resource data for all subscription contexts instead.

    Type: SwitchParameter\nParameter Sets: All\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing resources.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-resourcegroupname","title":"-ResourceGroupName","text":"

    Optionally filter resources by Resource Group name.

    Type: String[]\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-subscription","title":"-Subscription","text":"

    Optionally filter resources by subscription, Id or Name.

    Type: String[]\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-tag","title":"-Tag","text":"

    Optionally filter resources based on tag.

    Type: Hashtable\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-tenant","title":"-Tenant","text":"

    Optionally filter resources by a unique Tenant identifer.

    Type: String[]\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-resourceid","title":"-ResourceId","text":"

    A list of resource Ids to expand.

    Type: String[]\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByValue)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-skipdiscovery","title":"-SkipDiscovery","text":"

    Determines if resource discovery is skipped. When skipped resources are expanded based on provided resource Ids.

    Type: SwitchParameter\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-confirm","title":"-Confirm","text":"

    Prompts you for confirmation before running the cmdlet.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases: cf\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-whatif","title":"-WhatIf","text":"

    Shows what would happen if the cmdlet runs. The cmdlet is not run.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases: wi\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleData/#none","title":"None","text":""},{"location":"commands/Export-AzRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":"

    Return FileInfo for each of the output files created, one per subscription. This is the default.

    "},{"location":"commands/Export-AzRuleData/#psobject","title":"PSObject","text":"

    Return an object for each Azure resource, and configuration exported. This is returned when the -PassThru switch is used.

    "},{"location":"commands/Export-AzRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleTemplateData/","title":"Export-AzRuleTemplateData","text":"

    Export resource configuration data from Azure templates.

    "},{"location":"commands/Export-AzRuleTemplateData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleTemplateData/#template-default","title":"Template (Default)","text":"
    Export-AzRuleTemplateData [[-Name] <String>] -TemplateFile <String> [-ParameterFile <String[]>]\n [-ResourceGroup <ResourceGroupReference>] [-Subscription <SubscriptionReference>] [-OutputPath <String>]\n [-PassThru] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleTemplateData/#source","title":"Source","text":"
    Export-AzRuleTemplateData [[-Name] <String>] -SourceFile <String> [-ResourceGroup <ResourceGroupReference>]\n [-Subscription <SubscriptionReference>] [-OutputPath <String>] [-PassThru] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleTemplateData/#description","title":"Description","text":"

    Export resource configuration data by merging Azure Resource Manager (ARM) template and parameter files. Template and parameters are merged by resolving template parameters, variables and functions.

    This function does not check template files for strict compliance with Azure schemas.

    By default this is an offline process, requiring no connectivity to Azure. Some functions that may be included in templates dynamically query Azure for current state. For these functions standard placeholder values are used by default. Functions that use placeholders include reference, list*.

    The subscription() function will return the following unless overridden:

    • subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • displayName: 'PSRule Test Subscription'
    • state: 'NotDefined'

    The resourceGroup() function will return the following unless overridden:

    • name: 'ps-rule-test-rg'
    • location: 'eastus'
    • tags: { }
    • properties:
      • provisioningState: 'Succeeded'

    To override, set the AZURE_SUBSCRIPTION and AZURE_RESOURCE_GROUP in configuration.

    Currently the following limitations apply:

    • Nested templates are expanded, external templates are not.
      • Deployment resources that link to an external template are returned as a resource.
    • Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:
      • The parent resource is defined in the same template.
      • The sub-resource depends on the parent resource.
    • The environment template function always returns values for Azure public cloud.
    • References to Key Vault secrets are not expanded. A placeholder value is used instead.
    • The reference() function will return objects for resources within the same template. For resources that are not in the same template, a placeholder value is used instead.
    • Multi-line strings are not supported.
    • Template expressions up to a maximum of 100,000 characters are supported.
    "},{"location":"commands/Export-AzRuleTemplateData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleTemplateData/#example-1","title":"Example 1","text":"
    Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n

    Export resource configuration data based on merging a template and parameter file together.

    "},{"location":"commands/Export-AzRuleTemplateData/#example-2","title":"Example 2","text":"
    Get-AzRuleTemplateLink | Export-AzRuleTemplateData;\n

    Recursively scan the current working path and export linked templates.

    "},{"location":"commands/Export-AzRuleTemplateData/#example-3","title":"Example 3","text":"
    $subscription = @{\nsubscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\ndisplayName = 'My Azure Subscription'\ntenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -Subscription $subscription;\n

    Export linked templates from the current working path using a specific subscription.

    "},{"location":"commands/Export-AzRuleTemplateData/#example-4","title":"Example 4","text":"
    $rg = @{\nname = 'my-test-rg'\nlocation = 'australiaeast'\ntags = @{\nenv = 'prod'\n}\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -ResourceGroup $rg;\n

    Export linked templates from the current working path using a specific resource group.

    "},{"location":"commands/Export-AzRuleTemplateData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleTemplateData/#-name","title":"-Name","text":"

    The name of the deployment. If not specified export-<xxxxxxxx> will be used as the name of the deployment.

    This parameter is used by the deployment() function and is also used to name the output file.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-templatefile","title":"-TemplateFile","text":"

    The absolute or relative file path to an Azure Resource Manager template file.

    Type: String\nParameter Sets: Template\nAliases:\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-parameterfile","title":"-ParameterFile","text":"

    The absolute or relative file path to one or more Azure Resource Manager template parameter files.

    Type: String[]\nParameter Sets: Template\nAliases: TemplateParameterFile\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-sourcefile","title":"-SourceFile","text":"

    The absolute or relative file path to a file of a Bicep file.

    Type: String\nParameter Sets: Source\nAliases: f, FullName\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing resources.

    If this parameter is not specified, output will be written to the current working path. The file name resources-<name>.json will be used when this parameter is not set or a directory is specified. Where <name> is the name of the deployment specified by -Name.

    This parameter has no affect when -PassThru is used.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-resourcegroup","title":"-ResourceGroup","text":"

    A name or hashtable of the Resource Group where the deployment will occur. This Resource Group specified here will be used to resolve the resourceGroup() function.

    When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.

    Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-subscription","title":"-Subscription","text":"

    The name or hashtable of the Subscription where the deployment will occur. This subscription specified here will be used to resolve the subscription() function.

    When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.

    Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzRuleTemplateData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring_1","title":"System.String[]","text":""},{"location":"commands/Export-AzRuleTemplateData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzRuleTemplateData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleTemplateData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/","title":"Get-AzPolicyAssignmentDataSource","text":"

    Get policy assignment sources.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#syntax","title":"SYNTAX","text":"
    Get-AzPolicyAssignmentDataSource [-InputPath <String[]>] [[-Path] <String>] [<CommonParameters>]\n
    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#description","title":"Description","text":"

    This is an experimental cmdlet.

    Get policy assignment sources. By default *.assignment.json sources are discovered from the current working directory.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#examples","title":"Examples","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#example-1","title":"Example 1","text":"
    Get-AzPolicyAssignmentDataSource\n
    AssignmentFile\n--------------\nC:\\00000000-0000-0000-0000-000000000001.assignment.json\nC:\\Users\\user\\00000000-0000-0000-0000-000000000002.assignment.json\n

    Gets policy assignment sources from any *.assignment.json sources within any folder in the current working directory path.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-inputpath","title":"-InputPath","text":"

    A path or filter to search for assignment files within the path specified by -Path. By default, files with *.assignment.json suffix will be used.

    When searching for assignment files all sub-directories will be scanned. To perform a shallow search, prefix input paths with ./.

    Type: String[]\nParameter Sets: (All)\nAliases: f, AssignmentFile, FullName\nRequired: False\nPosition: Named\nDefault value: '*.assignment.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n
    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-path","title":"-Path","text":"

    Sets the path to search for assignment files in. By default, this is the current working path.

    Type: String\nParameter Sets: (All)\nAliases: p\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#psrulerulesazurepipelinepolicyassignmentsource","title":"PSRule.Rules.Azure.Pipeline.PolicyAssignmentSource","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#notes","title":"Notes","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzRuleTemplateLink/","title":"Get-AzRuleTemplateLink","text":"

    Get a metadata link to a Azure template file.

    "},{"location":"commands/Get-AzRuleTemplateLink/#syntax","title":"SYNTAX","text":"
    Get-AzRuleTemplateLink [[-InputPath] <String[]>] [-SkipUnlinked] [[-Path] <String>] [<CommonParameters>]\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#description","title":"Description","text":"

    Gets a link between an Azure Resource Manager (ARM) parameter file and its referenced template file. Parameter files reference a template file by defining metadata. Alternatively, template files are discovered by naming convention.

    By default, when parameter files without a matching template are discovered an error is raised.

    To reference a template, set the metadata.template property to a file path. Referencing templates outside of the path specified with -Path is not permitted.

    To discover template files by naming convention:

    • Both template and parameter files must be in the same sub-directory.
    • The parameter file must end with .parameters.json.
    • The parameter file must be named <templateName>.parameters.json.
    • The template file must be named <templateName>.json.

    For more information see the about_PSRule_Azure_Metadata_Link topic.

    "},{"location":"commands/Get-AzRuleTemplateLink/#examples","title":"Examples","text":""},{"location":"commands/Get-AzRuleTemplateLink/#example-1","title":"Example 1","text":"
    Get-AzRuleTemplateLink\n

    Get links from any *.parameters.json files within any folder in the current working path.

    "},{"location":"commands/Get-AzRuleTemplateLink/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#-inputpath","title":"-InputPath","text":"

    A path or filter to search for parameter files within the path specified by -Path. By default, files with *.parameters.json suffix will be used.

    When searching for parameter files all sub-directories will be scanned. To perform a shallow search, prefix input paths with ./.

    Type: String[]\nParameter Sets: (All)\nAliases: f, TemplateParameterFile, FullName\nRequired: False\nPosition: 1\nDefault value: '*.parameters.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#-skipunlinked","title":"-SkipUnlinked","text":"

    Use this option to ignore parameter files that have no matching template. By default, when parameter files without a matching template are discovered an error is raised.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#-path","title":"-Path","text":"

    Sets the path to search for parameter files in. By default, this is the current working path.

    Type: String\nParameter Sets: (All)\nAliases: p\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Get-AzRuleTemplateLink/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzRuleTemplateLink/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#psrulerulesazuredatametadataitemplatelink","title":"PSRule.Rules.Azure.Data.Metadata.ITemplateLink","text":""},{"location":"commands/Get-AzRuleTemplateLink/#notes","title":"Notes","text":""},{"location":"commands/Get-AzRuleTemplateLink/#related-links","title":"RELATED LINKS","text":"

    about_PSRule_Azure_Metadata_Link

    "},{"location":"commands/PSRule.Rules.Azure/","title":"PSRule.Rules.Azure Module","text":""},{"location":"commands/PSRule.Rules.Azure/#description","title":"Description","text":"

    Validate Azure resources and infrastructure as code using PSRule.

    "},{"location":"commands/PSRule.Rules.Azure/#psrule-cmdlets","title":"PSRule Cmdlets","text":""},{"location":"commands/PSRule.Rules.Azure/#export-azruledata","title":"Export-AzRuleData","text":"

    Export resource configuration data from one or more Azure subscriptions.

    "},{"location":"commands/PSRule.Rules.Azure/#export-azruletemplatedata","title":"Export-AzRuleTemplateData","text":"

    Export resource configuration data from Azure templates.

    "},{"location":"commands/PSRule.Rules.Azure/#get-azruletemplatelink","title":"Get-AzRuleTemplateLink","text":"

    Get a metadata link to a Azure template file.

    "},{"location":"concepts/about_PSRule_Azure_Configuration/","title":"Configuration options","text":"

    Describes PSRule configuration options specific to PSRule for Azure.

    "},{"location":"concepts/about_PSRule_Azure_Configuration/#description","title":"Description","text":"

    PSRule exposes configuration options that can be used to customize execution of PSRule.Rules.Azure. This topic describes what configuration options are available.

    PSRule configuration options can be specified by setting the configuration option in ps-rule.yaml. Additionally, configuration options can be configured in a baseline or set at runtime. For details of setting configuration options see PSRule options.

    The following configurations options are available for use:

    • AZURE_AKS_CLUSTER_MINIMUM_VERSION
    • Azure_AKSNodeMinimumMaxPods
    • Azure_AllowedRegions
    • Azure_MinimumCertificateLifetime
    • AZURE_PARAMETER_FILE_EXPANSION
    • AZURE_POLICY_WAIVER_MAX_EXPIRY
    • AZURE_RESOURCE_GROUP
    • AZURE_SUBSCRIPTION
    • AZURE_POLICY_IGNORE_LIST
    • AZURE_POLICY_RULE_PREFIX
    • AZURE_APIM_MIN_API_VERSION
    • AZURE_COSMOS_DEFENDER_PER_ACCOUNT
    • AZURE_STORAGE_DEFENDER_PER_ACCOUNT

    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"

    This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.

    Syntax:

    configuration:\nAzure_AKSMinimumVersion: string # A version string\n

    Default:

    # YAML: The default Azure_AKSMinimumVersion configuration option\nconfiguration:\nAzure_AKSMinimumVersion: 1.20.5\n

    Example:

    # YAML: Set the Azure_AKSMinimumVersion configuration option to 1.19.7\nconfiguration:\nAzure_AKSMinimumVersion: 1.19.7\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aksnodeminimummaxpods","title":"Azure_AKSNodeMinimumMaxPods","text":"

    This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a maxPods option is used to determine the maximum number of pods for each node in the node pool.

    Syntax:

    configuration:\nAzure_AKSNodeMinimumMaxPods: integer\n

    Default:

    # YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 50\n

    Example:

    # YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 30\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_allowedregions","title":"Azure_AllowedRegions","text":"

    This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.

    By default, Azure_AllowedRegions is not configured. The rule Azure.Resource.AllowedRegions is skipped when no allowed locations are configured.

    Syntax:

    configuration:\nAzure_AllowedRegions: array # An array of regions\n

    Default:

    # YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\nAzure_AllowedRegions: []\n

    Example:

    # YAML: Set the Azure_AllowedRegions configuration option to Australia East, Australia South East\nconfiguration:\nAzure_AllowedRegions:\n- 'australiaeast'\n- 'australiasoutheast'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"

    This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.

    Syntax:

    configuration:\nAzure_MinimumCertificateLifetime: integer\n

    Default:

    # YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\nAzure_MinimumCertificateLifetime: 30\n

    Example:

    # YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\nAzure_MinimumCertificateLifetime: 90\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_parameter_file_expansion","title":"AZURE_PARAMETER_FILE_EXPANSION","text":"

    This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded.

    Parameter files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_PARAMETER_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"

    This configuration option determines the maximum number of days in the future that the expiry of a waiver policy exemption may be set to.

    Syntax:

    configuration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n

    Default:

    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n

    Example:

    # YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_resource_group","title":"AZURE_RESOURCE_GROUP","text":"

    This configuration option sets the resource group object used by the resourceGroup() function. Configure this option to change the resource group object when exporting templates for analysis. Provided properties override the default. Any properties that are not provided will use the defaults specified below.

    This configuration option will be ignored when -ResourceGroup is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_RESOURCE_GROUP:\nname: string\nlocation: string\ntags: object\nproperties:\nprovisioningState: string\n

    Default:

    # YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\nAZURE_RESOURCE_GROUP:\nname: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\nprovisioningState: 'Succeeded'\n

    Example:

    # YAML: Override the location of the resource group object.\nconfiguration:\nAZURE_RESOURCE_GROUP:\nlocation: 'australiasoutheast'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_subscription","title":"AZURE_SUBSCRIPTION","text":"

    This configuration option sets the subscription object used by the subscription() function. Configure this option to change the subscription object when exporting templates for analysis. Provided properties override the default. Any properties that are not provided will use the defaults specified below.

    This configuration option will be ignored when -Subscription is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: string\ntenantId: string\ndisplayName: string\nstate: string\n

    Default:

    # YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n

    Example:

    # YAML: Override the display name of the subscription object\nAZURE_SUBSCRIPTION:\ndisplayName: 'My test subscription'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"

    This configuration option configures a custom list of policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies is ignored. The built-in list can be found here.

    Configure this option to ignore policy definitions that:

    • Already have a rule defined.
    • Are not relevant to testing Infrastructure as Code.

    Syntax:

    configuration:\nAZURE_POLICY_IGNORE_LIST: array\n

    Default:

    # YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\nAZURE_POLICY_IGNORE_LIST: []\n

    Example:

    # YAML: Add a custom policy definition to ignore\nAZURE_POLICY_IGNORE_LIST:\n- '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n- '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"

    This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to Azure.

    This configuration option will be ignored when -Prefix is used with Export-AzPolicyAssignmentRuleData.

    Syntax:

    configuration:\nAZURE_POLICY_RULE_PREFIX: string\n

    Default:

    # YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\nAZURE_POLICY_RULE_PREFIX: 'Azure'\n

    Example:

    # YAML: Override the prefix of exported policy rules\nAZURE_POLICY_RULE_PREFIX: 'AzureCustomPrefix'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"

    This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to '2021-08-01'.

    Syntax:

    configuration:\nAZURE_APIM_MIN_API_VERSION: string\n

    Default:

    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-08-01'\n

    Example:

    # YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"

    This configuration option enables validation that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"

    This configuration option enables validation that each storage account is associated with a Microsoft Defender for Storage resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"concepts/about_PSRule_Azure_Metadata_Link/","title":"PSRule_Azure_Metadata_Link","text":""},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#about_psrule_azure_metadata_link","title":"about_PSRule_Azure_Metadata_Link","text":"

    Describes how Azure Resource Manager (ARM) parameter files reference a template file.

    "},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#description","title":"Description","text":"

    Azure Resource Manager (ARM) supports storing additional metadata within parameter files. PSRule uses this metadata to link template and parameter files together to improve unit testing of templates.

    To reference a template within a parameter file:

    • Set the metadata.template property to the template.
    • Prefix a template file relative to the parameter file with ./. When ./ is not used, the template path is relative to the -Path parameter.

    For example:

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./Resources.Template.json\"\n},\n\"parameters\": {\n}\n}\n
    "},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#see-also","title":"SEE ALSO","text":"
    • Get-AzRuleTemplateLink
    "},{"location":"concepts/policy-as-rules/","title":"Policy as rules","text":"

    PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:

    • Reuse controls \u2014 that have already been deployed as guardrails in your environment. For example: Azure Cloud Adoption Framework or regulatory compliance standards.
    • Reduce deployment issues \u2014 by identifying Azure Policy controls that could prevent a deployment from succeeding.

    Abstract

    This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.

    Experimental - Learn more

    Policy as rules are a work in progress. As always, if you find bugs/ errors or if something just doesn't work as you expect it to, please let us know. You can log a bug on GitHub or provide feedback here.

    "},{"location":"concepts/policy-as-rules/#limitations","title":"Limitations","text":"

    This feature does not support:

    • Resource provider modes \u2014 evaluate data plane information exposed at runtime. Policies that target resource provider modes are automatically ignored.
    • Disabled policies \u2014 Policy definitions with the effect Disabled are ignored.
    • Unassigned policies \u2014 Only policy definitions assigned to a scope are exported.
    • Policies that check for assessment status \u2014 Some policies use additional detection tools to check for compliance. Policies that check for assessment status are ignored.
    • Importing rules \u2014 Rules generated from policy assignments cannot be imported back into Azure Policy.
    "},{"location":"concepts/policy-as-rules/#using-policy-as-rules","title":"Using policy as rules","text":"

    Using policy as rules is a two step process:

    1. Export assignment data from Azure.
    2. Convert assignments to rules.
    "},{"location":"concepts/policy-as-rules/#export-assignment-data","title":"Export assignment data","text":"

    Run Export-AzPolicyAssignmentData to export assignments from Azure to an *.assignment.json file.

    Key points:

    • Before running this command, connect to an Azure subscription by installing the Az PowerShell module and using Connect-AzAccount.
    • This command has no required parameters, and by default will export all assignments from your current Azure subscription. You can change the current Azure subscription by using Set-AzContext.
    "},{"location":"concepts/policy-as-rules/#convert-assignments-to-rules","title":"Convert assignments to rules","text":"

    Run Export-AzPolicyAssignmentRuleData to convert assignments to rules. To run this command, specify the -AssignmentFile parameter with the path to the assignment JSON file generated in the previous step.

    After the command completes a new file *.Rule.jsonc should be generated containing generated rules.

    "},{"location":"concepts/suppression/","title":"Suppression and excluding rules","text":"

    By default, PSRule will attempt to read and test all files. You can configure options to:

    • Control which files PSRule tests.
    • Disable specific rules that don't apply to your environment.
    • Configure exceptions for special cases.

    Abstract

    This topic covers how you can configure PSRule to ignore files, specific rules, or rules for special cases.

    "},{"location":"concepts/suppression/#excluding-a-rule","title":"Excluding a rule","text":"

    Docs

    You can exclude a rule to effectively disable the rule. When excluded, a rule is not used to test any Azure resources.

    To exclude a rule, set the Rule.Exclude option within the ps-rule.yaml file.

    ps-rule.yaml
    rule:\nexclude:\n# Ignore the following rules for all resources\n- Azure.VM.UseHybridUseBenefit\n- Azure.VM.Standalone\n
    "},{"location":"concepts/suppression/#suppress-a-rule-individually","title":"Suppress a rule individually","text":"

    Docs

    You can suppress a rule to effectively skip or ignore a rule for a specific case or exception.

    To suppress a rule, set the Suppression option within the ps-rule.yaml file. PSRule allows you to specify the name of the rule and the names of the resources that will be suppressed.

    ps-rule.yaml
    suppression:\nAzure.Storage.SoftDelete:\n# Ignore soft delete on the following non-production storage accounts\n- storagedeveus6jo36t\n- storagedeveus1df278\n

    Tip

    Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR), because each exclusion or suppression removes a check that would otherwise fail. Also consider including a date if the exclusions or suppressions are temporary, so they can be revisited and removed.

    "},{"location":"concepts/suppression/#suppressing-common-cases","title":"Suppressing common cases","text":"

    Docs

    If you need to commonly suppress a rule for multiple resources you can use a Suppression Group. A Suppression Group allows you to define a condition for when a rule should be suppressed.

    Example

    For example, suppose you want to suppress the Azure.Storage.SoftDelete rule for Storage Accounts based on a tag.

    A Suppression Group can be defined within a .Rule.yaml file within the .ps-rule/ sub-directory. Create this directory in your repository or current working path if it doesn't already exist.

    .ps-rule/Suppression.Rule.yaml
    ---\n# Synopsis: Ignore soft delete for development storage accounts\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\nname: Local.IgnoreNonProdStorage\nspec:\nrule:\n- Azure.Storage.SoftDelete\nif:\nfield: tags.env\nequals: dev\n

    Learn

    To learn more, see suppression groups and expressions. Note that the condition in the example above is evaluated against the resource's own tags.env value, so anyone who can change that tag in the template can also suppress the rule; review suppression group conditions with the same care as the rules they exempt.

    "},{"location":"concepts/suppression/#ignoring-files","title":"Ignoring files","text":"

    Docs

    To exclude or ignore files from being processed, configure the Input.PathIgnore option. This option allows you to ignore files using a path spec.

    To ignore files with common extensions, set the Input.PathIgnore option within the ps-rule.yaml file.

    ps-rule.yaml
    input:\npathIgnore:\n# Exclude files with these extensions\n- '*.md'\n- '*.png'\n# Exclude specific configuration files\n- 'bicepconfig.json'\n

    To ignore all files with some exceptions, set the Input.PathIgnore option within the ps-rule.yaml file.

    ps-rule.yaml
    input:\npathIgnore:\n# Exclude all files\n- '*'\n# Only process deploy.bicep files\n- '!**/deploy.bicep'\n

    Tip

    Some common file exclusions are recommended for working with Azure Bicep source files. See Configuring path exclusions for details.

    "},{"location":"customization/enforce-codeowners/","title":"Enforcing code ownership","text":"

    With PSRule, you can layer on custom rules to implement organization specific requirements. These custom rules work side-by-side with PSRule for Azure.

    Pull requests are a key concept within common Git workflows used with DevOps to enforce peer review. To support peer review across a team, tools such as GitHub and Azure DevOps provide code ownership. Code ownership allows mixed-discipline teams to direct peer reviews based on the path of a changed file.

    For sensitive changes such as firewall or policy exemptions, peer reviews may form a security control. In these cases, it may be important that specific paths are used for Infrastructure as Code artifacts, so that the code ownership rules defined for those paths actually apply to the change.

    Info

    Code ownership is implemented through CODEOWNERS in GitHub and required reviewers in Azure Repos.

    Abstract

    The following scenario shows how to create a custom rule to validate the file path of code artifacts. The scenario walks you through the process so that you can apply the same concepts for similar requirements.

    "},{"location":"customization/enforce-codeowners/#creating-a-new-rule","title":"Creating a new rule","text":"

    Within the .ps-rule sub-directory create a new file called Org.Azure.Rule.ps1. Use the following snippet to populate the rule file:

    # Synopsis: Policy exemptions must be stored under designated paths for review.\nRule 'Org.Azure.Policy.Path' -Type 'Microsoft.Authorization/policyExemptions' {\n$Assert.WithinPath($PSRule.Source['Parameter'], '.', @(\n'deployments/policy/'\n));\n}\n

    Some key points to call out with the rule snippet include:

    • The name of the rule is Org.Azure.Policy.Path. Each rule name must be unique.
    • The rule applies to resources with the type of Microsoft.Authorization/policyExemptions. i.e. Policy exemptions.
    • The synopsis comment above the rule is read and used as the default recommendation if the rule fails. The rule recommendation appears in output and is intended as an instruction to remediate the failure.
    • The assertion $Assert.WithinPath ensures the specified path is within the deployments/policy/ sub-directory.
    • The automatic variable $PSRule.Source exposes the source path for the resource. PSRule for Azure exposes a Template and Parameter source for resources originating from a template.

    Tip

    For recommendations on naming and storing rules see storing custom rules.

    "},{"location":"customization/enforce-codeowners/#binding-type","title":"Binding type","text":"

    Rules packaged within PSRule for Azure will automatically detect Policy Exemptions by their type properties. Standalone rules will get their type binding configuration from ps-rule.yaml instead.

    To configure type binding:

    • Create/ update the ps-rule.yaml file within the root of the repository.
    • Add the following configuration snippet.
    # Configure binding options\nbinding:\ntargetType:\n- 'resourceType'\n- 'type'\n

    Some key points to call out include:

    • Configuring the binding for targetType allows rules to use the -Type parameter. Our custom rule uses -Type 'Microsoft.Authorization/policyExemptions'.
    • The binding configuration will use the resourceType property if it exists; otherwise it will use type. If neither property exists, PSRule will use the object type.
    "},{"location":"customization/enforce-codeowners/#testing-locally","title":"Testing locally","text":"

    To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.

    Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File\n
    "},{"location":"customization/enforce-codeowners/#sample-code","title":"Sample code","text":"

    Grab the full sample code for each of these files from:

    • Org.Azure.Rule.ps1
    • ps-rule.yaml
    • policy-exemption.parameters.json
    • template.json
    "},{"location":"customization/enforce-custom-tags/","title":"Enforcing custom tags","text":"

    With PSRule, you can layer on custom rules to implement organization specific requirements. These custom rules work side-by-side with PSRule for Azure.

    Use of resource and resource group tags is recommended in the WAF, however implementations may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.

    Abstract

    The following scenario shows how to create a custom rule to validate Resource Group tags. The scenario walks you through the process so that you can apply the same concepts for similar requirements.

    "},{"location":"customization/enforce-custom-tags/#creating-a-new-rule","title":"Creating a new rule","text":"

    Within the .ps-rule sub-directory create a new file called Org.Azure.Rule.ps1. Use the following snippet to populate the rule file:

    # Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n$hasTags = $Assert.HasField($TargetObject, 'Tags')\nif (!$hasTags.Result) {\nreturn $hasTags\n}\n# <Code for custom tags goes here>\n}\n

    Some key points to call out with the rule snippet include:

    • The name of the rule is Org.Azure.RG.Tags. Each rule name must be unique.
    • The rule applies to resources with the type of Microsoft.Resources/resourceGroups. i.e. Resource Groups.
    • The synopsis comment above the rule is read and used as the default recommendation if the rule fails. The rule recommendation appears in output and is intended as an instruction to remediate the failure.
    • The assertion $Assert.HasField ensures that Resource Group has a tags property.
    • The automatic variable $TargetObject automatically exposes the current resource being processed.

    Tip

    For recommendations on naming and storing rules see storing custom rules.

    "},{"location":"customization/enforce-custom-tags/#adding-mandatory-tags","title":"Adding mandatory tags","text":"

    To require specific tags to be configured on Resource Groups append this code to the rule.

    # Require tags be case-sensitive\n$Assert.HasField($TargetObject.tags, 'costCentre', <# case-sensitive #> $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n

    Some key points to call out include:

    • The $Assert.HasField assertions are case-sensitive which differs from the previous snippet.
    • A list of supported assertions can be found here.
    • Comments can be added just like normal PowerShell code.
    Updated Rule

    The updated rule should look like:

    # Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n$hasTags = $Assert.HasField($TargetObject, 'Tags')\nif (!$hasTags.Result) {\nreturn $hasTags\n}\n# Require tags be case-sensitive\n$Assert.HasField($TargetObject.tags, 'costCentre', <# case-sensitive #> $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n}\n
    "},{"location":"customization/enforce-custom-tags/#limiting-tags-values","title":"Limiting tags values","text":"

    To require these tags to only accept allowed values, append this code to the rule.

    <#\nThe costCentre tag must:\n- Start with a letter.\n- Be followed by a number between 10000-9999999999.\n#>\n$Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n# Require specific values for environment tag\n$Assert.In($TargetObject, 'tags.env', @(\n'dev',\n'prod',\n'uat'\n), $True)\n

    Some key points to call out include:

    • Each of these assertions for the field value are case-sensitive.
    • Assertions can automatically traverse fields by using the dotted syntax. i.e. tags.costCentre.
    Completed rule

    The completed rule should look like:

    # Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n$hasTags = $Assert.HasField($TargetObject, 'Tags')\nif (!$hasTags.Result) {\nreturn $hasTags\n}\n# Require tags be case-sensitive.\n$Assert.HasField($TargetObject.tags, 'costCentre', <# case-sensitive #> $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n<#\n    The costCentre tag must:\n    - Start with a letter.\n    - Be followed by a number between 10000-9999999999.\n    #>\n$Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n# Require specific values for environment tag.\n$Assert.In($TargetObject, 'tags.env', @(\n'dev',\n'prod',\n'uat'\n), $True)\n}\n
    "},{"location":"customization/enforce-custom-tags/#binding-type","title":"Binding type","text":"

    Rules packaged within PSRule for Azure will automatically detect Resource Groups by their type properties. Standalone rules will get their type binding configuration from ps-rule.yaml instead.

    To configure type binding:

    • Create/ update the ps-rule.yaml file within the root of the repository.
    • Add the following configuration snippet.
    # Configure binding options\nbinding:\ntargetType:\n- 'resourceType'\n- 'type'\n

    Some key points to call out include:

    • Configuring the binding for targetType allows rules to use the -Type parameter. Our custom rule uses -Type 'Microsoft.Resources/resourceGroups'.
    • The binding configuration will use the resourceType property if it exists; otherwise it will use type. If neither property exists, PSRule will use the object type.
    "},{"location":"customization/enforce-custom-tags/#testing-locally","title":"Testing locally","text":"

    To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.

    Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File\n
    "},{"location":"customization/enforce-custom-tags/#sample-code","title":"Sample code","text":"

    Grab the full sample code for each of these files from:

    • Org.Azure.Rule.ps1
    • ps-rule.yaml
    "},{"location":"customization/permit-outbound-management/","title":"Permit outbound management","text":"

    As discussed in Azure.NSG.LateralTraversal, outbound management traffic is expected from some subnets. Subnets that are expected to allow outbound management traffic may include:

    • Privileged access workstations (PAWs)
    • Bastion hosts
    • Jump boxes

    As a result, you may want to suppress the Azure.NSG.LateralTraversal rule on NSGs for these special cases.

    Abstract

    This topic provides an example you can use to configure PSRule to ignore special case NSGs.

    "},{"location":"customization/permit-outbound-management/#create-a-suppression-group","title":"Create a suppression group","text":"

    Within the .ps-rule sub-directory create a file called Org.Azure.Suppressions.Rule.yaml. If the .ps-rule sub-directory does not exist, create it in the root of your repository.

    Use the following snippet to populate the suppression group:

    ---\n# Synopsis: Ignore NSG lateral movement for management subnet NSGs such as Azure Bastion.\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\nname: Org.Azure.PermitOutboundManagement\nspec:\nrule:\n- PSRule.Rules.Azure\\Azure.NSG.LateralTraversal\nif:\nallOf:\n- type: '.'\nin:\n- Microsoft.Network/networkSecurityGroups\n# Suppress NSGs with bastion or management in thier name\n- name: '.'\ncontains:\n- bastion\n- management\n

    Some key points to call out with the suppression group snippet include:

    • The name of the suppression group is Org.Azure.PermitOutboundManagement. Each resource name must be unique.
    • The suppression group applies to:
      • The rule PSRule.Rules.Azure\\Azure.NSG.LateralTraversal.
      • Run against NSGs with the type Microsoft.Network/networkSecurityGroups.
      • When the name of the NSG contains bastion or management. The suppression group uses expressions to determine when a resource is suppressed. Because this is a substring match, any NSG whose name contains either word is exempted from the rule, so keep the condition as narrow as your naming convention allows. Update this condition to match your environment. For example, the following NSGs would be suppressed by this suppression group:
        • nsg-bastion-prod-eus-001
        • nsg-hub-management-prod-001
    • The synopsis comment above the suppression group is included in output as the explanation for the suppression.

    Tip

    Expressions can be combined within a suppression group using allOf or anyOf operators.

    "},{"location":"customization/storing-custom-rules/","title":"Storing custom rules","text":"

    PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework (WAF). In addition to WAF alignment you may have a requirement to enforce organization specific rules.

    For example:

    • Required tags on a resource group.
    • Code ownership for sensitive resource types.

    PSRule allows custom rules to be layered on. These custom rules work side-by-side with PSRule for Azure.

    "},{"location":"customization/storing-custom-rules/#using-a-standard-file-path","title":"Using a standard file path","text":"

    Rules can be standalone or packaged within a module. Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository. To reuse rules across multiple projects consider packaging these as a module.

    The instructions for packaging rules in a module can be found here:

    • Packaging rules in a module

    To store standalone rules we recommend that you:

    • Use .ps-rule/ \u2014 Create a sub-directory called .ps-rule in the root of your repository. Use all lower-case in the sub-directory name. Put any custom rules within this sub-directory.
    • Use files ending with .Rule.ps1 \u2014 PSRule uses a file naming convention to discover rules. We recommend using a file name that ends in .Rule.ps1.

    Note

    Build pipelines are often case-sensitive or run on Linux-based systems. Using the casing rule above reduces confusion later when you configure continuous integration (CI).

    "},{"location":"customization/storing-custom-rules/#naming-rules","title":"Naming rules","text":"

    When running PSRule, rule names must be unique. PSRule for Azure uses the name prefix of Azure. on all rules and resources included in the module.

    Example

    The following names are examples of rules included within PSRule for Azure:

    • Azure.AKS.Version
    • Azure.AKS.AuthorizedIPs
    • Azure.SQL.MinTLS

    When naming custom rules we recommend that you:

    • Use a standard prefix \u2014 You can use the Local. or Org. prefix for standalone rules.
      • Alternatively choose a short prefix that identifies your organization.
    • Use dotted notation \u2014 Use dots to separate the parts of a rule name.
    • Use a maximum length of 35 characters \u2014 The default view of Invoke-PSRule truncates longer names. PSRule supports longer rule names however if Invoke-PSRule is called directly consider using Format-List.
    "},{"location":"en/mcsb-v1/","title":"Microsoft cloud security benchmark","text":"

    Microsoft cloud security benchmark (MCSB) is a set of controls and recommendations that help improve the security of workloads on Azure and your multi-cloud environment. Controls from the MCSB are also mapped to industry frameworks, such as CIS, PCI-DSS, and NIST.

    If you are new to MCSB or are looking for guidance on how to use it, please see the Introduction to the Microsoft cloud security benchmark.

    "},{"location":"en/mcsb-v1/#microsoft-cloud-security-benchmark-v1","title":"Microsoft cloud security benchmark v1","text":"

    MCSB v1 is the latest version of the MCSB. Rules included within PSRule for Azure have been mapped to v1 so that you are able to understand the impact of the rules. This is particularly useful when you are looking to understand how to address a compliance requirement specific to your organization.

    The following controls are included in the Microsoft cloud security benchmark v1:

    • Network security (NS)
    • Identity Management (IM)
    • Privileged Access (PA)
    • Data Protection (DP)
    • Asset Management (AM)
    • Logging and Threat Detection (LT)
    • Incident Response (IR)
    • Posture and Vulnerability Management (PV)
    • Endpoint Security (ES)
    • Backup and Recovery (BR)
    • DevOps Security (DS)
    • Governance and Strategy (GS)

    "},{"location":"en/mcsb-v1/#using-the-mcsb-v1-baseline","title":"Using the MCSB v1 baseline","text":"

    Experimental \u00b7 v1.25.0

    To start using the MCSB v1 baseline with PSRule, configure the baseline parameter to use Azure.MCSB.v1. View the list of rules associated with the MCSB v1 baseline.

    Experimental - Learn more

    MCSB baselines are a work in progress and subject to change. We hope to add more rules to the baseline in the future. Join or start a discussion to let us know how we can improve this feature going forward.

    Note

    It's important to note that the MCSB v1 baseline is subset of rules from the Well-Architected Framework. Not all rules for the Well-Architected Framework are included in MCSB. Using the MCSB v1 baseline is useful to understand alignment with the MCSB and other industry frameworks / standards. For a complete set of rules for the Well-Architected Framework, consider using a quarterly baseline.

    "},{"location":"en/mcsb-v1/#recommended-content","title":"Recommended content","text":"
    • Overview of Microsoft cloud security benchmark (v1)
    • Using baselines
    "},{"location":"en/baselines/Azure.All/","title":"Azure.All","text":"

    Includes all Azure rules.

    "},{"location":"en/baselines/Azure.All/#rules","title":"Rules","text":"

    The following rules are included within Azure.All. This baseline includes a total of 401 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. 
Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. 
Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. 
Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. 
Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. 
Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. 
Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. 
Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. 
Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. 
Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. 
Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. 
Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. 
Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. 
Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Default/","title":"Azure.Default","text":"

    Default baseline for Azure rules.

    "},{"location":"en/baselines/Azure.Default/#rules","title":"Rules","text":"

    The following rules are included within Azure.Default. This baseline includes a total of 385 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. 
Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. 
Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. 
Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. 
Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. 
Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. 
Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. 
Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. 
Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. 
Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. 
Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. 
Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. 
Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. 
Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. 
Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. 
Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. 
Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2020_06/","title":"Azure.GA_2020_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2020 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2020_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2020_06. This baseline includes a total of 137 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductSubscription Configure products to require a subscription. 
Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. 
Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. 
Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. 
Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. 
Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_09/","title":"Azure.GA_2020_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2020 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2020_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2020_09. This baseline includes a total of 153 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. 
Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. 
Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. 
Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. 
Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. 
Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_12/","title":"Azure.GA_2020_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2020 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2020_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2020_12. This baseline includes a total of 177 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. 
Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. 
Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. 
Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. 
Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. 
Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. 
Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. 
Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_03/","title":"Azure.GA_2021_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_03. This baseline includes a total of 192 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to complement multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with node pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. 
Important Azure.AKS.Version AKS control plane and node pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. 
Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. 
Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principle of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. 
Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at least two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. 
Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_06/","title":"Azure.GA_2021_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_06. This baseline includes a total of 206 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to complement multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with node pools based on VM scale sets. 
Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and node pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. 
Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. 
Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. 
Awareness Azure.KeyVault.AccessPolicy Use the principle of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. 
Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. 
Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. 
Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. 
Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. 
Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. 
Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_09/","title":"Azure.GA_2021_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_09. This baseline includes a total of 225 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. 
Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. 
Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. 
Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. 
Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. 
Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. 
Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. 
Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. 
Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. 
Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_12/","title":"Azure.GA_2021_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_12. This baseline includes a total of 251 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. 
Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. 
Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. 
Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resource names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. 
Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management plane operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. 
Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principle of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. 
Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. 
Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. 
Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). 
Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. 
Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. 
Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at least two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. 
Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. 
Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness"},{"location":"en/baselines/Azure.GA_2022_03/","title":"Azure.GA_2022_03","text":"

    Warning

    This baseline is obsolete and no longer receives new rules. Consider switching to a newer baseline so that checks released after this baseline's cut-off date are also evaluated.

    Includes rules released March 2022 or prior for Azure GA features. Rules released after March 2022 are not evaluated when this baseline is selected.

    "},{"location":"en/baselines/Azure.GA_2022_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_03. This baseline includes a total of 267 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to complement multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. 
Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. 
Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resource names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. 
Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management plane operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. 
Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. 
Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. 
Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. 
Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. 
Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. 
Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. 
Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_06/","title":"Azure.GA_2022_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_06. This baseline includes a total of 271 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. 
Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. 
Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. 
Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. 
Critical Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. 
Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. 
Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. 
Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. 
Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. 
Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. 
Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. 
Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. 
Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. 
Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_09/","title":"Azure.GA_2022_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_09. This baseline includes a total of 303 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. 
Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. 
Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. 
Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. 
Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. 
Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. 
Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. 
Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. 
Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_12/","title":"Azure.GA_2022_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_12. This baseline includes a total of 341 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. 
Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. 
Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. 
Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. 
Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. 
Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. 
Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. 
Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. 
Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. 
Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. 
Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. 
Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. 
Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. 
Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. 
Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_03/","title":"Azure.GA_2023_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2023 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2023_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2023_03. This baseline includes a total of 361 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. 
Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. 
Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. 
Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. 
Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. 
Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. 
Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. 
Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. 
Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. 
Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. 
Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. 
Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. 
Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. 
Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. 
Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. 
Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. 
Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_06/","title":"Azure.GA_2023_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2023 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2023_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2023_06. This baseline includes a total of 376 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. 
Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. 
Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. 
Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. 
Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. 
Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. 
Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. 
Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. 
Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. 
Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. 
Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. 
Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. 
Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. 
Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. 
Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. 
Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. 
Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_09/","title":"Azure.GA_2023_09","text":"

    Include rules released September 2023 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2023_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2023_09. This baseline includes a total of 385 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. 
Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. 
Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. 
Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. 
Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. 
Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. 
Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. 
Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. 
Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. 
Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. 
Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. 
Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. 
Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. 
Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. 
Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. 
Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. 
Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.MCSB.v1/","title":"Azure.MCSB.v1","text":"

    Experimental

    This baseline is experimental and subject to change.

    Microsoft Cloud Security Benchmark v1.

    "},{"location":"en/baselines/Azure.MCSB.v1/#controls","title":"Controls","text":"

    The following rules are included within Azure.MCSB.v1. This baseline includes a total of 118 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. 
Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. 
Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. 
Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. 
Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. 
Important Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important"},{"location":"en/baselines/Azure.Preview/","title":"Azure.Preview","text":"

    Includes rules for Azure GA and preview features.

    "},{"location":"en/baselines/Azure.Preview/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview. This baseline includes a total of 401 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. 
Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. 
Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. 
Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. 
Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. 
Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. 
Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. 
Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. 
Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. 
Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. 
Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. 
Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template (bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at least two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. 
Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. 
Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Preview_2021_09/","title":"Azure.Preview_2021_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2021 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2021_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2021_09. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2021_12/","title":"Azure.Preview_2021_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2021 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2021_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2021_12. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2022_03/","title":"Azure.Preview_2022_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_03. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2022_06/","title":"Azure.Preview_2022_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_06. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2022_09/","title":"Azure.Preview_2022_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_09. This baseline includes a total of 5 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important"},{"location":"en/baselines/Azure.Preview_2022_12/","title":"Azure.Preview_2022_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_12. This baseline includes a total of 5 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important"},{"location":"en/baselines/Azure.Preview_2023_03/","title":"Azure.Preview_2023_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2023 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2023_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2023_03. This baseline includes a total of 5 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important"},{"location":"en/baselines/Azure.Preview_2023_06/","title":"Azure.Preview_2023_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2023 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2023_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2023_06. This baseline includes a total of 15 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2023_09/","title":"Azure.Preview_2023_09","text":"

    Include rules released September 2023 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2023_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2023_09. This baseline includes a total of 16 rules.

    Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/rules/","title":"Reference","text":"

    The following rules and features are included in PSRule for Azure.

    Info

    The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.

    "},{"location":"en/rules/#rules","title":"Rules","text":"

    The following rules are included in PSRule for Azure.

    Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to complement multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and node pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with node pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. 
GA AZR-000019 Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Preview AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. 
    GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resource names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. 
    GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management plane operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Front Door. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. 
    GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principle of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostic logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. 
GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. 
GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
    GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). 
GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. 
    GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template (bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at least two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. 
GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.VM.NICAttached Network interfaces (NICs) should be attached. GA AZR-000258 Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. 
GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. GA AZR-000281 Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. GA AZR-000283 Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. 
GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
GA AZR-000312 Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Preview AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when referencing SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use Azure Files volume mounts to persist container data. 
GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcards for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use an Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. Preview AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Preview AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. 
GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000384 Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000385 Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Preview AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. 
GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA"},{"location":"en/rules/Azure.ACR.AdminUser/","title":"Disable ACR admin user","text":"Azure.ACR.AdminUserAZR-000005Error

    Security \u00b7 Container Registry \u00b7 2020_06

    Use Azure AD identities instead of using the registry admin user.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#description","title":"Description","text":"

    Azure Container Registry (ACR) includes a built-in admin user account. The admin user account is a single user account with administrative access to the registry. Because it is a single shared credential rather than an individual identity, registry actions performed with it cannot be attributed to a specific person. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.

    Instead, use role-based access control (RBAC) to delegate registry permissions to an Azure AD (AAD) identity, such as a managed identity or service principal, so that each caller is authenticated and authorized individually.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#recommendation","title":"Recommendation","text":"

    Consider disabling the admin user account and using only identity-based authentication for registry operations.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#examples","title":"Examples","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.adminUserEnabled to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.adminUserEnabled to false.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az acr update --admin-enabled false -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#links","title":"Links","text":"
    • Use identity-based authentication
    • Authenticate with a private Docker container registry
    • Best practices for Azure Container Registry
    • Use an Azure managed identity to authenticate to an Azure container registry
    • Azure Container Registry roles and permissions
    • What is Azure role-based access control (Azure RBAC)?
    • IM-1: Use centralized identity and authentication system
    • IM-3: Manage application identities securely and automatically
    • PA-1: Separate and limit highly privileged/administrative users
    • Azure Policy Regulatory Compliance controls for Azure Container Registry
    • Azure deployment reference
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/","title":"Anonymous pull access","text":"Azure.ACR.AnonymousAccessAZR-000401Error

    Security \u00b7 Container Registry \u00b7 Preview \u00b7 2023_09

    Disable anonymous pull access.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#description","title":"Description","text":"

    Azure Container Registry (ACR) normally requires clients to authenticate before they can pull or push content. However, a registry can optionally be configured to allow content to be pulled without authentication (anonymous pull access).

    By default, access to pull or push content from an Azure container registry is only available to authenticated users.

    Generally speaking, it is not good practice to allow unauthenticated users to perform data-plane operations. However, anonymous pull access can be appropriate in scenarios that do not require user authentication, such as intentionally distributing public container images.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#recommendation","title":"Recommendation","text":"

    Consider disabling anonymous pull access unless the registry is intentionally used to distribute public container images; for any registry holding private images, pulls should require authentication.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#examples","title":"Examples","text":"","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.anonymousPullEnabled property to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"anonymousPullEnabled\": false\n}\n}\n
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.anonymousPullEnabled property to false.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    anonymousPullEnabled: false\n  }\n}\n
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az acr update --anonymous-pull-enabled false -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#notes","title":"Notes","text":"

    The anonymous pull access feature is currently in preview. Anonymous pull access is only available in the Standard and Premium service tiers.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#links","title":"Links","text":"
    • Authentication with Azure AD
    • Make your container registry content publicly available
    • Azure security baseline for Container Registry
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.ContainerScan/","title":"Scan Container Registry images","text":"Azure.ACR.ContainerScanAZR-000002Error

    Security \u00b7 Container Registry \u00b7 2020_12

    Enable vulnerability scanning for container images.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#description","title":"Description","text":"

    A potential risk with container-based workloads is un-patched security vulnerabilities in:

    • Operating System base images.
    • Frameworks and runtime dependencies used by application code.

    It is important to adopt a strategy to actively scan images for security vulnerabilities. One option for scanning container images is to use Microsoft Defender for container registries. Microsoft Defender for container registries scans each container image pushed to the registry.

    Microsoft Defender for container registries scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.

    Container image vulnerability scanning with Microsoft Defender for container registries:

    • Is currently only available for Linux-hosted ACR registries.
    • The container registry must be reachable by Microsoft Defender. If network access is restricted by firewall rules, Service Endpoints, or Private Endpoints, the registry must allow trusted Microsoft services to bypass the network rules (see Azure.ACR.Firewall); otherwise images cannot be scanned.
    • Is supported only in commercial clouds; it is not currently supported in sovereign or national clouds (e.g. US Gov, China Gov).
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable container image scanning:

    • Set the Standard pricing tier for Microsoft Defender for container registries.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"ContainerRegistry\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable container image scanning:

    • Set the Standard pricing tier for Microsoft Defender for container registries.

    For example:

    Azure Bicep snippet
    resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'ContainerRegistry' --tier 'standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for container registries
    • Container security in Microsoft Defender for Cloud
    • Secure the images and run time
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContentTrust/","title":"Use trusted container images","text":"Azure.ACR.ContentTrustAZR-000009Error

    Security \u00b7 Container Registry \u00b7 2020_12

    Use container images signed by a trusted image publisher.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#description","title":"Description","text":"

    Azure Container Registry (ACR) content trust enables pushing and pulling of signed images. Signed images provide additional assurance that they were produced by a trusted source. This assurance only holds when the pulling client is configured to verify signatures, so content trust needs to be enabled on both the registry and the clients.

    To enable content trust, the container registry must be using a Premium SKU.

    Content trust is currently not supported in a registry that is encrypted with a customer-managed key; when customer-managed keys are in use, content trust cannot be enabled.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#recommendation","title":"Recommendation","text":"

    Consider enabling content trust on registries and clients, and signing the container images you publish.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.trustPolicy.status to enabled.
    • Set properties.trustPolicy.type to Notary.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.trustPolicy.status to enabled.
    • Set properties.trustPolicy.type to Notary.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#links","title":"Links","text":"
    • Follow best practices for container security
    • Content trust in Azure Container Registry
    • Content trust in Docker
    • Overview of customer-managed keys
    • Azure deployment reference
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.Firewall/","title":"Restrict network access to container registries","text":"Azure.ACR.FirewallAZR-000402Error

    Security \u00b7 Container Registry \u00b7 2023_09

    Limit network access of container registries to only trusted clients.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#description","title":"Description","text":"

    Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.

    Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.

    In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However, this may not be required when publishing and distributing public container images to external parties.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#recommendation","title":"Recommendation","text":"

    Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#examples","title":"Examples","text":"","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled. OR
    • Set the properties.networkRuleSet.defaultAction property to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"properties\": {\n\"publicNetworkAccess\": \"Enabled\",\n\"networkRuleBypassOptions\": \"AzureServices\",\n\"networkRuleSet\": {\n\"defaultAction\": \"Deny\",\n\"ipRules\": [\n{\n\"action\": \"Allow\",\n\"value\": \"_PublicIPv4Address_\"\n}\n]\n}\n}\n}\n
    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled. OR
    • Set the properties.networkRuleSet.defaultAction property to Deny.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    publicNetworkAccess: 'Enabled'\n    networkRuleBypassOptions: 'AzureServices'\n    networkRuleSet: {\n      defaultAction: 'Deny'\n      ipRules: [\n        {\n          action: 'Allow'\n          value: '_PublicIPv4Address_'\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#notes","title":"Notes","text":"

    Configuring firewall rules or using private endpoints is only available for the Premium SKU.

    When used with Microsoft Defender for Containers, you must allow trusted Microsoft services to bypass the network rules (networkRuleBypassOptions set to AzureServices, as in the examples above) for the vulnerability assessment feature to be able to scan the registry. Note that this bypass applies to the set of trusted Azure services, not only to Defender.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Restrict access using private endpoint
    • Restrict access using firewall rules
    • Allow trusted services to securely access a network-restricted container registry
    • Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
    • Azure security baseline for Container Registry
    • NS-2: Secure cloud services with network controls
    • Azure deployment reference
    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.GeoReplica/","title":"Geo-replicate container images","text":"Azure.ACR.GeoReplicaAZR-000004Error

    Reliability \u00b7 Container Registry \u00b7 2020_12

    Use geo-replicated container registries to complement multi-region container deployments.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#description","title":"Description","text":"

    A container registry is stored and maintained by default in a single region. Optionally geo-replication to one or more additional regions can be enabled.

    Geo-replicating container registries provides the following benefits:

    • Single registry, image, and tag names can be used across multiple regions.
    • Network-close registry access within the region reduces latency.
    • As images are pulled from a local replicated registry, each pull does not incur additional egress costs.
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#recommendation","title":"Recommendation","text":"

    Consider using a geo-replicated container registry for multi-region deployments.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable geo-replication for Container Registries that pass this rule:

    • Set sku.name to Premium (required for geo-replication).
    • Add replications child resource with location set to the region to replicate to.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"_generator\": {\n\"name\": \"bicep\",\n\"version\": \"0.5.6.12127\",\n\"templateHash\": \"12610175857982700190\"\n}\n},\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"acrAdminUserEnabled\": {\n\"type\": \"bool\",\n\"defaultValue\": false,\n\"metadata\": {\n\"description\": \"Enable admin user that has push / pull permission to the registry.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\n\"Premium\"\n],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry. 
Geo-replication requires Premium SKU.\"\n}\n},\n\"acrReplicaLocation\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"Short name for registry replica location.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n},\n\"properties\": {\n\"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n}\n},\n{\n\"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n\"location\": \"[parameters('acrReplicaLocation')]\",\n\"properties\": {},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n]\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set sku.name to Premium (required for geo-replication).
    • Add replications child resource with location set to the region to replicate to.

    For example:

    Azure Bicep snippet
    resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Geo-replicate multi-region deployments
    • Geo-replication in Azure Container Registry
    • Tutorial: Prepare a geo-replicated Azure container registry
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.ImageHealth/","title":"Remove vulnerable container images","text":"Azure.ACR.ImageHealthAZR-000003Error

    Security \u00b7 Container Registry \u00b7 2020_12

    Remove container images with known vulnerabilities.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#description","title":"Description","text":"

    When Microsoft Defender for container registries is enabled, Microsoft Defender scans container images. Container images are scanned for known vulnerabilities and marked as healthy or unhealthy. Vulnerable container images should not be used.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#recommendation","title":"Recommendation","text":"

    Consider using removing container images with known vulnerabilities.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#links","title":"Links","text":"
    • Review and remediate recommendations
    • Introduction to Azure Defender for container registries
    • Overview of Microsoft Defender for Containers
    • Secure the images and run time
    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.MinSku/","title":"Use ACR production SKU","text":"Azure.ACR.MinSkuAZR-000006Error

    Reliability \u00b7 Container Registry \u00b7 2020_06

    ACR should use the Premium or Standard SKU for production deployments.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#description","title":"Description","text":"

    Azure Container Registry (ACR) provides a range of different service tiers (also known as SKUs). These service tiers provide different levels of performance and features.

    Three service tiers are available: Basic, Standard, and Premium. Basic container registries are only recommended for non-production deployments. Use a minimum of Standard for production container registries.

    The Premium SKU provides higher image throughput and included storage, and is required for:

    • Geo-replication
    • Availability zones
    • Private Endpoints
    • Firewall restrictions
    • Tokens and scope-maps
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#recommendation","title":"Recommendation","text":"

    Consider using the Premium Container Registry SKU for production deployments.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#examples","title":"Examples","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy registries that pass this rule:

    • Set the sku.name property to Premium or Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy registries that pass this rule:

    • Set the sku.name property to Premium or Standard.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Container Registry SKUs
    • Geo-replication in Azure Container Registry
    • Best practices for Azure Container Registry
    • Azure deployment reference
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.Name/","title":"Use valid registry names","text":"Azure.ACR.NameAZR-000007Error

    Operational Excellence \u00b7 Container Registry \u00b7 2020_06

    Container registry names should meet naming requirements.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for container registry names are:

    • Between 5 and 50 characters long.
    • Alphanumerics.
    • Container registry names must be globally unique.
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#examples","title":"Examples","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    You could ensure that acrName parameter meets naming requirements by using MinLength and maxLength parameter properties. You could also use a uniqueString() function to ensure the name is globally unique.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\n\"Standard\"\n\"Premium\"\n],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n}\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    You could ensure that acrName parameter meets naming requirements by using @MinLength and @maxLength parameter decorators. You could also use a uniqueString() function to ensure the name is globally unique.

    For example:

    Azure Bicep snippet
    @description('Globally unique name of your Azure Container Registry')\n@minLength(5)\n@maxLength(50)\nparam acrName string = 'acr${uniqueString(resourceGroup().id)}'\n\n@description('Location for registry home replica.')\nparam location string = resourceGroup().location\n\n@description('Tier of your Azure Container Registry. Geo-replication requires Premium SKU.')\n@allowed([\n  'Standard'\n  'Premium'\n])\nparam acrSku string = 'Premium'\n\nresource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: acrSku\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n}\n\noutput acrLoginServer string = containerRegistry.properties.loginServer\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#notes","title":"Notes","text":"

    This rule does not check if container registry names are unique.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Quarantine/","title":"Use container image quarantine pattern","text":"Azure.ACR.QuarantineAZR-000008Error

    Security \u00b7 Container Registry \u00b7 Preview \u00b7 2020_12

    Enable container image quarantine, scan, and mark images as verified.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#description","title":"Description","text":"

    Image quarantine is a configurable option for Azure Container Registry (ACR). When enabled, images pushed to the container registry are not available by default. Each image must be verified and marked as Passed before it is available to pull.

    To verify container images, integrate with an external security tool that supports this feature.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#recommendation","title":"Recommendation","text":"

    Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#examples","title":"Examples","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.quarantinePolicy.status to enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.quarantinePolicy.status to enabled.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#notes","title":"Notes","text":"

    Image quarantine for Azure Container Registry is currently in preview.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • How do I enable automatic image quarantine for a registry?
    • Quarantine Pattern
    • Secure the images and run time
    • Azure deployment reference
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Retention/","title":"Configure ACR retention policies","text":"Azure.ACR.RetentionAZR-000010Error

    Cost Optimization \u00b7 Container Registry \u00b7 Preview \u00b7 2020_12

    Use a retention policy to cleanup untagged manifests.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#description","title":"Description","text":"

    Retention policy is a configurable option of Premium Azure Container Registry (ACR). When a retention policy is configured, untagged manifests in the registry are automatically deleted. A manifest is untagged when a more recent image is pushed using the same tag. i.e. latest.

    The retention policy (in days) can be set to 0-365. The default is 7 days.

    To configure a retention policy, the container registry must be using a Premium SKU.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#recommendation","title":"Recommendation","text":"

    Consider enabling a retention policy for untagged manifests.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#examples","title":"Examples","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.retentionPolicy.status to enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.retentionPolicy.status to enabled.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#notes","title":"Notes","text":"

    Retention policies for Azure Container Registry is currently in preview.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#links","title":"Links","text":"
    • Scalable storage
    • Set a retention policy for untagged manifests
    • Lock a container image in an Azure container registry
    • Azure deployment reference
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.SoftDelete/","title":"Use ACR soft delete policy","text":"Azure.ACR.SoftDeleteAZR-000310Error

    Reliability \u00b7 Container Registry \u00b7 Preview \u00b7 2022_09

    Azure Container Registries should have soft delete policy enabled.

    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#description","title":"Description","text":"

    Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.

    This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.

    Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.

    Current preview limitations:

    • ACR currently doesn't support manually purging soft deleted artifacts.
    • The soft delete policy doesn't support a geo-replicated registry.
    • ACR doesn't allow enabling both the retention policy and the soft delete policy. See retention policy for untagged manifests.
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#recommendation","title":"Recommendation","text":"

    Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.

    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an Azure Container Registry that pass this rule:

    • Set the properties.policies.softDeletePolicy.status property to enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an Azure Container Registry that pass this rule:

    • Set the properties.policies.softDeletePolicy.status property to enabled.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az acr config soft-delete update -r '<name>' --days 90 --status enabled\n
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#links","title":"Links","text":"
    • Data Management for Reliability
    • Azure Container Registry (ACR) soft delete policy
    • Azure Container Registry service tiers
    • Policy for untagged manifests
    • Azure deployment reference
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.Usage/","title":"Container registry storage usage","text":"Azure.ACR.UsageAZR-000001Error

    Cost Optimization \u00b7 Container Registry \u00b7 2020_12

    Regularly remove deprecated and unneeded images to reduce storage usage.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#description","title":"Description","text":"

    Each ACR SKU has an amount of included storage. When the amount of included storage is exceeded, additional storage costs per GiB are accrued.

    It is good practice to regularly clean-up orphaned (or dangling) images. These images are a result of pushing updated images with the same tag.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing deprecated and unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Azure Container Registry service tiers
    • Scalable storage
    • Manage registry size
    • Delete container images in Azure Container Registry using the Azure CLI
    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ADX.DiskEncryption/","title":"Use disk encryption for Azure Data Explorer clusters","text":"Azure.ADX.DiskEncryptionAZR-000013Error

    Security \u00b7 Data Explorer \u00b7 2022_03

    Use disk encryption for Azure Data Explorer (ADX) clusters.

    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#description","title":"Description","text":"

    Azure storage is encrypted at rest, however computing resources can additionally use disk encryption. Disk encryption provides additional security for data at rest.

    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#recommendation","title":"Recommendation","text":"

    Consider enabling disk encryption on Azure Data Explorer clusters.

    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#examples","title":"Examples","text":"","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set properties.enableDiskEncryption to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Kusto/clusters\",\n\"apiVersion\": \"2021-08-27\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D11_v2\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"enableDiskEncryption\": true\n}\n}\n
    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set properties.enableDiskEncryption to true.

    For example:

    Azure Bicep snippet
    resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n
    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#links","title":"Links","text":"
    • Data encryption in Azure
    • Secure your cluster using Disk Encryption in Azure Data Explorer
    • Azure deployment reference
    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/","title":"Use managed identities for Data Explorer clusters","text":"Azure.ADX.ManagedIdentityAZR-000012Error

    Security \u00b7 Data Explorer \u00b7 2022_03

    Configure Data Explorer clusters to use managed identities to access Azure resources securely.

    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#description","title":"Description","text":"

    A managed identity allows your cluster to access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Kusto/clusters\",\n\"apiVersion\": \"2021-08-27\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D11_v2\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"enableDiskEncryption\": true\n}\n}\n
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities overview
    • Configure managed identities for your Azure Data Explorer cluster
    • Managed identities for Azure resources
    • Azure deployment reference
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.SLA/","title":"Use an SLA for Azure Data Explorer clusters","text":"Azure.ADX.SLAAZR-000014Error

    Reliability \u00b7 Data Explorer \u00b7 2022_03

    Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.

    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#description","title":"Description","text":"

    When choosing a SKU for an ADX cluster you should consider the SLA that is included in the SKU. ADX clusters offer a range of offerings. Development SKUs are designed for early non-production use and do not include any SLA.

    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#recommendation","title":"Recommendation","text":"

    Consider using a production ready SKU that includes a SLA.

    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#examples","title":"Examples","text":"","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set sku.tier to Standard.
    • Set sku.name to non-development SKU such as Standard_D11_v2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Kusto/clusters\",\n\"apiVersion\": \"2021-08-27\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D11_v2\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"enableDiskEncryption\": true\n}\n}\n
    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set sku.tier to Standard.
    • Set sku.name to non-development SKU such as Standard_D11_v2.

    For example:

    Azure Bicep snippet
    resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n
    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Data Explorer pricing
    • Azure deployment reference
    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.Usage/","title":"Remove unused Data Explorer clusters","text":"Azure.ADX.UsageAZR-000011Error

    Cost Optimization \u00b7 Data Explorer \u00b7 2022_03

    Regularly remove unused resources to reduce costs.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#description","title":"Description","text":"

    Billing starts for an Azure Data Explorer (ADX) cluster after it is provisioned. To store data in an ADX cluster, you must first create a database. Clusters without any databases are considered unused.

    Additionally, ADX clusters can stopped. Stopping an ADX cluster deallocates and removes compute resources. While in the stopped state, compute charges are not incurred. Any data stored in the cluster is persisted while the cluster is stopped.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing Data Explorer clusters that are not used.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing ADX clusters deployed (in-flight) and running within Azure. If the cluster is stopped, this rule is ignored.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Pricing
    • Stop and restart the cluster
    • Automatic stop of inactive Azure Data Explorer clusters
    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.AKS.AuditLogs/","title":"AKS clusters should collect security-based audit logs","text":"Azure.AKS.AuditLogsAZR-000022Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_09

    AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.

    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#description","title":"Description","text":"

    To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled:

    • kube-audit or kube-audit-admin, or both.
      • kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post.
      • kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log.
    • guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out.
    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.

    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the kube-audit/kube-audit-admin and guard categories.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n},\n\"resources\": [\n{\n\"apiVersion\": \"2016-09-01\",\n\"type\": 
\"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n\"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"kube-audit\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"kube-audit-admin\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"guard\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n],\n\"metrics\": []\n}\n}\n]\n}\n
    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Monitoring AKS data reference
    • Collect resource logs
    • Template reference
    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/","title":"Restrict access to AKS API server endpoints","text":"Azure.AKS.AuthorizedIPsAZR-000030Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_06

    Restrict access to API server endpoints to authorized IP addresses.

    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#description","title":"Description","text":"

    In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities.

    All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges.

    Restricting authorized IP addresses for the API server as the following limitations:

    • Requires AKS clusters configured with a Standard Load Balancer SKU.
    • This feature is not compatible with clusters that use Public IP per Node.

    When configuring this feature you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32.

    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#recommendation","title":"Recommendation","text":"

    Consider restricting network traffic to the API server endpoints to trusted IP addresses. Include output IP addresses for cluster nodes and any range where administration will occur from.

    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --api-server-authorized-ip-ranges '0.0.0.0/32'\n
    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#links","title":"Links","text":"
    • Network security
    • Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)
    • Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AutoScaling/","title":"Enable AKS cluster autoscaler","text":"Azure.AKS.AutoScalingAZR-000019Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 2021_09

    Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present.

    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#description","title":"Description","text":"

    In addition to perform manual scaling, AKS clusters support autoscaling. Autoscaling reduces manual intervention required to scale a cluster to keep up with application demands.

    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#recommendation","title":"Recommendation","text":"

    Consider enabling autoscaling for AKS clusters deployed with virtual machine scale sets.

    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set enable autoscaling for an AKS cluster:

    • Set properties.agentPoolProfiles[*].enableAutoScaling to true.
    • Set properties.agentPoolProfiles[*].type to VirtualMachineScaleSets.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-autoscaler","title":"Enable cluster autoscaler","text":"Azure CLI snippet
    az aks update \\\n--name '<name>' \\\n--resource-group '<resource_group>' \\\n--enable-cluster-autoscaler \\\n--min-count '<min_count>' \\\n--max-count '<max_count>'\n
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-nodepool-autoscaler","title":"Enable cluster nodepool autoscaler","text":"Azure CLI snippet
    az aks nodepool update \\\n--name '<name>' \\\n--resource-group '<resource_group>' \\\n--cluster-name '<cluster_name>' \\\n--enable-cluster-autoscaler \\\n--min-count '<min_count>' \\\n--max-count '<max_count>'\n
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#links","title":"Links","text":"
    • Autoscale with Azure compute services
    • Autoscaling
    • Automatically scale a cluster to meet application demands on Azure Kubernetes Service (AKS)
    • Scaling options for applications in Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/","title":"Set AKS auto-upgrade channel","text":"Azure.AKS.AutoUpgradeAZR-000036Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 2021_12

    Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.

    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#description","title":"Description","text":"

    In additional to performing manual upgrades, AKS supports auto-upgrades. Auto-upgrades reduces manual intervention required to maintain an AKS cluster.

    To configure auto-upgrades select a release channel instead of the default none. The following release channels are available:

    • none - Disables auto-upgrades. The default setting.
    • patch - Automatically upgrade to the latest supported patch version of the current minor version.
    • stable - Automatically upgrade to the latest supported patch release of the recommended minor version. This is N-1 of the current AKS non-preview minor version.
    • rapid - Automatically upgrade to the latest supported patch of the latest support minor version.
    • node-image - Automatically upgrade to the latest node image version. Normally upgraded weekly.
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#recommendation","title":"Recommendation","text":"

    Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.

    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to an upgrade channel such as stable.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to an upgrade channel such as stable.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'\n
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#links","title":"Links","text":"
    • Automation overview
    • Supported Kubernetes versions in Azure Kubernetes Service
    • Support policies for Azure Kubernetes Service
    • Set auto-upgrade channel
    • Azure deployment reference
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/","title":"AKS clusters should use Availability zones in supported regions","text":"Azure.AKS.AvailabilityZoneAZR-000021Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 2021_09

    AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.

    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#description","title":"Description","text":"

    AKS clusters using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.

    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for AKS clusters deployed with virtual machine scale sets.

    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"availabilityZones\" is null, [] or not set when the AKS cluster is deployed to a virtual machine scale set and there are supported availability zones for the given region.

    Configure AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Compute and resource type virtualMachineScaleSets.

    # YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for an AKS cluster:

    • Set properties.agentPoolProfiles[*].availabilityZones to any or all of [\"1\", \"2\", \"3\"].
    • Set properties.agentPoolProfiles[*].type to VirtualMachineScaleSets.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\",\n\"availabilityZones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#create-aks-cluster-in-zone-1-2-and-3","title":"Create AKS Cluster in Zone 1, 2 and 3","text":"Azure CLI snippet
    az aks create \\\n--resource-group '<resource_group>' \\\n--name '<cluster_name>' \\\n--generate-ssh-keys \\\n--vm-set-type VirtualMachineScaleSets \\\n--load-balancer-sku standard \\\n--node-count '<node_count>' \\\n--zones 1 2 3\n
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Create an Azure Kubernetes Service (AKS) cluster that uses availability zones
    • Use zone-aware services
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/","title":"Use Azure Policy Add-on with AKS clusters","text":"Azure.AKS.AzurePolicyAddOnAZR-000028Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2020_12

    Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.

    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#description","title":"Description","text":"

    AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints.

    Examples of policies include:

    • Enforce HTTPS ingress in Kubernetes cluster.
    • Do not allow privileged containers in Kubernetes cluster.
    • Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster.
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#recommendation","title":"Recommendation","text":"

    Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.

    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.addonProfiles.azurepolicy.enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.addonProfiles.azurepolicy.enabled to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#notes","title":"Notes","text":"

    Azure Policy for AKS clusters is generally available (GA). Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.

    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#links","title":"Links","text":"
    • Governance, risk, and compliance
    • Understand Azure Policy for Kubernetes clusters
    • Secure your cluster with Azure Policy
    • Azure deployment reference
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzureRBAC/","title":"Use Azure RBAC for Kubernetes Authorization","text":"Azure.AKS.AzureRBACAZR-000032Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_06

    Use Azure RBAC for Kubernetes Authorization with AKS clusters.

    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#description","title":"Description","text":"

    Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.

    • Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.
    • Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.

    Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM).

    When Azure RBAC is enabled:

    • Azure AD principals will be validated exclusively by Azure RBAC.
    • Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#recommendation","title":"Recommendation","text":"

    Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.

    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.aadProfile.enableAzureRBAC to true.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --enable-azure-rbac\n
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#links","title":"Links","text":"
    • Authorization with Azure AD
    • Use Azure RBAC for Kubernetes Authorization
    • Access and identity options for Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/","title":"AKS clusters using Azure CNI should use large subnets","text":"Azure.AKS.CNISubnetSizeAZR-000020Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 2021_09

    AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.

    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#description","title":"Description","text":"

    In addition to kubenet, AKS clusters support Azure Container Networking Interface (CNI). This enables every pod to be accessed directly from the subnet via an IP address. Each node supports a maximum number of pods, which are reserved as IP addresses. This approach requires more capacity planning ahead of time, and can result in IP address exhaustion or the need to rebuild AKS clusters into larger subnets as application workloads begin to grow.

    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#recommendation","title":"Recommendation","text":"

    Consider allocating a larger subnet (/23 or bigger) to your AKS cluster.

    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using Export in-flight resource data.

    This rule fails when the CNI subnet size is smaller than /23.

    Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to set the minimum AKS CNI cluster subnet size.

    # YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n
    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#links","title":"Links","text":"
    • Plan for growth
    • Configure Azure CNI networking in Azure Kubernetes Service (AKS)
    • Use kubenet networking with your own IP address ranges in Azure Kubernetes Service (AKS)
    • Tutorial: Configure Azure CNI networking in Azure Kubernetes Service (AKS) using Ansible
    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.ContainerInsights/","title":"Enable AKS Container insights","text":"Azure.AKS.ContainerInsightsAZR-000041Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 2021_09

    Enable Container insights to monitor AKS cluster workloads.

    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#description","title":"Description","text":"

    With Container insights, you can use performance charts and health status to monitor AKS clusters, nodes and pods. Container insights delivers quick, visual and actionable information: from the CPU and memory pressure of your nodes to the logs of individual Kubernetes pods.

    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#recommendation","title":"Recommendation","text":"

    Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.

    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#examples","title":"Examples","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Container insights for an AKS cluster:

    • Set properties.addonProfiles.omsAgent.enabled to true.
    • Set Log Analytics workspace ID with properties.addonProfiles.omsAgent.config.logAnalyticsWorkspaceResourceID.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-default-log-analytics-workspace","title":"Enable for default Log Analytics workspace","text":"Azure CLI snippet
    az aks enable-addons \\\n--addons monitoring \\\n--name '<cluster_name>' \\\n--resource-group '<cluster_resource_group>'\n
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-an-existing-log-analytics-workspace","title":"Enable for an existing Log Analytics workspace","text":"Azure CLI snippet
    az aks enable-addons \\\n--addons monitoring \\\n--name '<cluster_name>' \\\n--resource-group '<cluster_resource_group>' \\\n--workspace-resource-id '<workspace_id>'\n
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#links","title":"Links","text":"
    • Container Insights
    • Monitor your Kubernetes cluster performance with Container insights
    • Container insights overview
    • Enable monitoring of a new Azure Kubernetes Service (AKS) cluster
    • Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed
    • Azure deployment reference
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.DNSPrefix/","title":"Use valid AKS cluster DNS prefix","text":"Azure.AKS.DNSPrefixAZR-000040Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.

    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#description","title":"Description","text":"

    The DNS prefix for AKS clusters has different requirements then the cluster name. The requirements for DNS prefixes are:

    • Between 1 and 54 characters long.
    • Alphanumerics and hyphens.
    • Start and end with alphanumeric.
    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#recommendation","title":"Recommendation","text":"

    Consider using a DNS prefix that meets naming requirements.

    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DefenderProfile/","title":"Enable Defender profile","text":"Azure.AKS.DefenderProfileAZR-000370Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2023_03

    Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#description","title":"Description","text":"

    To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters.

    These components are installed when the Defender profile is enabled on the cluster.

    The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#recommendation","title":"Recommendation","text":"

    Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#examples","title":"Examples","text":"","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable the Defender profile with Azure Kubernetes Service clusters:

    • Set the properties.securityProfile.defender.securityMonitoring.enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-01-02-preview\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityProfile\": {\n\"defender\": {\n\"logAnalyticsWorkspaceResourceId\": \"[parameters('logAnalyticsWorkspaceResourceId')]\",\n\"securityMonitoring\": {\n\"enabled\": true\n}\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable the Defender profile with Azure Kubernetes Service clusters:

    • Set the properties.securityProfile.defender.securityMonitoring.enabled to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2023-01-02-preview' = {\n  location: location\n  name: clusterName\n  properties: {\n    securityProfile: {\n      defender: {\n        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId\n        securityMonitoring: {\n          enabled: true\n        }\n      }\n    }\n  } \n}\n
    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#notes","title":"Notes","text":"

    Outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events is required.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for Containers
    • Defender for Containers architecture
    • Deploy the Defender profile
    • Required FQDN / application rules
    • Azure deployment reference
    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/","title":"Use AKS Ephemeral OS disk","text":"Azure.AKS.EphemeralOSDiskAZR-000287Warning

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 2022_09

    AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.

    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#description","title":"Description","text":"

    By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss if the VM needs to be relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency.

    By contrast, ephemeral OS disks are stored only on the host machine, just like a temporary disk. This provides lower read/write latency, along with faster node scaling and cluster upgrades.

    Like the temporary disk, an ephemeral OS disk is included in the price of the virtual machine, so you incur no additional storage costs.

    NB: When a user does not explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given node pool configuration. The rule is therefore configured with -Level Warning as it can give inaccurate information.

    When using ephemeral OS, the OS disk must fit in the VM cache. The sizes for VM cache are available in the Azure documentation in parentheses next to IO throughput (\"cache size in GiB\").

    Examples:

    • Using the AKS default VM size Standard_DS2_v2 with the default OS disk size of 100GB as an example, this VM size supports ephemeral OS but only has 86GB of cache size. This configuration would default to managed disks if the user does not specify explicitly. If a user explicitly requested ephemeral OS, they would receive a validation error.
    • If a user requests the same Standard_DS2_v2 with a 60GB OS disk, this configuration would default to ephemeral OS: the requested size of 60GB is smaller than the maximum cache size of 86GB.
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#recommendation","title":"Recommendation","text":"

    AKS clusters should use ephemeral OS disks.

    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#examples","title":"Examples","text":"","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an AKS cluster that pass this rule:

    • Set properties.agentPoolProfiles.osDiskType to Ephemeral.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2022-06-02-preview\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Basic\",\n\"tier\": \"Paid\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"agentpool\",\n\"osDiskSizeGB\": 60,\n\"count\": \"[parameters('agentCount')]\",\n\"vmSize\": \"[parameters('agentVMSize')]\",\n\"osDiskType\": \"Ephemeral\",\n\"osType\": \"Linux\",\n\"mode\": \"System\"\n}\n],\n\"linuxProfile\": {\n\"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n\"ssh\": {\n\"publicKeys\": [\n{\n\"keyData\": \"[parameters('sshRSAPublicKey')]\"\n}\n]\n}\n}\n}\n}\n

    To deploy an AKS agent pool that pass this rule:

    • Set properties.osDiskType to Ephemeral.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters/agentPools\",\n\"apiVersion\": \"2022-07-01\",\n\"name\": \"[format('{0}/{1}', parameters('clusterName'), variables('poolName'))]\",\n\"properties\": {\n\"count\": \"[variables('minCount')]\",\n\"vmSize\": \"[variables('vmSize')]\",\n\"osDiskSizeGB\": 60,\n\"osType\": \"Linux\",\n\"osDiskType\": \"Ephemeral\",\n\"maxPods\": 50,\n\"mode\": \"User\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an AKS cluster that pass this rule:

    • Set properties.agentPoolProfiles.osDiskType to Ephemeral.

    For example:

    Azure Bicep snippet
    resource aks 'Microsoft.ContainerService/managedClusters@2022-06-02-preview' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Paid'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: 60\n        count: agentCount\n        vmSize: agentVMSize\n        osDiskType: 'Ephemeral'\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n

    To deploy an AKS agent pool that pass this rule:

    • Set properties.osDiskType to Ephemeral.

    For example:

    Azure Bicep snippet
    resource userPool 'Microsoft.ContainerService/managedClusters/agentPools@2022-07-01' = {\n  parent: cluster\n  name: poolName\n  properties: {\n    count: minCount\n    vmSize: vmSize\n    osDiskSizeGB: 60\n    osType: 'Linux'\n    osDiskType: 'Ephemeral'\n    maxPods: 50\n    mode: 'User'\n  }\n}\n
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#links","title":"Links","text":"
    • Performance efficiency checklist
    • Azure Kubernetes Service (AKS) Ephemeral OS
    • Azure deployment reference (managedclusters)
    • Azure deployment reference (agentpools)
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/","title":"Disable HTTP application routing add-on","text":"Azure.AKS.HttpAppRoutingAZR-000035Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_12

    Disable HTTP application routing add-on in AKS clusters.

    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#description","title":"Description","text":"

    The HTTP application routing add-on is designed to quickly expose HTTP endpoints to the public internet. This may be helpful in some limited scenarios, but should not be used in production.

    When exposing application endpoints consider using an ingress controller that supports:

    • Security filtering behind web application firewall (WAF).
    • Encyption in transit over TLS.
    • Multiple replicas.

    Azure provides a production ready ingress controller Application Gateway Ingress Controller (AGIC).

    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#recommendation","title":"Recommendation","text":"

    Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.

    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#examples","title":"Examples","text":"","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.httpApplicationRouting.enabled to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.httpApplicationRouting.enabled to false.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • HTTP application routing
    • Enable Application Gateway Ingress Controller add-on for an existing AKS cluster
    • Azure deployment reference
    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.LocalAccounts/","title":"Disable AKS local accounts","text":"Azure.AKS.LocalAccountsAZR-000031Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Preview \u00b7 2021_06

    Enforce named user accounts with RBAC assigned permissions.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#description","title":"Description","text":"

    AKS clusters support Role-based Access Control (RBAC). RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.

    Additionally some default cluster local account credentials are enabled by default. When enabled, an identity with permissions can perform cluster actions using local account credentials. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts.

    In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '<resource-group>' -n '<cluster-name>' --admin will fail.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#recommendation","title":"Recommendation","text":"

    Consider enforcing usage of named accounts by disabling local Kubernetes account credentials.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#examples","title":"Examples","text":"","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.disableLocalAccounts to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.disableLocalAccounts to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-object-ids '<aad-group-id>' --disable-local\n
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#notes","title":"Notes","text":"

    This Azure feature is currently in preview. To use this feature you must first opt-in by registering the feature on a per-subscription basis. Disabling local accounts should be paired with AKS-managed Azure AD integration (as in the examples and CLI command above): once local accounts are disabled, Azure AD is the only remaining way to authenticate to the cluster, so confirm the admin group object IDs are correct before applying the change.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#links","title":"Links","text":"
    • Authorization with Azure AD
    • Security design principles
    • Disable local accounts (preview)
    • Access and identity options for Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.ManagedAAD/","title":"Enable AKS-managed Azure AD","text":"Azure.AKS.ManagedAADAZR-000029Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_06

    Use AKS-managed Azure AD to simplify authorization and improve security.

    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#description","title":"Description","text":"

    AKS-managed Azure AD integration provides an easy way to use Azure AD authentication and authorization for AKS. Previous Azure AD integration with AKS required app registration and credential management within Azure AD.

    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#recommendation","title":"Recommendation","text":"

    Consider configuring AKS-managed Azure AD integration for AKS clusters.

    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#examples","title":"Examples","text":"","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.aadProfile.managed to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.aadProfile.managed to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-object-ids '<group_id>'\n
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#links","title":"Links","text":"
    • Authorization with Azure AD
    • Security design principles
    • Access and identity options for Azure Kubernetes Service (AKS)
    • AKS-managed Azure Active Directory integration
    • Azure deployment reference
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/","title":"Use managed identities for AKS cluster authentication","text":"Azure.AKS.ManagedIdentityAZR-000025Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Configure AKS clusters to use managed identities for managing cluster infrastructure.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#description","title":"Description","text":"

    During the lifecycle of an AKS cluster, the control plane configures a number of Azure resources. This includes node pools, networking, storage and other supporting services.

    When making calls against the Azure REST APIs, an identity must be used to authenticate requests. The type of identity the control plane will use is configurable at cluster creation. Either a service principal or a managed identity (system-assigned, or user-assigned as in the cluster examples on this page) can be used.

    By default, the service principal credentials are valid for one year. Service principal credentials must be rotated before expiry to prevent issues. You can update or rotate the service principal credentials at any time.

    Using a system-assigned managed identity abstracts the process of managing a service principal. The managed identity is automatically created/removed with the cluster. Managed identities also reduce maintenance (and improve security) by automatically rotating credentials, so there is no long-lived secret to leak or expire.

    Separately, applications within an AKS cluster may use managed identities with AAD Pod Identity.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#notes","title":"Notes","text":"

    AKS clusters cannot be updated to use managed identities for cluster infrastructure after deployment; the cluster must be redeployed.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Use managed identities in Azure Kubernetes Service
    • What are managed identities for Azure resources?
    • Azure deployment reference
    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.MinNodeCount/","title":"Azure.AKS.MinNodeCount","text":"Azure.AKS.MinNodeCountAZR-000024Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 2020_06

    AKS clusters should have a minimum number of nodes for failover and updates.

    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#description","title":"Description","text":"

    Kubernetes clusters should have a minimum of three (3) nodes for high availability and planned maintenance.

    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#recommendation","title":"Recommendation","text":"

    Use at least three (3) agent nodes. Consider deploying additional nodes as required to provide enough resiliency during node failures or planned maintenance.

    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#links","title":"Links","text":"
    • Baseline architecture for an Azure Kubernetes Service (AKS) cluster
    • Create an AKS cluster
    • Azure deployment reference
    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.Name/","title":"Use valid AKS cluster names","text":"Azure.AKS.NameAZR-000039Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Azure Kubernetes Service (AKS) cluster names should meet naming requirements.

    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for AKS cluster names are:

    • Between 1 and 63 characters long.
    • Alphanumerics, underscores, and hyphens.
    • Start and end with alphanumeric.
    • Cluster names must be unique within a resource group.
    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#notes","title":"Notes","text":"

    This rule does not check if cluster names are unique.

    The cluster DNS prefix has different naming requirements than the cluster name. The requirements for DNS prefixes are:

    • Between 1 and 54 characters long.
    • Alphanumerics and hyphens.
    • Start and end with alphanumeric.
    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/","title":"AKS clusters use Network Policies","text":"Azure.AKS.NetworkPolicyAZR-000027Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Deploy AKS clusters with Network Policies enabled.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#description","title":"Description","text":"

    AKS clusters provide a platform to host containerized workloads. The running of these applications or services is orchestrated by Kubernetes. Workloads may elastically scale or change network addressing.

    By default, all pods in an AKS cluster can send and receive traffic without limitations. Network Policy defines access policies for limiting network communication of pods. Using Network Policies allows network controls to be applied with the context of the workload.

    For improved security, define network policy rules to control the flow of traffic. For example, only permit backend components to receive traffic from frontend components.

    To use Network Policy it must be enabled at cluster deployment time. AKS supports two implementations of network policies, Azure Network Policies and Calico Network Policies. Azure Network Policies are supported by Azure support and engineering teams.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#recommendation","title":"Recommendation","text":"

    Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#examples","title":"Examples","text":"","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.networkProfile.networkPolicy to azure or calico.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"[parameters('upgradeChannel')]\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"[string(parameters('useSecretRotation'))]\"\n}\n},\n\"openServiceMesh\": {\n\"enabled\": \"[parameters('useOpenServiceMesh')]\"\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.networkProfile.networkPolicy to azure or calico.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: upgradeChannel\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: string(useSecretRotation)\n        }\n      }\n      openServiceMesh: {\n        enabled: useOpenServiceMesh\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#notes","title":"Notes","text":"

    Network Policy is a deployment time configuration. AKS clusters must be redeployed to enable Network Policy.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)
    • Best practices for network connectivity and security in Azure Kubernetes Service (AKS)
    • Network Policies
    • Azure deployment reference
    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NodeMinPods/","title":"Nodes use a minimum number of pods","text":"Azure.AKS.NodeMinPodsAZR-000018Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.

    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#description","title":"Description","text":"

    Node pools within an Azure Kubernetes Service (AKS) cluster support between 30 and 250 pods per node. The maximum number of pods for nodes within a node pool is set at deployment time.

    When deploying AKS clusters with kubenet networking the default maximum number of pods is 110. For Azure CNI AKS clusters, the default maximum number of pods is 30.

    In many environments, deploying DaemonSets for monitoring and management tools can exhaust the Azure CNI default of 30 pods per node, leaving no capacity for workload pods.

    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#recommendation","title":"Recommendation","text":"

    Consider deploying node pools with maxPods set high enough to accommodate system DaemonSets alongside workload pods.

    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#examples","title":"Examples","text":"","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].maxPods property to at least 50 (the default threshold for this rule).

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 5,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\"\n},\n{\n\"name\": \"user\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 20,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"User\",\n\"osDiskType\": \"Ephemeral\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"oidcIssuerProfile\": {\n\"enabled\": true\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": 
true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"dependsOn\": [\n\"identity\"\n]\n}\n
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].maxPods property to at least 50 (the default threshold for this rule).

    For example:

    Azure Bicep snippet
    resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#notes","title":"Notes","text":"

    By default, this rule fails when node pools have maxPods set to less than 50.

    To configure this rule:

    • Override the Azure_AKSNodeMinimumMaxPods configuration value with the minimum maxPods.
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#links","title":"Links","text":"
    • Plan for growth
    • Plan IP addressing for your cluster
    • Azure deployment reference
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.PlatformLogs/","title":"AKS clusters should collect platform diagnostic logs","text":"Azure.AKS.PlatformLogsAZR-000023Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 2021_09

    AKS clusters should collect platform diagnostic logs to monitor the state of workloads.

    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#description","title":"Description","text":"

    To capture platform logs from AKS clusters, the following diagnostic log/metric categories should be enabled:

    • cluster-autoscaler
      • Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster.
    • kube-apiserver
      • Logs from the Kubernetes API server.
    • kube-controller-manager
      • Gain deeper visibility of issues that may arise between Kubernetes and the Azure control plane. A typical example is the AKS cluster having a lack of permissions to interact with Azure.
    • kube-scheduler
      • Logs from the Kubernetes scheduler.
    • AllMetrics
      • Includes all platform metrics. Sends these values to Log Analytics workspace where it can be evaluated with other data using log queries.
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to capture platform logs from AKS clusters.

    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#notes","title":"Notes","text":"

    Configure AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST to enable selective log categories. By default the following categories are selected, as shown below.

    # YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['cluster-autoscaler', 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', 'AllMetrics']\n
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the cluster-autoscaler, kube-apiserver, kube-controller-manager, kube-scheduler and AllMetrics categories.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n},\n\"resources\": [\n{\n\"apiVersion\": \"2016-09-01\",\n\"type\": 
\"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n\"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"kube-apiserver\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"kube-controller-manager\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"kube-scheduler\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"cluster-autoscaler\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n],\n\"metrics\": [\n{\n\"category\": \"AllMetrics\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#links","title":"Links","text":"
    • Platform Monitoring
    • Monitoring AKS data reference
    • Collect resource logs
    • Template reference
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/","title":"AKS clusters use VM scale sets","text":"Azure.AKS.PoolScaleSetAZR-000017Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Deploy AKS clusters with nodes pools based on VM scale sets.

    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#description","title":"Description","text":"

    When deploying AKS clusters, Azure node pool VMs can be deployed using Availability Sets or VM Scale Sets. New AKS clusters default to VM scale set node pools.

    Deploying AKS clusters with scale set node pools is required for some cluster features such as multiple node pools and cluster autoscaler.

    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#recommendation","title":"Recommendation","text":"

    Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.

    Using VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.

    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#examples","title":"Examples","text":"","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].type property to VirtualMachineScaleSets for each node pool.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 5,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\"\n},\n{\n\"name\": \"user\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 20,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"User\",\n\"osDiskType\": \"Ephemeral\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"oidcIssuerProfile\": {\n\"enabled\": true\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": 
true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"dependsOn\": [\n\"identity\"\n]\n}\n
    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].type property to VirtualMachineScaleSets for each node pool.

    For example:

    Azure Bicep snippet
    resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#links","title":"Links","text":"
    • Plan for growth
    • Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)
    • Scaling options for applications in Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolVersion/","title":"Upgrade AKS node pool version","text":"Azure.AKS.PoolVersionAZR-000016Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 2020_06

    AKS node pools should match Kubernetes control plane version.

    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#description","title":"Description","text":"

    AKS supports multiple node pools. In a multi-node pool configuration, it is possible that the control plane and node pools could be running a different version of Kubernetes.

    Different versions of Kubernetes between the control plane and node pools is intended as a short term option to allow rolling upgrades. For general operation, the control plane and node pool Kubernetes versions should match.

    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#recommendation","title":"Recommendation","text":"

    Consider upgrading node pools to match AKS control plan version.

    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Upgrade a cluster control plane with multiple node pools
    • Supported Kubernetes versions in Azure Kubernetes Service
    • Azure deployment reference
    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.SecretStore/","title":"AKS clusters use Key Vault to store secrets","text":"Azure.AKS.SecretStoreAZR-000033Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_12

    Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.

    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#description","title":"Description","text":"

    AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.

    The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation.

    Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal.

    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#recommendation","title":"Recommendation","text":"

    Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.

    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks enable-addons --addons azure-keyvault-secrets-provider -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#links","title":"Links","text":"
    • Key and secret management considerations in Azure
    • Operational considerations
    • Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster
    • Automate the rotation of a secret for resources that use one set of authentication credentials
    • Automate the rotation of a secret for resources that have two sets of authentication credentials
    • Azure deployment reference
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/","title":"AKS clusters refresh secrets from Key Vault","text":"Azure.AKS.SecretStoreRotationAZR-000034Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2021_12

    Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.

    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#description","title":"Description","text":"

    AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.

    When secrets are updated in Key Vault, pods may need to be restarted to pick up the new secrets. Enabling autorotation with the Secrets Store CSI Driver, automatically refreshed pods with new secrets. It does this by periodically polling for updates to the secrets in Key Vault. The default interval is every 2 minutes.

    The Secrets Store CSI Driver does not automatically change secrets in Key Vault. Updating the secrets in Key Vault must be done by an external process, such as an Azure Function.

    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#recommendation","title":"Recommendation","text":"

    Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.

    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update --enable-secret-rotation -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#links","title":"Links","text":"
    • Key and secret management considerations in Azure
    • Operational considerations
    • Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster
    • Automate the rotation of a secret for resources that use one set of authentication credentials
    • Automate the rotation of a secret for resources that have two sets of authentication credentials
    • Azure deployment reference
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.StandardLB/","title":"Use the Standard load balancer SKU","text":"Azure.AKS.StandardLBAZR-000026Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.

    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#description","title":"Description","text":"

    When deploying an AKS cluster, either a Standard or Basic load balancer SKU can be configured. A Standard load balancer SKU is required for several AKS features including:

    • Multiple node pools
    • Availability zones
    • Authorized IP ranges

    These features improve the scalability and reliability of the cluster.

    AKS clusters can not be updated to use a Standard load balancer SKU after deployment. For switch to an Standard load balancer SKU, the cluster must be redeployed.

    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#recommendation","title":"Recommendation","text":"

    Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.

    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#examples","title":"Examples","text":"","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the properties.networkProfile.loadBalancerSku property to standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"oidcIssuerProfile\": {\n\"enabled\": true\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"dependsOn\": [\n\"identity\"\n]\n}\n
    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the properties.networkProfile.loadBalancerSku property to standard.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#links","title":"Links","text":"
    • Plan for growth
    • Use a Standard SKU load balancer in Azure Kubernetes Service (AKS)
    • LoadBalancer annotations
    • Azure deployment reference
    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.UptimeSLA/","title":"Azure.AKS.UptimeSLA","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#online-version-httpsazuregithubiopsrulerulesazureenrulesazureaksuptimesla","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UptimeSLA/","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#use-aks-uptime-sla","title":"Use AKS Uptime SLA","text":"

    AKS clusters should have Uptime SLA enabled for a financially backed SLA.

    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#description","title":"Description","text":"

    Azure Kubernetes Service (AKS) offers two pricing tiers for cluster management.

    The Standard tier is suitable for financially backed SLA scenarios as it enables Uptime SLA by default on the cluster.

    Benefits:

    • The Free tier SKU imposes in-flight request limits of 50 mutating and 100 read-only calls. The Standard tier SKU automatically scales out based on the load.
    • The Free tier SKU is recommended only for cost-sensitive non-production workloads with 10 or fewer agent nodes. The Standard tier SKU configures more resources for the control plane and will dynamically scale to handle the request load from more nodes.
    • AKS recommends the use of the Standard tier for production workloads to ensure availability of control plane components. Clusters on the Free tier, by contrast come with limited resources for the control plane and are not suitable for production workloads.
    • Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use Availability Zones.
    • Uptime SLA guarantees 99.9% of availability for clusters that don't use Availability Zones.
    • AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.
    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#recommendation","title":"Recommendation","text":"

    Consider enabling Uptime SLA for a financially backed SLA.

    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an AKS cluster that pass this rule:

    • Set sku.tier to Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Basic\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"agentpool\",\n\"osDiskSizeGB\": \"[parameters('osDiskSizeGB')]\",\n\"count\": \"[parameters('agentCount')]\",\n\"vmSize\": \"[parameters('agentVMSize')]\",\n\"osType\": \"Linux\",\n\"mode\": \"System\"\n}\n],\n\"linuxProfile\": {\n\"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n\"ssh\": {\n\"publicKeys\": [\n{\n\"keyData\": \"[parameters('sshRSAPublicKey')]\"\n}\n]\n}\n}\n}\n}\n
    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an AKS cluster that pass this rule:

    • Set sku.tier to Standard.

    For example:

    Azure Bicep snippet
    resource aks 'Microsoft.ContainerService/managedClusters@2023-02-01' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: osDiskSizeGB\n        count: agentCount\n        vmSize: agentVMSize\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n
    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#notes","title":"Notes","text":"

    Basic and Paid are removed in the 2023-02-01 and 2023-02-02 Preview API version, and this will be a breaking change in API versions 2023-02-01 and 2023-02-02 Preview or newer.

    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Kubernetes Service (AKS) Uptime SLA
    • Free and Standard pricing tiers for Azure Kubernetes Service (AKS) cluster management
    • Azure deployment reference
    "},{"location":"en/rules/Azure.AKS.UseRBAC/","title":"AKS clusters use RBAC","text":"Azure.AKS.UseRBACAZR-000038Error

    Security \u00b7 Azure Kubernetes Service \u00b7 2020_06

    Deploy AKS cluster with role-based access control (RBAC) enabled.

    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#description","title":"Description","text":"

    AKS supports granting access to cluster resources using role-based access control (RBAC). Additionally Azure Active Directory (AAD) integration with AKS allows, RBAC to be granted based on AAD user or group.

    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#recommendation","title":"Recommendation","text":"

    Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.

    RBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.

    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#links","title":"Links","text":"
    • Access and identity options for Azure Kubernetes Service (AKS)
    • Authorization with Azure AD
    • Best practices for authentication and authorization in Azure Kubernetes Service (AKS)
    • Using RBAC Authorization
    • Azure deployment reference
    • Use role-based access control (RBAC)
    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.Version/","title":"Upgrade Kubernetes version","text":"Azure.AKS.VersionAZR-000015Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 2020_06

    AKS control plane and nodes pools should use a current stable release.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#description","title":"Description","text":"

    The AKS Kubernetes support policy provides support for the latest generally available (GA) three minor versions (N-2). This version support policy is based on the Kubernetes community support policy, who maintain the Kubernetes project. As the Kubernetes releases new minor versions, the old minor versions are deprecated and eventually removed from support.

    When your cluster or cluster nodes are running a version that is no longer supported, you may:

    • Encounter issues that may adversely affect the reliability of your cluster and cause down time.
    • Have bugs or security vulnerabilities that have already been mitigated by the Kubernetes community.
    • Introduce additional risk to your cluster and applications when you upgrade to a supported version.

    Additionally, AKS provides Platform Support for subset of components following an N-3.

    AKS supports a feature called cluster auto-upgrade, which can be used to reduce operational overhead of upgrading your cluster. This feature allows you to configure your cluster to automatically upgrade to the latest supported minor version of Kubernetes. When you enable cluster auto-upgrade, the control plane and node pools are upgraded to the latest supported minor version. Two channels are available for cluster auto-upgrade that maintain Kubernetes minor versions stable and rapid. For details on the differences between the two channels, see the references below.

    You are able to define a planned maintenance window to schedule and control upgrades to your cluster. Use the Planned Maintenance window to schedule upgrades to your cluster during times of low business impact. Alternatively, consider using blue / green clusters.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#recommendation","title":"Recommendation","text":"

    Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#examples","title":"Examples","text":"","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to rapid or stable. OR
    • Set properties.kubernetesVersion to a newer stable version.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"1.26.6\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to rapid or stable. OR
    • Set properties.kubernetesVersion to a newer stable version.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: '1.26.6'\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'\n
    Azure CLI snippet
    az aks upgrade -n '<name>' -g '<resource_group>' --kubernetes-version '1.26.6'\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzAksCluster -Name '<name>' -ResourceGroupName '<resource_group>' -KubernetesVersion '1.26.6'\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#notes","title":"Notes","text":"

    A list of available Kubernetes versions can be found using the az aks get-versions -o table --location <location> CLI command. To configure this rule:

    • Override the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration value with the minimum Kubernetes version.

    If you must maintain AKS clusters for longer then the community support period, consider switch to Long Term Support (LTS). AKS LTS provides support for a specific Kubernetes version for a longer period of time. The first LTS release is 1.27.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Automatically upgrade an Azure Kubernetes Service cluster
    • Supported Kubernetes versions in Azure Kubernetes Service
    • Support policies for Azure Kubernetes Service
    • Platform support policy
    • Blue-green deployment of AKS clusters
    • Long Term Support (LTS)
    • Azure deployment reference
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.APIM.APIDescriptors/","title":"Use API descriptors","text":"Azure.APIM.APIDescriptorsAZR-000043Warning

    Operational Excellence \u00b7 API Management \u00b7 2020_09

    API Management APIs should have a display name and description.

    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#description","title":"Description","text":"

    Each API created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assist identification for management and usage.

    During monitoring from service provider and consumer perspectives:

    • Having a clear understanding of the purpose of an API is often important to during analysis.
    • Allows for accurate management and clean up of unused APIs.

    This information is visible within the developer portal and exported OpenAPI definitions.

    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#recommendation","title":"Recommendation","text":"

    Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.

    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#examples","title":"Examples","text":"","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management APIs that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with an description of the APIs purpose.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/apis\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n\"properties\": {\n\"displayName\": \"Echo API\",\n\"description\": \"An echo API service.\",\n\"type\": \"http\",\n\"path\": \"echo\",\n\"serviceUrl\": \"https://echo.contoso.com\",\n\"protocols\": [\n\"https\"\n],\n\"apiVersion\": \"v1\",\n\"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n\"subscriptionRequired\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n\"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n]\n}\n
    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management APIs that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with an description of the APIs purpose.

    For example:

    Azure Bicep snippet
    resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    type: 'http'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n
    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#links","title":"Links","text":"
    • Human-readable data
    • Import and publish your first API
    • Azure deployment reference
    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/","title":"API management services should use Availability zones in supported regions","text":"Azure.APIM.AvailabilityZoneAZR-000052Error

    Reliability \u00b7 API Management \u00b7 2021_12

    API management services deployed with Premium SKU should use availability zones in supported regions for high availability.

    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#description","title":"Description","text":"

    API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.

    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for API management services deployed with Premium SKU.

    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is null, [] or less than two zones when API management service is deployed with Premium SKU and there are supported availability zones for the given region.

    Configure AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.ApiManagement and resource type services.

    # YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for a API management service

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match sku.capacity.
    • Set properties.additionalLocations[*].zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match properties.additionalLocations[*].sku.capacity.
    • Set sku.name and/or properties.additionalLocations[*].sku.name to Premium.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-01-01-preview\",\n\"name\": \"[parameters('service_api_mgmt_test2_name')]\",\n\"location\": \"Australia East\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 3\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"properties\": {\n\"publisherEmail\": \"john.doe@contoso.com\",\n\"publisherName\": \"contoso\",\n\"notificationSenderEmail\": \"apimgmt-noreply@mail.windowsazure.com\",\n\"hostnameConfigurations\": [\n{\n\"type\": \"Proxy\",\n\"hostName\": \"[concat(parameters('service_api_mgmt_test2_name'), '.azure-api.net')]\",\n\"negotiateClientCertificate\": false,\n\"defaultSslBinding\": true,\n\"certificateSource\": \"BuiltIn\"\n}\n],\n\"additionalLocations\": [\n{\n\"location\": \"East US\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 3\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"disableGateway\": false\n}\n],\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"false\"\n},\n\"virtualNetworkType\": \"None\",\n\"disableGateway\": false,\n\"apiVersionConstraint\": {}\n}\n}\n
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for a API management service

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match sku.capacity.
    • Set properties.additionalLocations[*].zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match properties.additionalLocations[*].sku.capacity.
    • Set sku.name and/or properties.additionalLocations[*].sku.name to Premium.

    For example:

    Azure Bicep snippet
    resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2021-01-01-preview' = {\n  name: service_api_mgmt_test2_name\n  location: 'Australia East'\n  sku: {\n    name: 'Premium'\n    capacity: 3\n  }\n  zones: [\n    '1',\n    '2',\n    '3'\n  ]\n  properties: {\n    publisherEmail: 'john.doe@contoso.com'\n    publisherName: 'contoso'\n    notificationSenderEmail: 'apimgmt-noreply@mail.windowsazure.com'\n    hostnameConfigurations: [\n      {\n        type: 'Proxy'\n        hostName: '${service_api_mgmt_test2_name}.azure-api.net'\n        negotiateClientCertificate: false\n        defaultSslBinding: true\n        certificateSource: 'BuiltIn'\n      }\n    ]\n    additionalLocations: [\n      {\n        location: 'East US'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        zones: [\n          '1'\n        ]\n        disableGateway: false\n      }\n    ]\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'false'\n    }\n    virtualNetworkType: 'None'\n    disableGateway: false\n    apiVersionConstraint: {}\n  }\n}\n
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Availability zone support for Azure API Management
    • Use zone-aware services
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.CORSPolicy/","title":"Avoid wildcards in APIM CORS policies","text":"Azure.APIM.CORSPolicyAZR-000365Error

    Security \u00b7 API Management \u00b7 2023_03

    Avoid using wildcard for any configuration option in CORS policies.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#description","title":"Description","text":"

    The API Management cors policy adds cross-origin resource sharing (CORS) support to an operation or APIs.

    CORS is not a security feature. CORS is a W3C standard that allows a server to relax the same-origin policy enforced by modern browsers. CORS uses HTTP headers that allows API Management (and other HTTP servers) to indicate any allowed origins.

    Using wildcard (*) in any policy is overly permissive and may reduce the effectiveness of browser same-origin policy enforcement.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#recommendation","title":"Recommendation","text":"

    Consider configuring the CORS policy by specifying explicit values for each property.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#examples","title":"Examples","text":"","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-api-management-policy","title":"Configure API Management policy","text":"

    To deploy API Management CORS policies that pass this rule:

    • When configuring cors policies provide the exact values for all propeties.
    • Avoid using wildcards for any property of the cors policy including:
      • allowed-origins
      • allowed-methods
      • allowed-headers
      • expose-headers

    For example a global scoped policy:

    API Management policy
    <policies>\n<inbound>\n<cors allow-credentials=\"true\">\n<allowed-origins>\n<origin>https://contoso.developer.azure-api.net</origin>\n<origin>https://developer.contoso.com</origin>\n</allowed-origins>\n<allowed-methods preflight-result-max-age=\"300\">\n<method>GET</method>\n<method>PUT</method>\n<method>POST</method>\n<method>PATCH</method>\n<method>HEAD</method>\n<method>DELETE</method>\n<method>OPTIONS</method>\n</allowed-methods>\n<allowed-headers>\n<header>Content-Type</header>\n<header>Cache-Control</header>\n<header>Authorization</header>\n</allowed-headers>\n</cors>\n</inbound>\n<backend>\n<forward-request />\n</backend>\n<outbound />\n<on-error />\n</policies>\n
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management CORS policies that pass this rule:

    • Configure an policy sub-resource.
    • Avoid using wildcards * for any CORS policy element in properties.value property. Instead provide exact values.

    For example a global scoped policy:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/policies\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n\"properties\": {\n\"value\": \"<policies><inbound><cors allow-credentials=\\\"true\\\"><allowed-origins><origin>https://contoso.developer.azure-api.net</origin><origin>https://developer.contoso.com</origin></allowed-origins><allowed-methods preflight-result-max-age=\\\"300\\\"><method>GET</method><method>PUT</method><method>POST</method><method>PATCH</method><method>HEAD</method><method>DELETE</method><method>OPTIONS</method></allowed-methods><allowed-headers><header>Content-Type</header><header>Cache-Control</header><header>Authorization</header></allowed-headers></cors></inbound><backend><forward-request /></backend><outbound /><on-error /></policies>\",\n\"format\": \"xml\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management CORS policies that pass this rule:

    • Configure an policy sub-resource.
    • Avoid using wildcards * for any CORS policy element in properties.value property. Instead provide exact values.

    For example a global scoped policy:

    Azure Bicep snippet
    resource globalPolicy 'Microsoft.ApiManagement/service/policies@2022-08-01' = {\n  parent: service\n  name: 'policy'\n  properties: {\n    value: '<policies><inbound><cors allow-credentials=\"true\"><allowed-origins><origin>https://contoso.developer.azure-api.net</origin><origin>https://developer.contoso.com</origin></allowed-origins><allowed-methods preflight-result-max-age=\"300\"><method>GET</method><method>PUT</method><method>POST</method><method>PATCH</method><method>HEAD</method><method>DELETE</method><method>OPTIONS</method></allowed-methods><allowed-headers><header>Content-Type</header><header>Cache-Control</header><header>Authorization</header></allowed-headers></cors></inbound><backend><forward-request /></backend><outbound /><on-error /></policies>'\n    format: 'xml'\n  }\n}\n
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#notes","title":"Notes","text":"

    The rule only checks against rawxml and xml policy formatted content.

    When using Azure Bicep, the policy XML can be loaded from an external file by using the loadTextContent function.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#links","title":"Links","text":"
    • Application threat analysis
    • CORS policy
    • Mitigate OWASP API threats
    • How CORS works
    • Policies in Azure API Management
    • File functions for Bicep
    • Azure deployment reference
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/","title":"API Management uses current certificates","text":"Azure.APIM.CertificateExpiryAZR-000051Error

    Operational Excellence \u00b7 API Management \u00b7 2020_06

    Renew certificates used for custom domain bindings.

    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#description","title":"Description","text":"

    When custom domains are configured within an API Management service. A certificate must be assigned to allow traffic to be transmitted using TLS.

    Each certificate has an expiry date, after which the certificate is not valid. After expiry, client connections to the API Management service will reject the certificate.

    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#recommendation","title":"Recommendation","text":"

    Consider renewing certificates before expiry to prevent service issues.

    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#notes","title":"Notes","text":"

    By default, this rule fails when certificates have less than 30 days remaining before expiry.

    To configure this rule:

    • Override the Azure_MinimumCertificateLifetime configuration value with the minimum number of days until expiry.
    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#links","title":"Links","text":"
    • Configure a custom domain name
    • Azure deployment reference
    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.Ciphers/","title":"Use secure ciphers for API Management","text":"Azure.APIM.CiphersAZR-000055Error

    Security \u00b7 API Management \u00b7 2022_03

    API Management should not accept weak or deprecated ciphers for client or backend communication.

    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#description","title":"Description","text":"

    API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to 'False'.

    The following ciphers are considered weak or deprecated:

    • TripleDes168
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#recommendation","title":"Recommendation","text":"

    Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.

    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#examples","title":"Examples","text":"","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to \"False\" (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to 'False' (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#links","title":"Links","text":"
    • Data encryption in Azure
    • Manage protocols and ciphers in Azure API Management
    • Cryptographic Recommendations
    • Azure deployment reference
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.DefenderCloud/","title":"Onboard Defender for APIs","text":"Azure.APIM.DefenderCloudAZR-000387Error

    Security \u00b7 API Management \u00b7 2023_06

    APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.

    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#description","title":"Description","text":"

    Microsoft Defender for APIs provides additional security for APIs published in Azure API Management. Protection is provided by analyzing onboarded APIs.

    Which allows Microsoft Defender for Cloud to produce security findings. These security findings includes API recommendations and runtime threats.

    The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard. Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.

    To use Microsoft Defender for APIs:

    1. Enable the plan at the subscription level.
    2. Onboard each API to Microsoft Defender for APIs.
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.

    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management APIs that pass this rule:

    • Deploy a Microsoft.Security/apiCollections sub-resource (extension resource).
    • Set the name property to the name as the API.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/apiCollections\",\n\"apiVersion\": \"2022-11-20-preview\",\n\"scope\": \"[format('Microsoft.ApiManagement/service/{0}', parameters('apiManagementServiceName'))]\",\n\"name\": \"[parameters('apiName')]\"\n}\n
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management APIs that pass this rule:

    • Deploy a Microsoft.Security/apiCollections sub-resource (extension resource).
    • Set the name property to the name as the API.

    For example:

    Azure Bicep snippet
    resource apiManagementService 'Microsoft.ApiManagement/service@2022-08-01' existing = {\n  name: apiManagementServiceName\n}\n\nresource onboardDefender 'Microsoft.Security/apiCollections@2022-11-20-preview' = {\n  name: apiName\n  scope: apiManagementService\n}\n
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#notes","title":"Notes","text":"

    Microsoft Defender for APIs is a preview feature and has the following limitations:

    • Not all regions are supported.
    • Only REST APIs published through Azure API Management are supported.
    • APIs published through a self-hosted gateway are not supported.
    • APIs defined within an API Management workspace are not supported.

    This rule may currently generate false positive results for APIs only hosted on self-hosted gateways or managed using workspaces.

    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for APIs
    • Support and prerequisites for Defender for APIs
    • Onboard Defender for APIs
    • Quickstart: Enable enhanced security features
    • Azure security baseline for API Management
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.EncryptValues/","title":"Use encrypted named values","text":"Azure.APIM.EncryptValuesAZR-000045Error

    Security \u00b7 API Management \u00b7 2023_06

    Encrypt all API Management named values with Key Vault secrets.

    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#description","title":"Description","text":"

    Named values can be used to manage constant string values and secrets across all API configurations and policies.

    Named values are a global collection of name/value pairs in each API Management instance, which may contain sensitive information.

    Secret values can be stored either as encrypted strings in API Management (custom secrets) or by referencing secrets in Azure Key Vault.

    All secrets in Key Vault are stored encrypted.

    Using Key Vault secrets is recommended because it helps improve API Management security by:

    • Granular access policies and audit logs can be used with secrets.
    • Making it easier to rotate secrets within Key Vault.
    • Secrets that are rotated in Key Vault are automatically refreshed within API Management within 4 hours. You can also manually refresh the secret using the Azure portal or via the management REST API.
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#recommendation","title":"Recommendation","text":"

    Consider encrypting all API Management named values with Key Vault secrets.

    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management named values that pass this rule:

    • Configure a named value sub-resource.
    • Configure the properties.keyVault.secretIdentifier property.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/namedValues\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('namedValue'))]\",\n\"properties\": {\n\"displayName\": \"[parameters('namedValue')]\",\n\"keyVault\": {\n\"identityClientId\": null,\n\"secretIdentifier\": \"[format('https://myVault.vault.azure.net/secrets/{0}', parameters('namedValue'))]\"\n},\n\"tags\": []\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management named values that pass this rule:

    • Configure a named value sub-resource.
    • Configure the properties.keyVault.secretIdentifier property.

    For example:

    Azure Bicep snippet
    resource apimNamedValue 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {\n  name: namedValue\n  parent: apim\n  properties: {\n    displayName: namedValue\n    keyVault: {\n      identityClientId: null\n      secretIdentifier: 'https://myVault.vault.azure.net/secrets/${namedValue}'\n    }\n    tags: []\n  }\n}\n
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#notes","title":"Notes","text":"

    Using Key Vault secrets requires a system-assigned or user-assigned managed identity assigned to the API Management instance. The identity needs permissions to get and list secrets from the Key Vault. Also make sure to read the Prerequisites for key vault integration section in links.

    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#links","title":"Links","text":"
    • Key storage
    • Prerequisites for key vault integration
    • Azure deployment reference
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.HTTPBackend/","title":"Use HTTPS backend connections","text":"Azure.APIM.HTTPBackendAZR-000044Error

    Security \u00b7 API Management \u00b7 2020_06

    Use HTTPS for communication to backend services.

    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#description","title":"Description","text":"

    When API Management connects to the backend API it can use HTTP or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.

    Additionally, when configuring backends:

    • Use a newer version of TLS such as TLS 1.2.
    • Use client certificate authentication from API Management to authenticate to the backend.
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#recommendation","title":"Recommendation","text":"

    Consider configuring only backend services configured with HTTPS-based URLs.

    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#examples","title":"Examples","text":"","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy APIs that pass this rule:

    • Set the properties.serviceUrl property to a URL that starts with https://.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/apis\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n\"properties\": {\n\"displayName\": \"Echo API\",\n\"description\": \"An echo API service.\",\n\"path\": \"echo\",\n\"serviceUrl\": \"https://echo.contoso.com\",\n\"protocols\": [\n\"https\"\n],\n\"apiVersion\": \"v1\",\n\"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n\"subscriptionRequired\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n\"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n]\n}\n

    To deploy API backends that pass this rule:

    • Set the properties.url property to a URL that starts with https://.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/backends\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n\"properties\": {\n\"title\": \"echo\",\n\"description\": \"A backend service for the Each API.\",\n\"protocol\": \"http\",\n\"url\": \"https://echo.contoso.com\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy APIs that pass this rule:

    • Set the properties.serviceUrl property to a URL that starts with https://.

    For example:

    Azure Bicep snippet
    resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n

    To deploy API backends that pass this rule:

    • Set the properties.url property to a URL that starts with https://.

    For example:

    Azure Bicep snippet
    resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    title: 'echo'\n    description: 'A backend service for the Each API.'\n    protocol: 'http'\n    url: 'https://echo.contoso.com'\n  }\n}\n
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#links","title":"Links","text":"
    • Data encryption in Azure
    • Manage protocols and ciphers in Azure API Management
    • Secure backend services using client certificate authentication in Azure API Management
    • Azure deployment reference for APIs
    • Azure deployment reference for backends
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/","title":"Publish APIs through HTTPS connections","text":"Azure.APIM.HTTPEndpointAZR-000042Error

    Security \u00b7 API Management \u00b7 2020_06

    Enforce HTTPS for communication to API clients.

    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#description","title":"Description","text":"

    When an client connects to API Management it can use HTTP or HTTPS. Each API can be configured to accept connection for HTTP and/ or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.

    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#recommendation","title":"Recommendation","text":"

    Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.

    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#links","title":"Links","text":"
    • Data encryption in Azure
    • Import and publish a back-end API
    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/","title":"API Management uses a managed identity","text":"Azure.APIM.ManagedIdentityAZR-000053Error

    Security \u00b7 API Management \u00b7 2020_06

    Configure managed identities to access Azure resources.

    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#description","title":"Description","text":"

    API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management.

    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Use managed identities in Azure API Management
    • Authenticate with managed identity
    • Azure deployment reference
    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/","title":"API Management API versions prior to 2021-08-01 will be retired","text":"Azure.APIM.MinAPIVersionAZR-000321Error

    Operational Excellence \u00b7 API Management \u00b7 2022_12

    API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.

    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#description","title":"Description","text":"

    On 30 September 2023, all API versions prior to 2021-08-01 will be retired and API calls using those API versions will fail. This means you'll no longer be able to create or manage your API Management services using your existing templates, tools, scripts, and programs until they've been updated. Data operations (such as accessing the APIs or Products configured on Azure API Management) will be unaffected by this update, including after 30 September 2023.

    From now through 30 September 2023, you can continue to use the templates, tools, and programs without impact. You can transition to API version 2021-08-01 or later at any point prior to 30 September 2023.

    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#recommendation","title":"Recommendation","text":"

    Limit control plane API calls to API Management with version '2021-08-01' or newer.

    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management services that pass this rule:

    • Set the apiVersion property to '2021-08-01' or newer.
    • Set the properties.apiVersionConstraint.minApiVersion property to '2021-08-01' or newer.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management services that pass this rule:

    • Use the API Version Microsoft.ApiManagement/service@2021-08-01 or newer.
    • Set the properties.apiVersionConstraint.minApiVersion property to '2021-08-01' or newer.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#notes","title":"Notes","text":"

    This rule fails:

    • When the properties.apiVersionConstraint.minApiVersion property is not configured.
    • When the properties.apiVersionConstraint.minApiVersion property value is less than the default value 2021-08-01 and no configuration option property value is set to overwrite the default value.
    • When the properties.apiVersionConstraint.minApiVersion property value is less than the configuration option property value specified.

    Important Currently, depending on how you delete an API Management instance, the instance is either soft-deleted and recoverable during a retention period, or it's permanently deleted:

    • When you use the Azure portal or REST API version 2020-06-01-preview or later to delete an API Management instance, it's soft-deleted.
    • An API Management instance deleted using a REST API version before 2020-06-01-preview is permanently deleted.

    Configure AZURE_APIM_MIN_API_VERSION to set the minimum API version used for control plane API calls to the API Management instance.

    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-08-01'\n
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#links","title":"Links","text":"
    • Repeatable Infrastructure
    • Azure API Management API version retirements
    • Azure API Management soft-delete API versions
    • Azure deployment reference
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MultiRegion/","title":"Multi-region deployment","text":"Azure.APIM.MultiRegionAZR-000340Error

    Reliability \u00b7 API Management \u00b7 2022_12

    API Management instances should use multi-region deployment to improve service availability.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#description","title":"Description","text":"

    Azure API Management supports multi-region deployment. Multi-region deployment provides availability of the API gateway in more than one region and provides service availability if one region goes offline.

    This feature is currently only available for the Premium tier of API Management.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#recommendation","title":"Recommendation","text":"

    Consider deploying an API Management service across multiple regions to improve service availability.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management instances that pass this rule:

    • Configure the properties.additionalLocations property.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-12-01-preview\",\n\"name\": \"[parameters('apiManagementServiceName')]\",\n\"location\": \"eastus\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"properties\": {\n\"additionalLocations\": [\n{\n\"location\": \"westeurope\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"disableGateway\": false\n}\n]\n}\n}\n
    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management instances that pass this rule:

    • Configure the properties.additionalLocations property.

    For example:

    Azure Bicep snippet
    resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#notes","title":"Notes","text":"

    This rule is only applicable for API Management instances configured with a Premium tier.

    It is recommended to configure zone redundancy if the region supports it.

    Virtual network settings must be configured in the added region, if networking is configured in the existing region or regions. The rule does not take this into consideration.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Azure API Management instance multi-region
    • Azure deployment reference
    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/","title":"Multi-region deployment gateways","text":"Azure.APIM.MultiRegionGatewayAZR-000341Error

    Reliability \u00b7 API Management \u00b7 2022_12

    API Management instances should have multi-region deployment gateways enabled.

    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#description","title":"Description","text":"

    Azure API Management supports multi-region deployment. Deploy API Management in multiple locations to:

    • Provide active-active redundancy for API gateway requests across Azure regions.
    • Serve the request from the closest API gateway region to the original request.

    API gateways can be disabled to enable you to test failover of your API workloads to another region. When disabled, an API gateway will not route API traffic. Re-enable API gateways after you have concluded failover testing, so that the gateway is available for failover if another region becomes unavailable; a gateway left disabled silently removes that region from the redundancy set.

    If a region goes offline, API requests are automatically routed around the failed region to the next closest gateway.

    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#recommendation","title":"Recommendation","text":"

    Consider enabling each regional API gateway location for multi-region redundancy.

    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management instances that pass this rule:

    • Set the properties.additionalLocations.disableGateway property to false for each additional location.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-12-01-preview\",\n\"name\": \"[parameters('apiManagementServiceName')]\",\n\"location\": \"eastus\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"properties\": {\n\"additionalLocations\": [\n{\n\"location\": \"westeurope\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"disableGateway\": false\n}\n]\n}\n}\n
    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management instances that pass this rule:

    • Set the properties.additionalLocations.disableGateway property to false for each additional location.

    For example:

    Azure Bicep snippet
    resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#links","title":"Links","text":"
    • Resiliency and dependencies
    • About multi-region deployment
    • Azure deployment reference
    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.Name/","title":"Use valid API Management service names","text":"Azure.APIM.NameAZR-000056Error

    Operational Excellence \u00b7 API Management \u00b7 2020_09

    API Management service names should meet naming requirements.

    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for API Management service names are:

    • Between 1 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start with a letter.
    • End with a letter or number.
    • API Management service names must be globally unique.
    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#notes","title":"Notes","text":"

    This rule does not check if API Management service names are unique.

    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.PolicyBase/","title":"Base element","text":"Azure.APIM.PolicyBaseAZR-000371Error

    Security \u00b7 API Management \u00b7 2023_06

    Base element for any policy element in a section should be configured.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#description","title":"Description","text":"

    Determine the policy evaluation order by placement of the base (<base />) element in each section in the policy definition at each scope.

    API Management supports the following scopes: Global (all APIs), Workspace, Product, API, or Operation.

    The base element inherits the policies configured in that section at the next broader (parent) scope. Without it, the security or other controls inherited from parent scopes are not applied in that section. The base element can be placed before or after any policy element in a section, depending on the intended evaluation order. However, placing it after local policy elements can reduce the effectiveness of security controls defined at inherited scopes, because those controls run only after the local policies have already executed. For most cases, unless otherwise specified in the policy reference (such as cors), the base element should be specified as the first element in each section.

    A specific exception is the Global scope. The Global scope does not need the base element because it is the top-most scope from which all others inherit.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#recommendation","title":"Recommendation","text":"

    Consider configuring the base element for any policy element in a section.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#examples","title":"Examples","text":"","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management policies that pass this rule:

    • Configure a policy sub-resource.
    • Configure the base element (normally as the first element) before or after any policy element in each section of the properties.value property.

    For example an API policy:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/apis/policies\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n\"properties\": {\n\"value\": \"<policies><inbound><base /><ip-filter action=\\\"allow\\\"><address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>\",\n\"format\": \"xml\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service/apis', parameters('name'))]\"\n],\n}\n
    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management policies that pass this rule:

    • Configure a policy sub-resource.
    • Configure the base element (normally as the first element) before or after any policy element in each section of the properties.value property.

    For example an API policy:

    Azure Bicep snippet
    resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {\n  parent: api\n  name: 'policy'\n  properties: {\n    value: '<policies><inbound><base /><ip-filter action=\\\"allow\\\"><address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>'\n    format: 'xml'\n  }\n}\n
    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#notes","title":"Notes","text":"

    The rule only checks against rawxml and xml policy formatted content. Global policies are excluded since they don't benefit from the base element.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#links","title":"Links","text":"
    • Secure application configuration and dependencies
    • Things to know
    • Mitigate OWASP API threats
    • Apply policies specified at different scopes
    • Azure deployment reference
    • Azure deployment reference
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.ProductApproval/","title":"Require approval for products","text":"Azure.APIM.ProductApprovalAZR-000047Error

    Security \u00b7 API Management \u00b7 2020_06

    Configure products to require approval.

    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#description","title":"Description","text":"

    When publishing APIs through Azure API Management (APIM), APIs are assigned to products. Access to use an API is delegated through a product.

    When a product does not require approval, any user who can sign in to the developer portal can subscribe to the product and gain access to its APIs immediately, without an administrator reviewing the request.

    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#recommendation","title":"Recommendation","text":"

    Consider configuring all API Management products to require approval.

    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#links","title":"Links","text":"
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/","title":"Use product descriptors","text":"Azure.APIM.ProductDescriptorsAZR-000049Warning

    Operational Excellence \u00b7 API Management \u00b7 2020_09

    API Management products should have a display name and description.

    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#description","title":"Description","text":"

    Each product created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assist identification for management and usage.

    During monitoring from service provider perspective:

    • Having a clear understanding of the purpose of a product is often important during analysis.
    • Allows for accurate management and clean up of unused or old products.
    • Allows for accurate access control decisions.

    This information is visible within the developer portal.

    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#recommendation","title":"Recommendation","text":"

    Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.

    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#examples","title":"Examples","text":"","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management Products that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with a description of the product's purpose.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/products\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n\"properties\": {\n\"displayName\": \"Echo\",\n\"description\": \"Echo API services for Contoso.\",\n\"approvalRequired\": true,\n\"subscriptionRequired\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management Products that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with a description of the product's purpose.

    For example:

    Azure Bicep snippet
    resource product 'Microsoft.ApiManagement/service/products@2021-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n
    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#links","title":"Links","text":"
    • Human-readable data
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductSubscription/","title":"Require a subscription for products","text":"Azure.APIM.ProductSubscriptionAZR-000046Error

    Security \u00b7 API Management \u00b7 2020_06

    Configure products to require a subscription.

    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#description","title":"Description","text":"

    When publishing APIs through Azure API Management (APIM), APIs can be secured using subscription keys. Client applications that consume published APIs must subscribe before making calls to those APIs.

    When combined with policies, subscriptions allow controls such as throttling to be implemented per client. A subscription key identifies the calling client; it is not a substitute for authenticating the end user or the backend, which should be handled by additional policies.

    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#recommendation","title":"Recommendation","text":"

    Consider configuring all API Management products to require a subscription.

    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#links","title":"Links","text":"
    • Subscriptions in Azure API Management
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductTerms/","title":"Use API product legal terms","text":"Azure.APIM.ProductTermsAZR-000050Error

    Operational Excellence \u00b7 API Management \u00b7 2020_09

    Set legal terms for each product registered in API Management.

    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#description","title":"Description","text":"

    Within API Management a product is created to publish one or more APIs. For each product legal terms can be specified. When set, developers using the developer portal are required to accept the terms to subscribe to a product. Use these terms to set expectations on acceptable use of the included APIs.

    Acceptance of legal terms is bypassed when an administrator creates a subscription.

    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#recommendation","title":"Recommendation","text":"

    Consider configuring legal terms for all products to declare acceptable use of included APIs.

    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#links","title":"Links","text":"
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.Protocols/","title":"Use secure TLS versions for API Management","text":"Azure.APIM.ProtocolsAZR-000054Error

    Security \u00b7 API Management \u00b7 2020_06

    API Management should only accept a minimum of TLS 1.2 for client and backend communication.

    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#description","title":"Description","text":"

    API Management provides support for older TLS/SSL protocols, which are disabled by default. These older versions are provided for compatibility only and are not considered secure.

    The following protocols are considered weak or deprecated:

    • SSL 3.0
    • TLS 1.0
    • TLS 1.1
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2 for both client (front-end) and backend connections. Also consider disabling weak or deprecated ciphers.

    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#examples","title":"Examples","text":"","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to \"False\" (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to 'False' (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#links","title":"Links","text":"
    • Data encryption in Azure
    • Manage protocols and ciphers in Azure API Management
    • Cryptographic Recommendations
    • Azure deployment reference
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.SampleProducts/","title":"Remove default products","text":"Azure.APIM.SampleProductsAZR-000048Error

    Operational Excellence \u00b7 API Management \u00b7 2020_06

    Remove starter and unlimited sample products.

    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#description","title":"Description","text":"

    API Management includes two sample products, Starter and Unlimited. Accidentally adding APIs to these sample products may expose those APIs more widely than intended, because the access settings of the sample products were not chosen for your workload.

    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#recommendation","title":"Recommendation","text":"

    Consider removing starter and unlimited sample products from API Management.

    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#links","title":"Links","text":"
    • Create and publish a product
    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.ASE.MigrateV3/","title":"Migrate to App Service Environment v3","text":"Azure.ASE.MigrateV3AZR-000319Error

    Operational Excellence \u00b7 App Service Environment \u00b7 2022_12

    Use ASEv3 as a replacement for the classic App Service Environment versions ASEv1 and ASEv2.

    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#description","title":"Description","text":"

    The classic App Service Environment version 1 (ASEv1) and version 2 (ASEv2) will be retired on August 31, 2024. To avoid service disruption, migrate to App Service Environment version 3 (ASEv3). App Service Environment v3 has advantages and feature differences that provide enhanced support for your workloads and can reduce overall costs.

    App Service Environment v3 differs from earlier versions in the following ways:

    • There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.
    • You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. In this case, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see Migrate App Service Environment to availability zone support.
    • You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant.
    • Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multi-tenant service, it's a lot faster.
    • Front-end scaling adjustments are no longer required. App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts.
    • Scaling no longer blocks other scale operations within the App Service Environment v3. Only one scale operation can be in effect for a combination of OS and size. For example, while your Windows small App Service plan is scaling, you could kick off a scale operation to run at the same time on a Windows medium or anything else other than Windows small.
    • You can reach apps in an internal-VIP App Service Environment v3 across global peering. Such access wasn't possible in earlier versions.

    A few features that were available in earlier versions of App Service Environment aren't available in App Service Environment v3. For example, you can no longer do the following:

    • Monitor your traffic with Network Watcher or network security group (NSG) flow logs.
    • Perform a backup and restore operation on a storage account behind a firewall.
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#recommendation","title":"Recommendation","text":"

    Classic App Service Environments should migrate to App Service Environment v3.

    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#examples","title":"Examples","text":"","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Service Environments that pass this rule:

    • Set kind to 'ASEV3'.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"_generator\": {\n\"name\": \"bicep\",\n\"version\": \"0.11.1.770\",\n\"templateHash\": \"13381170219553357893\"\n}\n},\n\"parameters\": {\n\"aseName\": {\n\"type\": \"string\",\n\"defaultValue\": \"001-ase\",\n\"metadata\": {\n\"description\": \"Name of the App Service Environment\"\n}\n},\n\"virtualNetworkName\": {\n\"type\": \"string\",\n\"defaultValue\": \"ase-001-vnet\",\n\"metadata\": {\n\"description\": \"The name of the vnet\"\n}\n},\n\"vnetResourceGroupName\": {\n\"type\": \"string\",\n\"defaultValue\": \"ase-001-rg\",\n\"metadata\": {\n\"description\": \"The resource group name that contains the vnet\"\n}\n},\n\"subnetName\": {\n\"type\": \"string\",\n\"defaultValue\": \"ase-001-sn\",\n\"metadata\": {\n\"description\": \"Subnet name that will contain the App Service Environment\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for the resources\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Web/hostingEnvironments\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('aseName')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"ASEV3\",\n\"tags\": {\n\"displayName\": \"App Service Environment\",\n\"usage\": \"Hosting awesome applications\",\n\"owner\": \"Platform\"\n},\n\"properties\": {\n\"virtualNetwork\": {\n\"id\": \"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('vnetResourceGroupName')), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]\"\n}\n}\n}\n]\n}\n
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy app service environments pass this rule:

    • Set kind to 'ASEV3'.

    For example:

    Azure Bicep snippet
    @description('Name of the App Service Environment')\nparam aseName string = '001-ase'\n\n@description('The name of the vnet')\nparam virtualNetworkName string = 'ase-001-vnet'\n\n@description('The resource group name that contains the vnet')\nparam vnetResourceGroupName string = 'ase-001-rg'\n\n@description('Subnet name that will contain the App Service Environment')\nparam subnetName string = 'ase-001-sn'\n\n@description('Location for the resources')\nparam location string = resourceGroup().location\n\nresource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-05-01' existing = {\n  scope: resourceGroup(vnetResourceGroupName)\n  name: virtualNetworkName\n}\n\nresource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' existing = {\n  parent: virtualNetwork\n  name: subnetName\n}\n\nresource hostingEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' = {\n  name: aseName\n  location: location\n  kind: 'ASEV3'\n  tags: {\n    displayName: 'App Service Environment'\n    usage: 'Hosting awesome applications'\n    owner: 'Platform'\n  }\n  properties: {\n    virtualNetwork: {\n      id: subnet.id\n    }\n  }\n}\n
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#links","title":"Links","text":"
    • Infrastructure provisioning
    • App Service Environment version 1 and version 2 will be retired on 31 August 2024
    • Migrate to App Service Environment v3
    • Azure deployment reference
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASG.Name/","title":"Use valid ASG names","text":"Azure.ASG.NameAZR-000085Error

    Operational Excellence \u00b7 Application Security Group \u00b7 2021_12

    Application Security Group (ASG) names should meet naming requirements.

    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for ASG names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • ASG names must be unique within a resource group.
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#examples","title":"Examples","text":"","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Security Groups that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('asgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Security Groups that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Bicep snippet
    resource asg 'Microsoft.Network/applicationSecurityGroups@2022-01-01' = {\n  name: asgName\n  location:location\n  properties: {}\n}\n
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#notes","title":"Notes","text":"

    This rule does not check if ASG names are unique.

    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/","title":"Audit App Configuration Store","text":"Azure.AppConfig.AuditLogsAZR-000311Error

    Security \u00b7 App Configuration \u00b7 2022_09

    Ensure app configuration store audit diagnostic logs are enabled.

    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#description","title":"Description","text":"

    To capture logs that record interactions with data or the settings of the app configuration store, diagnostic settings must be configured.

    When configuring diagnostic settings, enable one of the following:

    • Audit category.
    • audit category group.
    • allLogs category group.

    Management operations for App Configuration Store are captured automatically within Azure Activity Logs.

    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.

    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an App Configuration Store that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable Audit category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"name\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The name of the App Configuration Store.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n},\n\"workspaceId\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The resource id of the Log Analytics workspace to send diagnostic logs to.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true\n}\n},\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"scope\": \"[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]\",\n\"name\": \"[format('{0}-diagnostic', parameters('name'))]\",\n\"properties\": {\n\"logs\": [\n{\n\"categoryGroup\": \"audit\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 90,\n\"enabled\": true\n}\n}\n],\n\"workspaceId\": \"[parameters('workspaceId')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an App Configuration Store that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable Audit category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n\nresource diagnostic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  scope: store\n  name: '${name}-diagnostic'\n  properties: {\n    logs: [\n      {\n        categoryGroup: 'audit'\n        enabled: true\n        retentionPolicy: {\n          days: 90\n          enabled: true\n        }\n      }\n    ]\n    workspaceId: workspaceId\n  }\n}\n
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy an App Configuration Store that pass this rule:

    • Configure the diagnosticSettingsProperties.logs parameter.
    • Enable Audit category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    diagnosticSettingsProperties: {\n      diagnosticReceivers: {\n        workspaceId: workspaceId\n      }\n      logs: [\n        {\n          categoryGroup: 'audit'\n          enabled: true\n          retentionPolicy: {\n            days: 90\n            enabled: true\n          }\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/","title":"Use identity-based authentication for App Configuration","text":"Azure.AppConfig.DisableLocalAuthAZR-000291Error

    Security \u00b7 App Configuration \u00b7 2022_09

    Authenticate App Configuration clients with Azure AD identities.

    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#description","title":"Description","text":"

    Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials, or by using an access key. Of these two types of authentication schemes, Azure AD provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Azure AD to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.

    When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Azure AD will succeed.

    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy configuration stores that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2023-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true,\n\"publicNetworkAccess\": \"Disabled\"\n}\n}\n
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy configuration stores that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the params.disableLocalAuth parameter to true.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#links","title":"Links","text":"
    • Centralize all identity systems
    • IM-1: Use centralized identity and authentication system
    • Authorize access to Azure App Configuration using Azure Active Directory
    • Disable access key authentication
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/","title":"Geo-replicate app configuration store","text":"Azure.AppConfig.GeoReplicaAZR-000312Error

    Reliability \u00b7 App Configuration \u00b7 2022_09

    Consider replication for app configuration store to ensure resiliency to region outages.

    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#description","title":"Description","text":"

    A app configuration store is stored and maintained by default in a single region.

    The app configuration geo-replication feature allows you to replicate your configuration store at-will to the regions of your choice. Each new replica will be in a different region and creates a new endpoint for your applications to send requests to. The original endpoint of your configuration store is called the Origin. The origin can't be removed, but otherwise behaves like any replica.

    Replicating your configuration store adds the following benefits:

    • Added resiliency for Azure outages.
    • Redistribution of request limits.
    • Regional compartmentalization.

    Geo-replication is currently a preview feature. During the preview geo-replication has additional limitations including support and regional availability.

    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#recommendation","title":"Recommendation","text":"

    Consider replication for app configuration store to ensure resiliency to region outages.

    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set sku.name to Standard (required for geo-replication).
    • Deploy a replica sub-resource (child resource).
    • Set location on replica sub-resource to a different location than the app configuration store.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"appConfigName\": {\n\"type\": \"string\",\n\"defaultValue\": \"configstore01\",\n\"metadata\": {\n\"description\": \"The name of the app configuration store.\"\n}\n},\n\"replicaName\": {\n\"type\": \"string\",\n\"defaultValue\": \"replica01\",\n\"metadata\": {\n\"description\": \"The name of the replica.\"\n}\n},\n\"appConfigLocation\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n},\n\"replicaLocation\": {\n\"type\": \"string\",\n\"defaultValue\": \"northeurope\",\n\"metadata\": {\n\"description\": \"The location where the replica will be deployed.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('appConfigName')]\",\n\"location\": \"[parameters('appConfigLocation')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true\n}\n},\n{\n\"type\": \"Microsoft.AppConfiguration/configurationStores/replicas\",\n\"apiVersion\": \"2022-03-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('appConfigName'), parameters('replicaName'))]\",\n\"location\": \"[parameters('replicaLocation')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('appConfigName'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set sku.name to Standard (required for geo-replication).
    • Deploy a replica sub-resource (child resource).
    • Set location on replica sub-resource to a different location than the app configuration store.

    For example:

    Azure Bicep snippet
    @description('The name of the app configuration store.')\nparam appConfigName string = 'configstore01'\n\n@description('The name of the replica.')\nparam replicaName string = 'replica01'\n\n@description('The location resources will be deployed.')\nparam appConfigLocation string = resourceGroup().location\n\n@description('The location where the replica will be deployed.')\nparam replicaLocation string = 'northeurope'\n\nresource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {\n  name: appConfigName\n  location: appConfigLocation\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n  }\n}\n\nresource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2022-03-01-preview' = {\n  name: replicaName\n  location: replicaLocation\n  parent: store\n}\n
    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Resiliency and diaster recovery
    • Geo-replication overview
    • Enable geo-replication
    • Azure deployment reference
    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.Name/","title":"Use valid App Configuration store names","text":"Azure.AppConfig.NameAZR-000058Error

    Operational Excellence \u00b7 App Configuration \u00b7 2020_12

    App Configuration store names should meet naming requirements.

    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for App Configuration store names are:

    • Between 5 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start and end with a letter or number.
    • App Configuration store names must be unique within a resource group.
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy configuration stores that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true\n}\n}\n
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy configuration stores that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n  }\n}\n
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#notes","title":"Notes","text":"

    This rule does not check if App Configuration store names are unique.

    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/","title":"Purge Protect App Configuration Stores","text":"Azure.AppConfig.PurgeProtectAZR-000313Error

    Reliability \u00b7 App Configuration \u00b7 2022_12

    Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.

    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#description","title":"Description","text":"

    With purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.

    Purge protection is only available for configuration stores that use the standard SKU.

    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#recommendation","title":"Recommendation","text":"

    Consider enabling purge protection for app configuration stores.

    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2023-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true,\n\"publicNetworkAccess\": \"Disabled\"\n}\n}\n
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the params.enablePurgeProtection parameter to true.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#links","title":"Links","text":"
    • Data management for reliability
    • Purge protection
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.SKU/","title":"Use production App Configuration SKU","text":"Azure.AppConfig.SKUAZR-000057Error

    Reliability \u00b7 App Configuration \u00b7 2020_12

    App Configuration should use a minimum size of Standard.

    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#description","title":"Description","text":"

    App Configuration is offered in two different SKUs; Free, and Standard. Standard includes additional features, increases scalability, and 99.9% SLA. The Free SKU does not include a SLA.

    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#recommendation","title":"Recommendation","text":"

    Consider upgrading App Configuration instances to Standard. Free instances are intended only for early development and testing scenarios.

    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy configuration stores that pass this rule:

    • Set the sku.name property to standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2023-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true,\n\"publicNetworkAccess\": \"Disabled\"\n}\n}\n
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy configuration stores that pass this rule:

    • Set the sku.name property to standard.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the params.skuName parameter to Standard.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#links","title":"Links","text":"
    • Meet application platform requirements
    • App Configuration pricing
    • Which App Configuration tier should I use?
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/","title":"Application gateways should use Availability zones in supported regions","text":"Azure.AppGw.AvailabilityZoneAZR-000060Error

    Reliability \u00b7 Application Gateway \u00b7 2021_09

    Application gateways should use availability zones in supported regions for high availability.

    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#description","title":"Description","text":"

    Application gateways using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Application gateway or Web Application Firewall (WAF) deployment can spread across multiple availability zones, which ensures the application gateway will continue running even if another zone has gone down. Backend pools for applications can be similarly distributed across availability zones.

    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).

    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is null, [] or not set when the Application gateway is deployed with V2 SKU (Standard_v2, WAF_v2) and there are supported availability zones for the given region.

    Configure AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Network and resource type applicationGateways.

    # YAML: The default AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for an Application gateway

    • Set zones to any or all of [\"1\", \"2\", \"3\"].
    • Set properties.sku.name and properties.sku.tier to Standard_v2 or WAF_v2.

    For example:

    Azure Template snippet
      {\n\"name\": \"appGw-001\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2019-09-01\",\n\"location\": \"[resourceGroup().location]\",\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"tags\": {},\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"autoscaleConfiguration\": {\n\"minCapacity\": 2,\n\"maxCapacity\": 3\n}\n}\n}\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for an Application gateway

    • Set zones to any or all of [\"1\", \"2\", \"3\"].
    • Set properties.sku.name and properties.sku.tier to Standard_v2 or WAF_v2.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: {\n      minCapacity: 2\n      maxCapacity: 3\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#create-wafv2-application-gateway-in-zone-1-2-and-3","title":"Create WAFv2 Application Gateway in Zone 1, 2 and 3","text":"Azure CLI snippet
    az network application-gateway create \\\n--name '<application_gateway_name>' \\\n--location '<location>' \\\n--resource-group '<resource_group>' \\\n--capacity '<capacity>' \\\n--sku WAF_v2 \\\n--public-ip-address '<public_ip_address>' \\\n--vnet-name '<virtual_network_name>' \\\n--subnet '<subnet_name>' \\\n--zones 1 2 3 \\\n--servers '<address_1>' '<address_2>'\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Autoscaling and Zone-redundant Application Gateway v2
    • Use zone-aware services
    • Azure Well-Architected Framework - Reliability
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.MigrateV2/","title":"Migrate to Application Gateway v2","text":"Azure.AppGw.MigrateV2AZR-000376Error

    Operational Excellence \u00b7 Application Gateway \u00b7 2023_06

    Use a Application Gateway v2 SKU.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#description","title":"Description","text":"

    The Application Gateway v1 SKUs (Standard and WAF) will be retired on April 28, 2026. To avoid service disruption, migrate to Application Gateway v2 SKUs.

    The v2 SKUs offers performance enhancements, security controls and adds support for critical new features like autoscaling, zone redundancy, support for static VIPs, header rewrite, key vault integration, mutual authentication (mTLS), Azure Kubernetes Service ingress controller and private link.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#recommendation","title":"Recommendation","text":"

    Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set properties.sku.tier or properties.sku.name to Standard_v2 (Application Gateway) or WAF_v2 (Web Application Firewall).

    For example:

    Azure Template snippet
    {\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2022-07-01\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"capacity\": 2,\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n}\n}\n}\n
    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set properties.sku.tier or properties.sku.name to Standard_v2 (Application Gateway) or WAF_v2 (Web Application Firewall).

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {\n  name: \n  location: location\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#notes","title":"Notes","text":"

    This rule is applicable for both Application Gateways and Application Gateways with Web Application Firewall (WAF).

    Not all existing features under the v1 SKUs are supported in the v2 SKUs. The v2 SKUs are not currently available in all regions.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#links","title":"Links","text":"
    • Infrastructure provisioning
    • Migrate your Application Gateways
    • What is Azure Application Gateway v2?
    • Azure deployment reference
    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MinInstance/","title":"Use two or more Application Gateway instances","text":"Azure.AppGw.MinInstanceAZR-000061Error

    Reliability \u00b7 Application Gateway \u00b7 2020_06

    Application Gateways should use a minimum of two instances.

    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#description","title":"Description","text":"

    Application Gateways should use two or more instances to be covered by the Service Level Agreement (SLA). By having two or more instances this allows the App Gateway to meet high availability requirements and reduce downtime.

    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#recommendation","title":"Recommendation","text":"

    When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.

    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set capacity for an Application gateway

    Autoscaling:

    • Set autoscaleConfiguration.minCapacity to any or all of 2.

    Manual Scaling:

    • Set sku.capacitiy to 2 or more.

    For example:

    Azure Template snippet
    {\n\"name\": \"appGw-001\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2019-09-01\",\n\"location\": \"[resourceGroup().location]\",\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"properties\": {\n\"sku\": {\n\"capacity\": 2, // Manual Scale\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"autoscaleConfiguration\": { //Autoscale\n\"minCapacity\": 2,\n\"maxCapacity\": 3\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Detection\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.0\"\n}\n}\n}\n
    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set capacity for an Application gateway

    Autoscaling:

    • Set autoscaleConfiguration.minCapacity to any or all of 2.

    Manual Scaling:

    • Set sku.capacitiy to 2 or more.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      capacity: 2 // Manual scale\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: { // Autoscale\n      minCapacity: 1\n      maxCapacity: 2\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Detection'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.0'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#links","title":"Links","text":"
    • Azure Application Gateway SLA
    • Azure deployment reference
    • Azure Well-Architected Framework - Reliability
    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinSku/","title":"Use production Application Gateway SKU","text":"Azure.AppGw.MinSkuAZR-000062Error

    Operational Excellence \u00b7 Application Gateway \u00b7 2020_06

    Application Gateway should use a minimum instance size of Medium.

    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#description","title":"Description","text":"

    An Application Gateway is offered in different versions v1 and v2. When deploying an Application Gateway v1, three different instance sizes are available: Small, Medium and Large.

    Application Gateway v2, Standard_v2 and WAF_v2 SKUs don't offer different instance sizes.

    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#recommendation","title":"Recommendation","text":"

    Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.

    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set the instance size for an Application Gateway V1:

    • Set properties.sku.name to Standard_Medium or Standard_Large.

    For example:

    Azure Template snippet
    {\n\"name\": \"appGw-001\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2019-09-01\",\n\"location\": \"[resourceGroup().location]\",\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"tags\": {},\n\"properties\": {\n\"sku\": {\n\"capacity\": 2,\n\"name\": \"Standard_Large\",\n\"tier\": \"Standard\"\n},\n\"enableHttp2\": false\n}\n}\n
    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set the instance size for an Application Gateway V1:

    • Set properties.sku.name to Standard_Medium or Standard_Large.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'Standard_Large'\n      tier: 'Standard'\n    }\n    enableHttp2: false\n  }\n}\n
    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#links","title":"Links","text":"
    • Azure Application Gateway sizing
    • Azure Application Gateway SLA
    • Azure deployment reference
    • Azure Well-Architected Framework - Reliability
    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.Name/","title":"Use valid names","text":"Azure.AppGw.NameAZR-000348Error

    Operational Excellence \u00b7 Application Gateway \u00b7 2022_12

    Application Gateways should meet naming requirements.

    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Application Gateway names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods and hyphens.
    • Start with alphanumeric.
    • End with alphanumeric or underscore.
    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#notes","title":"Notes","text":"

    This rule does not check if Application Gateways names are unique.

    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Application Gateway
    • Template reference
    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.OWASP/","title":"Use OWASP 3.x rules","text":"Azure.AppGw.OWASPAZR-000067Error

    Security \u00b7 Application Gateway \u00b7 2020_06

    Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.

    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#description","title":"Description","text":"

    Application Gateways deployed with WAF features support configuration of OWASP rule sets for detection and / or prevention of malicious attacks. Two rule set versions are available; OWASP 2.x and OWASP 3.x.

    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.

    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#examples","title":"Examples","text":"","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.ruleSetType property to OWASP.
    • Set the properties.webApplicationFirewallConfiguration.ruleSetVersion property to a minimum of 3.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.ruleSetType property to OWASP.
    • Set the properties.webApplicationFirewallConfiguration.ruleSetVersion property to a minimum of 3.2.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true --rule-set-type OWASP --rule-set-version '3.2' -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.2'\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • OWASP ModSecurity Core Rule Set
    • Azure deployment reference
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.Prevention/","title":"Use WAF prevention mode","text":"Azure.AppGw.PreventionAZR-000065Error

    Security \u00b7 Application Gateway \u00b7 2020_06

    Internet exposed Application Gateways should use prevention mode to protect backend resources.

    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#description","title":"Description","text":"

    Application Gateways with Web Application Firewall (WAF) enabled support two modes of operation:

    • Detection - Monitors and logs all threat alerts. In this mode, the WAF doesn't block incoming requests that are potentially malicious.
    • Protection - Blocks potentially malicious attack patterns that the rules detect.
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#recommendation","title":"Recommendation","text":"

    Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.

    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#examples","title":"Examples","text":"","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.firewallMode property to Prevention.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.firewallMode property to Prevention.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: []\n      requestBodyCheck: true\n      maxRequestBodySizeInKb: 128\n      fileUploadLimitInMb: 100\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true --firewall-mode Prevention -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Application Gateway WAF modes
    • Azure deployment reference
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/","title":"Application Gateways use a minimum TLS 1.2","text":"Azure.AppGw.SSLPolicyAZR-000064Error

    Security \u00b7 Application Gateway \u00b7 2020_06

    Application Gateway should only accept a minimum of TLS 1.2.

    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#description","title":"Description","text":"

    Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.

    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateway to accept a minimum of TLS 1.2.

    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule use a predefined or custom policy:

    • Custom \u2014 Set the properties.sslPolicy.policyType property to Custom.
      • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
      • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • Predefined \u2014 Set the properties.sslPolicy.policyType property to Predefined.
      • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"sslPolicy\": {\n\"policyType\": \"Custom\",\n\"minProtocolVersion\": \"TLSv1_2\",\n\"cipherSuites\": [\n\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n]\n}\n}\n}\n
    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule use a predefined or custom policy:

    • Custom \u2014 Set the properties.sslPolicy.policyType property to Custom.
      • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
      • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • Predefined \u2014 Set the properties.sslPolicy.policyType property to Predefined.
      • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      policyType: 'Custom'\n      minProtocolVersion: 'TLSv1_2'\n      cipherSuites: [\n        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'\n        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#links","title":"Links","text":"
    • Data encryption in Azure
    • Application Gateway SSL policy overview
    • Configure SSL policy versions and cipher suites on Application Gateway
    • Overview of TLS termination and end to end TLS with Application Gateway
    • Azure deployment reference
    • Predefined TLS policy
    • Cipher suites
    • Limitations
    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/","title":"Expose frontend HTTP endpoints over HTTPS","text":"Azure.AppGw.UseHTTPSAZR-000059Error

    Security \u00b7 Application Gateway \u00b7 2021_09

    Application Gateways should only expose frontend HTTP endpoints over HTTPS.

    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#description","title":"Description","text":"

    Application Gateways support HTTP and HTTPS endpoints for backend and frontend traffic. When using frontend HTTP (80) endpoints, traffic between client and Application Gateway is not encrypted.

    Unencrypted communication could allow disclosure of information to an un-trusted party.

    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.

    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.frontendPorts.properties.port property to 443.

    Fors example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"sslPolicy\": {\n\"minProtocolVersion\": \"TLSv1_2\"\n},\n\"frontendPorts\": [\n{\n\"name\": \"https\",\n\"properties\": {\n\"Port\": 443\n}\n}\n]\n}\n}\n
    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.frontendPorts.properties.port property to 443.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      minProtocolVersion: 'TLSv1_2'\n    }\n    frontendPorts: [\n      {\n        name: 'https'\n        properties: {\n          Port: 443\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Create an application gateway with HTTP to HTTPS redirection using the Azure portal
    • Azure deployment reference
    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseWAF/","title":"Application Gateway uses WAF SKU","text":"Azure.AppGw.UseWAFAZR-000063Error

    Security \u00b7 Application Gateway \u00b7 2020_06

    Internet accessible Application Gateways should use protect endpoints with WAF.

    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#description","title":"Description","text":"

    Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.

    To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.

    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#recommendation","title":"Recommendation","text":"

    Consider deploying Application Gateways with a WAF SKU to protect against common attacks.

    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#examples","title":"Examples","text":"","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Deploy an Application Gateway with the WAF or WAF_v2 SKU.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Deploy an Application Gateway with the WAF or WAF_v2 SKU.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway update --sku WAF_v2 -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\n$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Azure deployment reference
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGw.WAFEnabledAZR-000066Error

    Security \u00b7 Application Gateway \u00b7 2020_06

    Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#description","title":"Description","text":"

    Security features of Application Gateways deployed with WAF may be toggled on or off.

    When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.

    To protect backend resources from potentially malicious network traffic, WAF must be enabled.

    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.

    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Azure deployment reference
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFRules/","title":"Application Gateway rules are enabled","text":"Azure.AppGw.WAFRulesAZR-000068Error

    Security \u00b7 Application Gateway \u00b7 2020_06

    Application Gateway Web Application Firewall (WAF) should have all rules enabled.

    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#description","title":"Description","text":"

    Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.

    When OWASP rules are turned off, the protection they provide is disabled.

    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#recommendation","title":"Recommendation","text":"

    Consider enabling all OWASP rules within Application Gateway instances.

    Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.

    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupName property to $ruleName.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [\n{\n\"ruleGroupName\": \"exampleRule\",\n\"rules\": []\n}\n],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: [\n        {\n          ruleGroupName: 'exampleRule',\n          rules: []\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Web Application Firewall CRS rule groups and rules
    • Azure deployment reference
    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGwWAF.EnabledAZR-000309Error

    Security \u00b7 Application Gateway \u00b7 2022_09

    Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#description","title":"Description","text":"

    Security features of Application Gateways deployed with WAF may be toggled on or off.

    When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.

    To protect backend resources from potentially malicious network traffic, WAF must be enabled.

    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.

    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.policySettings.state property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"agwwaf\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\"\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"0.1\"\n}\n]\n},\n\"policySettings\": {\n\"state\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.policySettings.state property to Enabled.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-01-01' = {\n  name: 'agwwaf'\n  location: location\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'OWASP'\n          ruleSetVersion: '3.2'\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '0.1'\n        }\n      ]\n    }\n    policySettings: {\n      state: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Azure deployment reference
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/","title":"Application Gateway rules are enabled","text":"Azure.AppGwWAF.ExclusionsAZR-000303Error

    Security \u00b7 Application Gateway \u00b7 2022_09

    Application Gateway Web Application Firewall (WAF) should have all rules enabled.

    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#description","title":"Description","text":"

    Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.

    When OWASP rules are turned off, the protection they provide is disabled.

    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#recommendation","title":"Recommendation","text":"

    Consider enabling all OWASP rules within Application Gateway instances.

    Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.

    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Web Application Firewall CRS rule groups and rules
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/","title":"Use Application Gateway WAF policy in prevention mode","text":"Azure.AppGwWAF.PreventionModeAZR-000302Error

    Security \u00b7 Application Gateway \u00b7 2022_09

    Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#description","title":"Description","text":"

    Application Gateway WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

    • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Application Gateway instance must be configured.
    • Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#recommendation","title":"Recommendation","text":"

    Consider setting Application Gateway WAF policy to use protection mode.

    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/","title":"Use Recommended Application Gateway WAF policy rule groups","text":"Azure.AppGwWAF.RuleGroupsAZR-000304Error

    Security \u00b7 Application Gateway \u00b7 2022_09

    Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#description","title":"Description","text":"

    Application Gateway WAF policies support two main Rule Groups.

    • OWASP - Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.
    • Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.
    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateway WAF policy to use the recommended rule sets.

    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Web Application Firewall CRS rule groups and rules
    • Bot protection overview
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppInsights.Name/","title":"Use valid Application Insights resource names","text":"Azure.AppInsights.NameAZR-000070Error

    Operational Excellence \u00b7 Application Insights \u00b7 2021_06

    Azure Application Insights resources names should meet naming requirements.

    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Application Insights resource names are:

    • Between 1 and 255 characters long.
    • Letters, numbers, hyphens, periods, underscores, and parenthesis.
    • Must not end in a period.
    • Resource names must be unique within a resource group.
    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#notes","title":"Notes","text":"

    This rule does not check if Application Insights resource names are unique.

    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Define your naming convention
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Workspace/","title":"Use workspace-based App Insights resources","text":"Azure.AppInsights.WorkspaceAZR-000069Error

    Operational Excellence \u00b7 Application Insights \u00b7 2021_06

    Configure Application Insights resources to store data in workspaces.

    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#description","title":"Description","text":"

    Application Insights (App Insights) can be deployed as either classic or workspace-based resources. When configured as workspace-based, telemetry is sent from App Insights to a common Log Analytics workspace.

    Using a Log Analytics workspace for App Insights:

    • Makes it easier to query across applications.
    • Adds support for additional features of Log Analytics workspaces including:
      • Customer-Managed Keys (CMK).
      • Support for Azure Private Link.
      • Capacity Reservation tiers.
      • Faster data ingestion.

    App Insights resources can be configured as workspace-based either during or after initial deployment.

    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#recommendation","title":"Recommendation","text":"

    Consider using workspace-based Application Insights resources to collect telemetry in shared storage.

    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#examples","title":"Examples","text":"","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Insights resources that pass this rule:

    • Set the properties.WorkspaceResourceId property to a valid Log Analytics workspace.

    For example:

    Azure Template snippet
    {\n\"type\": \"microsoft.insights/components\",\n\"apiVersion\": \"2020-02-02\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"Application_Type\": \"web\",\n\"Flow_Type\": \"Redfield\",\n\"Request_Source\": \"IbizaAIExtension\",\n\"WorkspaceResourceId\": \"[parameters('workspaceId')]\"\n}\n}\n
    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Insights resources that pass this rule:

    • Set the properties.WorkspaceResourceId property to a valid Log Analytics workspace.

    For example:

    Azure Bicep snippet
    resource appInsights 'Microsoft.Insights/components@2020-02-02' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    Application_Type: 'web'\n    Flow_Type: 'Redfield'\n    Request_Source: 'IbizaAIExtension'\n    WorkspaceResourceId: workspaceId\n  }\n}\n
    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#links","title":"Links","text":"
    • Collection and storage
    • Migrate to workspace-based Application Insights resources
    • Azure resource template
    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppService.ARRAffinity/","title":"Disable Application Request Routing","text":"Azure.AppService.ARRAffinityAZR-000083Error

    Performance Efficiency \u00b7 App Service \u00b7 2020_06

    Disable client affinity for stateless services.

    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#description","title":"Description","text":"

    Azure App Service apps use Application Request Routing (ARR) by default. ARR uses a cookie to route subsequent client requests back to the same instance when an app is scaled to two or more instances. This benefits stateful applications, which may hold session information in instance memory.

    For stateless applications, disabling ARR allows Azure App Service more evenly distribute load.

    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#recommendation","title":"Recommendation","text":"

    Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.

    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#links","title":"Links","text":"
    • Design for performance efficiency
    • Configure an App Service app
    • Azure deployment reference
    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.AlwaysOn/","title":"Use App Service Always On","text":"Azure.AppService.AlwaysOnAZR-000077Error

    Reliability \u00b7 App Service \u00b7 2020_12

    Configure Always On for App Service apps.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#description","title":"Description","text":"

    Azure App Service apps are automatically unloaded when there's no traffic. Unloading apps reduces resource consumption when apps share a single App Services Plan. After an app have been unloaded, the next web request will trigger a cold start of the app. A cold start of the app can cause request timeouts.

    Web apps using continuous WebJobs or WebJobs triggered with a CRON expression must use always on to start.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#recommendation","title":"Recommendation","text":"

    Consider enabling Always On for each App Services app.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#examples","title":"Examples","text":"","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.alwaysOn to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.alwaysOn to true.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#notes","title":"Notes","text":"

    The Always On feature of App Service is not applicable to Azure Functions and Standard Logic Apps under most circumstances. To reduce false positives, this rule ignores apps based on Azure Functions and Standard Logic Apps.

    When running in a Consumption Plan or Premium Plan you should not enable Always On. On a Consumption plan the platform activates function apps automatically. On a Premium plan the platform keeps your desired number of pre-warmed instances always on automatically.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#links","title":"Links","text":"
    • Azure App Service and reliability
    • Configure an App Service app
    • The Ultimate Guide to Running Healthy Apps in the Cloud
    • Always on with Azure Functions
    • Dedicated hosting plans for Azure Functions
    • Azure deployment reference
    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.HTTP2/","title":"Use HTTP/2 connections for App Service apps","text":"Azure.AppService.HTTP2AZR-000078Error

    Performance Efficiency \u00b7 App Service \u00b7 2020_12

    Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.

    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#description","title":"Description","text":"

    Azure App Service has native support for HTTP/2, but by default it is disabled. HTTP/2 offers a number of improvements over HTTP/1.1, including:

    • Connections are fully multiplexed, instead of ordered and blocking.
    • Connections are reused, reducing connection establishment overhead.
    • Headers are compressed to reduce overhead.
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#recommendation","title":"Recommendation","text":"

    Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.

    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#examples","title":"Examples","text":"","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.http20Enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.http20Enabled to true.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#links","title":"Links","text":"
    • Performance efficiency checklist
    • Configure an App Service app
    • Azure deployment reference
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/","title":"App Service apps uses a managed identity","text":"Azure.AppService.ManagedIdentityAZR-000082Error

    Security \u00b7 App Service \u00b7 2020_12

    Configure managed identities to access Azure resources.

    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#description","title":"Description","text":"

    Azure App Service apps must authenticate to Azure resources such as Azure SQL Databases. App Service can use managed identities to authenticate to Azure resource without storing credentials.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • What are managed identities for Azure resources?
    • Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
    • How to use managed identities for App Service and Azure Functions
    • Azure deployment reference
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.MinPlan/","title":"Use App Service production SKU","text":"Azure.AppService.MinPlanAZR-000072Error

    Performance Efficiency \u00b7 App Service \u00b7 2020_06

    Use at least a Standard App Service Plan.

    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#description","title":"Description","text":"

    Azure App Services provide a range of different plans that can be used to scale your application. Each plan provides different levels of performance and features.

    To get you started a number of entry level plans are available. The Free, Shared, and Basic plans can be used for limited testing and development. However these plans are not suitable for production use. Production workloads are best suited to standard and premium plans with PremiumV3 the newest plan.

    This rule does not apply to consumption or elastic App Services Plans used for Azure Functions.

    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#recommendation","title":"Recommendation","text":"

    Consider using a standard or premium plan for hosting apps on Azure App Service.

    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.tier to a plan equal to or greater than Standard. For example: PremiumV3, PremiumV2, Premium, Standard

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/serverfarms\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('planName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"S1\",\n\"tier\": \"Standard\",\n\"capacity\": 2\n}\n}\n
    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.tier to a plan equal to or greater than Standard. For example: PremiumV3, PremiumV2, Premium, Standard

    For example:

    Azure Bicep snippet
    resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n
    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#links","title":"Links","text":"
    • Choose the right resources
    • Azure App Service plan overview
    • Manage an App Service plan in Azure
    • Configure PremiumV3 tier for Azure App Service
    • App Service pricing
    • Azure deployment reference
    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinTLS/","title":"App Service minimum TLS version","text":"Azure.AppService.MinTLSAZR-000073Error

    Security \u00b7 App Service \u00b7 2020_06

    App Service should reject TLS versions older than 1.2.

    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure App Service accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    App Service lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.

    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.minTlsVersion to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.minTlsVersion to 1.2.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Enforce TLS versions
    • Preparing for TLS 1.2 in Microsoft Azure
    • Insecure protocols
    • Azure Policy built-in definitions for Azure App Service
    • Azure deployment reference
    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.NETVersion/","title":"Use a newer .NET version","text":"Azure.AppService.NETVersionAZR-000075Error

    Security \u00b7 App Service \u00b7 2020_12

    Configure applications to use newer .NET versions.

    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#description","title":"Description","text":"

    Within a App Service app, the version of .NET used to run application/ site code is configurable. Older versions of .NET may not use the latest security features.

    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#recommendation","title":"Recommendation","text":"

    Consider updating the site to use a newer .NET version such as v6.0.

    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.netFrameworkVersion to a minimum of v4.0.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.netFrameworkVersion to a minimum of v4.0.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#links","title":"Links","text":"
    • Security design principles
    • Set .NET Framework runtime version
    • Azure deployment reference
    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.PHPVersion/","title":"Use a newer PHP runtime version","text":"Azure.AppService.PHPVersionAZR-000076Error

    Security \u00b7 App Service \u00b7 2020_12

    Configure applications to use newer PHP runtime versions.

    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#description","title":"Description","text":"

    Within a App Service app, the version of PHP runtime used to run application/ site code is configurable. Older versions of PHP may not use the latest security features.

    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#recommendation","title":"Recommendation","text":"

    Consider updating the site to use a newer PHP runtime version such as 7.4.

    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.phpVersion to a minimum of 7.0.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"OFF\",\n\"phpVersion\": \"7.4\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.phpVersion to a minimum of 7.0.

    For example:

    Azure Bicep snippet
    resource webAppPHP 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'OFF'\n      phpVersion: '7.4'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#links","title":"Links","text":"
    • Security design principles
    • Set PHP Version
    • Azure deployment reference
    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/","title":"Use two or more App Service Plan instances","text":"Azure.AppService.PlanInstanceCountAZR-000071Error

    Reliability \u00b7 App Service \u00b7 2020_06

    App Service Plan should use a minimum number of instances for failover.

    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#description","title":"Description","text":"

    App Services Plans provides a configurable number of instances that will run apps. When a single instance is configured your app may be temporarily unavailable during unplanned interruptions. In most circumstances, Azure will self heal faulty app service instances automatically. However during this time there may interruptions to your workload.

    This rule does not apply to consumption or elastic App Services Plans.

    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#recommendation","title":"Recommendation","text":"

    Consider using an App Service Plan with at least two (2) instances.

    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#examples","title":"Examples","text":"","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.capacity to 2 or more.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/serverfarms\",\n\"apiVersion\": \"2021-01-15\",\n\"name\": \"[parameters('planName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"S1\",\n\"tier\": \"Standard\",\n\"capacity\": 2\n}\n}\n
    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.capacity to 2 or more.

    For example:

    Azure Bicep snippet
    resource appPlan 'Microsoft.Web/serverfarms@2021-01-15' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n
    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Get started with Autoscale in Azure
    • Azure deployment reference
    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.RemoteDebug/","title":"Disable App Service remote debugging","text":"Azure.AppService.RemoteDebugAZR-000074Error

    Security \u00b7 App Service \u00b7 2020_12

    Disable remote debugging on App Service apps when not in use.

    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#description","title":"Description","text":"

    Remote debugging can be enabled on apps running within Azure App Services.

    To enable remote debugging, App Service allows connectivity to additional ports. While access to remote debugging ports is authenticated, the attack service for an app is increased.

    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#recommendation","title":"Recommendation","text":"

    Consider disabling remote debugging when not in use.

    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#examples","title":"Examples","text":"","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.remoteDebuggingEnabled to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.remoteDebuggingEnabled to false.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#links","title":"Links","text":"
    • Configure general settings
    • Azure deployment reference
    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.UseHTTPS/","title":"Enforce encrypted App Service connections","text":"Azure.AppService.UseHTTPSAZR-000084Error

    Security \u00b7 App Service \u00b7 2020_06

    Azure App Service apps should only accept encrypted connections.

    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#description","title":"Description","text":"

    Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.

    Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.

    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#recommendation","title":"Recommendation","text":"

    When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#examples","title":"Examples","text":"","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.httpsOnly to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.httpsOnly to true.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Enforce HTTPS
    • Azure Policy built-in definitions for Azure App Service
    • Azure deployment reference
    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.WebProbe/","title":"Web apps use health probes","text":"Azure.AppService.WebProbeAZR-000079Error

    Reliability \u00b7 App Service \u00b7 2022_06

    Configure and enable instance health probes.

    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#description","title":"Description","text":"

    Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.

    Regular checks of the monitored path allow Azure App Service to route traffic based on availability.

    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#recommendation","title":"Recommendation","text":"

    Consider configuring a health probe to monitor instance availability.

    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a valid application path such as /healthz.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\",\n\"healthCheckPath\": \"/healthz\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a valid application path such as /healthz.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n      healthCheckPath: '/healthz'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#links","title":"Links","text":"
    • Creating good health probes
    • Route traffic to healthy instances (App Service)
    • Health Check is now Generally Available
    • Azure deployment reference
    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbePath/","title":"Web apps use a dedicated health probe path","text":"Azure.AppService.WebProbePathAZR-000080Error

    Reliability \u00b7 App Service \u00b7 2022_06

    Configure a dedicated path for health probe requests.

    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#description","title":"Description","text":"

    Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.

    Regular checks of the monitored path allow Azure App Service to route traffic based on availability.

    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#recommendation","title":"Recommendation","text":"

    Consider using a dedicated health probe endpoint that implements functional checks.

    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a dedicated application path such as /healthz.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\",\n\"healthCheckPath\": \"/healthz\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a dedicated application path such as /healthz.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n      healthCheckPath: '/healthz'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#links","title":"Links","text":"
    • Creating good health probes
    • Health check path
    • Health Check is now Generally Available
    • Azure deployment reference
    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/","title":"Web apps disable insecure FTP","text":"Azure.AppService.WebSecureFtpAZR-000081Error

    Security \u00b7 App Service \u00b7 2022_06

    Web apps should disable insecure FTP and configure SFTP when required.

    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#description","title":"Description","text":"

    Azure App Service supports configuration of FTP and SFTP for uploading site content. By default, both FTP and SFTP are enabled. In many circumstances, use of FTP or SFTP is not required for automated deployments.

    When interactive deployments are required consider using SFTP instead of FTP. Use of FTP alone is not sufficient to prevent disclosure of sensitive information that may be transferred.

    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#recommendation","title":"Recommendation","text":"

    Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.ftpsState to FtpsOnly or Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\",\n\"healthCheckPath\": \"/healthz\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.ftpsState to FtpsOnly or Disabled.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n      healthCheckPath: '/healthz'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#links","title":"Links","text":"
    • Data encryption in Azure
    • Deploy your app to Azure App Service using FTP/S
    • Azure deployment reference
    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/","title":"Use Microsoft Defender","text":"Azure.Arc.Kubernetes.DefenderAZR-000373Error

    Security \u00b7 Arc \u00b7 2023_06

    Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.

    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#description","title":"Description","text":"

    Defender for Containers relies on the Defender extension for several features.

    To collect and provide data plane protections of Microsoft Defender for Containers, the extension must be deployed to the Arc connected Kubernetes cluster. The extension will deploy some additional daemon set and deployments to the cluster.

    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#recommendation","title":"Recommendation","text":"

    Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.

    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#examples","title":"Examples","text":"","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Arc-enabled Kubernetes clusters that pass this rule:

    • Deploy a Microsoft.KubernetesConfiguration/extensions sub-resource (extension resource).
    • Set the properties.extensionType property to microsoft.azuredefender.kubernetes.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KubernetesConfiguration/extensions\",\n\"apiVersion\": \"2022-11-01\",\n\"scope\": \"[format('Microsoft.Kubernetes/connectedClusters/{0}', parameters('name'))]\",\n\"name\": \"microsoft.azuredefender.kubernetes\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"extensionType\": \"microsoft.azuredefender.kubernetes\",\n\"configurationSettings\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('logAnalyticsWorkspaceResourceID')]\",\n\"auditLogPath\": \"/var/log/kube-apiserver/audit.log\"\n},\n\"configurationProtectedSettings\": {\n\"omsagent.secret.wsid\": \"[parameters('wsid')]\",\n\"omsagent.secret.key\": \"[parameters('key')]\"\n},\n\"autoUpgradeMinorVersion\": true,\n\"releaseTrain\": \"Stable\",\n\"scope\": {\n\"cluster\": {\n\"releaseNamespace\": \"azuredefender\"\n}\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Kubernetes/connectedClusters', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Arc-enabled Kubernetes clusters that pass this rule:

    • Deploy a Microsoft.KubernetesConfiguration/extensions sub-resource (extension resource).
    • Set the properties.extensionType property to microsoft.azuredefender.kubernetes.

    For example:

    Azure Bicep snippet
    resource defenderExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = {\n  name: 'microsoft.azuredefender.kubernetes'\n  scope: arcKubernetesCluster\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    extensionType: 'microsoft.azuredefender.kubernetes'\n    configurationSettings: {\n      logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceResourceID\n      auditLogPath: '/var/log/kube-apiserver/audit.log'\n    }\n    configurationProtectedSettings: {\n      'omsagent.secret.wsid': wsid\n      'omsagent.secret.key': key\n    }\n    autoUpgradeMinorVersion: true\n    releaseTrain: 'Stable'\n    scope: {\n      cluster: {\n        releaseNamespace: 'azuredefender'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#links","title":"Links","text":"
    • Security operations
    • Defender for Containers architecture
    • Enable Microsoft Defender for Containers
    • LT-1: Enable threat detection capabilities
    • Azure deployment reference
    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.Arc.Server.MaintenanceConfigAZR-000374Error

    Operational Excellence \u00b7 Arc \u00b7 2023_06

    Use a maintenance configuration for Arc-enabled servers.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#description","title":"Description","text":"

    Arc-enabled servers can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#recommendation","title":"Recommendation","text":"

    Consider automatically managing and applying operating system updates with a maintenance configuration.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Arc-enabled servers that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Maintenance/configurationAssignments\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('assignmentName')]\",\n\"location\": \"[parameters('location')]\",\n\"scope\": \"[format('Microsoft.HybridCompute/machines/{0}', parameters('name'))]\",\n\"properties\": {\n\"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.HybridCompute/machines', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Arc-enabled servers that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Bicep snippet
    resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: arcServer\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n
    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#notes","title":"Notes","text":"

    Operating system updates with Update Managment center is a preview feature. Not all regions or operating systems are supported, check out the LINKS section for supported regions. Update management center doesn't support driver updates.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#links","title":"Links","text":"
    • Repeatable infrastructure
    • About Update management center
    • How to programmatically manage updates for Azure Arc-enabled servers
    • Manage Update configuration settings
    • Supported regions
    • Supported operating systems
    • Azure deployment reference
    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Automation.AuditLogs/","title":"Audit Automation Account data access","text":"Azure.Automation.AuditLogsAZR-000088Error

    Security \u00b7 Automation Account \u00b7 2021_12

    Ensure automation account audit diagnostic logs are enabled.

    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#description","title":"Description","text":"

    To capture logs that record interactions with data or the settings of the automation account, diagnostic settings must be configured.

    When configuring diagnostic settings, enabled one of the following:

    • AuditEvent category.
    • audit category group.
    • allLogs category group.

    Management operations for Automation Account is captured automatically within Azure Activity Logs.

    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.

    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"automationAccountName\": {\n\"defaultValue\": \"automation-account1\",\n\"type\": \"String\"\n},\n\"location\": {\n\"type\": \"String\"\n},\n\"workspaceId\": {\n\"type\": \"String\"\n}\n},\n\"variables\": {},\n\"resources\": [\n{\n\"type\": \"Microsoft.Automation/automationAccounts\",\n\"apiVersion\": \"2021-06-22\",\n\"name\": \"[parameters('automationAccountName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": false,\n\"sku\": {\n\"name\": \"Basic\"\n},\n\"encryption\": {\n\"keySource\": \"Microsoft.Automation\",\n\"identity\": {}\n}\n}\n},\n{\n\"comments\": \"Enable monitoring of Automation Account operations.\",\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"dependsOn\": [\n\"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n],\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"AuditEvent\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n
    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Template Reference
    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.EncryptVariables/","title":"Encrypt automation variables","text":"Azure.Automation.EncryptVariablesAZR-000086Error

    Security \u00b7 Automation Account \u00b7 2020_06

    Azure Automation variables should be encrypted.

    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#description","title":"Description","text":"

    Azure Automation allows configuration properties to be saved as variables. Variables are a key/ value pairs, which may contain sensitive information.

    When variables are encrypted they can only be access from within the runbook context. Variables not encrypted are visible to anyone with read permissions.

    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#recommendation","title":"Recommendation","text":"

    Consider encrypting all automation account variables.

    Additionally consider, using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.

    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#links","title":"Links","text":"
    • Variable assets in Azure Automation
    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.Automation.ManagedIdentityAZR-000090Error

    Security \u00b7 Automation Account \u00b7 2021_12

    Ensure Managed Identity is used for authentication.

    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#description","title":"Description","text":"

    Azure automation can use Managed Identities to authenticate to Azure resources without storing credentials.

    Using managed identities have the following benefits:

    • Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
    • Managed Identities can be used without any additional cost.
    • You don't have to specify the Run As connection object in your runbook code. You can access resources using your Automation Account's Managed Identity from a runbook.
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity for each Automation Account.

    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Automation Accounts that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Automation/automationAccounts\",\n\"apiVersion\": \"2021-06-22\",\n\"name\": \"[parameters('automation_account_name')]\",\n\"location\": \"australiaeast\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": false,\n\"sku\": {\n\"name\": \"Basic\"\n},\n\"encryption\": {\n\"keySource\": \"Microsoft.Automation\",\n\"identity\": {}\n}\n}\n}\n
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Automation Accounts that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automation_account_name\n  location: 'australiaeast'\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities
    • Using a system-assigned managed identity for an Azure Automation account
    • Using a user-assigned managed identity for an Azure Automation account
    • Azure deployment reference
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.PlatformLogs/","title":"Automation accounts should collect platform diagnostic logs","text":"Azure.Automation.PlatformLogsAZR-000089Error

    Operational Excellence \u00b7 Automation Account \u00b7 2021_12

    Ensure automation account platform diagnostic logs are enabled.

    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#description","title":"Description","text":"

    To capture platform logs from Automation Accounts, the following diagnostic log categories should be enabled:

    • JobLogs
    • JobStreams
    • DSCNodeStatus

    We can also enable all the above with the allLogs category group.

    To capture metric log categories, th following must be enabled as well:

    • AllMetrics - Total Jobs, Total Update Deployment Machine Runs, Total Update Deployment Runs
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to capture platform logs from Automation accounts.

    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#notes","title":"Notes","text":"

    Configure AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST to enable selective log categories. By default all log categories are selected, as shown below.

    # YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AllMetrics']\n
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the JobLogs, JobStreams, DSCNodeStatus and AllMetrics categories.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"automationAccountName\": {\n\"defaultValue\": \"automation-account1\",\n\"type\": \"String\"\n},\n\"location\": {\n\"type\": \"String\"\n},\n\"workspaceId\": {\n\"type\": \"String\"\n}\n},\n\"variables\": {},\n\"resources\": [\n{\n\"type\": \"Microsoft.Automation/automationAccounts\",\n\"apiVersion\": \"2021-06-22\",\n\"name\": \"[parameters('automationAccountName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": false,\n\"sku\": {\n\"name\": \"Basic\"\n},\n\"encryption\": {\n\"keySource\": \"Microsoft.Automation\",\n\"identity\": {}\n}\n}\n},\n{\n\"comments\": \"Enable monitoring of Automation Account operations.\",\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"dependsOn\": [\n\"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n],\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"JobLogs\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"JobStreams\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"DSCNodeStatus\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n],\n\"metrics\": [\n{\n\"category\": \"AllMetrics\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the JobLogs, JobStreams, DSCNodeStatus and AllMetrics categories.

    For example:

    Azure Bicep snippet
    param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'JobLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'JobStreams'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'DSCNodeStatus'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n    metrics: [\n      {\n        category: 'AllMetrics'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#links","title":"Links","text":"
    • Platform Monitoring
    • Forward Azure Automation job data to Azure Monitor logs
    • Template Reference
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/","title":"Use short lived web hooks","text":"Azure.Automation.WebHookExpiryAZR-000087Error

    Security \u00b7 Automation Account \u00b7 2020_06

    Do not create webhooks with an expiry time greater than 1 year (default).

    ","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#description","title":"Description","text":"

    Do not create webhooks with an expiry time greater than 1 year (default).

    ","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#recommendation","title":"Recommendation","text":"

    An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year. If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.

    ","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.BV.Immutable/","title":"Immutability","text":"Azure.BV.ImmutableAZR-000398Error

    Security \u00b7 Backup Vault \u00b7 2023_09

    Ensure immutability is configured to protect backup data.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#description","title":"Description","text":"

    Immutability is supported for Backup vaults by configuring the Immutable vault setting.

    Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.

    For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.

    The Immutable vault setting is not enabled per default.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#recommendation","title":"Recommendation","text":"

    Consider configuring immutability to protect backup data from accidental or malicious deletion.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Backup vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DataProtection/backupVaults\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('vaultName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securitySettings\": {\n\"immutabilitySettings\": {\n\"state\": \"Locked\"\n}\n}\n}\n}\n
    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Backup vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Bicep snippet
    resource backupVault 'Microsoft.DataProtection/backupVaults@2022-11-01-preview' = {\n  name: vaultName\n  location: location\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#notes","title":"Notes","text":"

    Note that immutability locking Locked is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using Locked. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider Unlocked.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#links","title":"Links","text":"
    • Security design principles
    • Immutable vault for Azure Backup
    • Restricted operations
    • Manage Azure Backup Immutable vault operations
    • Azure security baseline for Azure Backup
    • Backup and restore plan to protect against ransomware
    • BR-2: Protect backup and recovery data
    • Azure deployment reference
    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.Bastion.Name/","title":"Use valid names","text":"Azure.Bastion.NameAZR-000349Error

    Operational Excellence \u00b7 Bastion \u00b7 2022_12

    Bastion hosts should meet naming requirements.

    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Bastion host names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods and hyphens.
    • Start with alphanumeric.
    • End with alphanumeric or underscore.
    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#notes","title":"Notes","text":"

    This rule does not check if Bastion host names are unique.

    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Bastion host
    • Azure deployment reference
    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.CDN.EndpointName/","title":"Use valid CDN endpoint names","text":"Azure.CDN.EndpointNameAZR-000091Error

    Operational Excellence \u00b7 Content Delivery Network \u00b7 2020_09

    Azure CDN Endpoint names should meet naming requirements.

    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for CDN endpoint names are:

    • Between 1 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start and end with a letter or number.
    • CDN endpoint names must be globally unique.
    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#notes","title":"Notes","text":"

    This rule does not check if CDN endpoint names are unique.

    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.HTTP/","title":"Use HTTPS client connections","text":"Azure.CDN.HTTPAZR-000093Error

    Security \u00b7 Content Delivery Network \u00b7 2020_06

    Enforce HTTPS for client connections.

    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#description","title":"Description","text":"

    When a client connect to CDN content it can use HTTP or HTTPS. Support for both HTTP and HTTPS is enabled by default. When using HTTP, sensitive information may be exposed to an untrusted party.

    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#recommendation","title":"Recommendation","text":"

    Consider disabling HTTP support on the CDN endpoint origin.

    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#links","title":"Links","text":"
    • Data encryption in Azure
    • Configure HTTPS on an Azure CDN custom domain
    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.MinTLS/","title":"Azure CDN endpoint minimum TLS version","text":"Azure.CDN.MinTLSAZR-000092Error

    Security \u00b7 Content Delivery Network \u00b7 2020_09

    Azure CDN endpoints should reject TLS versions older than 1.2.

    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure CDN endpoints accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    To configure the minimum TLS version, a custom domain must be configured.

    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.

    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Preparing for TLS 1.2 in Microsoft Azure
    • REST API Custom Domains - Enable Custom Https
    • Azure deployment reference
    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/","title":"Use Front Door Standard Or Premium SKU","text":"Azure.CDN.UseFrontDoorAZR-000286Error

    Performance Efficiency \u00b7 Front Door \u00b7 2022_09

    Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.

    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#description","title":"Description","text":"

    Using a CDN is a good way to minimize the load on your application, and maximize availability and performance.

    Standard content delivery network (CDN) capability includes the ability to cache files closer to end users to speed up delivery of static files. However, with dynamic web applications, caching that content in edge locations isn't possible because the server generates the content in response to user behavior. Speeding up the delivery of such content is more complex than traditional edge caching and requires an end-to-end solution that finely tunes each element along the entire data path from inception to delivery. With Azure CDN dynamic site acceleration (DSA) optimization, the performance of web pages with dynamic content is measurably improved.

    Azure Front Door Standard or Premium SKU offers modern cloud Content Delivery Network (CDN). These SKUs in particular provides fast, reliable, and secure access between users and dynamic web content across the globe.

    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#recommendation","title":"Recommendation","text":"

    Consider using Front Door Standard or Premium SKU to improve performance.

    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#examples","title":"Examples","text":"","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an front door profile that pass this rule:

    • Set sku.name to Standard_AzureFrontDoor or Premium_AzureFrontDoor.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"myFrontDoor\",\n\"location\": \"global\",\n\"sku\": {\n\"name\": \"Standard_AzureFrontDoor\"\n}\n}\n
    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an front door profile that pass this rule:

    • Set sku.name to Standard_AzureFrontDoor or Premium_AzureFrontDoor.

    For example:

    Azure Bicep snippet
    resource frontDoorProfile 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n}\n
    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#links","title":"Links","text":"
    • Performance efficiency checklist
    • Azure Front Door tiers
    • What are the comparisons between Azure CDN product features?
    • Azure deployment reference
    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/","title":"Use identity-based authentication for Cogitive Services accounts","text":"Azure.Cognitive.DisableLocalAuthAZR-000282Error

    Security \u00b7 Cognitive Services \u00b7 2022_09

    Authenticate requests to Cognitive Services with Azure AD identities.

    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#description","title":"Description","text":"

    To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits.

    With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys.

    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to authenticate requests to Cogitive Services accounts. Once configured, disable authentication based on access keys.

    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • Authenticate with Azure Active Directory
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/","title":"Use Managed Identity for Cognitive Services accounts","text":"Azure.Cognitive.ManagedIdentityAZR-000281Error

    Security \u00b7 Cognitive Services \u00b7 2022_09

    Configure managed identities to access Azure resources.

    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#description","title":"Description","text":"

    Cognitive Services must authenticate to Azure resources such storage accounts. To authenticate to Azure resources, Cognitive Services can use managed identities.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Cognitive Services account.

    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/","title":"Use Cognitive Service Private Endpoints","text":"Azure.Cognitive.PrivateEndpointsAZR-000283Error

    Security \u00b7 Cognitive Services \u00b7 2022_09

    Use Private Endpoints to access Cognitive Services accounts.

    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#description","title":"Description","text":"

    By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.

    Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required.

    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#recommendation","title":"Recommendation","text":"

    Consider accessing Cognitive Services accounts by Private Endpoints and disabling public endpoints.

    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#links","title":"Links","text":"
    • Traffic flow security in Azure
    • Configure Azure Cognitive Services virtual networks
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/","title":"Restrict Cognitive Service endpoints","text":"Azure.Cognitive.PublicAccessAZR-000280Error

    Security \u00b7 Cognitive Services \u00b7 2022_09

    Restrict access of Cognitive Services accounts to authorized virtual networks.

    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#description","title":"Description","text":"

    By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated.

    Configure service endpoints and private links where appropriate.

    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#recommendation","title":"Recommendation","text":"

    Consider configuring network access restrictions for Cognitive Services accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.

    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny, or
    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny, or
    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Configure Azure Cognitive Services virtual networks
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/","title":"Retired API version","text":"Azure.ContainerApp.APIVersionAZR-000400Error

    Operational Excellence \u00b7 Container App \u00b7 2023_09

    Migrate from retired API version to a supported version.

    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#description","title":"Description","text":"

    The API Azure Container Apps control plane API versions 2022-06-01-preview and 2022-11-01-preview are on the retirement path and will be retired on the November 16, 2023.

    This means you'll no longer be able to create or manage your Azure Container Apps using your existing templates, tools, scripts and programs until they've been updated to a supported API version.

    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#recommendation","title":"Recommendation","text":"

    Consider migrating from retired API version to a supported version.

    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set apiVersion to a supported version.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\"\n}\n
    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set apiVersion to a supported version.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n}\n
    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#links","title":"Links","text":"
    • Repeatable Infrastructure
    • Azure Container Apps API versions retirements
    • Azure Container Apps latest API versions
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/","title":"Disable session affinity","text":"Azure.ContainerApp.DisableAffinityAZR-000378Error

    Performance Efficiency \u00b7 Container App \u00b7 2023_06

    Disable session affinity to prevent unbalanced distribution.

    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#description","title":"Description","text":"

    Container apps allows you to configure session affinity (sticky sessions). When enabled, this feature route requests from the same client to the same replica.

    This feature might be useful for stateful applications that require a consistent connection to the same replica. However, if your application does not store large amounts of state or cached data in memory (stateless application design pattern), session affinity might decrease your throughput because one replica could get overloaded with requests, while others are dormant.

    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#recommendation","title":"Recommendation","text":"

    Consider disabling session affinity to evenly distribute requests across each replica.

    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.stickySessions.affinity to none or don't specify the property at all.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"external\": false,\n\"stickySessions\": {\n\"affinity\": \"None\"\n}\n}\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.stickySessions.affinity to none or don't specify the property at all.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n        stickySessions: {\n          affinity: 'none'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#links","title":"Links","text":"
    • Avoid a requirement to store server-side session state
    • Session affinity
    • Session Affinity in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/","title":"Disable external ingress","text":"Azure.ContainerApp.ExternalIngressAZR-000362Error

    Security \u00b7 Container App \u00b7 2023_03

    Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.

    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#description","title":"Description","text":"

    Container apps allows you to expose your container app to the Internet, your VNET, or to other container apps within the same environment by enabling ingress.

    When inbound access to the app is required, configure the ingress. Applications that do batch processing or consume events may not require ingress to be enabled.

    When external ingress is configured, communication outside the container apps environment is enabled from your private VNET or the Internet. To restrict communication to a private VNET your Container App Environment must be deployed on a custom VNET with an Internal load balancer.

    If communication outside your Container Apps Environment is not required, disable external ingress.

    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#recommendation","title":"Recommendation","text":"

    Consider disabling external ingress.

    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.external to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"external\": false\n}\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.external to false.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#notes","title":"Notes","text":"

    This rule is skipped by default because there are common cases where external ingress is required. If you don't need external ingress, enable this rule by:

    • Setting the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to true.
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#links","title":"Links","text":"
    • Networking architecture in Azure Container Apps
    • Set up HTTPS or TCP ingress in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.Insecure/","title":"Disable insecure container app ingress","text":"Azure.ContainerApp.InsecureAZR-000094Error

    Security \u00b7 Container App \u00b7 2023_06

    Ensure insecure inbound traffic is not permitted to the container app.

    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#description","title":"Description","text":"

    Container Apps by default will automatically redirect any HTTP requests to HTTPS. In this default configuration any inbound requests will occur over a minimum of TLS 1.2. This secure by default behavior can be overridden by allowing insecure HTTP traffic.

    Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.

    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#recommendation","title":"Recommendation","text":"

    Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.

    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resource that pass this rule:

    • Set properties.configuration.ingress.allowInsecure to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"managedEnvironmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"allowInsecure\": false\n}\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n]\n}\n
    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resource that pass this rule:

    • Set properties.configuration.ingress.allowInsecure to false.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  properties: {\n    managedEnvironmentId: containerEnv.id\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#links","title":"Links","text":"
    • Data encryption in Azure
    • Ingress in Azure Container Apps
    • Container Apps ARM template API specification
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.ContainerApp.ManagedIdentityAZR-000361Error

    Security \u00b7 Container App \u00b7 2023_03

    Ensure managed identity is used for authentication.

    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#description","title":"Description","text":"

    Using managed identities have the following benefits:

    • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
    • You can use role-based access control to grant specific permissions to a managed identity.
    • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
    • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
    • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
    • You can use managed identity to create connections for Dapr-enabled applications via Dapr components.
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity for each container app.

    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {}\n}\n
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {}\n}\n
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#notes","title":"Notes","text":"

    Using managed identities in scale rules isn't supported.

    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.Name/","title":"Use valid container app names","text":"Azure.ContainerApp.NameAZR-000360Error

    Operational Excellence \u00b7 Container App \u00b7 2023_03

    Container Apps should meet naming requirements.

    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for container app names are:

    • Between 2 and 32 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Start with letter and end with alphanumeric.
    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#recommendation","title":"Recommendation","text":"

    Consider using container app names thas meets naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#notes","title":"Notes","text":"

    This rule does not check if container app names are unique.

    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for container app resource
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/","title":"Disable public access","text":"Azure.ContainerApp.PublicAccessAZR-000363Error

    Security \u00b7 Container App \u00b7 2023_03

    Ensure public network access for Container Apps environment is disabled.

    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#description","title":"Description","text":"

    Container apps environments allows you to expose your container app to the Internet.

    Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.

    Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.

    This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.

    To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#recommendation","title":"Recommendation","text":"

    Consider disabling public network access.

    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps environments that pass this rule:

    • Set a custom VNET by configuring properties.vnetConfiguration.infrastructureSubnetId with the resource Id of a subnet.
    • Set properties.vnetConfiguration.internal to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('envName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"vnetConfiguration\": {\n\"dockerBridgeCidr\": \"[parameters('dockerBridgeCidr')]\",\n\"infrastructureSubnetId\": \"[parameters('infrastructureSubnetId')]\",\n\"internal\": true,\n\"outboundSettings\": {},\n\"platformReservedCidr\": \"[parameters('platformReservedCidr')]\",\n\"platformReservedDnsIP\": \"[parameters('platformReservedDnsIP')]\",\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps environments that pass this rule:

    • Set a custom VNET by configuring properties.vnetConfiguration.infrastructureSubnetId with the resource Id of a subnet.
    • Set properties.vnetConfiguration.internal to true.

    For example:

    Azure Bicep snippet
    resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {\n  name: envName\n  location: location\n  properties: {\n    vnetConfiguration: {\n      dockerBridgeCidr: dockerBridgeCidr\n      infrastructureSubnetId: infrastructureSubnetId\n      internal: true\n      outboundSettings: {}\n      platformReservedCidr: platformReservedCidr\n      platformReservedDnsIP: platformReservedDnsIP\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Networking architecture in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/","title":"IP ingress restrictions mode","text":"Azure.ContainerApp.RestrictIngressAZR-000380Error

    Security \u00b7 Container App \u00b7 2023_06

    IP ingress restrictions mode should be set to allow action for all rules defined.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#description","title":"Description","text":"

    Container apps supports restricting inbound traffic by IP addresses.

    This allows container apps to restrict inbound HTTP or TCP traffic by allowing or denying access to a specific list of IP address ranges.

    However, configuring a rule with the Deny action leads to traffic being denied from the IPv4 address or range, but allows all other traffic.

    Instead by configuring a rule or multiple rules with the Allow action traffic is allowed from the IPv4 address or range, but denies all other traffic.

    When no IP restriction rules are defined, all inbound traffic is allowed.

    IP ingress restrictions mode can be used for container apps within external and internal environments, but internal ones are limited to private addresses only, where external ones supports both public and private addresses.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#recommendation","title":"Recommendation","text":"

    Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Create one or more rules to allow traffic by configuring properties.configuration.ingress.ipSecurityRestrictions.
    • For each rule defined in properties.configuration.ingress.ipSecurityRestrictions to action Allow.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"external\": false,\n\"ipSecurityRestrictions\": [\n{\n\"action\": \"Allow\",\n\"description\": \"ClientIPAddress_1\",\n\"ipAddressRange\": \"10.1.1.1/32\",\n\"name\": \"ClientIPAddress_1\"\n},\n{\n\"action\": \"Allow\",\n\"description\": \"ClientIPAddress_2\",\n\"ipAddressRange\": \"10.1.2.1/32\",\n\"name\": \"ClientIPAddress_2\"\n}\n]\n}\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Create one or more rules to allow traffic by configuring properties.configuration.ingress.ipSecurityRestrictions.
    • For each rule defined in properties.configuration.ingress.ipSecurityRestrictions to action Allow.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n        ipSecurityRestrictions: [\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_1'\n            ipAddressRange: '10.1.1.1/32'\n            name: 'ClientIPAddress_1'\n          }\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_2'\n            ipAddressRange: '10.1.2.1/32'\n            name: 'ClientIPAddress_2'\n          }\n        ]\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#notes","title":"Notes","text":"

    All rules must be the same type. It is not supported to combine allow rules and deny rules. If no rules are defined at all, the rule will not pass as it expects at least one allow rule to be configured.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#links","title":"Links","text":"
    • Network security and containment
    • Networking architecture in Azure Container Apps
    • IP restrictions
    • Set up IP ingress restrictions in Azure Container Apps
    • Azure security baseline for Azure Container Apps
    • NS-2: Secure cloud services with network controls
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.Storage/","title":"Persistant storage","text":"Azure.ContainerApp.StorageAZR-000364Error

    Reliability \u00b7 Container App \u00b7 2023_03

    Use of Azure Files volume mounts to persistent storage container data.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#description","title":"Description","text":"

    Container apps allows you to use different types of storage. This can be achieved by using volume mounts.

    There are considerations to be taken, whether persistant storage is suitable for your app or if non-persistant storage is suitable. Apps may require no storage.

    By default all files created inside a container are stored on a writable container layer.

    Some considerations when using container file system storage:

    • The data doesn\u2019t persist when that container no longer exists, and it can be difficult to get the data out of the container if another process needs it.
    • There are no capacity guarantees. The available storage depends on the amount of disk space available in the container.

    Usage examples for this can be a stateless web API or a single page application (that just calls APIs).

    Some considerations when using storage volume mounts:

    • Ephemeral volume
      • Files are persisted for the lifetime of the replica.
        • If a container in a replica restarts, the files in the volume remain.
      • Any containers in the replica can mount the same volume.
      • A container can mount multiple ephemeral volumes.
    • Azure Files volume
      • Files written under the mount location are persisted to the file share.
      • Files in the share are available via the mount location.
      • Multiple containers can mount the same file share, including ones that are in another replica, revision, or container app
      • All containers that mount the share can access files written by any other container or method.
      • More than one Azure Files volume can be mounted in a single container.

    Usage examples for this can be a main app container that write log files that are processed by a sidecar container or writing files to a file share to make data accessible by other systems.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#recommendation","title":"Recommendation","text":"

    Consider using Azure File volume mounts to persistent storage across containers and replicas.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Configure the properties.template.volumes array to define a volume or several volumes.
    • For each volume use the storageType of AzureFile.
    • For each container in the template that you want to mount storage, define a volume mount in the properties.template.containers.volumeMounts array.

    For example with an Azure Files volume:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": [\n{\n\"image\": \"mcr.microsoft.com/azuredocs/containerapps-helloworld:latest\",\n\"name\": \"simple-hello-world-container\",\n\"resources\": {\n\"cpu\": \"[json('.25')]\",\n\"memory\": \".5Gi\"\n},\n\"volumeMounts\": [\n{\n\"mountPath\": \"/myfiles\",\n\"volumeName\": \"azure-files-volume\"\n}\n]\n}\n],\n\"scale\": {\n\"minReplicas\": 1,\n\"maxReplicas\": 3\n},\n\"volumes\": [\n{\n\"name\": \"azure-files-volume\",\n\"storageType\": \"AzureFile\",\n\"storageName\": \"myazurefiles\"\n}\n]\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Configure the properties.template.volumes array to define a volume or several volumes.
    • For each volume use the storageType of AzureFile.
    • For each container in the template that you want to mount storage, define a volume mount in the properties.template.containers.volumeMounts array.

    For example with an Azure Files volume:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: [\n        {\n          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'\n          name: 'simple-hello-world-container'\n          resources: {\n            cpu: json('.25')\n            memory: '.5Gi'\n          }\n          volumeMounts: [\n            {\n              mountPath: '/myfiles'\n              volumeName: 'azure-files-volume'\n            }\n          ]\n        }\n      ]\n      scale: {\n        minReplicas: 1\n        maxReplicas: 3\n      }\n      volumes: [\n        {\n          name: 'azure-files-volume'\n          storageType: 'AzureFile'\n          storageName: 'myazurefiles'\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#notes","title":"Notes","text":"

    To enable Azure Files storage, a storage definition must be defined in the Container Apps Environment.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#links","title":"Links","text":"
    • Reliability design principles
    • Use storage mounts in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.Cosmos.AccountName/","title":"Use valid Cosmos DB account names","text":"Azure.Cosmos.AccountNameAZR-000096Error

    Operational Excellence \u00b7 Cosmos DB \u00b7 2021_09

    Cosmos DB account names should meet naming requirements.

    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Cosmos DB account names are:

    • Between 3 and 44 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Start and end with letters and numbers.
    • Cosmos DB account names must be globally unique.
    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#notes","title":"Notes","text":"

    This rule does not check if Cosmos DB account names are unique.

    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Cosmos.DefenderCloudAZR-000382Error

    Security \u00b7 Cosmos DB \u00b7 2023_06

    Enable Microsoft Defender for Azure Cosmos DB.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#description","title":"Description","text":"

    Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.

    Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

    Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

    Microsoft Defender for Cosmos DB can be enabled at the resource level, but the general recommandation is to enable it at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones. However, enabling it at resource level can be done to protect a specific Azure Cosmos DB account.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (extension resource).
    • Set the properties.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/advancedThreatProtectionSettings\",\n\"apiVersion\": \"2019-01-01\",\n\"scope\": \"[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('accountName'))]\",\n\"name\": \"current\",\n\"properties\": {\n\"isEnabled\": true\n},\n\"dependsOn\": [\n\"cosmosDbAccount\"\n]\n}\n
    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (extension resource).
    • Set the properties.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForCosmosDb 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {\n  scope: cosmosDbAccount\n  name: 'current'\n  properties: {\n    isEnabled: true\n  }\n}\n
    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#notes","title":"Notes","text":"

    Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API. When Microsoft Defender for Cosmos DB is enabled at the subscription level, the resource level enablement has no effect as it will be handled by the plan at the subscription level.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Azure Cosmos DB
    • Enable Microsoft Defender for Azure Cosmos DB
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Cosmos DB
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/","title":"Restrict user access to data operations in Azure Cosmos DB","text":"Azure.Cosmos.DisableMetadataWriteAZR-000095Error

    Security \u00b7 Cosmos DB \u00b7 2021_09

    Use Azure AD identities for management place operations in Azure Cosmos DB.

    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#description","title":"Description","text":"

    Cosmos DB provides two authorization options for interacting with the database:

    • Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations.
    • Keys and resource tokens. Can be used to authorize resource management and data operations.

    Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.

    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#recommendation","title":"Recommendation","text":"

    Consider limiting key and resource tokens to data plane operations only. Use Azure AD identities for authorizing account and resource management operations.

    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cosmos DB accounts that pass this rule:

    • Set the Properties.disableKeyBasedMetadataWriteAccess property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DocumentDB/databaseAccounts\",\n\"apiVersion\": \"2021-06-15\",\n\"name\": \"[parameters('dbAccountName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"consistencyPolicy\": {\n\"defaultConsistencyLevel\": \"Session\"\n},\n\"databaseAccountOfferType\": \"Standard\",\n\"locations\": [\n{\n\"locationName\": \"[parameters('location')]\",\n\"failoverPriority\": 0,\n\"isZoneRedundant\": false\n}\n],\n\"disableKeyBasedMetadataWriteAccess\": true\n}\n}\n
    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cosmos DB accounts that pass this rule:

    • Set the Properties.disableKeyBasedMetadataWriteAccess property to true.

    For example:

    Azure Bicep snippet
    resource dbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' = {\n  name: dbAccountName\n  location: location\n  properties: {\n    consistencyPolicy: {\n      defaultConsistencyLevel: 'Session'\n    }\n    databaseAccountOfferType: 'Standard'\n    locations: [\n      {\n        locationName: location\n        failoverPriority: 0\n        isZoneRedundant: false\n      }\n    ]\n    disableKeyBasedMetadataWriteAccess: true\n  }\n}\n
    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#links","title":"Links","text":"
    • Use identity-based authentication
    • Restrict user access to data operations in Azure Cosmos DB
    • Secure access to data in Azure Cosmos DB
    • How does Azure Cosmos DB secure my database?
    • Access control in the Azure Cosmos DB SQL API
    • Azure resource template
    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.DataFactory.Version/","title":"Use Data Factory v2","text":"Azure.DataFactory.VersionAZR-000097Error

    Operational Excellence \u00b7 Data Factory \u00b7 2020_06

    Consider migrating to DataFactory v2.

    ","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#description","title":"Description","text":"

    Consider migrating to DataFactory v2.

    ","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#recommendation","title":"Recommendation","text":"

    Consider migrating to DataFactory v2.

    ","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/","title":"Enable secure connectivity for Databricks workspaces","text":"Azure.Databricks.SecureConnectivityAZR-000393Error

    Security \u00b7 Databricks \u00b7 2023_09

    Use Databricks workspaces configured for secure cluster connectivity.

    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#description","title":"Description","text":"

    An Azure Databricks workspace uses one or more runtime clusters to execute data processing workloads.

    When configuring Databricks workspaces, runtime clusters can be configured with or without public IP addresses. Secure cluster connectivity is used when a Databricks workspace is deployed without public IP addresses. Use secure cluster connectivity to simplify security and administration of Databricks networking within Azure.

    With secure cluster connectivity enabled:

    • An outbound connection over HTTPS from the runtime cluster is used to communicate to the control plane.
    • No open ports or IP public addressing is required.
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#recommendation","title":"Recommendation","text":"

    Consider configuring Databricks workspaces to use secure cluster connectivity.

    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#examples","title":"Examples","text":"","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy workspaces that pass this rule:

    • Set the properties.parameters.enableNoPublicIp.value property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Databricks/workspaces\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n\"parameters\": {\n\"enableNoPublicIp\": {\n\"value\": true\n}\n}\n}\n}\n
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy workspaces that pass this rule:

    • Set the properties.parameters.enableNoPublicIp.value property to true.

    For example:

    Azure Bicep snippet
    resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    managedResourceGroupId: managedRg.id\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#links","title":"Links","text":"
    • Public endpoints
    • Secure cluster connectivity (No Public IP / NPIP)
    • Network access
    • Azure Databricks architecture overview
    • Azure resource deployment
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Defender.Api/","title":"Set Microsoft Defender for APIs to the Standard tier","text":"Azure.Defender.ApiAZR-000377Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_06

    Enable Microsoft Defender for APIs.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#description","title":"Description","text":"

    Microsoft Defender for APIs provides additional security for APIs published in Azure API Management.

    Protection is provided by analyzing onboarded APIs. Which allows Microsoft Defender for Cloud to produce security findings.

    The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard.

    These security findings includes API recommendations and runtime threats.

    Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.

    Microsoft Defender for APIs can be enabled at the subscription level.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#examples","title":"Examples","text":"","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Api\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure Bicep snippet
    resource defenderForApi 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Api'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Api' --tier 'standard'\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Api' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#notes","title":"Notes","text":"

    Microsoft Defender for APIs is a preview feature. Currently only REST APIs published in Azure API Management is supported. Not all regions are supported.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for APIs
    • Support and prerequisites for Defender for APIs
    • Onboard Defender for APIs
    • Quickstart: Enable enhanced security features
    • Azure security baseline for API Management
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.AppServices/","title":"Configure Microsoft Defender for App Services to the Standard tier","text":"Azure.Defender.AppServicesAZR-000295Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2022_09

    Enable Microsoft Defender for App Service.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#description","title":"Description","text":"

    Many attacks are performed first by probing web applications to find and exploit weaknesses. It is crucial to secure your applications, even while running in PaaS services like App Service.

    Microsoft Defender for App Service identifies attacks over App Service thanks to cloud scale data analysis. It offers:

    • Hardening capabilities for your App Services through assessments and security recommendations.
    • Detection of threats at different levels such as underlying VMs, internal logs, I/O to your App Service, etc.
    • Protection against common attack patterns like MITRE ATT&CK or even dangling DNS.

    The solution is particularly efficient as it can can identify attack methodologies applying to multiple targets. The log data and the infrastructure together are used to enhance Defender for App Service globally.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for App Service to protect your web apps and APIs.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#examples","title":"Examples","text":"","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for App Service:

    • Set the Standard pricing tier for Microsoft Defender for App Service.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"AppServices\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for App Service:

    • Set the Standard pricing tier for Microsoft Defender for App Service.

    For example:

    Azure Bicep snippet
    resource defenderForAppService 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'AppServices'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'AppServices' --tier 'standard'\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#links","title":"Links","text":"
    • Securing applications and PaaS deployments
    • Introduction to Microsoft Defender for App Service
    • App Service security best practices
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.Arm/","title":"Set Microsoft Defender for ARM to the Standard tier","text":"Azure.Defender.ArmAZR-000354Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_03

    Enable Microsoft Defender for Azure Resource Manager (ARM).

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#description","title":"Description","text":"

    Microsoft Defender for ARM provides additional protection for control plane activities. It does this by detecting suspicious activities such as disabling security features or attempts at lateral movement.

    Protection is provided by analyzing telemetry from Azure Resource Manager operations. Which allows Microsoft Defender for Cloud to detect anomalous activities regardless of the tool used to perform the operation. For example: Azure CLI, Azure Portal, PowerShell, REST API, Terraform, etc.

    When anomalous activities occur, Microsoft Defender for ARM shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

    Microsoft Defender for ARM can be enabled at the subscription level.

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Arm\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure Bicep snippet
    resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Arm'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Arm' --tier 'standard'\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Resource Manager
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Resource Manager
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Containers/","title":"Set Microsoft Defender for Containers to the Standard tier","text":"Azure.Defender.ContainersAZR-000290Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2022_09

    Enable Microsoft Defender for Containers.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#description","title":"Description","text":"

    Container-based workloads should be carefully monitored the following three core security aspects:

    • Environment hardening : continuously assess your clusters to provide visibility into misconfigurations and threats.
    • Runtime threat protection : to generate security alerts for suspicious activities.
    • Vulnerability assessment : for images stored in ACR registries and running in Azure Kubernetes Service.

    It is important to adopt a strategy to actively perform those three aspects. One option for doing so is to use Microsoft Defender for Containers.

    Defender for Cloud continuously assesses the configurations of your clusters. If any misconfigurations is found, it generates security recommendations. The recommendations available in the Recommendations page allow you to investigate and remediate issues.

    Defender for Containers also provides real-time threat protection for your containerized environments. If any suspicious activities is detected, Defender for Container generates an alert. Threat protection at the cluster level is provided by the Defender agent and analysis of the Kubernetes audit logs.

    Defender for Containers scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Containers to protect your container-based workloads.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Containers\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure Bicep snippet
    resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Containers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Containers' --tier 'standard'\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for Containers
    • Secure the images and run time
    • Azure security baseline for Container Registry
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.CosmosDb/","title":"Set Microsoft Defender for Cosmos DB to the Standard tier","text":"Azure.Defender.CosmosDbAZR-000379Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_06

    Enable Microsoft Defender for Azure Cosmos DB.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#description","title":"Description","text":"

    Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.

    Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

    Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

    Microsoft Defender for Cosmos DB can be enabled at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#examples","title":"Examples","text":"","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"CosmosDbs\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure Bicep snippet
    resource defenderForCosmosDb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CosmosDbs'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure CLI snippet
    az security pricing create -n 'CosmosDbs' --tier 'standard'\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#notes","title":"Notes","text":"

    Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Azure Cosmos DB
    • Enable Microsoft Defender for Azure Cosmos DB
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Cosmos DB
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.Cspm/","title":"Set Microsoft Defender Cloud Security Posture Management to the Standard plan","text":"Azure.Defender.CspmAZR-000372Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_06

    Enable Microsoft Defender Cloud Security Posture Management Standard plan.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#description","title":"Description","text":"

    Microsoft Defender Cloud Security Posture Management (CSPM) provides additional visibility across cloud environments to quickly detect configuration errors and remediate them through automation. It does this by keeping constant eye on the security state of your cloud resources in different environments.

    By enabling the Defender Cloud CSPM Standard plan, Microsoft Defender provides advanced posture management capabilities such as:

    • Attack path analysis
    • Cloud security explorer
    • Advanced threat hunting
    • Security governance capabilities
    • Tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region

    Microsoft Defender Cloud Security Posture Management (CSPM) can be enabled at the subscription level.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"CloudPosture\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure Bicep snippet
    resource defenderCspm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CloudPosture'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    TTo enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure CLI snippet
    az security pricing create -n 'CloudPosture' --tier 'standard'\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'CloudPosture' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#notes","title":"Notes","text":"

    This rule applies when analyzing resources before deployed (pre-flight) and deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Cloud Security Posture Management (CSPM)
    • Quickstart: Enable enhanced security features
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Dns/","title":"Set Microsoft Defender for DNS to the Standard tier","text":"Azure.Defender.DnsAZR-000353Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_03

    Enable Microsoft Defender for DNS.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#description","title":"Description","text":"

    Microsoft Defender for DNS provides additional protection for virtual networks and resources. It does this by monitoring Azure-provided DNS for suspicious and anomalous activity. By analyzing telemetry for DNS, Microsoft Defender for DNS can detect and alert on persistent threats such as:

    • Data exfiltration from your Azure resources using DNS tunneling.
    • Malware communicating with command and control servers.
    • DNS attacks - communication with malicious DNS resolvers.
    • Communication with domains used for malicious activities such as phishing and crypto mining.

    Microsoft Defender for DNS can be enabled at the subscription level.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#examples","title":"Examples","text":"","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Dns\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure Bicep snippet
    resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Dns'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Dns' --tier 'standard'\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for DNS
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure DNS
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.KeyVault/","title":"Set Microsoft Defender for Key Vault to the Standard tier","text":"Azure.Defender.KeyVaultAZR-000352Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_03

    Enable Microsoft Defender for Key Vault.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#description","title":"Description","text":"

    Microsoft Defender for Key Vault provides additional protection for keys and secrets stored in Key Vaults. It does this by detecting unusual and potentially harmful attempts to access or exploit Key Vault accounts. This protection is provided by analyzing telemetry from Key Vault and Microsoft Defender for Cloud.

    When anomalous activities occur, Defender for Key Vault shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

    Microsoft Defender for Key Vault can be enabled at the subscription level for all Key Vaults in the subscription. Azure Policy can be used to automatically enable Microsoft Defender for Key Vault a subscription.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#examples","title":"Examples","text":"","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"KeyVaults\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure Bicep snippet
    resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'KeyVaults'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure CLI snippet
    az security pricing create -n 'KeyVaults' --tier 'standard'\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Key Vault
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Key Vault
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.OssRdb/","title":"Set Microsoft Defender for open-source relational databases to the Standard tier","text":"Azure.Defender.OssRdbAZR-000381Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_06

    Enable Microsoft Defender for open-source relational databases.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#description","title":"Description","text":"

    Microsoft Defender for open-source relational databases provides additional security for open-source relational databases.

    The following open-source relational databases are supported:

    • Azure Database for PostgreSQL
    • Azure Database for MySQL
    • Azure Database for MariaDB

    Protection is provided by analyzing onboarded databases for unusual and potentially harmful attempts to access or exploit databases. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

    Security alerts for onboarded databases shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

    Microsoft Defender for open-source relational databases can be enabled at the subscription level and by doing so ensures all supported databases in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#examples","title":"Examples","text":"","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"OpenSourceRelationalDatabases\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure Bicep snippet
    resource defenderForOssRdb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'OpenSourceRelationalDatabases'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure CLI snippet
    az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard'\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#notes","title":"Notes","text":"

    Microsoft Defender for open-source relational databases is currently available only for the single server deployment model for PostgreSQL and the single server deployment model for MySQL. For PostgreSQL, MySQL and MariaDB General Purpose and Memory Optimized tiers are required in order to be protected.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for open-source relational databases
    • Enable Defender for OSS RDBs
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Database for PostgreSQL - Single Server
    • Azure security baseline for Azure Database for MySQL - Single Server
    • Azure security baseline for Azure Database for MariaDB
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.SQL/","title":"Configure Microsoft Defender for SQL to the Standard tier","text":"Azure.Defender.SQLAZR-000294Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2022_09

    Enable Microsoft Defender for SQL servers.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#description","title":"Description","text":"

    SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL represents a single go-to location to manage security capabilities.

    Enabling Defender for SQL automatically enables the following advanced SQL security capabilities:

    • Vulnerability Assessment: discover, track, and provide guidance to remediate potential database vulnerabilities.
    • Advanced Threat Protection: continuous monitoring of your databases, detection of suspect activities and more.

    When enable at subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for SQL to protect your SQL databases.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"SqlServers\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure Bicep snippet
    resource defenderForSQL 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure CLI snippet
    az security pricing create -n 'SqlServers' --tier 'standard'\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#links","title":"Links","text":"
    • Security operations in Azure
    • Azure SQL Database and security
    • Introduction to Microsoft Defender for SQL
    • Azure security baseline for Azure SQL
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQLOnVM/","title":"Configure Microsoft Defender for SQL Servers on machines to the Standard tier","text":"Azure.Defender.SQLOnVMAZR-000297Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2022_09

    Enable Microsoft Defender for SQL servers on machines.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#description","title":"Description","text":"

    SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL Servers on machines represents a single go-to location to manage security capabilities.

    Enabling Defender for SQL automatically enables vulnerability Assessment for your SQL databases hosted in a VM. It discovers, tracks, and provides guidance to remediate potential database vulnerabilities.

    Enabling at subscription level doesn't protect all your SQL servers. A Log Analytics agent must be deployed on the machine and the Log Analytics workspace must have Defender for SQL enabled.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for SQL servers on machines:

    • Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"SqlServerVirtualMachines\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for SQL servers on machines:

    • Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.

    For example:

    Azure Bicep snippet
    resource defenderForSQLOnVM 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServerVirtualMachines'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'SqlServerVirtualMachines' --tier 'standard'\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for SQL Servers on machines
    • Security considerations for SQL Server on Azure Virtual Machines
    • Azure Security Benchmark - Data protection
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.Servers/","title":"Configure Microsoft Defender for Servers to the Standard tier and P2","text":"Azure.Defender.ServersAZR-000293Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2022_09

    Enable Microsoft Defender for Servers.

    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#description","title":"Description","text":"

    Microsoft Defender for Servers automatically deploys an agent into your Windows and Linux machines to protect them.

    With the unified integration of Microsoft Defender for Endpoint (MDE) you benefit from features like:

    • Threat and vulnerability management : to discover vulnerabilities and misconfigurations in real time
    • Security Policy and Regulatory Compliance integration
    • Qualys integration for real time identification of vulnerabilities without any license needed
    • Threat detection at OS level, network layer and control plane
    • Just-in-time (JIT) access : to reduce your machine's surface attack
    • And more.
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Servers P2 to protect your virtual machines.

    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for Servers:

    • Set the Standard pricing tier for Microsoft Defender for Servers and set the P2 sub plan.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"VirtualMachines\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"P2\"\n}\n}\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for Servers:

    • Set the Standard pricing tier for Microsoft Defender for Servers and set the P2 sub plan.

    For example:

    Azure Bicep snippet
    resource defenderForServers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'VirtualMachines'\n  properties: {\n    pricingTier: 'Standard',\n    subPlan: 'P2'\n  }\n}\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'VirtualMachines' --tier 'standard'\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for Containers
    • Azure Monitor agent auto-provisioning
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/","title":"Malware Scanning","text":"Azure.Defender.Storage.MalwareScanAZR-000383Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_06

    Enable Malware Scanning in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#description","title":"Description","text":"

    Microsoft Defender for Storage provides additional security for storage accounts.

    One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

    Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

    Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

    This can be helpful when:

    • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)
    • To comply with compliance standards that require on-upload malware scanning for noncompute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.

    When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.

    Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#recommendation","title":"Recommendation","text":"

    Consider using Malware Scanning in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Malware Scanning in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an OnUploadMalwareScanning extension.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"StorageAccounts\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"DefenderForStorageV2\",\n\"extensions\": [\n{\n\"name\": \"OnUploadMalwareScanning\",\n\"isEnabled\": \"True\",\n\"additionalExtensionProperties\": {\n\"CapGBPerMonthPerStorageAccount\": \"5000\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Malware Scanning in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an OnUploadMalwareScanning extension.

    For example:

    Azure Bicep snippet
    resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#notes","title":"Notes","text":"

    This feature is currently in preview.

    The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan, such as Malware Scanning.

    Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Malware Scanning in Defender for Storage
    • Limitations
    • Setting up response to Malware Scanning
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/","title":"Sensitive data threat detection","text":"Azure.Defender.Storage.SensitiveDataAZR-000385Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2023_06

    Enable sensitive data threat detection in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#description","title":"Description","text":"

    Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.

    The sensitive data threat detection capability helps teams:

    • Identity where sensitive data is stored.
    • Detect possible security incidents resulting is data exposure.

    When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).

    Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#recommendation","title":"Recommendation","text":"

    Consider using sensitive data threat detection in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable sensitive data threat detection in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an SensitiveDataDiscovery extension.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"StorageAccounts\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"DefenderForStorageV2\",\n\"extensions\": [\n{\n\"name\": \"SensitiveDataDiscovery\",\n\"isEnabled\": \"True\",\n}\n]\n}\n}\n
    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable sensitive data threat detection in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an SensitiveDataDiscovery extension.

    For example:

    Azure Bicep snippet
    resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#notes","title":"Notes","text":"

    This feature is currently in preview.

    The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan, such as sensitive data threat detection.

    Sensitive data threat detection is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Sensitive data threat detection in Defender for Storage
    • Support and prerequisites for data-aware security posture
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage/","title":"Azure.Defender.Storage","text":""},{"location":"en/rules/Azure.Defender.Storage/#online-version-httpsazuregithubiopsrulerulesazureenrulesazuredefenderstorage","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage/","text":""},{"location":"en/rules/Azure.Defender.Storage/#configure-microsoft-defender-for-storage-to-the-standard-tier","title":"Configure Microsoft Defender for Storage to the Standard tier","text":"

    Enable Microsoft Defender for Storage.

    "},{"location":"en/rules/Azure.Defender.Storage/#description","title":"Description","text":"

    Microsoft Defender for Storage provides additional security for storage accounts.

    Protection is provided by:

    • Continuously analyzing data and control plane logs from protected storage accounts.
    • Malicious scanning by performing a full malware scan on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
    • Sensitive data threat detection by a smart sampling method to find resources with sensitive data.

    Which allows Microsoft Defender for Cloud to discover and mitigate potential threats.

    Security findings for onboarded storage accounts shows up in Defender for Cloud with details of the security threats with contextual information.

    Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    "},{"location":"en/rules/Azure.Defender.Storage/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.

    "},{"location":"en/rules/Azure.Defender.Storage/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"StorageAccounts\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"DefenderForStorageV2\"\n}\n}\n
    "},{"location":"en/rules/Azure.Defender.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.

    For example:

    Azure Bicep snippet
    resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n  }\n}\n
    "},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'\n
    "},{"location":"en/rules/Azure.Defender.Storage/#notes","title":"Notes","text":"

    The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption. Some features within the new plan is still in preview, but these are configurable.

    Currently only the Blob Storage, Azure Files and Azure Data Lake Storage Gen2 service is supported by Defender for Storage.

    "},{"location":"en/rules/Azure.Defender.Storage/#links","title":"Links","text":"
    • Storage security guide
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Storage
    • Migrate from Defender for Storage (classic) to the new plan
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    "},{"location":"en/rules/Azure.DefenderCloud.Contact/","title":"Set Security Center contact details","text":"Azure.DefenderCloud.ContactAZR-000209Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2020_06

    Microsoft Defender for Cloud email and phone contact details should be set.

    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#description","title":"Description","text":"

    Security contact details configured in Microsoft Defender for Cloud are used by Microsoft to notify you in response to certain security events.

    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#recommendation","title":"Recommendation","text":"

    Consider configuring Microsoft Defender for Cloud email and phone contact details.

    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#link","title":"LINK","text":"
    • Quickstart: Configure email notifications for security alerts
    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/","title":"Enable Microsoft Defender for Cloud auto-provisioning","text":"Azure.DefenderCloud.ProvisioningAZR-000210Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 2020_06

    Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.

    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#description","title":"Description","text":"

    Select resources such as virtual machines (VMs) and VM scale sets require an agent to be installed to collect additional information from the operating system (OS). This information is used to identify missing security updates and additional threats.

    By turning auto-provisioning on, Microsoft Defender for Cloud automatically deploys an Azure Monitor agent to VMs on a regular basis.

    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#recommendation","title":"Recommendation","text":"

    Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM insights.

    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#links","title":"Links","text":"
    • Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.Deployment.AdminUsername/","title":"Administrator Username Types","text":"Azure.Deployment.AdminUsernameAZR-000284Error

    Security \u00b7 Deployment \u00b7 2022_09

    Use secure parameters for sensitive resource properties.

    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#description","title":"Description","text":"

    Resource properties can be configured using a hardcoded value or Azure Bicep/ template expressions. When specifing sensitive values use secure parameters such as secureString or secureObject.

    Sensitive values that use deterministic expressions such as hardcodes string literals or variables are not secure.

    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#recommendation","title":"Recommendation","text":"

    Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.

    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#examples","title":"Examples","text":"","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resources that pass this rule:

    • Use parameters to specify sensitive properties.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"zones\": [\n\"1\"\n],\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"Standard_D2s_v3\"\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('name')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\"\n},\n\"storageProfile\": {\n\"imageReference\": {\n\"publisher\": \"MicrosoftWindowsServer\",\n\"offer\": \"WindowsServer\",\n\"sku\": \"[parameters('sku')]\",\n\"version\": \"latest\"\n},\n\"osDisk\": {\n\"name\": \"[format('{0}-disk0', parameters('name'))]\",\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\",\n\"managedDisk\": {\n\"storageAccountType\": \"Premium_LRS\"\n}\n}\n},\n\"licenseType\": \"Windows_Server\",\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n}\n]\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n]\n}\n
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resources that pass this rule:

    • steps

    For example:

    Azure Bicep snippet
    @secure()\n@description('The name of the local administrator account.')\nparam adminUsername string\n\n@secure()\n@description('A password for the local administrator account.')\nparam adminPassword string\n\nresource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#notes","title":"Notes","text":"

    Configure AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES to specify sensitive property names. By default the following values are used:

    • adminUsername
    • administratorLogin
    • administratorLoginPassword
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#links","title":"Links","text":"
    • Infrastructure provisioning considerations in Azure
    • Use Azure Key Vault to pass secure parameter value during Bicep deployment
    • Integrate Azure Key Vault in your ARM template deployment
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.Name/","title":"Use valid nested deployments names","text":"Azure.Deployment.NameAZR-000359Error

    Operational Excellence \u00b7 Deployment \u00b7 2023_03

    Nested deployments should meet naming requirements of deployments.

    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure deployments names are:

    • Between 1 and 64 characters long.
    • Alphanumerics, underscores, parentheses, hyphens, and periods.
    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#recommendation","title":"Recommendation","text":"

    Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#notes","title":"Notes","text":"

    This rule does not check if nested deployment names are unique.

    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions deployments resource
    • Using linked and nested templates when deploying Azure resources
    • Template reference
    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.OuterSecret/","title":"Secret value in deployment output","text":"Azure.Deployment.OuterSecretAZR-000331Error

    Security \u00b7 Deployment \u00b7 2022_12

    Do not use Outer deployments when references SecureString or SecureObject parameters.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#description","title":"Description","text":"

    Template child deployments can be scoped as either outer or inner. When using outer scope evaluated deployments, parameters from the parent template are used directly within nested templates instead of enforcing secureString and secureObject types.

    When passing secure values to nested deployments always use inner scope deployments to ensure secure values are not logging. Bicep modules always use inner scope evaluated deployments.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#recommendation","title":"Recommendation","text":"

    Consider using inner deployments to prevent secure values from being exposed.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-azure-template","title":"Configure with Azure template","text":"

    Nested Deployments within an ARM template need the property expressionEvaluationOptions.Scope to be set to inner.

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminUsername\": {\n\"type\": \"securestring\",\n\"defaultValue\": \"admin\"\n}\n},\n\"resources\": [\n{\n\"name\": \"nestedDeployment-A\",\n\"type\": \"Microsoft.Resources/deployments\",\n\"apiVersion\": \"2020-10-01\",\n\"properties\": {\n\"expressionEvaluationOptions\": {\n\"scope\": \"inner\"\n},\n\"mode\": \"Incremental\",\n\"template\": {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminUsername\": {\n\"type\": \"securestring\",\n\"defaultValue\": \"password\"\n}\n},\n\"variables\": {},\n\"resources\": [\n{\n\"apiVersion\": \"2019-12-01\",\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"name\": \"vm-example\",\n\"location\": \"australiaeast\",\n\"properties\": {\n\"osProfile\": {\n\"computerName\": \"vm-example\",\n\"adminUsername\": \"[parameters('adminUsername')]\"\n}\n}\n}\n]\n}\n}\n}\n]\n}\n
    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-bicep","title":"Configure with Bicep","text":"

    Bicep templates will do this by default when performing nested deployments.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#links","title":"Links","text":"
    • Azure deployment reference
    • Deployment Function Scopes
    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/","title":"Secret value in deployment output","text":"Azure.Deployment.OutputSecretValueAZR-000279Error

    Security \u00b7 Deployment \u00b7 2022_06

    Avoid outputting sensitive deployment values.

    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#description","title":"Description","text":"

    Don't include any values in an ARM template or Bicep output that could potentially expose secrets. The output from a template is stored in the deployment history, so a malicious user could find that information.

    Examples of secrets are:

    • Parameters using the secureString or secureObject type.
    • Output from list* functions such as listKeys.
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#recommendation","title":"Recommendation","text":"

    Consider removing any output values that return secret values in code.

    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy securely pass secrets within Infrastructure as Code:

    • Define parameters with the secureString or secureObject type.
    • Avoid returning a secret in output values.

    Example using secureString type:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminPassword\": {\n\"type\": \"secureString\",\n\"metadata\": {\n\"description\": \"Local administrator password for virtual machine.\"\n}\n}\n},\n\"resources\": []\n}\n

    The following example fails because it returns a secret:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminPassword\": {\n\"type\": \"secureString\",\n\"metadata\": {\n\"description\": \"Local administrator password for virtual machine.\"\n}\n}\n},\n\"resources\": [],\n\"outputs\": {\n\"accountPassword\": {\n\"type\": \"string\",\n\"value\": \"[parameters('adminPassword')]\"\n}\n}\n}\n
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy securely pass secrets within Infrastructure as Code:

    • Mark secrets with the @secure() annotation.
    • Avoid returning a secret in output values.

    Example using @secure() annotation:

    Azure Bicep snippet
    @secure()\n@description('Local administrator password for virtual machine.')\nparam adminPassword string\n

    The following example fails because it returns a secret:

    Azure Bicep snippet
    output accountPassword string = adminPassword\n
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#links","title":"Links","text":"
    • Pipeline secret management
    • Test cases for ARM templates
    • Outputs should not contain secrets
    • List function
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.SecureValue/","title":"Use secure resource values","text":"Azure.Deployment.SecureValueAZR-000316Error

    Security \u00b7 Deployment \u00b7 2022_12

    Use secure parameters for setting properties of resources that contain sensitive information.

    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#description","title":"Description","text":"

    Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type.

    Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#recommendation","title":"Recommendation","text":"

    Consider using secure parameters for sensitive resource properties.

    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure deployments that pass this rule:

    • Set the type of parameters used set sensitive resource properties to secureString or secureObject.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"secret\": {\n\"type\": \"secureString\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.KeyVault/vaults/secrets\",\n\"apiVersion\": \"2022-07-01\",\n\"name\": \"keyvault/good\",\n\"properties\": {\n\"value\": \"[parameters('secret')]\"\n}\n}\n]\n}\n
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure deployments that pass this rule:

    • Add the @secure() attribute on parameters used to set sensitive resource properties.

    For example:

    Azure Bicep snippet
    @secure()\nparam secret string\n\nresource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {\n  name: 'keyvault/good'\n  properties: {\n    value: secret\n  }\n}\n
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#notes","title":"Notes","text":"

    This rule checks the following resource type properties:

    • Microsoft.KeyVault/vaults/secrets:
      • properties.value
    • Microsoft.Compute/virtualMachineScaleSets:
      • properties.virtualMachineProfile.osProfile.adminPassword
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#links","title":"Links","text":"
    • Infrastructure provisioning considerations in Azure
    • Use Azure Key Vault to pass secure parameter value during Bicep deployment
    • Integrate Azure Key Vault in your ARM template deployment
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/","title":"Use identity-based authentication for Event Grid topics","text":"Azure.EventGrid.DisableLocalAuthAZR-000100Error

    Security \u00b7 Event Grid \u00b7 2022_09

    Authenticate publishing clients with Azure AD identities.

    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#description","title":"Description","text":"

    To publish events to Event Grid access keys, SAS tokens, or Azure AD identities can be used. With Azure AD authentication, the identity is validated against the Microsoft Identity Platform. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.

    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to publish events to Event Grid. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventGrid/topics\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('topicName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"publicNetworkAccess\": \"Disabled\",\n\"inputSchema\": \"CloudEventSchemaV1_0\"\n}\n}\n
    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {\n  name: topicName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n
    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • IM-1: Use centralized identity and authentication system
    • Authentication and authorization with Azure Active Directory
    • Disable key and shared access signature authentication
    • Azure deployment reference
    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/","title":"Use Managed Identity for Event Grid Topics","text":"Azure.EventGrid.ManagedIdentityAZR-000099Error

    Security \u00b7 Event Grid \u00b7 2021_12

    Use managed identities to deliver Event Grid Topic events.

    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#description","title":"Description","text":"

    When delivering events you can use Managed Identities to authenticate event delivery. You can enable either system-assigned identity or user-assigned identity but not both. You can have at most two user-assigned identities assigned to a topic or domain.

    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Event Grid Topic.

    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventGrid/topics\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('topicName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"publicNetworkAccess\": \"Disabled\",\n\"inputSchema\": \"CloudEventSchemaV1_0\"\n}\n}\n
    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {\n  name: topicName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n
    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Assign a managed identity to an Event Grid custom topic or domain
    • Authenticate event delivery to event handlers
    • Azure deployment reference
    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/","title":"Use Event Grid Private Endpoints","text":"Azure.EventGrid.TopicPublicAccessAZR-000098Error

    Security \u00b7 Event Grid \u00b7 2021_12

    Use Private Endpoints to access Event Grid topics and domains.

    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#description","title":"Description","text":"

    By default, public network access is enabled for an Event Grid topic or domain. To allow access via private endpoints only, disable public network access.

    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#recommendation","title":"Recommendation","text":"

    Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.

    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventGrid/topics\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('topicName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"publicNetworkAccess\": \"Disabled\",\n\"inputSchema\": \"CloudEventSchemaV1_0\"\n}\n}\n
    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {\n  name: topicName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n
    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#links","title":"Links","text":"
    • Traffic flow security in Azure
    • Private Endpoints
    • Azure deployment reference
    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/","title":"Use identity-based authentication for Event Hub namespaces","text":"Azure.EventHub.DisableLocalAuthAZR-000102Error

    Security \u00b7 Event Hub \u00b7 2022_03

    Authenticate Event Hub publishers and consumers with Azure AD identities.

    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#description","title":"Description","text":"

    To publish or consume events from Event Hubs cryptographic keys, or Azure AD identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Azure AD authentication, the identity is validated against Azure AD. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.

    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventHub/namespaces\",\n\"apiVersion\": \"2021-11-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"isAutoInflateEnabled\": true,\n\"maximumThroughputUnits\": 10,\n\"zoneRedundant\": true\n}\n}\n
    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource ns 'Microsoft.EventHub/namespaces@2021-11-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    isAutoInflateEnabled: true\n    maximumThroughputUnits: 10\n    zoneRedundant: true\n  }\n}\n
    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • Authorize access to Event Hubs resources using Azure Active Directory
    • Disabling Local/SAS Key authentication
    • Azure deployment reference
    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.MinTLS/","title":"Minimum TLS version","text":"Azure.EventHub.MinTLSAZR-000356Error

    Security \u00b7 Event Hub \u00b7 2023_03

    Event Hub namespaces should reject TLS versions older than 1.2.

    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#recommendation","title":"Recommendation","text":"

    Configure the minimum supported TLS version to be 1.2.

    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.minimumlTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventHub/namespaces\",\n\"apiVersion\": \"2022-01-01-preview\",\n\"name\": \"[parameters('eventHubNamespaceName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('eventHubSku')]\",\n\"tier\": \"[parameters('eventHubSku')]\",\n\"capacity\": 1,\n},\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n}\n}\n
    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.minimumlTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' = {\n  name: eventHubNamespaceName\n  location: location\n  sku: {\n    name: eventHubSku\n    tier: eventHubSku\n    capacity: 1\n  }\n  properties: {\n    minimumTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.Usage/","title":"Remove unused Event Hub namespaces","text":"Azure.EventHub.UsageAZR-000101Error

    Cost Optimization \u00b7 Event Hub \u00b7 2022_03

    Regularly remove unused resources to reduce costs.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#description","title":"Description","text":"

    Billing starts for an Event Hub namespace after it is provisioned. To receive events in a Event Hub namespace, you must first create an Event Hub. Namespaces without any Event Hubs are considered unused.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing Event Hub namespaces that are not used.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Pricing
    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.Firewall.Mode/","title":"Configure deny on threat intel for classic managed Azure Firewalls","text":"Azure.Firewall.ModeAZR-000105Error

    Security \u00b7 Firewall \u00b7 2020_06

    Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.

    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#description","title":"Description","text":"

    Threat intelligence-based filtering can optionally be enabled on Azure Firewall. When enabled, Azure Firewall alerts and deny traffic to/ from known malicious IP addresses and domains.

    By default, Azure Firewall alerts on triggered threat intelligence rules.

    Specifically, this rule only applies using an Azure Firewall in classic management mode. If the Azure Firewall is connected to a Secured Virtual Hub this rule will not apply.

    Classic managed Azure Firewalls are standalone. Alternatively you can manage Azure Firewalls at scale through Firewall Manager by using policy. When using firewall policies, threat intelligence is configured centrally instead of on each firewall.

    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#recommendation","title":"Recommendation","text":"

    Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.

    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Firewalls that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/azureFirewalls\",\n\"apiVersion\": \"2021-05-01\",\n\"name\": \"[format('{0}_classic', parameters('name'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"AZFW_VNet\"\n},\n\"threatIntelMode\": \"Deny\"\n}\n}\n
    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Firewalls that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Bicep snippet
    resource firewall_classic 'Microsoft.Network/azureFirewalls@2021-05-01' = {\n  name: '${name}_classic'\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n
    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Azure Firewall threat intelligence-based filtering
    • Azure network security overview
    • Azure deployment reference
    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Name/","title":"Use valid Firewall names","text":"Azure.Firewall.NameAZR-000103Error

    Operational Excellence \u00b7 Firewall \u00b7 2021_12

    Firewall names should meet naming requirements.

    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Firewall names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Firewall names must be unique within a resource group.
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Firewall naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#examples","title":"Examples","text":"","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy firewalls that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/azureFirewalls\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"AZFW_VNet\",\n\"tier\": \"Premium\"\n},\n\"firewallPolicy\": {\n\"id\": \"[resourceId('Microsoft.Network/firewallPolicies', format('{0}_policy', parameters('name')))]\"\n}\n},\n\"dependsOn\": [\n\"firewall_policy\"\n]\n}\n
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy firewalls that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Bicep snippet
    resource firewall 'Microsoft.Network/azureFirewalls@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n      tier: 'Premium'\n    }\n    firewallPolicy: {\n      id: firewall_policy.id\n    }\n  }\n}\n
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#notes","title":"Notes","text":"

    This rule does not check if Firewall names are unique.

    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.PolicyMode/","title":"Threat intelligence-based filtering","text":"Azure.Firewall.PolicyModeAZR-000399Error

    Security \u00b7 Firewall \u00b7 2023_09

    Deny high confidence malicious IP addresses, domains and URLs.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#description","title":"Description","text":"

    Threat intelligence-based filtering can optionally be enabled on Azure Firewall, by associating one or more policies with threat intelligence-based filtering configured.

    When configured, Azure Firewall alerts and deny traffic to/from known malicious IP addresses, domains and URLs.

    By default, threat intelligence-based filtering is enabled and in alert mode on each policy unless otherwise is specified.

    By configuring threat intelligence-based filtering in alert and deny mode, threat intelligence-based filtering may deny traffic before any configured rules are processed.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#recommendation","title":"Recommendation","text":"

    Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Firewall polices that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/firewallPolicies\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"tier\": \"Premium\"\n},\n\"threatIntelMode\": \"Deny\"\n}\n}\n
    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Firewall polices that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Bicep snippet
    resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      tier: 'Premium'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n
    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#notes","title":"Notes","text":"

    Azure Firewall Premium SKU is required for associating standalone resource firewall policies. Only Standard and Premium firewall policies supports threat intelligence-based filtering in alert and deny mode.

    In order to take advantage of URL filtering with HTTPS traffic included in threat intelligence-based filtering, TLS inspection must be configured first.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Azure Firewall threat intelligence-based filtering
    • Rule processing logic
    • Azure security baseline for Azure Firewall
    • NS-1: Establish network segmentation boundaries
    • Azure network security overview
    • Azure deployment reference
    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyName/","title":"Use valid Firewall policy names","text":"Azure.Firewall.PolicyNameAZR-000104Error

    Operational Excellence \u00b7 Firewall \u00b7 2021_12

    Firewall policy names should meet naming requirements.

    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Firewall policy names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Firewall policy names must be unique within a resource group.
    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Firewall policy naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#notes","title":"Notes","text":"

    This rule does not check if Firewall policy names are unique.

    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.FrontDoor.Logs/","title":"Audit Front Door Access","text":"Azure.FrontDoor.LogsAZR-000107Error

    Security \u00b7 Front Door \u00b7 2020_06

    Audit and monitor access through Front Door.

    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#description","title":"Description","text":"

    To capture network activity through Front Door, diagnostic settings must be configured. When configuring diagnostics settings enable FrontdoorAccessLog logs.

    Enable FrontdoorWebApplicationFirewallLog when web application firewall (WAF) policy is configured.

    Management operations for Front Door is captured automatically within Azure Activity Logs.

    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostics setting to log network activity through Front Door.

    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door resource that passes this rule:

    • Deploy a diagnostic settings sub-resource.
      • Enable logging for the FrontdoorAccessLog category.
      • Enable logging for the FrontdoorWebApplicationFirewallLog category.

    For example:

    Azure Template snippet
    {\n\"resources\": [\n{\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('frontDoorName')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Standard_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2020-05-01-preview\",\n\"scope\": \"[format('Microsoft.Cdn/profiles/{0}', parameters('frontDoorName'))]\",\n\"name\": \"service\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workSpaceId')]\",\n\"logs\": [\n{\n\"category\": \"FrontdoorAccessLog\",\n\"enabled\": true\n},\n{\n\"category\": \"FrontdoorWebApplicationFirewallLog\",\n\"enabled\": true\n}\n]\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door resource that passes this rule:

    • Deploy a diagnostic settings sub-resource.
      • Enable logging for the FrontdoorAccessLog category.
      • Enable logging for the FrontdoorWebApplicationFirewallLog category.

    For example:

    Azure Bicep snippet
    targetScope = 'resourceGroup'\nresource frontDoorResource 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: frontDoorName\n  location: 'Global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n}\n\nresource frontDoorInsightsResource 'Microsoft.Insights/diagnosticSettings@2020-05-01-preview' = {\n  name: 'frontDoorInsights'\n  scope: frontDoorResource\n  location: 'Global'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'FrontdoorAccessLog'\n        enabled: true\n      }\n      {\n        category: 'FrontdoorWebApplicationFirewallLog'\n        enabled: true\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#links","title":"Links","text":"
    • Monitoring metrics and logs in Azure Front Door Service
    • Create a Front Door Standard/Premium using Bicep
    • Security logs and alerts using Azure services
    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/","title":"Managed identity","text":"Azure.FrontDoor.ManagedIdentityAZR-000396Error

    Security \u00b7 Front Door \u00b7 2023_09

    Ensure Front Door uses a managed identity to authorize access to Azure resources.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#description","title":"Description","text":"

    When configuring a Standard or Premium SKU with a custom domain using bring your own certificate (BYOC) access to a Key Vault is required. Standard and Premium Front Door profiles support two methods for authorizing access to Azure resources:

    1. Using the Microsoft managed multi-tenant app registration.
      • Standard SKU profiles use the client ID 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8.
      • Premium SKU profiles use the client ID d4631ece-daab-479b-be77-ccb713491fc0.
    2. With a system or user assigned managed identity.

    The multi-tenant app registration has a number of challenges:

    • Only a single client ID is used for each SKU for all Azure Front Door profiles. If multiple Front Door profiles are deployed into a single subscription, it is not possible to restrict access so that each profile has access to it's own Key Vault.
    • A Entra ID (Azure AD) Global Administrator of must register the multi-tenant application for each tenant once before it can be used.

    Using an managed identity allows access to Key Vault to be granted using RBAC on an individual basis.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity to allow support for Azure AD authentication.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Front Door instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"myFrontDoor\",\n\"location\": \"global\",\n\"sku\": {\n\"name\": \"Standard_AzureFrontDoor\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n}\n}\n
    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Front Door instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource frontDoorProfile 'Microsoft.Cdn/profiles@2022-11-01-preview' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n}\n
    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#notes","title":"Notes","text":"

    Currently Azure Front Door only supports authentication using an Entra ID (Azure AD) to Key Vault. To use a managed identity, the Standard or Premium SKU is required. Managed identities are not supported with the Classic SKU.

    If you only use Azure Front Door (AFD) managed certificates for custom domains, a managed identity is not required.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities for Azure Front Door
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/","title":"Front Door Minimum TLS","text":"Azure.FrontDoor.MinTLSAZR-000106Error

    Security \u00b7 Front Door \u00b7 2020_06

    Front Door Classic instances should reject TLS versions older than 1.2.

    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure Front Door accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Front Door lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.

    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.

    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door resource that passes this rule:

    • Set each properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": [\n{\n\"name\": \"[variables('frontEndEndpointName')]\",\n\"properties\": {\n\"hostName\": \"[format('{0}.azurefd.net', parameters('name'))]\",\n\"sessionAffinityEnabledState\": \"Disabled\",\n\"customHttpsConfiguration\": {\n\"minimumTlsVersion\": \"1.2\"\n}\n}\n}\n],\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door resource that passes this rule:

    • Set each properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${name}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n          customHttpsConfiguration: {\n            minimumTlsVersion: '1.2'\n          }\n        }\n      }\n    ]\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Preparing for TLS 1.2 in Microsoft Azure
    • Supported TLS versions
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.Name/","title":"Use valid Front Door names","text":"Azure.FrontDoor.NameAZR-000113Error

    Operational Excellence \u00b7 Front Door \u00b7 2020_06

    Front Door names should meet naming requirements.

    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Front Door names are:

    • Between 5 and 64 characters long.
    • Alphanumerics and hyphens.
    • Start and end with alphanumeric.
    • Front Door names must be globally unique.
    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#notes","title":"Notes","text":"

    This rule does not check if Front Door names are unique.

    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Probe/","title":"Use Health Probes for Front Door backends","text":"Azure.FrontDoor.ProbeAZR-000108Error

    Reliability \u00b7 Front Door \u00b7 2021_03

    Use health probes to check the health of each backend.

    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#description","title":"Description","text":"

    The health and performance of an application can degrade over time. Degradation might not be noticeable until the application fails.

    Azure Front Door can use periodic health probes against backend endpoints to determine health status. When one or more backend in a pool is healthy traffic is routed to healthy endpoints only. If all endpoints in a pool is unhealthy Front Door sends the request to any enabled endpoint.

    Health probes allow Front Door to select a backend endpoint able to respond to the request.

    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#recommendation","title":"Recommendation","text":"

    Consider configuring and enabling a health probe for each Front Door backend.

    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Configure the properties.healthProbeSettings property of the originGroups sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Cdn/profiles/originGroups\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n\"properties\": {\n\"loadBalancingSettings\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 3\n},\n\"healthProbeSettings\": {\n\"probePath\": \"/healthz\",\n\"probeRequestType\": \"HEAD\",\n\"probeProtocol\": \"Http\",\n\"probeIntervalInSeconds\": 100\n}\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.enabledState property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"path\": \"/healthz\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120,\n\"healthProbeMethod\": \"HEAD\"\n}\n}\n],\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Configure the properties.healthProbeSettings property of the originGroups sub-resource.

    For example:

    Azure Bicep snippet
    resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.enabledState property to Enabled.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network front-door probe update --front-door-name '<front_door>' -n '<probe_name>' -g '<resource_group>' --enabled 'Enabled' --path '/healthz'\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '<probe_name>' -EnabledState 'Enabled' -Path '/healthz'\nSet-AzFrontDoor -Name '<front_door>' -ResourceGroupName '<resource_group>' -HealthProbeSetting $probeSetting\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#links","title":"Links","text":"
    • Creating good health probes
    • Health probes
    • Supported HTTP methods for health probes
    • How Front Door determines backend health
    • Health Endpoint Monitoring pattern
    • Azure deployment reference (Premium / Standard)
    • Azure deployment reference (Classic)
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/","title":"Use HEAD health probes for Front Door backends","text":"Azure.FrontDoor.ProbeMethodAZR-000109Error

    Reliability \u00b7 Front Door \u00b7 2021_03

    Configure health probes to use HEAD requests to reduce performance overhead.

    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#description","title":"Description","text":"

    Azure Front Door supports sending HEAD or GET requests for health probes to backend endpoints. HTTP HEAD requests are identical to GET requests except that the server does not send a response body. As a result, HEAD request typically have a lower performance impact then GET request.

    By eliminating a response body:

    • The server has a smaller payload to return.
    • May be able to further optimize the request by reducing calls to APIs or databases.
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#recommendation","title":"Recommendation","text":"

    Consider configuring health probes to query backend health endpoints using HEAD requests to reduce performance overhead.

    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probeRequestType property to HEAD of the originGroups sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Cdn/profiles/originGroups\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n\"properties\": {\n\"loadBalancingSettings\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 3\n},\n\"healthProbeSettings\": {\n\"probePath\": \"/healthz\",\n\"probeRequestType\": \"HEAD\",\n\"probeProtocol\": \"Http\",\n\"probeIntervalInSeconds\": 100\n}\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.healthProbeMethod property to HEAD.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"path\": \"/healthz\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120,\n\"healthProbeMethod\": \"HEAD\"\n}\n}\n],\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probeRequestType property to HEAD of the originGroups sub-resource.

    For example:

    Azure Bicep snippet
    resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.healthProbeMethod property to HEAD.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network front-door probe update --front-door-name '<front_door>' -n '<probe_name>' -g '<resource_group>' --probeMethod 'HEAD' --path '/healthz'\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '<probe_name>' -HealthProbeMethod 'HEAD' -Path '/healthz'\nSet-AzFrontDoor -Name '<front_door>' -ResourceGroupName '<resource_group>' -HealthProbeSetting $probeSetting\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#links","title":"Links","text":"
    • Creating good health probes
    • Health probes
    • Supported HTTP methods for health probes
    • How Front Door determines backend health
    • Health Endpoint Monitoring pattern
    • Azure deployment reference (Premium / Standard)
    • Azure deployment reference (Classic)
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/","title":"Use a Dedicated Health Endpoint for Front Door backends","text":"Azure.FrontDoor.ProbePathAZR-000110Error

    Reliability \u00b7 Front Door \u00b7 2021_03

    Configure a dedicated path for health probe requests.

    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#description","title":"Description","text":"

    Azure Front Door monitors a specific path for each backend to determine health status. The monitored path should implement functional checks to determine if the backend is performing correctly. The checks should include dependencies including those that may not be regularly called.

    Regular checks of the monitored path allow Front Door to make load balancing decisions based on status.

    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#recommendation","title":"Recommendation","text":"

    Consider using a dedicated health probe endpoint that implements functional checks.

    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probePath property to a dedicated path of the originGroups sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Cdn/profiles/originGroups\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n\"properties\": {\n\"loadBalancingSettings\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 3\n},\n\"healthProbeSettings\": {\n\"probePath\": \"/healthz\",\n\"probeRequestType\": \"HEAD\",\n\"probeProtocol\": \"Http\",\n\"probeIntervalInSeconds\": 100\n}\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.path property to a dedicated path.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"path\": \"/healthz\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120,\n\"healthProbeMethod\": \"HEAD\"\n}\n}\n],\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probePath property to a dedicated path of the originGroups sub-resource.

    For example:

    Azure Bicep snippet
    resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.path property to a dedicated path.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network front-door probe update --front-door-name '<front_door>' -n '<probe_name>' -g '<resource_group>' --path '/healthz'\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '<probe_name>' -Path '/healthz'\nSet-AzFrontDoor -Name '<front_door>' -ResourceGroupName '<resource_group>' -HealthProbeSetting $probeSetting\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#links","title":"Links","text":"
    • Creating good health probes
    • Health probes
    • Supported HTTP methods for health probes
    • How Front Door determines backend health
    • Health Endpoint Monitoring pattern
    • Azure deployment reference (Premium / Standard)
    • Azure deployment reference (Classic)
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.State/","title":"Enable Front Door Classic instance","text":"Azure.FrontDoor.StateAZR-000112Error

    Cost Optimization \u00b7 Front Door \u00b7 2020_06

    Enable Azure Front Door Classic instance.

    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#description","title":"Description","text":"

    The operational state of a Front Door Classic instance is configurable, either enabled or disabled. By default, a Front Door is enabled.

    Optionally, a Front Door Classic instance may be disabled to temporarily prevent traffic being processed.

    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#recommendation","title":"Recommendation","text":"

    Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.

    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door resource that passes this rule:

    • Set the properties.enabledState property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door resource that passes this rule:

    • Set the properties.enabledState property to Enabled.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#links","title":"Links","text":"
    • Checklist - Optimize cost
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/","title":"Use caching","text":"Azure.FrontDoor.UseCachingAZR-000320Error

    Performance Efficiency \u00b7 Front Door \u00b7 2022_12

    Use caching to reduce retrieving contents from origins.

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#description","title":"Description","text":"

    Azure Front Door delivers large files without a cap on file size. Front Door uses a technique called object chunking. When a large file is requested, Front Door retrieves smaller pieces of the file from the backend. After receiving a full or byte-range file request, the Front Door environment requests the file from the backend in chunks of 8 MB.

    After the chunk arrives at the Front Door environment, it's cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. This process continues until the entire file gets downloaded (if requested) or the client closes the connection.

    For more information on the byte-range request, read RFC 7233. Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache. Ensuing requests for the file or byte ranges are served from the cache. If the chunks aren't all cached, pre-fetching is used to request chunks from the backend. This optimization relies on the backend's ability to support byte-range requests. If the backend doesn't support byte-range requests, this optimization isn't effective.

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#recommendation","title":"Recommendation","text":"

    Use caching to reduce retrieving contents from origins and improve overall performance.

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy front door instances pass this rule:

    • Configure properties.routingRules.properties.routeConfiguration.cacheConfiguration.

    Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link Routing architecture overview for more information around this.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('frontDoorName')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": [\n{\n\"name\": \"[variables('frontEndEndpointName')]\",\n\"properties\": {\n\"hostName\": \"[format('{0}.azurefd.net', parameters('frontDoorName'))]\",\n\"sessionAffinityEnabledState\": \"Disabled\"\n}\n}\n],\n\"loadBalancingSettings\": [\n{\n\"name\": \"[variables('loadBalancingSettingsName')]\",\n\"properties\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 2\n}\n}\n],\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"path\": \"/\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120\n}\n}\n],\n\"backendPools\": [\n{\n\"name\": \"[variables('backendPoolName')]\",\n\"properties\": {\n\"backends\": [\n{\n\"address\": \"[parameters('backendAddress')]\",\n\"backendHostHeader\": \"[parameters('backendAddress')]\",\n\"httpPort\": 80,\n\"httpsPort\": 443,\n\"weight\": 50,\n\"priority\": 1,\n\"enabledState\": \"Enabled\"\n}\n],\n\"loadBalancingSettings\": {\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', parameters('frontDoorName'), variables('loadBalancingSettingsName'))]\"\n},\n\"healthProbeSettings\": {\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/healthProbeSettings', parameters('frontDoorName'), variables('healthProbeSettingsName'))]\"\n}\n}\n}\n],\n\"routingRules\": [\n{\n\"name\": \"[variables('routingRuleName')]\",\n\"properties\": {\n\"frontendEndpoints\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', parameters('frontDoorName'), variables('frontEndEndpointName'))]\"\n}\n],\n\"acceptedProtocols\": [\n\"Http\",\n\"Https\"\n],\n\"patternsToMatch\": [\n\"/*\"\n],\n\"routeConfiguration\": {\n\"@odata.type\": \"#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration\",\n\"cacheConfiguration\": 
{\n\"cacheDuration\": \"P12DT1H\",\n\"dynamicCompression\": \"Disabled\",\n\"queryParameters\": \"customerId\",\n\"queryParameterStripDirective\": \"StripAll\"\n},\n\"forwardingProtocol\": \"MatchRequest\",\n\"backendPool\": {\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/backEndPools', parameters('frontDoorName'), variables('backendPoolName'))]\"\n}\n},\n\"enabledState\": \"Enabled\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy front door instances pass this rule:

    • Configure properties.routingRules.properties.routeConfiguration.cacheConfiguration.

    Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link Routing architecture overview for more information around this.

    For example:

    Azure Bicep snippet
    @description('The name of the frontdoor resource.')\nparam frontDoorName string\n\n@description('The hostname of the backend. Must be an IP address or FQDN.')\nparam backendAddress string\n\nvar frontEndEndpointName = 'frontEndEndpoint'\nvar loadBalancingSettingsName = 'loadBalancingSettings'\nvar healthProbeSettingsName = 'healthProbeSettings'\nvar routingRuleName = 'routingRule'\nvar backendPoolName = 'backendPool'\n\nresource frontDoor 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: frontDoorName\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${frontDoorName}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n        }\n      }\n    ]\n\n    loadBalancingSettings: [\n      {\n        name: loadBalancingSettingsName\n        properties: {\n          sampleSize: 4\n          successfulSamplesRequired: 2\n        }\n      }\n    ]\n\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          path: '/'\n          protocol: 'Http'\n          intervalInSeconds: 120\n        }\n      }\n    ]\n\n    backendPools: [\n      {\n        name: backendPoolName\n        properties: {\n          backends: [\n            {\n              address: backendAddress\n              backendHostHeader: backendAddress\n              httpPort: 80\n              httpsPort: 443\n              weight: 50\n              priority: 1\n              enabledState: 'Enabled'\n            }\n          ]\n          loadBalancingSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', frontDoorName, loadBalancingSettingsName)\n          }\n          healthProbeSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/healthProbeSettings', frontDoorName, healthProbeSettingsName)\n          }\n        }\n      }\n    ]\n\n    routingRules: [\n 
     {\n        name: routingRuleName\n        properties: {\n          frontendEndpoints: [\n            {\n              id: resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', frontDoorName, frontEndEndpointName)\n            }\n          ]\n          acceptedProtocols: [\n            'Http'\n            'Https'\n          ]\n          patternsToMatch: [\n            '/*'\n          ]\n          routeConfiguration: {\n            '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'\n            cacheConfiguration: {\n              cacheDuration: 'P12DT1H'\n              dynamicCompression: 'Disabled'\n              queryParameters: 'customerId'\n              queryParameterStripDirective: 'StripAll'\n            }\n            forwardingProtocol: 'MatchRequest'\n            backendPool: {\n              id: resourceId('Microsoft.Network/frontDoors/backEndPools', frontDoorName, backendPoolName)\n            }\n          }\n          enabledState: 'Enabled'\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#notes","title":"Notes","text":"

    This rule only applies to Front Door Classic (Microsoft.Network/frontDoors).

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#links","title":"Links","text":"
    • Performance patterns
    • Caching with Azure Front Door
    • Routing architecture overview
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/","title":"Front Door endpoints should use WAF","text":"Azure.FrontDoor.UseWAFAZR-000111Error

    Security \u00b7 Front Door \u00b7 2020_06

    Enable Web Application Firewall (WAF) policies on each Front Door endpoint.

    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#description","title":"Description","text":"

    Front Door endpoints can optionally be configured with a WAF policy. When configured, every incoming request through Front Door is filtered by the WAF policy.

    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#recommendation","title":"Recommendation","text":"

    Consider enabling a WAF policy on each Front Door endpoint.

    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Azure Web Application Firewall on Azure Front Door
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoor.WAF.EnabledAZR-000115Error

    Security \u00b7 Front Door \u00b7 2020_06

    Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#description","title":"Description","text":"

    The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.

    When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.

    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF policy.

    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoor.WAF.ModeAZR-000114Error

    Security \u00b7 Front Door \u00b7 2020_06

    Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#description","title":"Description","text":"

    Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

    • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.
    • Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#recommendation","title":"Recommendation","text":"

    Consider setting Front Door WAF policy to use protection mode.

    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/","title":"Use valid Front Door WAF policy names","text":"Azure.FrontDoor.WAF.NameAZR-000116Error

    Operational Excellence \u00b7 Front Door \u00b7 2020_12

    Front Door WAF policy names should meet naming requirements.

    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Front Door Web Application Firewall (WAF) policy names are:

    • Between 1 and 128 characters long.
    • Letters or numbers.
    • Start with a letter.
    • Unique within a resource group.
    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#notes","title":"Notes","text":"

    This rule does not check if Front Door WAF policy names are unique.

    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoorWAF.EnabledAZR-000305Error

    Security \u00b7 Front Door \u00b7 2022_09

    Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#description","title":"Description","text":"

    The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.

    When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.

    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF policy.

    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.enabledState property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.enabledState property to Enabled.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/","title":"Avoid configuring Front Door WAF rule exclusions","text":"Azure.FrontDoorWAF.ExclusionsAZR-000307Error

    Security \u00b7 Front Door \u00b7 2022_09

    Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.

    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#description","title":"Description","text":"

    Front Door WAF supports exclusions lists.

    Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. However, it should be allowed and only used as a last resort.

    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#recommendation","title":"Recommendation","text":"

    Avoid configuring Front Door WAF rule exclusions.

    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Remove any rule exclusions by:
      • Set the exclusions property for each managed rule group to an empty array. OR
      • Remove the exclusions property for each managed rule group.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Remove any rule exclusions by:
      • Set the exclusions property for each managed rule group to an empty array. OR
      • Remove the exclusions property for each managed rule group.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall CRS rule groups and rules
    • Bot protection overview
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoorWAF.PreventionModeAZR-000306Error

    Security \u00b7 Front Door \u00b7 2022_09

    Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#description","title":"Description","text":"

    Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

    • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.
    • Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#recommendation","title":"Recommendation","text":"

    Consider setting Front Door WAF policy to use protection mode.

    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.mode property to Prevention.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.mode property to Prevention.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/","title":"Use Recommended Front Door WAF policy rule groups","text":"Azure.FrontDoorWAF.RuleGroupsAZR-000308Error

    Security \u00b7 Front Door \u00b7 2022_09

    Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#description","title":"Description","text":"

    Front Door WAF policies support two main Rule Groups.

    • OWASP - Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.
    • Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#recommendation","title":"Recommendation","text":"

    Consider configuring Front Door WAF policy to use the recommended rule sets.

    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 2.0 or greater.
    • Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 1.0 or greater.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 2.0 or greater.
    • Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 1.0 or greater.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall CRS rule groups and rules
    • Bot protection overview
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.Identity.UserAssignedName/","title":"Use valid Managed Identity names","text":"Azure.Identity.UserAssignedNameAZR-000117Error

    Operational Excellence \u00b7 User Assigned Managed Identity \u00b7 2021_12

    Managed Identity names should meet naming requirements.

    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Managed Identity names are:

    • Between 3 and 128 characters long.
    • Letters, numbers, underscores, and hyphens.
    • Start with letters and numbers.
    • Managed Identity names must be unique within a resource group.
    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#notes","title":"Notes","text":"

    This rule does not check if Managed Identity names are unique.

    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.IoTHub.MinTLS/","title":"Minimum TLS version","text":"Azure.IoTHub.MinTLSAZR-000357Error

    Security \u00b7 IoT Hub \u00b7 2023_03

    IoT Hubs should reject TLS versions older than 1.2.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#recommendation","title":"Recommendation","text":"

    Configure the minimum supported TLS version to be 1.2.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy IoT Hubs that pass this rule:

    • Set the properties.minTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Devices/IotHubs\",\n\"apiVersion\": \"2022-04-30-preview\",\n\"name\": \"[parameters('iotHubName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"S1\",\n\"capacity\": 1,\n},\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n}\n}\n
    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy IoT Hubs that pass this rule:

    • Set the properties.minTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {\n  name: iotHubName\n  location: location\n  sku: {\n    name: 'S1'\n    capacity: 1\n  }\n  properties: {\n    minTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#notes","title":"Notes","text":"

    The minimum TLS version feature is currently only supported in these regions: - East US - South Central US - West US 2 - US Gov Arizona - US Gov Virginia

    The minTlsVersion property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to properly test and validate that all oT devices and services are compatible with TLS 1.2 and the recommended ciphers in advance.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Transport Layer Security (TLS) support in IoT Hub
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/","title":"Limit access to Key Vault data","text":"Azure.KeyVault.AccessPolicyAZR-000118Error

    Security \u00b7 Key Vault \u00b7 2020_06

    Use the principal of least privilege when assigning access to Key Vault.

    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#description","title":"Description","text":"

    Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions user accounts, groups or applications have to Key Vaults items.

    The ability for applications and administrators to get, set and list within a Key Vault is commonly required. However should only be assigned to security principals that require access. The purge permission should be rarely assigned.

    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#recommendation","title":"Recommendation","text":"

    Consider assigning access to Key Vault data based on the principle of least privilege.

    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#azure-templates","title":"Azure templates","text":"

    To deploy Key Vaults that pass this rule:

    • Avoid assigning purge and all permissions for Key Vault objects. Use specific permissions such as get and set.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2022-07-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"accessPolicies\": [\n{\n\"objectId\": \"[parameters('objectId')]\",\n\"permissions\": {\n\"secrets\": [\n\"get\",\n\"list\",\n\"set\"\n]\n},\n\"tenantId\": \"[tenant().tenantId]\"\n}\n]\n}\n}\n
    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Avoid assigning purge and all permissions for Key Vault objects. Use specific permissions such as get and set.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    accessPolicies: [\n      {\n        objectId: objectId\n        permissions: {\n          secrets: [\n            'get'\n            'list'\n            'set'\n          ]\n        }\n        tenantId: tenant().tenantId\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#links","title":"Links","text":"
    • Automate and use least privilege
    • Best practices to use Key Vault
    • Azure deployment reference
    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/","title":"Enable Key Vault key auto-rotation","text":"Azure.KeyVault.AutoRotationPolicyAZR-000123Error

    Security \u00b7 Key Vault \u00b7 2022_09

    Key Vault keys should have auto-rotation enabled.

    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#description","title":"Description","text":"

    Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.

    Key rotation is often a cause of many application outages. It's critical that the rotation of keys be scheduled and automated to ensure effectiveness.

    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#recommendation","title":"Recommendation","text":"

    Consider enabling auto-rotation on Key Vault keys.

    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set auto-rotation for a key:

    • Set properties.rotationPolicy.lifetimeActions[*].action.type to Rotate.
    • Set properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate to the time duration after key creation to rotate.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults/keys\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[concat(parameters('vaultName'), '/', 'key1')]\",\n\"properties\": {\n\"keyOps\": [\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\",\n\"encrypt\",\n\"decrypt\"\n],\n\"keySize\": 2048,\n\"kty\": \"RSA\",\n\"rotationPolicy\": {\n\"lifetimeActions\": [\n{\n\"action\": {\n\"type\": \"Rotate\"\n},\n\"trigger\": {\n\"timeAfterCreate\": \"P18D\"\n}\n},\n{\n\"action\": {\n\"type\": \"Notify\"\n},\n\"trigger\": {\n\"timeAfterCreate\": \"P30D\"\n}\n}\n]\n}\n}\n}\n
    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set auto-rotation for a key:

    • Set properties.rotationPolicy.lifetimeActions[*].action.type to Rotate.
    • Set properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate to the time duration after key creation to rotate.

    For example:

    Azure Bicep snippet
    resource vaultName_key1 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = {\n  parent: vaultName_resource\n  name: 'key1'\n  properties: {\n    keyOps: [\n      'sign'\n      'verify'\n      'wrapKey'\n      'unwrapKey'\n      'encrypt'\n      'decrypt'\n    ]\n    keySize: 2048\n    kty: 'RSA'\n    rotationPolicy: {\n      lifetimeActions: [\n        {\n          action: {\n            type: 'rotate'\n          }\n          trigger: {\n            timeAfterCreate: 'P18D'\n          }\n        }\n        {\n          action: {\n            type: 'notify'\n          }\n          trigger: {\n            timeAfterCreate: 'P30D'\n          }\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#links","title":"Links","text":"
    • Operational considerations
    • IM-3: Manage application identities securely and automatically
    • Configure cryptographic key auto-rotation in Azure Key Vault
    • Azure deployment reference
    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.Firewall/","title":"Configure Azure Key Vault firewall","text":"Azure.KeyVault.FirewallAZR-000355Error

    Security \u00b7 Key Vault \u00b7 2023_03

    Key Vault should only accept explicitly allowed traffic.

    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#description","title":"Description","text":"

    By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

    After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

    • Azure services on the trusted service list.
    • IP address or CIDR range.
    • Private endpoint connections.
    • Azure virtual network subnets with a Service Endpoint.

    If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:

    • enabledForDeployment - Azure Virtual Machines for deployment.
    • enabledForDiskEncryption - Azure Disk Encryption for volume encryption.
    • enabledForTemplateDeployment - Azure Resource Manager for template deployment.
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#recommendation","title":"Recommendation","text":"

    Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"enableRbacAuthorization\": true,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\",\n\"bypass\": \"AzureServices\"\n}\n}\n}\n
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#links","title":"Links","text":"
    • Public endpoints
    • Configure Azure Key Vault firewalls and virtual networks
    • Azure security baseline for Key Vault - Disable Public Network Access
    • Azure Policies - Azure Key Vault should have firewall enabled
    • Azure Key Vault should have firewall enabled
    • Trusted services
    • Azure deployment reference
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.KeyName/","title":"Use valid Key Vault Key names","text":"Azure.KeyVault.KeyNameAZR-000122Error

    Operational Excellence \u00b7 Key Vault \u00b7 2021_03

    Key Vault Key names should meet naming requirements.

    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Key names are:

    • Between 1 and 127 characters long.
    • Alphanumerics and hyphens (dash).
    • Keys must be unique within a Key Vault.
    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#recommendation","title":"Recommendation","text":"

    Consider using key names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#notes","title":"Notes","text":"

    This rule does not check if Key names are unique.

    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.Logs/","title":"Audit Key Vault Data Access","text":"Azure.KeyVault.LogsAZR-000119Error

    Security \u00b7 Key Vault \u00b7 2020_06

    Ensure audit diagnostics logs are enabled to audit Key Vault access.

    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#description","title":"Description","text":"

    To capture logs that record interactions with data or the settings of key vault, diagnostic settings must be configured.

    When configuring diagnostics settings, enable one of the following:

    • AuditEvent category.
    • audit category group.
    • allLogs category group.

    Management operations for Key Vault is captured automatically within Azure Activity Logs.

    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#recommendation","title":"Recommendation","text":"

    Configure audit diagnostics logs to audit Key Vault access.

    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy key vaults that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"enableRbacAuthorization\": true,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\",\n\"bypass\": \"AzureServices\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"scope\": \"[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]\",\n\"name\": \"logs\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"AuditEvent\",\n\"enabled\": true\n}\n]\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n]\n}\n
    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy key vaults that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'logs'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#links","title":"Links","text":"
    • Security logs and alerts using Azure services
    • Best practices to use Key Vault
    • Azure Key Vault logging
    • Azure Key Vault security
    • Monitoring your Key Vault service with Key Vault insights
    • Azure deployment reference
    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Name/","title":"Use valid Key Vault names","text":"Azure.KeyVault.NameAZR-000120Error

    Operational Excellence \u00b7 Key Vault \u00b7 2021_03

    Key Vault names should meet naming requirements.

    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault names are:

    • Between 3 and 24 characters long.
    • Alphanumerics and hyphens (dash).
    • Start with a letter.
    • End with a letter or digit.
    • Can not contain consecutive hyphens.
    • Key Vault names must be globally unique.
    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#notes","title":"Notes","text":"

    This rule does not check if Key Vault names are unique.

    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/","title":"Use Key Vault Purge Protection","text":"Azure.KeyVault.PurgeProtectAZR-000125Error

    Reliability \u00b7 Key Vault \u00b7 2020_06

    Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.

    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#description","title":"Description","text":"

    Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/ or vault items immediately, and is irreversible.

    When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items will be recoverable until the configured retention period. By default, the retention period is 90 days.

    Purge protection is not enabled by default.

    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#recommendation","title":"Recommendation","text":"

    Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.

    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[subscription().tenantId]\",\n\"enableSoftDelete\": true,\n\"softDeleteRetentionInDays\": 90,\n\"enablePurgeProtection\": true\n}\n}\n
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: subscription().tenantId\n    enableSoftDelete: true\n    softDeleteRetentionInDays: 90\n    enablePurgeProtection: true\n  }\n}\n
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az keyvault update -n '<name>' -g '<resource_group>' --enable-purge-protection\n
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#links","title":"Links","text":"
    • Azure Key Vault soft-delete overview
    • Azure Key Vault security
    • Azure deployment reference
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.RBAC/","title":"Use Azure role-based access control","text":"Azure.KeyVault.RBACAZR-000388Warning

    Security \u00b7 Key Vault \u00b7 2023_06

    Key Vaults should use Azure RBAC as the authorization system for the data plane.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#description","title":"Description","text":"

    Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.

    Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults.

    Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.

    The Azure RBAC permission model is not enabled by default.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#recommendation","title":"Recommendation","text":"

    Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableRbacAuthorization property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"enableRbacAuthorization\": true,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\",\n\"bypass\": \"AzureServices\"\n}\n}\n}\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableRbacAuthorization property to true.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az keyvault update -n '<name>' -g '<resource_group>' --enable-rbac-authorization\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#notes","title":"Notes","text":"

    The RBAC permission model may not be suitable for all use cases. If this rule is not suitable for your use case, you can exclude or suppress the rule. For information about limitations see Azure role-based access control vs. access policies in the LINKS section.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#links","title":"Links","text":"
    • Role-based authorization
    • What is Azure role-based access control?
    • Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
    • Azure role-based access control vs. access policies
    • Migrate from vault access policy to an Azure role-based access control permission model
    • Azure security baseline for Key Vault
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.SecretName/","title":"Use valid Key Vault Secret names","text":"Azure.KeyVault.SecretNameAZR-000121Error

    Operational Excellence \u00b7 Key Vault \u00b7 2021_03

    Key Vault Secret names should meet naming requirements.

    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Secret names are:

    • Between 1 and 127 characters long.
    • Alphanumerics and hyphens (dash).
    • Secrets must be unique within a Key Vault.
    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#recommendation","title":"Recommendation","text":"

    Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#notes","title":"Notes","text":"

    This rule does not check if Secret names are unique.

    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/","title":"Use Key Vault Soft Delete","text":"Azure.KeyVault.SoftDeleteAZR-000124Error

    Reliability \u00b7 Key Vault \u00b7 2020_06

    Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.

    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#description","title":"Description","text":"

    Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.

    By default, new Key Vaults created through the portal will have soft delete for 90 days configured.

    Once enabled, soft delete can not be disabled. When soft delete is enabled, it is possible to purge soft deleted vaults and vault items.

    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.

    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableSoftDelete property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[subscription().tenantId]\",\n\"enableSoftDelete\": true,\n\"softDeleteRetentionInDays\": 90,\n\"enablePurgeProtection\": true\n}\n}\n
    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableSoftDelete property to true.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: subscription().tenantId\n    enableSoftDelete: true\n    softDeleteRetentionInDays: 90\n    enablePurgeProtection: true\n  }\n}\n
    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#links","title":"Links","text":"
    • Azure Key Vault soft-delete overview
    • Azure Key Vault security
    • Azure deployment reference
    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.LB.AvailabilityZone/","title":"Load balancers should be zone-redundant","text":"Azure.LB.AvailabilityZoneAZR-000127Error

    Reliability \u00b7 Load Balancer \u00b7 2021_09

    Load balancers deployed with Standard SKU should be zone-redundant for high availability.

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#description","title":"Description","text":"

    Load balancers using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A single zone redundant frontend IP address will survive zone failure. The frontend IP may be used to reach all (non-impacted) backend pool members no matter the zone. One or more availability zones can fail and the data path survives as long as one zone in the region remains healthy.

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using zone-redundant load balancers deployed with Standard SKU.

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is constrained to a single(zonal) zone, and passes when set to null, [] or [\"1\", \"2\", \"3\"].

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure zone-redundancy for a load balancer.

    • Set sku.name to Standard.
    • Set properties.frontendIPConfigurations[*].zones to [\"1\", \"2\", \"3\"].

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-07-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/loadBalancers\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [],\n\"tags\": {},\n\"properties\": {\n\"frontendIPConfigurations\": [\n{\n\"name\": \"frontend-ip-config\",\n\"properties\": {\n\"privateIPAddress\": null,\n\"privateIPAddressVersion\": \"IPv4\",\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n}\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n],\n\"backendAddressPools\": [],\n\"probes\": [],\n\"loadBalancingRules\": [],\n\"inboundNatRules\": [],\n\"outboundRules\": []\n},\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"[parameters('tier')]\"\n}\n}\n
    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure zone-redundancy for a load balancer.

    • Set sku.name to Standard.
    • Set properties.frontendIPConfigurations[*].zones to ['1', '2', '3'].

    For example:

    Azure Bicep snippet
    resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Load Balancer and Availability Zones
    • Use zone-aware services
    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.Name/","title":"Use valid Load Balancer names","text":"Azure.LB.NameAZR-000129Error

    Operational Excellence \u00b7 Load Balancer \u00b7 2020_06

    Load Balancer names should meet naming requirements.

    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Load Balancer names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Load Balancer names must be unique within a resource group.
    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#notes","title":"Notes","text":"

    This rule does not check if Load Balancer names are unique.

    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Probe/","title":"Use specific load balancer probe","text":"Azure.LB.ProbeAZR-000126Error

    Reliability \u00b7 Load Balancer \u00b7 2020_06

    Use a specific probe for web protocols.

    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#description","title":"Description","text":"

    A load balancer probe can be configured as TCP/ HTTP or HTTPS.

    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#recommendation","title":"Recommendation","text":"

    Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.

    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#links","title":"Links","text":"
    • Load Balancer health probes
    • Creating good health probes
    • Health Endpoint Monitoring pattern
    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.StandardSKU/","title":"Load balancers should use Standard SKU","text":"Azure.LB.StandardSKUAZR-000128Error

    Reliability \u00b7 Load Balancer \u00b7 2021_09

    Load balancers should be deployed with Standard SKU for production workloads.

    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#description","title":"Description","text":"

    Standard Load Balancer enables you to scale your applications and create high availability for small scale deployments to large and complex multi-zone architectures. It supports inbound as well as outbound connections, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. It enables Availability Zones with zone-redundant and zonal front ends as well as cross-zone load balancing for public and internal scenarios. You can scale Network Virtual Appliance scenarios and make them more resilient by using internal HA Ports load balancing rules. It also provides new diagnostics insights with multi-dimensional metrics in Azure Monitor.

    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#recommendation","title":"Recommendation","text":"

    Consider using Standard SKU for load balancers deployed in production.

    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure Standard SKU for a load balancer.

    • Set sku.name to Standard.

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-07-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/loadBalancers\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [],\n\"tags\": {},\n\"properties\": {\n\"frontendIPConfigurations\": [\n{\n\"name\": \"frontend-ip-config\",\n\"properties\": {\n\"privateIPAddress\": null,\n\"privateIPAddressVersion\": \"IPv4\",\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n}\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n],\n\"backendAddressPools\": [],\n\"probes\": [],\n\"loadBalancingRules\": [],\n\"inboundNatRules\": [],\n\"outboundRules\": []\n},\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"[parameters('tier')]\"\n}\n}\n
    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure Standard SKU for a load balancer.

    • Set sku.name to Standard.

    For example:

    Azure Bicep snippet
    resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#links","title":"Links","text":"
    • Azure deployment reference
    • Why use Azure Load Balancer?
    • Azure Load Balancer SKUs
    • Meet application platform requirements
    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/","title":"Limit Logic App HTTP request triggers","text":"Azure.LogicApp.LimitHTTPTriggerAZR-000130Error

    Security \u00b7 Logic App \u00b7 2020_12

    Limit HTTP request trigger access to trusted IP addresses.

    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#description","title":"Description","text":"

    When a Logic App uses a HTTP request trigger by default any source IP address can trigger the workflow. Logic Apps can be configured to limit the IP addresses that are accepted to trigger the workflow.

    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#recommendation","title":"Recommendation","text":"

    Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.

    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#links","title":"Links","text":"
    • Secure access and data in Azure Logic Apps
    • Azure security baseline for Logic Apps
    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/","title":"Disable MariaDB Allow access to Azure services firewall rule","text":"Azure.MariaDB.AllowAzureAccessAZR-000342Error

    Security \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Determine if access from Azure services is required.

    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#description","title":"Description","text":"

    Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same Azure Database for MariaDB server instance. If network based access is permitted, authentication is still required.

    Enabling access from Azure services is useful in certain cases where fixed outgoing IP addresses isn't available for the services.

    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.

    Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Deploy a Microsoft.DBforMariaDB servers/firewallRules sub-resource (child resource).
    • Set the properties.startIpAddress and properties.endIpAddress property to a valid IPv4 address format.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"[parameters('skuTier')]\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mariadbVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": \"[parameters('backupRetentionDays')]\",\n\"geoRedundantBackup\": \"[parameters('geoRedundantBackup')]\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforMariaDB/servers/firewallRules\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"MariaDbServer001/FunctionApp\",\n\"properties\": {\n\"startIpAddress\": \"20.67.176.40\",\n\"endIpAddress\": \"20.67.176.40\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.DBforMariaDB/servers', parameters('serverName'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-bicep","title":"Configure with Bicep","text":"
    • Deploy a Microsoft.DBforMariaDB servers/firewallRules sub-resource (child resource).
    • Set the properties.startIpAddress and properties.endIpAddress property to a valid IPv4 address format.

    For example:

    Azure Bicep snippet
    resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: backupRetentionDays\n      geoRedundantBackup: geoRedundantBackup\n    }\n  }\n}\n\nresource mariaDbServerFirewallRule 'Microsoft.DBforMariaDB/servers/firewallRules@2018-06-01' = {\n  name: 'MariaDbServer001/FunctionApp'\n  parent: mariaDbServer\n  properties: {\n    startIpAddress: '20.67.176.40'\n    endIpAddress: '20.67.176.40'\n  }\n}\n
    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#links","title":"Links","text":"
    • Network security and containment
    • Azure Database for MariaDB firewall rules
    • Template reference
    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/","title":"Use valid database names","text":"Azure.MariaDB.DatabaseNameAZR-000337Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB databases should meet naming requirements.

    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB database names are:

    • Between 1 and 63 characters long.
    • Alphanumerics and hyphens.
    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB database names are unique.

    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MariaDB.DefenderCloudAZR-000330Error

    Security \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for MariaDB.

    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#description","title":"Description","text":"

    Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Enable Microsoft Defender for Cloud for Azure Database for MariaDB.

    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Deploy a Microsoft.DBforMariaDB/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('SkuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mariadbVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforMariaDB/servers/securityAlertPolicies\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"Default\",\n\"dependsOn\": [\"[parameters('serverName')]\"],\n\"properties\": {\n\"emailAccountAdmins\": true,\n\"emailAddresses\": [\"soc@contoso.com\"],\n\"retentionDays\": 14,\n\"state\": \"Enabled\",\n\"storageAccountAccessKey\": \"account-key\",\n\"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n}\n}\n]\n}\n
    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Deploy a Microsoft.DBforMariaDB/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example:

    Azure Bicep snippet
    resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mariaDbDefender 'Microsoft.DBforMariaDB/servers/securityAlertPolicies@2018-06-01' = {\n  name: 'Default'\n  parent: MariaDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n
    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#links","title":"Links","text":"
    • Security operations
    • Enable Microsoft Defender for open-source relational databases
    • Azure deployment reference
    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/","title":"Review Azure MariaDB server firewall permitted public IP addresses","text":"Azure.MariaDB.FirewallIPRangeAZR-000344Error

    Security \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Determine if there is an excessive number of permitted IP addresses.

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity.

    Server-level firewall permitted IP addresses apply to all databases on the Azure Database for MariaDB server.

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    Review the number of Azure for MariaDB server firewall permitted public IP addresses configured. Consider to removing IP addresses that are no longer needed.

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#notes","title":"Notes","text":"

    This rule fails when the number of configured public IP addresses exceeds ten (10).

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#links","title":"Links","text":"
    • Network security and containment
    • Azure Database for MariaDB server firewall rules
    • Create and manage Azure Database for MariaDB firewall rules by using the Azure portal
    • Azure deployment reference
    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/","title":"Review Azure MariaDB server firewall rules","text":"Azure.MariaDB.FirewallRuleCountAZR-000343Error

    Security \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity.

    Server-level firewall rules apply to all databases on the Azure Database for MariaDB server.

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    Review the number of Azure for MariaDB server firewall rules configured. Consider to removing rules that are no longer needed.

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#notes","title":"Notes","text":"

    This rule fails when the number of configured firewall rules exceeds ten (10).

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#links","title":"Links","text":"
    • Network security and containment
    • Azure Database for MariaDB server firewall rules
    • Create and manage Azure Database for MariaDB firewall rules by using the Azure portal
    • Azure deployment reference
    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/","title":"Use valid firewall rule names","text":"Azure.MariaDB.FirewallRuleNameAZR-000338Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB firewall rules should meet naming requirements.

    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB firewall rule names are:

    • Between 1 and 128 characters long.
    • Alphanumerics, hyphens, and underscores.
    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB firewall rule names are unique.

    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Template reference
    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MariaDB.GeoRedundantBackupAZR-000329Error

    Reliability \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB should store backups in a geo-redundant storage.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#description","title":"Description","text":"

    Geo-redundant backup helps to protect your Azure Database for MariaDB Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.

    When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center.

    Check out the NOTES and the LINKS section for more details about geo-redundant backup.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"

    Configure geo-redundant backup for Azure Database for MariaDB.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to Enabled.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#notes","title":"Notes","text":"

    This rule is only applicable for Azure Database for Maria DB Servers with General Purpose and Memory Optimized tiers. The Basic tier does not support geo-redundant backup storage.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Backup and restore in Azure Database for MariaDB
    • Azure deployment reference
    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.MinTLS/","title":"Minimum TLS version","text":"Azure.MariaDB.MinTLSAZR-000335Error

    Security \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB servers should reject TLS versions older than 1.2.

    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure Database for MariaDB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#recommendation","title":"Recommendation","text":"

    Configure the minimum supported TLS version to be 1.2.

    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.minimalTlsVersion property to TLS1_2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.minimalTlsVersion property to TLS1_2.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS enforcement in Azure Database for MariaDB
    • Set TLS configurations for Azure Database for MariaDB
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.ServerName/","title":"Use valid server names","text":"Azure.MariaDB.ServerNameAZR-000336Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB servers should meet naming requirements.

    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB server names are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • MariaDB server names must be globally unique.
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy servers that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy servers that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB server names are unique.

    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.UseSSL/","title":"Encrypted connections","text":"Azure.MariaDB.UseSSLAZR-000334Error

    Security \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB servers should only accept encrypted connections.

    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#description","title":"Description","text":"

    Azure Database for MariaDB is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

    Unencrypted communication to MariaDB server instances could allow disclosure of information to an untrusted party.

    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#recommendation","title":"Recommendation","text":"

    Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

    Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.sslEnforcement property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.sslEnforcement property to Enabled.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#links","title":"Links","text":"
    • Data encryption in Azure
    • SSL connectivity in Azure Database for MariaDB
    • Template reference
    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/","title":"Use valid VNET rule names","text":"Azure.MariaDB.VNETRuleNameAZR-000339Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 2022_12

    Azure Database for MariaDB VNET rules should meet naming requirements.

    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB VNET rule names are:

    • Between 1 and 128 characters long.
    • Alphanumerics and hyphens.
    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB VNET rule names are unique.

    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/","title":"Alert on service events","text":"Azure.Monitor.ServiceHealthAZR-000211Error

    Operational Excellence \u00b7 Monitor \u00b7 2020_06

    Configure Service Health alerts to notify administrators.

    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#description","title":"Description","text":"

    Azure provides events and can alert administrators when one of the following occurs in your subscriptions:

    • Service issue
    • Planned maintenance
    • Health advisories
    • Security advisory
    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#recommendation","title":"Recommendation","text":"

    Consider configuring an alert to notify administrators when services you are using are potentially impacted.

    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#links","title":"Links","text":"
    • Service Health overview
    • Create activity log alerts on service notifications
    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.MySQL.AAD/","title":"Use AAD authentication with MySQL databases","text":"Azure.MySQL.AADAZR-000392Error

    Security \u00b7 Azure Database for MySQL \u00b7 2023_06

    Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#description","title":"Description","text":"

    Azure Database for MySQL offer two authentication models, Azure Active Directory (AAD) and MySQL logins. AAD authentication supports centialized identity management in addition to modern password protections. Some of the benefits of AAD authentication over MySQL authentication including:

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional-based access with Conditional Access.

    It is also possible to disable MySQL authentication entirely for the flexible server deployment model.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.identityResourceId to the resource ID of the user-assigned identity used for AAD authentication.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/flexibleServers/administrators\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"identityResourceId\": \"[parameters('identityResourceId')]\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"mySqlFlexibleServer\"\n]\n}\n

    To deploy Azure Database for MySQL single servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/servers/administrators\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"mySqlSingleServer\"\n]\n}\n
    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.identityResourceId to the resource ID of the user-assigned identity used for AAD authentication.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview' = {\n  name: 'activeDirectory'\n  parent: mySqlFlexibleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    identityResourceId: identityResourceId\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n

    To deploy Azure Database for MySQL single servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforMySQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: mySqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n
    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#notes","title":"Notes","text":"

    For the flexible server deployment model a user-assigned identity is required in order to use AAD-authentication. The single server deployment model does not support enforcing AAD-authentication only.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Use Azure Active Directory for authenticating with MySQL - Flexible Server
    • Use Azure Active Directory for authenticating with MySQL - Single Server
    • Azure security baseline for Azure Database for MySQL - Flexible Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference Flexible Server
    • Azure deployment reference Single Server
    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.MySQL.AADOnlyAZR-000394Error

    Security \u00b7 Azure Database for MySQL \u00b7 2023_09

    Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#description","title":"Description","text":"

    Azure Database for MySQL supports authentication with MySQL logins and Azure AD authentication.

    By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    Once you decide to use Azure AD authentication, you can disable authentication with MySQL logins.

    Azure AD-only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
    • Set the name to aad_auth_only.
    • Set the properties.value to ON.
    • Set the properties.source to user-override.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/flexibleServers/configurations\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]\",\n\"properties\": {\n\"value\": \"ON\",\n\"source\": \"user-override\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]\"\n]\n}\n
    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
    • Set the name to aad_auth_only.
    • Set the properties.value to ON.
    • Set the properties.source to user-override.

    For example:

    Azure Bicep snippet
    resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {\n  name: 'aad_auth_only'\n  parent: mySqlFlexibleServer\n  properties: {\n    value: 'ON'\n    source: 'user-override'\n  }\n}\n
    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only suppored for the flexible server deployment model.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Active Directory authentication for Azure Database for MySQL - Flexible Server
    • Azure security baseline for Azure Database for MySQL - Flexible Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/","title":"Disable MySQL Allow Azure access firewall rule","text":"Azure.MySQL.AllowAzureAccessAZR-000134Error

    Security \u00b7 Azure Database for MySQL \u00b7 2020_06

    Determine if access from Azure services is required.

    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#description","title":"Description","text":"

    Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same MySQL server instance. If network based access is permitted, authentication is still required.

    Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.

    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.

    Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#links","title":"Links","text":"
    • Azure Database for MySQL server firewall rules
    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MySQL.DefenderCloudAZR-000328Error

    Security \u00b7 Azure Database for MySQL \u00b7 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for MySQL.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#description","title":"Description","text":"

    Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Enable Microsoft Defender for Cloud for Azure Database for MySQL.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mysqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('SkuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforMySQL/servers/securityAlertPolicies\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"Default\",\n\"dependsOn\": [\"[parameters('serverName')]\"],\n\"properties\": {\n\"emailAccountAdmins\": true,\n\"emailAddresses\": [\"soc@contoso.com\"],\n\"retentionDays\": 14,\n\"state\": \"Enabled\",\n\"storageAccountAccessKey\": \"account-key\",\n\"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n}\n}\n]\n}\n
    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example:

    Azure Bicep snippet
    resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mysqlDefender 'Microsoft.DBforMySQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: mysqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n
    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#notes","title":"Notes","text":"

    This rule is only applicable for the Azure Database for MySQL Single Server deployment model.

    Azure Database for MySQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#links","title":"Links","text":"
    • Security operations
    • Enable Microsoft Defender for open-source relational databases
    • Azure deployment reference
    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/","title":"Limit MySQL server firewall rule range","text":"Azure.MySQL.FirewallIPRangeAZR-000135Error

    Security \u00b7 Azure Database for MySQL \u00b7 2020_06

    Determine if there is an excessive number of permitted IP addresses.

    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    The MySQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.

    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#links","title":"Links","text":"
    • Create and manage Azure Database for MySQL firewall rules by using the Azure portal
    • Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal
    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/","title":"Cleanup MySQL server firewall rules","text":"Azure.MySQL.FirewallRuleCountAZR-000133Error

    Security \u00b7 Azure Database for MySQL \u00b7 2020_06

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#links","title":"Links","text":"
    • Create and manage Azure Database for MySQL firewall rules by using the Azure portal
    • Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal
    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MySQL.GeoRedundantBackupAZR-000323Error

    Reliability \u00b7 Azure Database for MySQL \u00b7 2022_12

    Azure Database for MySQL should store backups in a geo-redundant storage.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#description","title":"Description","text":"

    Geo-redundant backup helps to protect your Azure Database for MySQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.

    When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for MySQL Flexible Server and the Azure Database for MySQL Single Server deployment model supports geo-redundant backup.

    For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either General Purpose or Memory Optimized tier is required.

    Check out the NOTES section for more details about geo-redundant backup for each of the deployment models.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"

    Configure geo-redundant backup for Azure Database for MySQL.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/flexibleServers\",\n\"apiVersion\": \"2021-12-01-preview\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D16as\",\n\"tier\": \"GeneralPurpose\"\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storage\": {\n\"autoGrow\": \"Enabled\",\n\"iops\": \"[parameters('StorageIops')]\",\n\"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n},\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mysqlVersion')]\",\n\"backup\": {\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n},\n\"highAvailability\": {\n\"mode\": \"Disabled\"\n}\n}\n}\n

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mysqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('SkuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource mysqlDbServer 'Microsoft.DBforMySQL/flexibleServers@2021-12-01-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      autoGrow: 'Enabled'\n      iops: StorageIops\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: mysqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#notes","title":"Notes","text":"

    This rule is applicable for both the Azure Database for MySQL Flexible Server deployment model and the Azure Database for MySQL Single Server deployment model.

    For the Single Server deployment model, it runs only against 'General Purpose' and 'Memory Optimized' tiers. The 'Basic' tier does not support geo-redundant backup storage.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Backup and restore in Azure Database for MySQL flexible servers
    • Backup and restore in Azure Database for MySQL single servers
    • Azure deployment reference flexible servers
    • Azure deployment reference single servers
    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.MinTLS/","title":"MySQL DB server minimum TLS version","text":"Azure.MySQL.MinTLSAZR-000132Error

    Security \u00b7 Azure Database for MySQL \u00b7 2020_09

    MySQL DB servers should reject TLS versions older than 1.2.

    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that MySQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2.

    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS enforcement in Azure Database for MySQL
    • Set TLS configurations for Azure Database for MySQL
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.ServerName/","title":"Use valid MySQL DB server names","text":"Azure.MySQL.ServerNameAZR-000136Error

    Operational Excellence \u00b7 Azure Database for MySQL \u00b7 2020_12

    Azure MySQL DB server names should meet naming requirements.

    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for MySQL DB server names are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • MySQL DB server names must be globally unique.
    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure MySQL DB server names are unique.

    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.UseFlexible/","title":"Use Azure Database for MySQL Flexible Server","text":"Azure.MySQL.UseFlexibleAZR-000325Warning

    Operational Excellence \u00b7 Azure Database for MySQL \u00b7 2022_12

    Use Azure Database for MySQL Flexible Server deployment model.

    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#description","title":"Description","text":"

    Azure Database for MySQL Single Server is on the retirement path. Upgrade to Azure Database for MySQL Flexible Server.

    Azure Database for MySQL Flexible Server provides additional options for resilience and scalability above the Single Server deployment model.

    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#recommendation","title":"Recommendation","text":"

    Migrate to Azure Database for MySQL Flexible Server deployment model.

    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#links","title":"Links","text":"
    • Infrastructure provisioning
    • Azure Database for MySQL Single Server deployment model retirement
    • Migrate from Single Server to Flexible Server
    • Comparing the MySQL deployment options in Azure
    • Azure deployment reference flexible servers
    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseSSL/","title":"Enforce encrypted MySQL connections","text":"Azure.MySQL.UseSSLAZR-000131Error

    Security \u00b7 Azure Database for MySQL \u00b7 2020_06

    Enforce encrypted MySQL connections.

    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#description","title":"Description","text":"

    Azure Database for MySQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

    Unencrypted communication to MySQL server instances could allow disclosure of information to an untrusted party.

    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#recommendation","title":"Recommendation","text":"

    Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

    Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#links","title":"Links","text":"
    • Data encryption in Azure
    • SSL connectivity in Azure Database for MySQL
    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.NSG.AKSRules/","title":"No custom NSG rules for AKS managed NSGs","text":"Azure.NSG.AKSRulesAZR-000292Error

    Operational Excellence \u00b7 Network Security Group \u00b7 2022_09

    AKS Network Security Group (NSG) should not have custom rules.

    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#description","title":"Description","text":"

    AKS manages the Network Security Group (NSG) allocated to the cluster. There should be no custom rules added as it may cause conflicts, break the AKS cluster or have an unexpected result.

    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#recommendation","title":"Recommendation","text":"

    Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.

    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#links","title":"Links","text":"
    • AKS Network Security
    • Azure deployment reference
    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/","title":"Avoid rules that allow any as an inbound source","text":"Azure.NSG.AnyInboundSourceAZR-000137Error

    Security \u00b7 Network Security Group \u00b7 2020_06

    Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.

    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#description","title":"Description","text":"

    NSGs filter network traffic for Azure services connected to a virtual network subnet. In addition to the built-in security rules, a number of custom rules may be defined. Custom security rules can be defined that allow or deny inbound or outbound communication.

    When defining custom rules, avoid using rules that allow any as the inbound source. The intent of custom rules that allow any inbound source may not be clearly understood by support teams. Additionally, custom rules with any inbound source may expose services if a public IP address is attached.

    When inbound network traffic from the Internet is intended also consider the following:

    • Use Application Gateway in-front of any web application workloads.
    • Use DDoS Protection Standard to protect public IP addresses.
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#recommendation","title":"Recommendation","text":"

    Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag Internet.

    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#examples","title":"Examples","text":"","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the sourceAddressPrefix or sourceAddressPrefixes to a value other then * for inbound allow rules.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('nsgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"AllowLoadBalancerHealthInbound\",\n\"properties\": {\n\"description\": \"Allow inbound Azure Load Balancer health check.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 100,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"AzureLoadBalancer\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"AllowApplicationInbound\",\n\"properties\": {\n\"description\": \"Allow internal web traffic into application.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 300,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"10.0.0.0/8\",\n\"destinationPortRange\": \"443\",\n\"destinationAddressPrefix\": \"VirtualNetwork\"\n}\n},\n{\n\"name\": \"DenyAllInbound\",\n\"properties\": {\n\"description\": \"Deny all other inbound traffic.\",\n\"access\": \"Deny\",\n\"direction\": \"Inbound\",\n\"priority\": 4000,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"*\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"DenyTraversalOutbound\",\n\"properties\": {\n\"description\": \"Deny outbound double hop traversal.\",\n\"access\": \"Deny\",\n\"direction\": \"Outbound\",\n\"priority\": 200,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n

    To create an Application Security Group, use the Microsoft.Network/applicationSecurityGroups resource. For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('asgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the sourceAddressPrefix or sourceAddressPrefixes to a value other then * for inbound allow rules.

    For example:

    Azure Bicep snippet
    resource nsg 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {\n  name: nsgName\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n

    To create an Application Security Group, use the Microsoft.Network/applicationSecurityGroups resource. For example:

    resource asg 'Microsoft.Network/applicationSecurityGroups@2022-01-01' = {\n  name: asgName\n  location:location\n  properties: {}\n}\n
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Service Tags Overview
    • Network Security Groups
    • Logically segment subnets
    • What is Azure Application Gateway?
    • Azure DDoS Protection Standard overview
    • Azure deployment reference
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.Associated/","title":"Associate NSGs or clean them up","text":"Azure.NSG.AssociatedAZR-000140Error

    Operational Excellence \u00b7 Network Security Group \u00b7 2020_06

    Network Security Groups (NSGs) should be associated to a subnet or network interface.

    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#description","title":"Description","text":"

    NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.

    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#recommendation","title":"Recommendation","text":"

    Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads

    To find orphaned NSG's run the following Azure CLI command

    Azure CLI snippet
    az network nsg list -g $rgName --query \"[?(subnets==null) && (networkInterfaces==null)].id\" -o tsv\n
    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#links","title":"Links","text":"
    • Operational excellence principles
    • Orphaned Resources Workbook
    • Modify, create and delete NSG's using the CLI
    • Azure deployment reference
    • Network security groups
    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/","title":"Avoid denying all inbound traffic","text":"Azure.NSG.DenyAllInboundAZR-000138Error

    Operational Excellence \u00b7 Network Security Group \u00b7 2020_06

    Avoid denying all inbound traffic.

    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#description","title":"Description","text":"

    Network Security Groups (NSGs) are configured to block all inbound network traffic by default. Blocking all inbound traffic will fail load balancer health probes and other required traffic.

    When using a custom deny all inbound rule, also add rules to allow permitted traffic. To permit network traffic, add a custom allow rule with a lower priority number then the deny all rule. Rules with a lower priority number will be processed first. 100 is the lowest priority number.

    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#recommendation","title":"Recommendation","text":"

    Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.

    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#examples","title":"Examples","text":"","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the priority of rules to a number less than a deny all rule.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('nsgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"AllowLoadBalancerHealthInbound\",\n\"properties\": {\n\"description\": \"Allow inbound Azure Load Balancer health check.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 100,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"AzureLoadBalancer\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"AllowApplicationInbound\",\n\"properties\": {\n\"description\": \"Allow internal web traffic into application.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 300,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"10.0.0.0/8\",\n\"destinationPortRange\": \"443\",\n\"destinationAddressPrefix\": \"VirtualNetwork\"\n}\n},\n{\n\"name\": \"DenyAllInbound\",\n\"properties\": {\n\"description\": \"Deny all other inbound traffic.\",\n\"access\": \"Deny\",\n\"direction\": \"Inbound\",\n\"priority\": 4000,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"*\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"DenyTraversalOutbound\",\n\"properties\": {\n\"description\": \"Deny outbound double hop traversal.\",\n\"access\": \"Deny\",\n\"direction\": \"Outbound\",\n\"priority\": 200,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n
    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the priority of rules to a number less than a deny all rule.

    For example:

    Azure Bicep snippet
    resource nsg 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {\n  name: nsgName\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#links","title":"Links","text":"
    • Network security groups
    • Introduction to flow logging for network security groups
    • Virtual network service tags
    • Azure deployment reference
    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.LateralTraversal/","title":"Limit lateral traversal within subnets","text":"Azure.NSG.LateralTraversalAZR-000139Error

    Security \u00b7 Network Security Group \u00b7 2020_06

    Deny outbound management connections from non-management hosts.

    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#description","title":"Description","text":"

    Network Security Groups (NSGs) are basic stateful firewalls that provide network isolation and security. NSGs allow or deny network traffic to and from Azure resources in an Azure virtual network. i.e. Traffic between VMs on the same or different subnet can be restricted. NSGs do this by enforcing ordered access rules for all traffic in or out services attached to a subnet.

    This micro-segmentation approach provides a control to reduce lateral movement between services.

    Typically, a subset of trusted hosts such as privileged access workstations (PAWs), bastion hosts, or jump boxes will be used for management. Management protocols originating from application workload hosts should be blocked.

    For example:

    • An SQL Server should not be used as a management host to manage other SQL Servers, or File Servers.
    • Configure dedicated management hosts to manage other hosts.

    This helps improve security in two ways:

    1. Reduces the attack surface that can be used in lateral traversal attacks.
    2. Limits the likelihood that privileged credentials will be exposed for outbound management.
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#recommendation","title":"Recommendation","text":"

    Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.

    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#notes","title":"Notes","text":"

    Specifically this rule checks if either 3389 (RDP) or 22 (SSH) has been blocked for outbound traffic.

    To suppress this rule for NSGs protecting subnets expected to allow outbound management traffic see Permit outbound management.

    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#examples","title":"Examples","text":"","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy NSGs that pass this rule:

    • Add an outbound security rule that denies TCP port 3389 and/ or 22.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"name\": \"[parameters('nsgName')]\",\n\"apiVersion\": \"2019-04-01\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"deny-hop-outbound\",\n\"properties\": {\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n],\n\"access\": \"Deny\",\n\"priority\": 200,\n\"direction\": \"Outbound\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy NSGs that pass this rule:

    • Add an outbound security rule that denies TCP port 3389 and/ or 22.

    For example:

    Azure Bicep snippet
    resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {\n  name: 'nsg-001'\n  properties: {\n    securityRules: [\n      {\n        name: 'deny-hop-outbound'\n        properties: {\n          priority: 200\n          access: 'Deny'\n          protocol: 'Tcp'\n          direction: 'Outbound'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Logically segment subnets
    • Plan virtual networks
    • Network security groups
    • Permit outbound management
    • Azure deployment reference
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.Name/","title":"Use valid NSG names","text":"Azure.NSG.NameAZR-000141Error

    Operational Excellence \u00b7 Network Security Group \u00b7 2020_06

    Network Security Group (NSG) names should meet naming requirements.

    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for NSG names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • NSG names must be unique within a resource group.
    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell or Bicep

    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#notes","title":"Notes","text":"

    This rule does not check if NSG names are unique.

    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/","title":"Use assigned by for policy assignments","text":"Azure.Policy.AssignmentAssignedByAZR-000144Error

    Operational Excellence \u00b7 Policy \u00b7 2021_06

    Policy assignments should use assignedBy metadata.

    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#description","title":"Description","text":"

    When using the Azure Portal, policy assignment automatically set the assignedBy metadata. This metadata field is intended to indicate the person or team assigning the policy to a resource scope.

    When automating policy management, it may be helpful to identify assignments managed by code.

    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#recommendation","title":"Recommendation","text":"

    Consider setting assignedBy metadata for each policy assignment.

    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#azure-templates","title":"Azure templates","text":"

    To deploy policy assignments that pass this rule:

    • Set the properties.metadata.assignedBy property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Initiative assignment\",\n\"name\": \"assignment-001\",\n\"type\": \"Microsoft.Authorization/policyAssignments\",\n\"apiVersion\": \"2019-06-01\",\n\"properties\": {\n\"displayName\": \"Assignment 001\",\n\"description\": \"An example policy assignment.\",\n\"metadata\": {\n\"assignedBy\": \"DevOps pipeline\"\n},\n\"enforcementMode\": \"Default\"\n}\n}\n
    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#links","title":"Links","text":"
    • Azure Policy assignment structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/","title":"Use descriptive policy assignments","text":"Azure.Policy.AssignmentDescriptorsAZR-000143Error

    Operational Excellence \u00b7 Policy \u00b7 2021_06

    Policy assignments should use a display name and description.

    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#description","title":"Description","text":"

    Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the intent of the policy assignment.

    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#recommendation","title":"Recommendation","text":"

    Consider setting a display name and description for each policy assignment.

    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#azure-templates","title":"Azure templates","text":"

    To deploy policy assignments that pass this rule:

    • Set the properties.displayName property with a valid value.
    • Set the properties.description property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Initiative assignment\",\n\"name\": \"assignment-001\",\n\"type\": \"Microsoft.Authorization/policyAssignments\",\n\"apiVersion\": \"2019-06-01\",\n\"properties\": {\n\"displayName\": \"Assignment 001\",\n\"description\": \"An example policy assignment.\",\n\"metadata\": {\n\"assignedBy\": \"DevOps pipeline\"\n},\n\"enforcementMode\": \"Default\"\n}\n}\n
    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#links","title":"Links","text":"
    • Azure Policy assignment structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.Descriptors/","title":"Use descriptive policies","text":"Azure.Policy.DescriptorsAZR-000142Error

    Operational Excellence \u00b7 Policy \u00b7 2020_06

    Policy and initiative definitions should use a display name, description, and category.

    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#description","title":"Description","text":"

    Policy and initiative definitions can be configured with a display name, description, and category. Use these additional properties to clearly convey the purpose when creating custom definitions.

    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#recommendation","title":"Recommendation","text":"

    Consider setting a display name, description and category for each policy and initiatives definition.

    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#azure-templates","title":"Azure templates","text":"

    To deploy initiative and policy definitions that pass this rule:

    • Set the properties.displayName property with a valid value.
    • Set the properties.description property with a valid value.
    • Set the properties.metadata.category property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Initiative definition\",\n\"name\": \"initiative-001\",\n\"type\": \"Microsoft.Authorization/policySetDefinitions\",\n\"apiVersion\": \"2019-06-01\",\n\"properties\": {\n\"policyType\": \"Custom\",\n\"displayName\": \"Initiative 001\",\n\"description\": \"An example initiative.\",\n\"metadata\": {\n\"category\": \"Security\"\n},\n\"policyDefinitions\": []\n}\n}\n
    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#links","title":"Links","text":"
    • Azure Policy definition structure
    • Common metadata properties
    • Policy definition template reference
    • Initiative definition template reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/","title":"Use descriptive policy exemptions","text":"Azure.Policy.ExemptionDescriptorsAZR-000145Error

    Operational Excellence \u00b7 Policy \u00b7 2021_06

    Policy exemptions should use a display name and description.

    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#description","title":"Description","text":"

    Policy exemptions can be configured with a display name and description. Use these properties to clearly convey the reason for the exemption. Additionally, consider providing a link or reference (for example in the exemption metadata) to track the exemption conditions and who requested and approved it.

    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#recommendation","title":"Recommendation","text":"

    Consider setting a display name and description for each policy exemption.

    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#azure-templates","title":"Azure templates","text":"

    To deploy policy exemptions that pass this rule:

    • Set the properties.displayName property with a valid value.
    • Set the properties.description property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"An example exemption.\",\n\"name\": \"exemption-001\",\n\"type\": \"Microsoft.Authorization/policyExemptions\",\n\"apiVersion\": \"2020-07-01-preview\",\n\"properties\": {\n\"policyAssignmentId\": \"<assignment_id>\",\n\"policyDefinitionReferenceIds\": [],\n\"exemptionCategory\": \"Waiver\",\n\"expiresOn\": \"2021-04-27T14:00:00Z\",\n\"displayName\": \"Exemption 001\",\n\"description\": \"An example exemption.\",\n\"metadata\": {\n\"requestedBy\": \"Apps team\",\n\"approvedBy\": \"Security team\",\n\"createdBy\": \"DevOps pipeline\"\n}\n}\n}\n
    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#links","title":"Links","text":"
    • Azure Policy exemption structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/","title":"Policy waiver exemptions must expire","text":"Azure.Policy.WaiverExpiryAZR-000146Error

    Operational Excellence \u00b7 Policy \u00b7 2021_06

    Configure policy waiver exemptions to expire.

    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#description","title":"Description","text":"

    Azure Policy waiver exemptions are intended as a temporary acceptance of a non-compliant state. Use the Mitigated category instead when the intent of the policy has been met through another control.

    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#recommendation","title":"Recommendation","text":"

    Consider configuring an expiry for policy exemption waivers within the maximum threshold.

    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#examples","title":"Examples","text":"","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#azure-templates","title":"Azure templates","text":"

    To deploy policy exemptions that pass this rule:

    • Set the properties.expiresOn property to a valid date that falls within the maximum expiry threshold (AZURE_POLICY_WAIVER_MAX_EXPIRY, in days).

    For example:

    Azure Template snippet
    {\n\"comments\": \"An example exemption.\",\n\"name\": \"exemption-001\",\n\"type\": \"Microsoft.Authorization/policyExemptions\",\n\"apiVersion\": \"2020-07-01-preview\",\n\"properties\": {\n\"policyAssignmentId\": \"<assignment_id>\",\n\"policyDefinitionReferenceIds\": [],\n\"exemptionCategory\": \"Waiver\",\n\"expiresOn\": \"2021-04-27T14:00:00Z\",\n\"displayName\": \"Exemption 001\",\n\"description\": \"An example exemption.\",\n\"metadata\": {\n\"requestedBy\": \"Apps team\",\n\"approvedBy\": \"Security team\",\n\"createdBy\": \"DevOps pipeline\"\n}\n}\n}\n
    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#notes","title":"Notes","text":"

    This rule fails:

    • When the exemption is configured not to expire.
    • When the exemption expiry date is later than the maximum threshold.

    Configure AZURE_POLICY_WAIVER_MAX_EXPIRY to set the maximum expiry date threshold.

    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n
    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#links","title":"Links","text":"
    • Azure Policy exemption structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.PostgreSQL.AAD/","title":"Use AAD authentication with PostgreSQL databases","text":"Azure.PostgreSQL.AADAZR-000389Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2023_06

    Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#description","title":"Description","text":"

    Azure Database for PostgreSQL offers two authentication models, Azure Active Directory (AAD) and PostgreSQL logins. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over PostgreSQL authentication include:

    • Support for Azure Multi-Factor Authentication (MFA).
    • Context-based access control with Conditional Access policies.

    It is also possible to disable PostgreSQL authentication entirely for the flexible server deployment model.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/flexibleServers/administrators sub-resource.
    • Set the properties.principalName to the user principal name of the AAD administrator user, group, or application.
    • Set the properties.principalType to the principal type used to represent the type of AAD administrator.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/administrators\",\n\"apiVersion\": \"2022-12-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), parameters('name'))]\",\n\"properties\": {\n\"principalName\": \"[parameters('principalName')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"postgreSqlFlexibleServer\"\n]\n}\n

    To deploy Azure Database for PostgreSQL single servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/servers/administrators\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"postgreSqlSingleServer\"\n]\n}\n
    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/flexibleServers/administrators sub-resource.
    • Set the properties.principalName to the user principal name of the AAD administrator user, group, or application.
    • Set the properties.principalType to the principal type used to represent the type of AAD administrator.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {\n  name: name\n  parent: postgreSqlFlexibleServer\n  properties: {\n    principalName: principalName\n    principalType: principalType\n    tenantId: tenantId\n  }\n}\n

    To deploy Azure Database for PostgreSQL single servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: postgreSqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n
    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#notes","title":"Notes","text":"

    The single server deployment model is limited to only one Azure AD admin at a time and does not support enforcing AAD-authentication only.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Azure Active Directory Authentication with PostgreSQL Flexible Server
    • Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server
    • Use Azure AD for authentication with Azure Database for PostgreSQL - Single Server
    • Azure Active Directory Authentication (Single Server VS Flexible Server)
    • Azure security baseline for Azure Database for PostgreSQL - Flexible Server
    • Azure security baseline for Azure Database for PostgreSQL - Single Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference Flexible Server
    • Azure deployment reference Single Server
    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.PostgreSQL.AADOnlyAZR-000390Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2023_06

    Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#description","title":"Description","text":"

    Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.

    By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.

    Azure AD-only authentication is only supported for the flexible server deployment model.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
    • Set the properties.authConfig.passwordAuth property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n\"apiVersion\": \"2022-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"authConfig\": {\n\"activeDirectoryAuth\": \"Enabled\",\n\"passwordAuth\": \"Disabled\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n
    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
    • Set the properties.authConfig.passwordAuth property to Disabled.

    For example:

    Azure Bicep snippet
    resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {\n  name: serverName\n  location: location\n  properties: {\n    authConfig: {\n      activeDirectoryAuth: 'Enabled'\n      passwordAuth: 'Disabled'\n      tenantId: tenantId\n    }\n  }\n}\n
    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only supported for the flexible server deployment model.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server
    • Azure Active Directory Authentication (Single Server VS Flexible Server)
    • Azure security baseline for Azure Database for PostgreSQL - Flexible Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/","title":"Disable PostgreSQL Allow Azure access firewall rule","text":"Azure.PostgreSQL.AllowAzureAccessAZR-000150Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2020_06

    Determine if access from Azure services is required.

    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#description","title":"Description","text":"

    The Allow access to Azure services firewall rule permits network access to all databases on the PostgreSQL server from any Azure public IP address, including resources owned by other Azure customers. Network access alone does not grant data access, because authentication is still required, but any Azure-hosted source can then reach the server endpoint.

    Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.

    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Where stable IP addresses can be configured, use IP-based or virtual network-based firewall rules instead of Allow access to Azure services.

    Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#links","title":"Links","text":"
    • Firewall rules in Azure Database for PostgreSQL
    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.PostgreSQL.DefenderCloudAZR-000327Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#description","title":"Description","text":"

    Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforPostgreSQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example (the storageAccountAccessKey value shown is a placeholder; in a real template supply it as a secure parameter or Key Vault reference rather than an inline literal):

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('SkuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('postgresqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforPostgreSQL/servers/securityAlertPolicies\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"Default\",\n\"dependsOn\": [\"[parameters('serverName')]\"],\n\"properties\": {\n\"emailAccountAdmins\": true,\n\"emailAddresses\": [\"soc@contoso.com\"],\n\"retentionDays\": 14,\n\"state\": \"Enabled\",\n\"storageAccountAccessKey\": \"account-key\",\n\"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n}\n}\n]\n}\n
    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforPostgreSQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example (the storageAccountAccessKey value shown is a placeholder; in a real template supply it as a secure parameter or Key Vault reference rather than an inline literal):

    Azure Bicep snippet
    resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource postgresqlDefender 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: postgresqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n
    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#notes","title":"Notes","text":"

    This rule is only applicable for the Azure Database for PostgreSQL Single Server deployment model.

    The Azure Database for PostgreSQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#links","title":"Links","text":"
    • Security operations
    • Enable Microsoft Defender for open-source relational databases
    • Azure deployment reference
    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/","title":"Limit PostgreSQL server firewall rule range","text":"Azure.PostgreSQL.FirewallIPRangeAZR-000151Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2020_06

    Determine if there is an excessive number of permitted IP addresses.

    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    The PostgreSQL server has more than ten (10) public IP addresses that are permitted network access. Some rules may not be needed, or their address ranges can be reduced.

    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#links","title":"Links","text":"
    • Firewall rules in Azure Database for PostgreSQL - Single Server
    • Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal
    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/","title":"Cleanup PostgreSQL server firewall rules","text":"Azure.PostgreSQL.FirewallRuleCountAZR-000149Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2020_06

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The PostgreSQL server has more than ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#links","title":"Links","text":"
    • Firewall rules in Azure Database for PostgreSQL - Single Server
    • Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal
    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.PostgreSQL.GeoRedundantBackupAZR-000326Error

    Reliability \u00b7 Azure Database for PostgreSQL \u00b7 2022_12

    Azure Database for PostgreSQL should store backups in a geo-redundant storage.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#description","title":"Description","text":"

    Geo-redundant backup helps to protect your Azure Database for PostgreSQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.

    When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for PostgreSQL Flexible Server and the Azure Database for PostgreSQL Single Server deployment models support geo-redundant backup.

    For the Flexible Server deployment model, geo-redundant backup is supported for all tiers; for the Single Server deployment model, either the General Purpose or Memory Optimized tier is required.

    Check out the NOTES and the LINKS section for more details about geo-redundant backup for each of the deployment models.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"

    Configure geo-redundant backup for Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n\"apiVersion\": \"2022-01-20-preview\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D16as\",\n\"tier\": \"GeneralPurpose\"\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storage\": {\n\"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n},\n\"createMode\": \"Default\",\n\"version\": \"[parameters('postgresqlVersion')]\",\n\"backup\": {\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n},\n\"highAvailability\": {\n\"mode\": \"Disabled\"\n}\n}\n}\n

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('SkuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('postgresqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: postgresqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#notes","title":"Notes","text":"

    This rule is applicable for both the Azure Database for PostgreSQL Flexible Server deployment model and the Azure Database for PostgreSQL Single Server deployment model.

    For the Single Server deployment model, it runs only against 'General Purpose' and 'Memory Optimized' tiers. The 'Basic' tier does not support geo-redundant backup storage.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Backup and restore in Azure Database for PostgreSQL flexible servers
    • Backup and restore in Azure Database for PostgreSQL single servers
    • Azure deployment reference flexible servers
    • Azure deployment reference single servers
    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/","title":"PostgreSQL DB server minimum TLS version","text":"Azure.PostgreSQL.MinTLSAZR-000148Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2020_09

    PostgreSQL DB servers should reject TLS versions older than 1.2.

    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that PostgreSQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2.

    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS enforcement in Azure Database for PostgreSQL Single server
    • Set TLS configurations for Azure Database for PostgreSQL - Single server
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/","title":"Use valid PostgreSQL DB server names","text":"Azure.PostgreSQL.ServerNameAZR-000152Error

    Operational Excellence \u00b7 Azure Database for PostgreSQL \u00b7 2020_12

    Azure PostgreSQL DB server names should meet naming requirements.

    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for PostgreSQL DB server names are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • PostgreSQL DB server names must be globally unique.
    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure PostgreSQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure PostgreSQL DB server names are unique.

    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/","title":"Enforce encrypted PostgreSQL connections","text":"Azure.PostgreSQL.UseSSLAZR-000147Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 2020_06

    Enforce encrypted PostgreSQL connections.

    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#description","title":"Description","text":"

    Azure Database for PostgreSQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

    Unencrypted communication to PostgreSQL server instances could allow disclosure of information to an untrusted party.

    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#recommendation","title":"Recommendation","text":"

    Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

    Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#links","title":"Links","text":"
    • Data encryption in Azure
    • Configure SSL connectivity in Azure Database for PostgreSQL
    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/","title":"Use valid Private Endpoint names","text":"Azure.PrivateEndpoint.NameAZR-000153Error

    Operational Excellence \u00b7 Private Endpoint \u00b7 2021_12

    Private Endpoint names should meet naming requirements.

    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Private Endpoint names are:

    • Between 2 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Private Endpoint names must be unique within a resource group.
    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#notes","title":"Notes","text":"

    This rule does not check if Private Endpoint names are unique.

    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/","title":"Public IP addresses should use availability zones","text":"Azure.PublicIP.AvailabilityZoneAZR-000157Error

    Reliability \u00b7 Public IP address \u00b7 2021_12

    Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.

    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#description","title":"Description","text":"

    Public IP addresses using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Public IP address can spread across multiple availability zones, which ensures the Public IP address will continue running even if another zone has gone down. Furthermore, this ensures Public Standard Load balancer frontend IPs using a zone-redundant Public IP address can survive zone failure.

    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using zone-redundant Public IP addresses deployed with Standard SKU.

    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure zone-redundancy for a Public IP address.

    • Set sku.name to Standard.
    • Set zones to [\"1\", \"2\", \"3\"].

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/publicIPAddresses\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"Regional\"\n},\n\"properties\": {\n\"publicIPAddressVersion\": \"IPv4\",\n\"publicIPAllocationMethod\": \"Static\",\n\"idleTimeoutInMinutes\": 4\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure zone-redundancy for a Public IP address.

    • Set sku.name to Standard.
    • Set zones to ['1', '2', '3'].

    For example:

    Azure Bicep snippet
    resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#notes","title":"Notes","text":"

    This rule is not applicable for public IP addresses used for Azure Bastion. Azure Bastion does not currently support Availability Zones. Public IP addresses with the following tags are automatically excluded from this rule:

    • resource-usage tag set to azure-bastion.

    This rule fails when \"zones\" is constrained to a single(zonal) zone, or set to null, [] when there are supported availability zones for the given region.

    This rule passes if no zones exist for a given region or \"zones\" is set to [\"1\", \"2\", \"3\"].

    Configure AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Network and resource type publicIpAddresses.

    # YAML: The default AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#links","title":"Links","text":"
    • Use zone-aware services
    • Load Balancer and Availability Zones
    • Azure deployment reference
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/","title":"Use valid Public IP DNS labels","text":"Azure.PublicIP.DNSLabelAZR-000156Error

    Operational Excellence \u00b7 Public IP address \u00b7 2020_06

    Public IP domain name labels should meet naming requirements.

    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#description","title":"Description","text":"

    When configuring Azure Public IP addresses domain name labels must meet naming requirements. The requirements for Public IP domain name labels are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Start with a letter.
    • End a letter or number.
    • Domain name labels must be globally unique within a region.
    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#recommendation","title":"Recommendation","text":"

    Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#notes","title":"Notes","text":"

    This rule does not check if Public IP domain name labels are unique.

    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.IsAttached/","title":"Remove unused Public IP addresses","text":"Azure.PublicIP.IsAttachedAZR-000154Error

    Cost Optimization \u00b7 Public IP address \u00b7 2020_06

    Public IP addresses should be attached or cleaned up if not in use.

    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#description","title":"Description","text":"

    Unattached static Public IP address are charged when not in use.

    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#recommendation","title":"Recommendation","text":"

    Consider removing Public IP addresses that are no longer required reduce complexity and costs.

    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#links","title":"Links","text":"
    • Cost optimization design principles
    • Public IP address pricing
    • Azure deployment reference
    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/","title":"Migrate to Standard SKU","text":"Azure.PublicIP.MigrateStandardAZR-000395Error

    Operational Excellence \u00b7 Public IP address \u00b7 2023_09

    Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.

    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#description","title":"Description","text":"

    The Basic SKU for Public IP addresses will be retired on September 30, 2025. To avoid service disruption, migrate to Standard SKU for Public IP addresses.

    The Standard SKU additionally offers security by default and supports redundancy.

    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#recommendation","title":"Recommendation","text":"

    Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.

    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Public IP addresses that pass this rule:

    • Set sku.name to Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/publicIPAddresses\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"Regional\"\n},\n\"properties\": {\n\"publicIPAddressVersion\": \"IPv4\",\n\"publicIPAllocationMethod\": \"Static\",\n\"idleTimeoutInMinutes\": 4\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Public IP addresses that pass this rule:

    • Set sku.name to Standard.

    For example:

    Azure Bicep snippet
    resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#links","title":"Links","text":"
    • Infrastructure provisioning
    • Basic SKU will be retired
    • Migrate a Basic SKU Public IP address to Standard SKU
    • Standard vs Basic SKU comparison
    • Azure deployment reference
    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.Name/","title":"Use valid Public IP names","text":"Azure.PublicIP.NameAZR-000155Error

    Operational Excellence \u00b7 Public IP address \u00b7 2020_06

    Public IP names should meet naming requirements.

    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Public IP names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Public IP names must be unique within a resource group.
    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#notes","title":"Notes","text":"

    This rule does not check if Public IP names are unique.

    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/","title":"Public IP addresses should use Standard SKU","text":"Azure.PublicIP.StandardSKUAZR-000158Error

    Reliability \u00b7 Public IP address \u00b7 2021_12

    Public IP addresses should be deployed with Standard SKU for production workloads.

    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#description","title":"Description","text":"

    Public IP addresses allow Internet resources to communicate inbound to Azure resources. Currently two SKUs are supported: Basic and Standard.

    However, the Basic SKU for Public IP addresses will be retired on September 30, 2025.

    The Standard SKU additionally offers security and redundancy improvements over the Basic SKU. Including:

    • Secure by default model and be closed to inbound traffic when used as a frontend. Network security groups are required to allow inbound traffic.
    • Support for zone-redundancy and zonal deployments at creation. Zone-redundancy should mach the zone-redundancy of the resource it is attached to.
    • Have an adjustable inbound originated flow idle timeout.
    • More granular control of how traffic is routed between Azure and the Internet.
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#recommendation","title":"Recommendation","text":"

    Consider using Standard SKU for Public IP addresses deployed in production.

    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure Standard SKU for a Public IP address.

    • Set sku.name to Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/publicIPAddresses\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"Regional\"\n},\n\"properties\": {\n\"publicIPAddressVersion\": \"IPv4\",\n\"publicIPAllocationMethod\": \"Static\",\n\"idleTimeoutInMinutes\": 4\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure Standard SKU for a Public IP address.

    • Set sku.name to Standard.

    For example:

    For example:

    Azure Bicep snippet
    resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#links","title":"Links","text":"
    • Meet application platform requirements
    • Standard Public IP addresses
    • Load Balancer and Availability Zones
    • Azure deployment reference
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/","title":"Use role-based access control","text":"Azure.RBAC.CoAdministratorAZR-000206Error

    Security \u00b7 Subscription \u00b7 2020_06

    Delegate access to manage Azure resources using role-based access control (RBAC).

    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#description","title":"Description","text":"

    Use of Co-administrator is intended to support management of resources deployed using the Classic deployment model. Resources deployed in the Resource Manager model do not require delegation of Co-administrators.

    Azure RBAC provides greater flexibility and control providing over 100 built-in roles. Additionally RBAC works with advanced advanced security features like Privileged Identity Management (PIM).

    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#recommendation","title":"Recommendation","text":"

    Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.

    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#links","title":"Links","text":"
    • Azure classic subscription administrators
    • Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles
    • What is Azure AD Privileged Identity Management?
    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/","title":"Limit Management Group delegation","text":"Azure.RBAC.LimitMGDelegationAZR-000205Error

    Security \u00b7 Subscription \u00b7 2020_06

    Limit Role-Base Access Control (RBAC) inheritance from Management Groups.

    ","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#description","title":"Description","text":"

    RBAC in Azure inherits from management group to subscription to resource group to resource. Management group RBAC assignments have broad impact.

    ","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#recommendation","title":"Recommendation","text":"

    Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.

    Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.

    ","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitOwner/","title":"Limit use of subscription scoped Owner role","text":"Azure.RBAC.LimitOwnerAZR-000204Error

    Security \u00b7 Subscription \u00b7 2020_06

    Limit the number of subscription Owners.

    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#description","title":"Description","text":"

    Azure provides a flexible delegation model using Role-Base Access Control (RBAC). RBAC allows administrators to grant fine grained permissions using roles to Azure resources. Over 100 built-in roles exist, and custom roles can be created to perform specific tasks. Permissions can be scoped to management group, subscription, resource group or individual resources.

    The Owner role provides the ability to create, delete, update and configure permissions for any resource. When assigned at the subscription scope, these permissions apply to the whole subscription and all resources in the subscription.

    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#recommendation","title":"Recommendation","text":"

    Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.

    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#links","title":"Links","text":"
    • What is Azure role-based access control (Azure RBAC)?
    • Limit the number of subscription owners
    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.PIM/","title":"Use JiT role activation with PIM","text":"Azure.RBAC.PIMAZR-000208Error

    Security \u00b7 Subscription \u00b7 2020_09

    Use just-in-time (JiT) activation of roles instead of persistent role assignment.

    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#description","title":"Description","text":"

    PIM helps manage the impact of identity compromise or misuse of permissions by reducing persistent access. With PIM, eligible identities can activate time-bound role assignments on an as needed basis (just-in-time). Activation typically occurs before a schedule change or management operation.

    PIM is an Azure Active Directory (AD) feature included in Azure AD Premium P2.

    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#recommendation","title":"Recommendation","text":"

    Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.

    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#links","title":"Links","text":"
    • What is Azure AD Privileged Identity Management?
    • Discover Azure resources to manage in Privileged Identity Management
    • Configure Azure resource role settings in Privileged Identity Management
    • Lower exposure of privileged accounts
    • No standing access / Just in Time privileges
    • Use Azure AD Privileged Identity Management
    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.UseGroups/","title":"Use groups","text":"Azure.RBAC.UseGroupsAZR-000203Error

    Security \u00b7 Subscription \u00b7 2020_06

    Use groups for assigning permissions instead of individual user accounts.

    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#description","title":"Description","text":"

    Granting access with individual user accounts can bypass existing on-premises identity management tools and processes.

    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#recommendation","title":"Recommendation","text":"

    Consider using groups for assigning permissions instead of individual user accounts.

    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#links","title":"Links","text":"
    • Avoid granular and custom permissions
    • What is Azure role-based access control (Azure RBAC)?
    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/","title":"Use Resource Group delegation","text":"Azure.RBAC.UseRGDelegationAZR-000207Error

    Security \u00b7 Subscription \u00b7 2020_06

    Use RBAC assignments on resource groups instead of individual resources.

    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#description","title":"Description","text":"

    Azure provides a flexible delegation model using RBAC that allows administrators to grant fine grained permissions using roles to Azure resources. Permissions can be scoped to management group, subscription, resource group or individual resources.

    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#recommendation","title":"Recommendation","text":"

    Consider using RBAC assignments on resource groups instead of individual resources.

    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#links","title":"Links","text":"
    • Avoid granular and custom permissions
    • What is Azure role-based access control (Azure RBAC)?
    • Best practices for Azure RBAC
    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RSV.Immutable/","title":"Immutability","text":"Azure.RSV.ImmutableAZR-000397Error

    Security \u00b7 Recovery Services Vault \u00b7 2023_09

    Ensure immutability is configured to protect backup data.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#description","title":"Description","text":"

    Immutability is supported for Recovery Services vaults by configuring the Immutable vault setting.

    Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.

    For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.

    The Immutable vault setting is not enabled per default.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#recommendation","title":"Recommendation","text":"

    Consider configuring immutability to protect backup data from accidental or malicious deletion.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Recovery Services vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.RecoveryServices/vaults\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('vaultName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"[parameters('skuTier')]\"\n},\n\"properties\": {\n\"securitySettings\": {\n\"immutabilitySettings\": {\n\"state\": \"Locked\"\n}\n}\n}\n}\n
    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Recovery Services vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Bicep snippet
    resource recoveryServicesVault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {\n  name: vaultName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n  }\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#notes","title":"Notes","text":"

    Note that immutability locking Locked is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using Locked. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider Unlocked.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#links","title":"Links","text":"
    • Security design principles
    • Immutable vault for Azure Backup
    • Restricted operations
    • Manage Azure Backup Immutable vault operations
    • Azure security baseline for Azure Backup
    • Backup and restore plan to protect against ransomware
    • BR-2: Protect backup and recovery data
    • Azure deployment reference
    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Name/","title":"Use valid names","text":"Azure.RSV.NameAZR-000350Error

    Operational Excellence \u00b7 Recovery Services Vault \u00b7 2022_12

    Recovery Services vaults should meet naming requirements.

    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Recovery Services vault names are:

    • Between 2 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start with letter.
    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#notes","title":"Notes","text":"

    This rule does not check if Recovery Services vault names are unique.

    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Recovery Services vault
    • Azure deployment reference
    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/","title":"Use geo-replicated storage","text":"Azure.RSV.ReplicationAlertAZR-000171Error

    Reliability \u00b7 Recovery Services Vault \u00b7 2022_03

    Recovery Services Vaults (RSV) without replication alerts configured may be at risk.

    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#description","title":"Description","text":"

    Recovery Services Vaults (RSV) can be used to replicate virtual machines between Azure Regions. Alerts can be configured to send notifications when replication issues occur.

    The replication alerts can be configured for:

    • The resources owners (Based on RBAC permissions).
    • A list of email addresses.
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#recommendation","title":"Recommendation","text":"

    Configure replication alerts for Recovery Service Vaults that are performing replication tasks.

    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#examples","title":"Examples","text":"","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-azure-template","title":"Configure with Azure template","text":"

    By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via ARM templates either configure the sendToOwners or CustomerEmailAddress properties:

    • Set properties.sendToOwners to Send.
    • Set properties.customEmailAddresses to [ \"example@email.com\" ]

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.RecoveryServices/vaults/replicationAlertSettings\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"replicationAlert\",\n\"properties\": {\n\"sendToOwners\": \"Send\",\n\"customEmailAddresses\": [\n\"example@email.com\"\n],\n\"locale\": \"en-US\"\n}\n}\n
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-bicep","title":"Configure with Bicep","text":"

    By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via a Bicep either configure the sendToOwners or CustomerEmailAddress properties:

    • Set properties.sendToOwners to Send.
    • Set properties.customEmailAddresses to [ \"example@email.com\" ]

    For example:

    Azure Bicep snippet
    resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/replicationAlertSettings@2021-08-01' = {\n  name: 'replicationAlert'\n  parent: resourceSymbolicName\n  properties: {\n    sendToOwners: 'Sender'\n    customEmailAddresses: [\n      'example@email.com'\n    ]\n    locale: 'en-US'\n  }\n}\n
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#notes","title":"Notes","text":"

    With the locale property you can define the locale for the email notification.

    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#links","title":"Links","text":"
    • Recovery Services Vault - Overview
    • Recovery Services Vault - Replication Alerts
    • Azure deployment reference
    • Well Architected Framework - Reliability
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.StorageType/","title":"Use geo-replicated storage","text":"Azure.RSV.StorageTypeAZR-000170Error

    Reliability \u00b7 Recovery Services Vault \u00b7 2022_03

    Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.

    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#description","title":"Description","text":"

    Recovery Services Vaults can be configured with several different durability options. Azure provides a number of geo-replicated options for storage including; Geo-redundant storage and read access geo-zone-redundant storage. The default storage type used will be Geo-redundant Geo-zone-redundant storage is only available in supported regions.

    The following geo-replicated options are available for recovery services vaults:

    • GeoRedundant
    • ReadAccessGeoZoneRedundant
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#recommendation","title":"Recommendation","text":"

    Consider using GeoRedundant for recovery services vaults that contain data.

    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#examples","title":"Examples","text":"","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-azure-template","title":"Configure with Azure template","text":"

    The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config in an ARM template:

    • Set properties.storageType to either GeoRedundant or ReadAccessGeoZoneRedundant. For example:
    Azure Template snippet
    {\n\"type\": \"Microsoft.RecoveryServices/vaults/backupconfig\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"vaultconfig-a\",\n\"location\": \"australiaeast\",\n\"tags\": {},\n\"properties\": {\n\"storageType\": \"GeoRedundant\"\n}\n}\n
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-bicep","title":"Configure with Bicep","text":"

    The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config via Bicep:

    • Set properties.storageType to either GeoRedundant or ReadAccessGeoZoneRedundant.

    For example:

    Azure Bicep snippet
    resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/backupconfig@2021-10-01' = {\n  name: 'vaultconfig'\n  location: 'string'\n  parent: resourceSymbolicName\n  properties: {\n    storageType: 'GeoRedundant'\n  }\n}\n
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#links","title":"Links","text":"
    • Recovery Services Vault - Overview
    • Recovery Services Vault - Storage Settings
    • Azure deployment reference
    • Well Architected Framework - Reliability
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/","title":"Redis cache should use Availability zones in supported regions","text":"Azure.Redis.AvailabilityZoneAZR-000161Error

    Reliability \u00b7 Azure Cache for Redis \u00b7 2021_12

    Premium Redis cache should be deployed with availability zones for high availability.

    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#description","title":"Description","text":"

    Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.

    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for Premium Redis Cache deployed in supported regions.

    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is null, [] or less than two zones are used when there are availability zones for the given region.

    This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.

    Configure AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Cache and resource type Redis.

    # YAML: The default AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for Premium SKU Redis Cache:

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"].
    • Set Properties.replicasPerMaster to number of zones - 1, to ensure you have at least as many nodes as zones you are replicating to.
    • Set Properties.sku.name to Premium.
    • Set Properties.sku.family to P.
    • Set Properties.sku.capacity to one of [1, 2, 3, 4, 5], depending on the SKU you picked:
      • P1 - 6 GB
      • P2 - 13 GB
      • P3 - 26 GB
      • P4 - 53 GB
      • P5 - 120 GB

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for Premium SKU Redis Cache:

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"].
    • Set Properties.replicasPerMaster to number of zones - 1, to ensure you have at least as many nodes as zones you are replicating to.
    • Set Properties.sku.name to Premium.
    • Set Properties.sku.family to P.
    • Set Properties.sku.capacity to one of [1, 2, 3, 4, 5], depending on the SKU you picked:
      • P1 - 6 GB
      • P2 - 13 GB
      • P3 - 26 GB
      • P4 - 53 GB
      • P5 - 120 GB

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#links","title":"Links","text":"
    • Use zone-aware services
    • Enable zone redundancy for Azure Cache for Redis
    • High availability for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/","title":"Limit Redis cache number of IP addresses","text":"Azure.Redis.FirewallIPRangeAZR-000300Error

    Security \u00b7 Azure Cache for Redis \u00b7 2022_09

    Determine if there is an excessive number of permitted IP addresses for the Redis cache.

    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#description","title":"Description","text":"

    When using Azure Cache for Redis, injected into a VNET you are able to create firewall rules to limit access to the cache. Each firewall rules specifies a range of IP addresses that are allowed to access the cache.

    If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.

    Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:

    • Not needed.
    • Too broad.
    • Too many.
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.

    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Limit the range of public IP address included in rules.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis/firewallRules\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n\"properties\": {\n\"startIP\": \"10.0.1.1\",\n\"endIP\": \"10.0.1.31\"\n},\n\"dependsOn\": [\n\"cache\"\n]\n}\n
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Limit the range of public IP address included in rules.
    Azure Bicep snippet
    resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#notes","title":"Notes","text":"

    This rule is not applicable when Redis is configured to allow private connectivity by setting properties.publicNetworkAccess to Disabled. Firewall rules can be used with VNET injected caches, but not private endpoints.

    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#links","title":"Links","text":"
    • Azure services for securing network connectivity
    • Azure best practices for network security
    • Azure Cache for Redis network isolation options
    • Limitations of firewall rules
    • Migrate from VNet injection caches to Private Link caches
    • Azure deployment reference
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/","title":"Cleanup Redis cache firewall rules","text":"Azure.Redis.FirewallRuleCountAZR-000299Error

    Security \u00b7 Azure Cache for Redis \u00b7 2022_09

    Determine if there is an excessive number of firewall rules for the Redis cache.

    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#description","title":"Description","text":"

    When using Azure Cache for Redis, injected into a VNET you are able to create firewall rules to limit access to the cache. Each firewall rules specifies a range of IP addresses that are allowed to access the cache.

    If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.

    Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:

    • Not needed.
    • Too broad.
    • Too many.
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Configure a minimum number of firewall rules. This rule will fail if more then ten (10) firewall rules are configured.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis/firewallRules\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n\"properties\": {\n\"startIP\": \"10.0.1.1\",\n\"endIP\": \"10.0.1.31\"\n},\n\"dependsOn\": [\n\"cache\"\n]\n}\n
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Configure a minimum number of firewall rules. This rule will fail if more then ten (10) firewall rules are configured.
    Azure Bicep snippet
    resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#notes","title":"Notes","text":"

    This rule is not applicable when Redis is configured to allow private connectivity by setting properties.publicNetworkAccess to Disabled. Firewall rules can be used with VNet injected caches, but not private endpoints.

    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#links","title":"Links","text":"
    • Azure services for securing network connectivity
    • Azure best practices for network security
    • Azure Cache for Redis network isolation options
    • Limitations of firewall rules
    • Migrate from VNet injection caches to Private Link caches
    • Azure deployment reference
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/","title":"Configure cache maxmemory-reserved setting","text":"Azure.Redis.MaxMemoryReservedAZR-000160Error

    Performance Efficiency \u00b7 Azure Cache for Redis \u00b7 2020_12

    Configure maxmemory-reserved to reserve memory for non-cache operations.

    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#description","title":"Description","text":"

    Azure Cache for Redis supports configuration of the maxmemory-reserved setting. The maxmemory-reserved setting configures the amount of memory reserved for non-cache operations. Non-cache operations include background tasks, eviction, and compaction.

    By reserving memory for these operations, you prevent Redis cache from using all available memory for cache. If enough memory is not reserved for these operations it can lead to performance degradation and instability.

    Setting this value allows you to have a more consistent experience when your load varies. This value should be set higher for workloads that are write heavy.

    When memory reserved by maxmemory-reserved, it is unavailable for storage of cached data.

    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#recommendation","title":"Recommendation","text":"

    Consider configuring maxmemory-reserved to at least 10% of available cache memory.

    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#examples","title":"Examples","text":"","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisConfiguration.maxmemory-reserved property to at least 10% of the cache memory.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisConfiguration.maxmemory-reserved property to at least 10% of the cache memory.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#links","title":"Links","text":"
    • Choose the right resources
    • Choosing the right tier
    • Scaling and memory
    • Memory management
    • SKU sizes
    • Azure deployment reference
    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MinSKU/","title":"Use at least Standard C1 cache instances","text":"Azure.Redis.MinSKUAZR-000159Error

    Performance Efficiency \u00b7 Azure Cache for Redis \u00b7 2020_12

    Use Azure Cache for Redis instances of at least Standard C1.

    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#description","title":"Description","text":"

    Azure Cache for Redis supports a range of different scale options. Basic tier or Standard C0 caches are not suitable for production workloads.

    • Basic tier is a single node system with no data replication and no SLA.
    • Standard C0 caches used shared resources and subject to noisy neighbor issues.
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#recommendation","title":"Recommendation","text":"

    Consider using a minimum of a Standard C1 instance for production workloads.

    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.sku.name property to Premium or Standard.
    • Set the properties.sku.family property to P or C.
    • Set the properties.sku.capacity property to a capacity valid for the SKU 1 or higher.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.sku.name property to Premium or Standard.
    • Set the properties.sku.family property to P or C.
    • Set the properties.sku.capacity property to a capacity valid for the SKU 1 or higher.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#links","title":"Links","text":"
    • Choose the right resources
    • Choosing the right tier
    • Scaling and memory
    • Memory management
    • SKU sizes
    • Azure deployment reference
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.Redis.MinTLSAZR-000164Error

    Security \u00b7 Azure Cache for Redis \u00b7 2020_06

    Redis Cache should reject TLS versions older than 1.2.

    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.

    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to a minimum of 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to a minimum of 1.2.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To deploy caches that pass this rule:

    • Use the --set parameter.

    For example:

    Azure CLI snippet
    az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To deploy caches that pass this rule:

    • Use the -MinimumTlsVersion parameter.

    For example:

    Azure PowerShell snippet
    Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
    • Configure Azure Cache for Redis settings
    • Preparing for TLS 1.2 in Microsoft Azure
    • DP-3: Encrypt sensitive data in transit
    • Azure deployment reference
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.NonSslPort/","title":"Use secure connections to Redis instances","text":"Azure.Redis.NonSslPortAZR-000163Error

    Security \u00b7 Azure Cache for Redis \u00b7 2020_06

    Azure Cache for Redis should only accept secure connections.

    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#description","title":"Description","text":"

    Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.

    Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.

    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#recommendation","title":"Recommendation","text":"

    Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.

    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#examples","title":"Examples","text":"","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.enableNonSslPort property to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.enableNonSslPort property to false.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#links","title":"Links","text":"
    • Data encryption in Azure
    • How to configure Azure Cache for Redis
    • DP-3: Encrypt sensitive data in transit
    • Azure Policy Regulatory Compliance controls for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/","title":"Use private endpoints with Azure Cache for Redis","text":"Azure.Redis.PublicNetworkAccessAZR-000165Error

    Security \u00b7 Azure Cache for Redis \u00b7 2022_03

    Redis cache should disable public network access.

    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#description","title":"Description","text":"

    When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.

    To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommend approach for most scenarios.

    Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.

    A private endpoint provides secure and private connectivity to Redis instances by:

    • Using a private IP address from your VNET.
    • Blocking all traffic from public networks.

    If you are using VNET injection, it is recommended to migrate to private endpoints.

    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#recommendation","title":"Recommendation","text":"

    Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.

    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#examples","title":"Examples","text":"","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false,\n\"publicNetworkAccess\": \"Disabled\"\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n    publicNetworkAccess: 'Disabled'\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#links","title":"Links","text":"
    • Azure services for securing network connectivity
    • Azure Cache for Redis with Azure Private Link
    • Best practices for endpoint security on Azure
    • Migrate from VNet injection caches to Private Link caches
    • What is Azure Private Endpoint?
    • NS-2: Secure cloud services with network controls
    • Azure Policy Regulatory Compliance controls for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.Version/","title":"Redis version for Azure Cache for Redis","text":"Azure.Redis.VersionAZR-000347Error

    Reliability \u00b7 Azure Cache for Redis \u00b7 2022_12

    Azure Cache for Redis should use the latest supported version of Redis.

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#description","title":"Description","text":"

    Azure Cache for Redis supports Redis 6. Redis 6 brings new security features and better performance.

    Version 4 for Azure Cache for Redis instances will be retired on June 30, 3023.

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#recommendation","title":"Recommendation","text":"

    Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (>=6.0).

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#examples","title":"Examples","text":"","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisVersion property to latest or 6.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisVersion property to latest or 6.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#notes","title":"Notes","text":"

    This rule is only applicable for Azure Cache for Redis (OSS Redis) offering.

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#links","title":"Links","text":"
    • Requirements
    • Security operations
    • Set Redis version for Azure Cache for Redis
    • How to upgrade an existing Redis 4 cache to Redis 6
    • Retirements from Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.RedisEnterprise.MinTLSAZR-000301Error

    Security \u00b7 Azure Cache for Redis Enterprise \u00b7 2022_09

    Redis Cache should reject TLS versions older than 1.2.

    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.

    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redisEnterprise\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Enterprise_E10\"\n},\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\"\n}\n}\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Enterprise_E10'\n  }\n  properties: {\n    minimumTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To deploy caches that pass this rule:

    • Use the --set parameter.

    For example:

    Azure CLI snippet
    az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To deploy caches that pass this rule:

    • Use the -MinimumTlsVersion parameter.

    For example:

    Azure PowerShell snippet
    Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
    • Configure Azure Cache for Redis settings
    • Preparing for TLS 1.2 in Microsoft Azure
    • DP-3: Encrypt sensitive data in transit
    • Azure deployment reference
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/","title":"Enterprise Redis cache should use Availability zones in supported regions","text":"Azure.RedisEnterprise.ZonesAZR-000162Error

    Reliability \u00b7 Azure Cache for Redis Enterprise \u00b7 2021_12

    Enterprise Redis cache should be zone-redundant for high availability.

    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#description","title":"Description","text":"

    Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.

    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for Enterprise Redis Cache deployed in supported regions.

    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#notes","title":"Notes","text":"

    This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.

    Configure AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Cache and resource type redisEnterprise.

    # YAML: The default AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for Enterprise SKU Redis Cache:

    • Set zones to [\"1\", \"2\", \"3\"] or zone-redundancy.
    • Set Properties.sku.name to one of:
      • Enterprise_E10 - 12 GB
      • Enterprise_E20 - 25 GB
      • Enterprise_E50 - 50 GB
      • Enterprise_E100 - 100 GB
      • EnterpriseFlash_F300 - 345 GB
      • EnterpriseFlash_F700 - 715 GB
      • EnterpriseFlash_F1500 - 1455 GB
    • Set Properties.sku.capacity to:
      • One of [2, 4, 6, 8, 10] if using Enterprise_E10, Enterprise_E20, Enterprise_E50 or Enterprise_E100.
      • Either 3 or 9 if using EnterpriseFlash_F300, EnterpriseFlash_F700, EnterpriseFlash_F1500.

    For example:

    Azure Template snippet
    {\n\"name\": \"testrediscache\",\n\"type\": \"Microsoft.Cache/redisEnterprise\",\n\"apiVersion\": \"2021-02-01-preview\",\n\"properties\": {},\n\"location\": \"australiaeast\",\n\"dependsOn\": [],\n\"sku\": {\n\"name\": \"EnterpriseFlash_F700\",\n\"capacity\": 3\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"tags\": {},\n\"resources\": [\n{\n\"name\": \"testrediscache/default\",\n\"type\": \"Microsoft.Cache/redisEnterprise/databases\",\n\"apiVersion\": \"2021-02-01-preview\",\n\"properties\": {\n\"clientProtocol\": \"Encrypted\",\n\"evictionPolicy\": \"NoEviction\",\n\"clusteringPolicy\": \"OSSCluster\",\n\"persistence\": {\n\"aofEnabled\": false,\n\"rdbEnabled\": false\n}\n},\n\"dependsOn\": [\n\"Microsoft.Cache/redisEnterprise/testrediscache\"\n],\n\"tags\": {}\n}\n]\n}\n
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for Enterprise SKU Redis Cache:

    • Set zones to [\"1\", \"2\", \"3\"] or zone-redundancy.
    • Set Properties.sku.name to one of:
      • Enterprise_E10 - 12 GB
      • Enterprise_E20 - 25 GB
      • Enterprise_E50 - 50 GB
      • Enterprise_E100 - 100 GB
      • EnterpriseFlash_F300 - 345 GB
      • EnterpriseFlash_F700 - 715 GB
      • EnterpriseFlash_F1500 - 1455 GB
    • Set Properties.sku.capacity to:
      • One of [2, 4, 6, 8, 10] if using Enterprise_E10, Enterprise_E20, Enterprise_E50 or Enterprise_E100.
      • Either 3 or 9 if using EnterpriseFlash_F300, EnterpriseFlash_F700, EnterpriseFlash_F1500.

    For example:

    Azure Bicep snippet
    resource testrediscache 'Microsoft.Cache/redisEnterprise@2021-02-01-preview' = {\n  name: 'testrediscache'\n  properties: {}\n  location: 'australiaeast'\n  sku: {\n    name: 'EnterpriseFlash_F700'\n    capacity: 3\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  dependsOn: []\n}\n\nresource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021-02-01-preview' = {\n  parent: testrediscache\n  name: 'default'\n  properties: {\n    clientProtocol: 'Encrypted'\n    evictionPolicy: 'NoEviction'\n    clusteringPolicy: 'OSSCluster'\n    persistence: {\n      aofEnabled: false\n      rdbEnabled: false\n    }\n  }\n  tags: {}\n}\n
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#links","title":"Links","text":"
    • Use zone-aware services
    • Enable zone redundancy for Azure Cache for Redis
    • High availability for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.Resource.AllowedRegions/","title":"Use allowed regions","text":"Azure.Resource.AllowedRegionsAZR-000167Error

    Security \u00b7 All resources \u00b7 2020_06

    Resources should be deployed to allowed regions.

    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#description","title":"Description","text":"

    Azure supports deployment to many locations around the world called regions. Many organizations have requirements that limit where data can be stored or processed. This is commonly known as data residency.

    Most Azure resources must be deployed to a specific region. To align with your organizational requirements, you may choose to limit the regions that resources can be deployed to.

    Some resources, particularly those related to preview services or features, may not be available in all regions.

    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#recommendation","title":"Recommendation","text":"

    Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions.

    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#examples","title":"Examples","text":"","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resources that pass this rule:

    • Set the location property to an allowed region. OR
    • Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resources that pass this rule:

    • Set the location property to an allowed region. OR
    • Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

    For example:

    Azure Bicep snippet
    @sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#notes","title":"Notes","text":"

    This rule requires one or more allowed regions to be configured. By default, all regions are allowed.

    To configure this rule set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value to a set of allowed regions.

    For example:

    configuration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS:\n- australiaeast\n- australiasoutheast\n

    If you configure this AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting AZURE_RESOURCE_GROUP the configuration value to when resources use the location of the resource group.

    For example:

    configuration:\nAZURE_RESOURCE_GROUP:\nlocation: australiaeast\n
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#links","title":"Links","text":"
    • Regulatory compliance
    • Data residency in Azure
    • Azure geographies
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.UseTags/","title":"Use resource tags","text":"Azure.Resource.UseTagsAZR-000166Error

    Cost Optimization \u00b7 All resources \u00b7 2020_06

    Azure resources should be tagged using a standard convention.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#description","title":"Description","text":"

    Azure Resource Manager (ARM) supports a flexible tagging model that allows each resource to be tagged. Tags are additional metadata that improves identification of resources and aids lifecycle management.

    Azure stores tags as name/ value pairs such as environment = production or costCode = 349921.

    A well defined tagging approach improves the management, billing, and automation operations of resources. When planning tags, identify information that is meaningful to business and technical staff.

    Azure provides several built-in policies to managed tags. Using these policies help enforce a tagging standard can reduce overall management Resource tags can be inherited from subscriptions or resource groups using Azure Policy.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#recommendation","title":"Recommendation","text":"

    Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.

    Also consider using Azure Policy to enforce mandatory tags.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#examples","title":"Examples","text":"","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resource that pass this rule:

    • Set the tags property tags that align to your tagging standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Resources/resourceGroups\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"tags\": {\n\"environment\": \"production\",\n\"costCode\": \"349921\"\n}\n}\n
    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resource that pass this rule:

    • Set the tags property tags that align to your tagging standard.

    For example:

    Azure Bicep snippet
    resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {\n  name: name\n  location: location\n  tags: {\n    environment: 'production'\n    costCode: '349921'\n  }\n}\n
    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#notes","title":"Notes","text":"

    Azure Policy includes several built-in policies to enforce tagging such as:

    • Add a tag to resources
    • Add a tag to resource groups
    • Require a tag on resources
    • Require a tag on resource groups
    • Inherit a tag from the resource group
    • Inherit a tag from the resource group if missing
    • Inherit a tag from the subscription

    If you find resources that incorrectly report they should be tagged, please let us know by opening an issue.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#links","title":"Links","text":"
    • Enforce resource tagging
    • Tag support for Azure resources
    • Develop your naming and tagging strategy for Azure resources
    • Define your tagging strategy
    • Resource naming and tagging decision guide
    • Assign policy definitions for tag compliance
    • Enforcing custom tags
    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.ResourceGroup.Name/","title":"Use valid resource group names","text":"Azure.ResourceGroup.NameAZR-000168Error

    Operational Excellence \u00b7 Resource Group \u00b7 2020_06

    Resource Group names should meet naming requirements.

    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Resource Group names are:

    • Between 1 and 90 characters long.
    • Alphanumerics, underscores, parentheses, hyphens, periods.
    • Can't end with period.
    • Resource Group names must be unique within a subscription.
    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#notes","title":"Notes","text":"

    This rule does not check if Resource Group names are unique.

    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.Route.Name/","title":"Use valid Route table names","text":"Azure.Route.NameAZR-000169Error

    Operational Excellence \u00b7 Route table \u00b7 2020_06

    Route table names should meet naming requirements.

    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Route table names must be unique within a resource group.
    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#notes","title":"Notes","text":"

    This rule does not check if Route table names are unique.

    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.SQL.AAD/","title":"Use AAD authentication with SQL databases","text":"Azure.SQL.AADAZR-000188Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Use Azure Active Directory (AAD) authentication with Azure SQL databases.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#description","title":"Description","text":"

    Azure SQL Database offer two authentication models, Azure Active Directory (AAD) and SQL authentication. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over SQL authentication including:

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional-based access with Conditional Access.

    It is also possible to disable SQL authentication entirely and only use AAD authentication.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with SQL databases. Additionally, consider disabling SQL authentication.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"minimalTlsVersion\": \"1.2\",\n\"administrators\": {\n\"azureADOnlyAuthentication\": true,\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('adminLogin')]\",\n\"principalType\": \"Group\",\n\"sid\": \"[parameters('adminPrincipalId')]\",\n\"tenantId\": \"[tenant().tenantId]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/administrators sub-resource. To deploy Microsoft.Sql/servers/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/administrators\",\n\"apiVersion\": \"2022-02-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'ActiveDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('adminLogin')]\",\n\"sid\": \"[parameters('adminPrincipalId')]\"\n},\n\"dependsOn\": [\n\"server\"\n]\n}\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/administrators sub-resource. To deploy Microsoft.Sql/servers/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource sqlAdministrator 'Microsoft.Sql/servers/administrators@2022-02-01-preview' = {\n  parent: server\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: adminLogin\n    sid: adminPrincipalId\n  }\n}\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az sql server ad-admin create -s '<server_name>' -g '<resource_group>' -u '<user_name>' -i '<object_id>'\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DisplayName '<user_name>'\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#notes","title":"Notes","text":"

    In newer API versions the properties.administrators property can be configured. Azure AD authentication can also be configured using the Microsoft.Sql/servers/administrators sub-resource.

    If both the properties.administrators property and Microsoft.Sql/servers/administrators are set, the sub-resource will override the property.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Configure and manage Azure AD authentication with Azure SQL
    • Using multi-factor Azure Active Directory authentication
    • Conditional Access with Azure SQL Database and Azure Synapse Analytics
    • Azure AD-only authentication with Azure SQL
    • Azure Policy for Azure Active Directory only authentication with Azure SQL
    • Azure deployment reference
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQL.AADOnlyAZR-000369Error

    Security \u00b7 SQL Database \u00b7 2023_03

    Ensure Azure AD-only authentication is enabled with Azure SQL Database.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#description","title":"Description","text":"

    Azure SQL Database supports authentication with SQL logins and Azure AD authentication. By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities.

    Azure AD authentication provides:

    • Strong protection controls including conditional access, identity governance, and privileged identity management.
    • Centralized identity management with Azure AD.

    Additionally you can disable SQL authentication entirely, by enabling Azure AD-only authentication.

    Some features may have limitations when using Azure AD-only authentication is enabled, including:

    • Elastic jobs
    • SQL Data Sync
    • Change Data Capture (CDC)
    • Transactional replication
    • SQL insights

    Continue reading Limitations for Azure AD-only authentication in SQL Database.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#examples","title":"Examples","text":"

    Azure AD-only authentication can be enabled in two different ways.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Logical Servers that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"administrators\": {\n\"administratorType\": \"ActiveDirectory\",\n\"azureADOnlyAuthentication\": true,\n\"login\": \"[parameters('login')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/servers/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/azureADOnlyAuthentications\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'Default')]\",\n\"properties\": {\n\"azureADOnlyAuthentication\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/servers', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Logical Servers that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource logicalServer 'Microsoft.Sql/servers@2022-05-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/servers/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource aadOnly 'Microsoft.Sql/servers/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: logicalServer\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n
    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. A managed identity is required if an Azure AD service principal (Azure AD application) oversees creating and managing Azure AD users, groups, or applications in the logical server.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Azure AD-only authentication with Azure SQL Database
    • Configure and manage Azure AD authentication with Azure SQL Database
    • Limitations for Azure AD-only authentication in SQL Database
    • Azure Policy for Azure AD-only authentication with Azure SQL Database
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/","title":"Limit SQL database network access to trusted IP addresses","text":"Azure.SQL.AllowAzureAccessAZR-000184Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Determine if access from Azure services is required.

    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#description","title":"Description","text":"

    Allow access to Azure services, permits any Azure service network based access to databases. Network based access it not limited to a single customer, all Azure IP addresses are permitted. Network access can also be allowed/ blocked on individual databases, which takes precedence over server firewall rules.

    If network based access is permitted, authentication is still required.

    Enabling access from Azure Services is useful in certain cases for on demand PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.

    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#links","title":"Links","text":"
    • Connections from inside Azure
    • Network security
    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.Auditing/","title":"Enable auditing for Azure SQL DB server","text":"Azure.SQL.AuditingAZR-000187Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Enable auditing for Azure SQL logical server.

    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#description","title":"Description","text":"

    Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.

    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#recommendation","title":"Recommendation","text":"

    Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.

    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#examples","title":"Examples","text":"","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy logical servers that pass this rule:

    • Define a Microsoft.Sql/servers/auditingSettings sub-resource with each logical server.
    • Set the properties.state property to Enabled for the Microsoft.Sql/servers/auditingSettings sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/auditingSettings\",\n\"apiVersion\": \"2022-08-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n\"properties\": {\n\"isAzureMonitorTargetEnabled\": true,\n\"state\": \"Enabled\",\n\"retentionDays\": 7,\n\"auditActionsAndGroups\": [\n\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n\"FAILED_DATABASE_AUTHENTICATION_GROUP\",\n\"BATCH_COMPLETED_GROUP\"\n]\n},\n\"dependsOn\": [\n\"server\"\n]\n}\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy logical servers that pass this rule:

    • Define a Microsoft.Sql/servers/auditingSettings sub-resource with each logical server.
    • Set the properties.state property to Enabled for the Microsoft.Sql/servers/auditingSettings sub-resource.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n\nresource sqlAuditSettings 'Microsoft.Sql/servers/auditingSettings@2022-08-01-preview' = {\n  name: 'default'\n  parent: server\n  properties: {\n    isAzureMonitorTargetEnabled: true\n    state: 'Enabled'\n    retentionDays: 7\n    auditActionsAndGroups: [\n      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'\n      'FAILED_DATABASE_AUTHENTICATION_GROUP'\n      'BATCH_COMPLETED_GROUP'\n    ]\n  }\n}\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az sql server audit-policy update -g '<resource_group>' -n '<server_name>' --state Enabled --bsts Enabled --storage-account '<storage_account_name>'\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlServerAudit -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -BlobStorageTargetState Enabled -StorageAccountResourceId '<storage_resource_id>'\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#links","title":"Links","text":"
    • Auditing for Azure SQL Database and Azure Synapse Analytics
    • Azure deployment reference
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.DBName/","title":"Use valid SQL Database names","text":"Azure.SQL.DBNameAZR-000192Error

    Operational Excellence \u00b7 SQL Database \u00b7 2020_12

    Azure SQL Database names should meet naming requirements.

    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL Database names are:

    • Between 1 and 128 characters long.
    • Letters, numbers, and special characters except: <>*%&:\\/?
    • Can't end with period or a space.
    • Azure SQL Database names must be unique for each logical server.

    The following reserved database names can not be used:

    • master
    • model
    • tempdb
    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#notes","title":"Notes","text":"

    This rule does not check if Azure SQL Database names are unique.

    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DefenderCloud/","title":"Use Advanced Threat Protection","text":"Azure.SQL.DefenderCloudAZR-000186Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Enable Microsoft Defender for Azure SQL logical server.

    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#description","title":"Description","text":"

    Enable Microsoft Defender for Azure SQL logical server.

    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.

    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet
    {\n\"comments\": \"Create or update an Azure SQL logical server.\",\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2019-06-01-preview\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"tags\": \"[parameters('tags')]\",\n\"kind\": \"v12.0\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('adminUsername')]\",\n\"version\": \"12.0\",\n\"publicNetworkAccess\": \"[if(parameters('allowPublicAccess'), 'Enabled', 'Disabled')]\",\n\"administratorLoginPassword\": \"[parameters('adminPassword')]\",\n\"minimalTLSVersion\": \"1.2\"\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Sql/servers/securityAlertPolicies\",\n\"apiVersion\": \"2020-02-02-preview\",\n\"name\": \"[concat(parameters('serverName'), '/Default')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]\"\n],\n\"properties\": {\n\"state\": \"Enabled\"\n}\n}\n]\n}\n
    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlDatabaseThreatDetectionPolicy -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -StorageAccountName '<account_name>' -NotificationRecipientsEmails '<email>' -EmailAdmins $False\n
    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#links","title":"Links","text":"
    • Advanced Threat Protection for Azure SQL Database
    • Microsoft Defender for SQL
    • Azure deployment reference
    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.FGName/","title":"Use valid SQL failover group names","text":"Azure.SQL.FGNameAZR-000193Error

    Operational Excellence \u00b7 SQL Database \u00b7 2020_12

    Azure SQL failover group names should meet naming requirements.

    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL failover group names are:

    • Between 1 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • SQL failover group names must be globally unique.
    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#notes","title":"Notes","text":"

    This rule does not check if Azure SQL failover group names are unique.

    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/","title":"Limit SQL logical server firewall rule range","text":"Azure.SQL.FirewallIPRangeAZR-000185Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).

    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common. This rule assesses the combined IP addresses from each Allowed IP firewall entry to check that the total allowed addresses is less than (10).

    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).

    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#example","title":"Example","text":"","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#links","title":"Links","text":"
    • Azure SQL Database and Azure Synapse IP firewall rules
    • Create and manage IP firewall rules
    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/","title":"Cleanup SQL logical server firewall rules","text":"Azure.SQL.FirewallRuleCountAZR-000183Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#links","title":"Links","text":"
    • Azure SQL Database and Azure Synapse IP firewall rules
    • Create and manage IP firewall rules
    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.MinTLS/","title":"Azure SQL DB server minimum TLS version","text":"Azure.SQL.MinTLSAZR-000189Error

    Security \u00b7 SQL Database \u00b7 2020_09

    Azure SQL Database servers should reject TLS versions older than 1.2.

    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure SQL Database servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2.

    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.minimalTlsVersion to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"minimalTlsVersion\": \"1.2\",\n\"administrators\": {\n\"azureADOnlyAuthentication\": true,\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('adminLogin')]\",\n\"principalType\": \"Group\",\n\"sid\": \"[parameters('adminPrincipalId')]\",\n\"tenantId\": \"[tenant().tenantId]\"\n}\n}\n}\n
    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.minimalTlsVersion to 1.2.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n
    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Minimal TLS Version
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.ServerName/","title":"Use valid SQL logical server names","text":"Azure.SQL.ServerNameAZR-000190Error

    Operational Excellence \u00b7 SQL Database \u00b7 2020_12

    Azure SQL logical server names should meet naming requirements.

    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL logical server names are:

    • Between 1 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • SQL logical server names must be globally unique.
    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure SQL logical server names are unique.

    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.TDE/","title":"Use SQL database TDE","text":"Azure.SQL.TDEAZR-000191Error

    Security \u00b7 SQL Database \u00b7 2020_06

    Use Transparent Data Encryption (TDE) with Azure SQL Database.

    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#description","title":"Description","text":"

    TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is perform at rest without requiring changes to the application.

    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#recommendation","title":"Recommendation","text":"

    Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.

    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#examples","title":"Examples","text":"","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/databases\",\n\"apiVersion\": \"2020-08-01-preview\",\n\"name\": \"[variables('dbName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\"\n},\n\"kind\": \"v12.0,user\",\n\"properties\": {\n\"collation\": \"SQL_Latin1_General_CP1_CI_AS\",\n\"maxSizeBytes\": \"[mul(parameters('maxSizeMB'), 1048576)]\",\n\"catalogCollation\": \"SQL_Latin1_General_CP1_CI_AS\",\n\"zoneRedundant\": false,\n\"readScale\": \"Disabled\",\n\"storageAccountType\": \"GRS\"\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n\"apiVersion\": \"2014-04-01\",\n\"name\": \"[concat(variables('dbName'), '/current')]\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]\"\n],\n\"properties\": {\n\"status\": \"Enabled\"\n}\n}\n]\n}\n
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'\n
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled\n
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#links","title":"Links","text":"
    • Transparent data encryption for SQL Database
    • Azure deployment reference
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQLMI.AAD/","title":"Use AAD authentication with SQL Managed Instance","text":"Azure.SQLMI.AADAZR-000368Error

    Security \u00b7 SQL Managed Instance \u00b7 2023_03

    Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#description","title":"Description","text":"

    Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.

    By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional-based access with Conditional Access.

    Using Azure AD authentication requires an Azure AD administrator provisioned, if a instance does not have an Azure AD administrator, then Azure AD logins and users receive a Cannot connect to instance error.

    Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#examples","title":"Examples","text":"

    An Azure AD administrator can be provisioned in two different ways.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('managedInstanceName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"administrators\": {\n\"administratorType\": \"ActiveDirectory\",\n\"azureADOnlyAuthentication\": true,\n\"login\": \"[parameters('login')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/administrators sub-resource. To deploy Microsoft.Sql/managedInstances/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances/administrators\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\":  \"[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n]\n}\n
    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/administrators sub-resource. To deploy Microsoft.Sql/managedInstances/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource sqlAdministrator 'Microsoft.Sql/managedInstances//administrators@2022-05-01-preview' = {\n  parent: managedInstance\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n  }\n}\n
    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#notes","title":"Notes","text":"

    If both the properties.administrators property and Microsoft.Sql/managedInstances/administrators are set, the sub-resoure will override the property.

    Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Use Azure AD authentication
    • Configure and manage Azure AD authentication
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQLMI.AADOnlyAZR-000366Error

    Security \u00b7 SQL Managed Instance \u00b7 2023_03

    Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#description","title":"Description","text":"

    Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.

    By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#examples","title":"Examples","text":"

    Azure AD-only authentication can be enabled in two different ways.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('managedInstanceName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"administrators\": {\n\"administratorType\": \"ActiveDirectory\",\n\"azureADOnlyAuthentication\": true,\n\"login\": \"[parameters('login')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances/azureADOnlyAuthentications\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('managedInstanceName'), 'Default')]\",\n\"properties\": {\n\"azureADOnlyAuthentication\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n]\n}\n
    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource aadOnly 'Microsoft.Sql/managedInstances/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: managedInstance\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n
    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Azure AD-only authentication with Azure SQL Managed Instance
    • Configure and manage Azure AD authentication with Azure SQL Managed Instance
    • Azure Policy for Azure AD-only authentication with Azure SQL Managed Instance
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/","title":"Managed identity","text":"Azure.SQLMI.ManagedIdentityAZR-000367Error

    Security \u00b7 SQL Managed Instance \u00b7 2023_03

    Ensure managed identity is used to allow support for Azure AD authentication.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#description","title":"Description","text":"

    A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.

    You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance.

    Additionally, a managed identity is required for transparent data encryption with customer-managed key.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity to allow support for Azure AD authentication.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('managedInstanceName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {}\n}\n
    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: appName\n  location: location\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {}\n}\n
    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#notes","title":"Notes","text":"

    To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities in Azure AD for Azure SQL Managed Instance
    • Azure deployment reference
    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.Name/","title":"Use valid SQL Managed Instance names","text":"Azure.SQLMI.NameAZR-000194Error

    Operational Excellence \u00b7 SQL Managed Instance \u00b7 2020_12

    SQL Managed Instance names should meet naming requirements.

    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL Managed Instance names are:

    • Between 1 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • SQL Managed Instance names must be globally unique.
    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#notes","title":"Notes","text":"

    This rule does not check if SQL Managed Instance names are unique.

    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.Search.IndexSLA/","title":"Search index update SLA minimum replicas","text":"Azure.Search.IndexSLAAZR-000174Error

    Reliability \u00b7 Cognitive Search \u00b7 2021_06

    Use a minimum of 3 replicas to receive an SLA for query and index updates.

    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#description","title":"Description","text":"

    Cognitive Search services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.

    Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.

    To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.

    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#recommendation","title":"Recommendation","text":"

    Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.

    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#examples","title":"Examples","text":"","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 3.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 3.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#links","title":"Links","text":"
    • Resiliency checklist for specific Azure services
    • SLA for Azure Cognitive Search
    • Azure deployment reference
    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.ManagedIdentity/","title":"Search services uses a managed identity","text":"Azure.Search.ManagedIdentityAZR-000175Error

    Security \u00b7 Cognitive Search \u00b7 2021_06

    Configure managed identities to access Azure resources.

    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#description","title":"Description","text":"

    Connections to Azure resources is required to use some features including indexing and customer managed-keys. Cognitive Search can use managed identities to authenticate to Azure resource without storing credentials.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Cognitive Search service. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the identity.type to SystemAssigned.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the identity.type to SystemAssigned.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • What are managed identities for Azure resources?
    • Connect a search service to other Azure resources using a managed identity
    • Make indexer connections to Azure Storage as a trusted service
    • Azure deployment reference
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.Name/","title":"Use valid Cognitive Search service names","text":"Azure.Search.NameAZR-000176Error

    Operational Excellence \u00b7 Cognitive Search \u00b7 2021_06

    Azure Cognitive Search service names should meet naming requirements.

    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Cognitive Search service names are:

    • Between 2 and 60 characters long.
    • Lowercase letters, numbers, and hyphens.
    • The first two and last one character must be a letter or a number.
    • Cognitive Search service names must be globally unique.
    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Cognitive Search service naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#notes","title":"Notes","text":"

    This rule does not check if Azure Cognitive Search service names are unique.

    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • REST API reference
    • Define your naming convention
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.QuerySLA/","title":"Search query SLA minimum replicas","text":"Azure.Search.QuerySLAAZR-000173Error

    Reliability \u00b7 Cognitive Search \u00b7 2021_06

    Use a minimum of 2 replicas to receive an SLA for index queries.

    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#description","title":"Description","text":"

    Cognitive Search services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.

    Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.

    To receive a Service Level Agreement (SLA) for Search index queries a minimum of 2 replicas is required.

    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#recommendation","title":"Recommendation","text":"

    Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.

    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#examples","title":"Examples","text":"","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 2.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#links","title":"Links","text":"
    • Resiliency checklist for specific Azure services
    • SLA for Azure Cognitive Search
    • Azure deployment reference
    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.SKU/","title":"Cognitive Search minimum SKU","text":"Azure.Search.SKUAZR-000172Error

    Performance Efficiency \u00b7 Cognitive Search \u00b7 2021_06

    Use the basic and standard tiers for entry level workloads.

    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#description","title":"Description","text":"

    Cognitive Search services using the Free tier run on resources shared across multiple subscribers. The Free tier is only suggested for limited small scale tests such as running code samples or tutorials.

    Running more demanding workloads on the Free tier may experience unpredictable performance or issues.

    To select a tier for your workload, estimate and test your required capacity.

    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#recommendation","title":"Recommendation","text":"

    Consider deploying Cognitive Search services using basic or higher tier.

    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#examples","title":"Examples","text":"","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the sku.name to a minimum of basic.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the sku.name to a minimum of basic.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#links","title":"Links","text":"
    • Choose the right resources
    • SLA for Azure Cognitive Search
    • Estimate and manage capacity of an Azure Cognitive Search service
    • Azure deployment reference
    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/","title":"Audit Service Bus data plane access","text":"Azure.ServiceBus.AuditLogsAZR-000358Error

    Security \u00b7 Service Bus \u00b7 2023_03

    Ensure namespaces audit diagnostic logs are enabled.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#description","title":"Description","text":"

    To capture logs that record data plane access operations (such as send or receive messages) in the service bus, diagnostic settings must be configured.

    When configuring diagnostic settings, enabled one of the following:

    • RuntimeAuditLogs category.
    • audit category group.
    • allLogs category group.

    Management operations for Service Bus is captured automatically within Azure Activity Logs.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to record interactions with data of the Service Bus.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable RuntimeAuditLogs category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ServiceBus/namespaces\",\n\"apiVersion\": \"2022-10-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"minimumTlsVersion\": \"1.2\"\n}\n},\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"scope\": \"[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]\",\n\"name\": \"[parameters('diagName')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"RuntimeAuditLogs\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable RuntimeAuditLogs category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n\nresource nsDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: diagName\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'RuntimeAuditLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  scope: ns\n}\n
    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#notes","title":"Notes","text":"

    This rule only applies to premium tier Service Bus instances. Runtime audit logs are currently available only in the Premium tier.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Monitoring Azure Service Bus data reference
    • Azure deployment reference
    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/","title":"Use identity-based authentication for Service Bus namespaces","text":"Azure.ServiceBus.DisableLocalAuthAZR-000178Error

    Security \u00b7 Service Bus \u00b7 2022_03

    Authenticate Service Bus publishers and consumers with Azure AD identities.

    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#description","title":"Description","text":"

    To publish or consume messages from Service Bus cryptographic keys, or Azure AD identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Azure AD authentication, the identity is validated against Azure AD. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.

    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ServiceBus/namespaces\",\n\"apiVersion\": \"2021-11-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource ns 'Microsoft.ServiceBus/namespaces@2021-11-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • Service Bus authentication and authorization
    • Azure deployment reference
    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/","title":"Enforce namespaces to minimum use TLS 1.2 version","text":"Azure.ServiceBus.MinTLSAZR-000315Error

    Security \u00b7 Service Bus \u00b7 2022_12

    Enforce namespaces to require that clients send and receive data with TLS 1.2 version.

    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#description","title":"Description","text":"

    Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS).

    Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS. If a Service Bus namespace requires a minimum version of TLS, then any requests made with an older version will fail.

    Important If you are using a service that connects to Azure Service Bus, make sure that that service is using the appropriate version of TLS to send requests to Azure Service Bus before you set the required minimum version for a Service Bus namespace.

    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider namespaces to require that clients send and receive data with TLS 1.2 version.

    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set properties.minimumTlsVersion to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ServiceBus/namespaces\",\n\"apiVersion\": \"2022-01-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"minimumTlsVersion\": \"1.2\"\n}\n}\n
    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set properties.minimumTlsVersion to 1.2.

    For example:

    Azure Bicep snippet
    @description('The name of the resource.')\nparam name string\n\n@description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource ns 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#links","title":"Links","text":"
    • Information protection and storage
    • Enforce a minimum requires version of TLS
    • Azure deployment reference
    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.Usage/","title":"Remove unused Service Bus namespaces","text":"Azure.ServiceBus.UsageAZR-000177Error

    Cost Optimization \u00b7 Service Bus \u00b7 2022_03

    Regularly remove unused resources to reduce costs.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#description","title":"Description","text":"

    Billing starts for a Standard or Premium Service Bus namespace after it is provisioned. To to receive messages you must first create at least one queue or topic. Namespaces without any queues or topics are considered unused.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing Service Bus namespaces that are not used.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Pricing
    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceFabric.AAD/","title":"Use AAD authentication with Service Fabric clusters","text":"Azure.ServiceFabric.AADAZR-000179Error

    Security \u00b7 Service Fabric \u00b7 2021_03

    Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#description","title":"Description","text":"

    When deploying Service Fabric clusters on Azure, AAD can optionally be used to secure management endpoints. If configured, client authentication (client-to-node security) uses AAD. Additionally Azure Role-based Access Control (RBAC) can be used to delegate cluster access.

    For Service Fabric clusters running on Azure, AAD is recommended to secure access to management endpoints.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#recommendation","title":"Recommendation","text":"

    Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#notes","title":"Notes","text":"

    For Linux clusters, AAD authentication must be configured at cluster creation time. Windows cluster can be updated to support AAD authentication after initial deployment.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#links","title":"Links","text":"
    • Security recommendations
    • Set up Azure Active Directory for client authentication
    • Configure Azure Active Directory Authentication for Existing Cluster
    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/","title":"Use managed identities for SignalR Services","text":"Azure.SignalR.ManagedIdentityAZR-000181Error

    Security \u00b7 SignalR Service \u00b7 2022_03

    Configure SignalR Services to use managed identities to access Azure resources securely.

    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#description","title":"Description","text":"

    A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/signalR\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"SignalR\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"features\": [\n{\n\"flag\": \"ServiceMode\",\n\"value\": \"Serverless\"\n}\n]\n}\n}\n
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities for Azure SignalR Service
    • Azure deployment reference
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.Name/","title":"Use valid SignalR service names","text":"Azure.SignalR.NameAZR-000180Error

    Operational Excellence \u00b7 SignalR Service \u00b7 2020_06

    SignalR service instance names should meet naming requirements.

    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SignalR service names are:

    • Between 3 and 63 characters long.
    • Alphanumerics and hyphens.
    • Start with letter.
    • End with letter or number.
    • SignalR service names must be globally unique.
    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#notes","title":"Notes","text":"

    This rule does not check if SignalR service names are unique.

    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.SLA/","title":"Use an SLA for SignalR Services","text":"Azure.SignalR.SLAAZR-000182Error

    Reliability \u00b7 SignalR Service \u00b7 2022_03

    Use SKUs that include an SLA when configuring SignalR Services.

    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#description","title":"Description","text":"

    When choosing a SKU for a SignalR Service you should consider the SLA that is included in the SKU. SignalR Services offer a range of SKU offerings:

    • Free - Are designed for early non-production use and do not include any SLA.
    • Standard - Are designed for production use and include an SLA.
    • Premium - Are designed for production use and include an SLA. Additional, Premium SKUs support increased resilience with Availablity Zones.
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#recommendation","title":"Recommendation","text":"

    Consider using a Standard or Premium SKU that includes an SLA.

    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#examples","title":"Examples","text":"","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1 or Premium_P1.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/signalR\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"SignalR\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"features\": [\n{\n\"flag\": \"ServiceMode\",\n\"value\": \"Serverless\"\n}\n]\n}\n}\n
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1 or Premium_P1.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure SignalR Service pricing
    • Azure deployment reference
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.Storage.BlobAccessType/","title":"Use private blob containers","text":"Azure.Storage.BlobAccessTypeAZR-000199Error

    Security \u00b7 Storage Account \u00b7 2020_06

    Use containers configured with a private access type that requires authorization.

    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#description","title":"Description","text":"

    Azure Storage Account blob containers use the Private access type by default. Additional access types Blob and Container provide anonymous access to blobs without authorization. Blob and Container access types are not intended for access to customer data. When authorization is required, clients must use cryptographic keys or identity-based tokens to authenticate.

    Blob and Container access types are designed for public access scenarios. For example, storage of web assets like .css and .js files used in public websites.

    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#recommendation","title":"Recommendation","text":"

    To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.

    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Account blob containers that pass this rule:

    • Set the properties.publicAccess property to None.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts/blobServices/containers\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]\",\n\"properties\": {\n\"publicAccess\": \"None\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]\",\n\"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Account blob containers that pass this rule:

    • Set the properties.publicAccess property to None.

    For example:

    Azure Bicep snippet
    resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {\n  parent: blobService\n  name: containerName\n  properties: {\n    publicAccess: 'None'\n  }\n}\n
    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#links","title":"Links","text":"
    • Authentication with Azure AD
    • About anonymous public read access
    • Use Azure Policy to enforce authorized access
    • How a shared access signature works
    • Azure deployment reference
    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/","title":"Disallow anonymous access to blob service","text":"Azure.Storage.BlobPublicAccessAZR-000198Error

    Security \u00b7 Storage Account \u00b7 2020_09

    Storage Accounts should only accept authorized requests.

    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#description","title":"Description","text":"

    Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.

    Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#recommendation","title":"Recommendation","text":"

    Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.allowBlobPublicAccess property to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.allowBlobPublicAccess property to false.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#links","title":"Links","text":"
    • Use Azure AD for storage authentication
    • Allow or disallow public read access for a storage account
    • Remediate anonymous public access
    • Use Azure Policy to enforce authorized access
    • Authorize access to blobs using Azure Active Directory
    • Azure deployment reference
    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/","title":"Use container soft delete","text":"Azure.Storage.ContainerSoftDeleteAZR-000289Error

    Reliability \u00b7 Storage Account \u00b7 2022_09

    Enable container soft delete on Storage Accounts.

    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#description","title":"Description","text":"

    Container soft delete protects your data from being accidentally or erroneously modified or deleted. When container soft delete is enabled for a storage account, a container and its contents may be recovered after it has been deleted, within a retention period that you specify.

    Blob container soft delete should be considered part of the strategy to protect and retain data. Also consider:

    • Implementing role-based access control (RBAC).
    • Configuring resource locks to protect against deletion.
    • Configuring blob soft delete.

    Blob containers can be configured to retain deleted containers for a period of time between 1 and 365 days.

    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.

    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.containerDeleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.containerDeleteRetentionPolicy.days property to the number of days to retain blobs.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n\"properties\": {\n\"deleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n},\n\"containerDeleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.containerDeleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.containerDeleteRetentionPolicy.days property to the number of days to retain blobs.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days 7 -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -StorageAccountName '<name>' -RetentionDays 7\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

    Storage accounts with:

    • Hierarchical namespace enabled to not support blob soft delete.
    • Deployed as a FileStorage storage account do not support blob soft delete.
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#links","title":"Links","text":"
    • Data management for reliability
    • Storage Accounts and reliability
    • Soft delete for containers
    • Enable and manage soft delete for containers
    • Azure deployment reference
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/","title":"Malware Scanning","text":"Azure.Storage.DefenderCloud.MalwareScanAZR-000384Error

    Security \u00b7 Storage Account \u00b7 2023_06

    Enable Malware Scanning in Microsoft Defender for Storage.

    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#description","title":"Description","text":"

    Microsoft Defender for Storage provides additional security for storage accounts.

    One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

    Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

    Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

    This can be helpful when:

    • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)
    • To comply with compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.

    When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.

    Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. Defender for Storage settings on each storage account is inherited by the subscription level settings.

    It is also worth to mention that the resource level enablement can be useful when:

    • Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level.
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#recommendation","title":"Recommendation","text":"

    Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.

    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.malwareScanning.onUpload.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/DefenderForStorageSettings\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"current\",\n\"properties\": {\n\"isEnabled\": true,\n\"malwareScanning\": {\n\"onUpload\": {\n\"isEnabled\": true,\n\"capGBPerMonth\": 5000\n}\n},\n\"overrideSubscriptionLevelSettings\": false\n},\n\"scope\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\"\n}\n
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.malwareScanning.onUpload.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n\u202f properties: {\n\u202f \u202f isEnabled: true\n\u202f \u202f malwareScanning: {\n\u202f \u202f \u202f onUpload: {\n\u202f \u202f \u202f \u202f isEnabled: true\n\u202f \u202f \u202f \u202f capGBPerMonth: 5000\n\u202f \u202f \u202f }\n\u202f \u202f }\n\u202f \u202f overrideSubscriptionLevelSettings: false\n\u202f }\n}\n
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#notes","title":"Notes","text":"

    This feature is currently in preview.

    Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

    • When the plan is already enabled at the subscription level and the resource level override property overrideSubscriptionLevelSettings value is false, the resource level enablement will be ignored and the subscription level (plan) will still be used.
    • If the override property overrideSubscriptionLevelSettings value is true, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.
    • If there is no plan at the subscription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Malware Scanning in Defender for Storage
    • Limitations
    • Setting up response to Malware Scanning
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/","title":"Sensitive data threat detection","text":"Azure.Storage.DefenderCloud.SensitiveDataAZR-000391Error

    Security \u00b7 Storage Account \u00b7 2023_06

    Enable sensitive data threat detection in Microsoft Defender for Storage.

    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#description","title":"Description","text":"

    Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.

    The sensitive data threat detection capability helps teams:

    • Identity where sensitive data is stored.
    • Detect possible security incidents resulting is data exposure.

    When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).

    Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    When overriding sensitive data threat detection on individual Storage Account it is possible to configure custom sensitive data threat detection settings that differ from the settings configured at the subscription level.

    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#recommendation","title":"Recommendation","text":"

    Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.

    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.sensitiveDataDiscovery.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/DefenderForStorageSettings\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"current\",\n\"properties\": {\n\"sensitiveDataDiscovery\": {\n\"isEnabled\": true\n},\n\"overrideSubscriptionLevelSettings\": false\n},\n\"scope\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\"\n}\n
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.sensitiveDataDiscovery.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#notes","title":"Notes","text":"

    This feature is currently in preview. The following limitations currently apply for Microsoft Defender for Storage:

    • Only Storage Accounts with public network access set to enabled are supported.
    • Not all storage services within Storage Accounts are currently supported.
    • When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority. To override settings on a Storage Account, set the properties.overrideSubscriptionLevelSettings property to true.
    • If there is no plan at the subcription level, Microsoft Defender for Storage can be configured without an override.
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Sensitive data threat detection in Defender for Storage
    • Support and prerequisites for data-aware security posture
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Storage.DefenderCloudAZR-000386Error

    Security \u00b7 Storage Account \u00b7 2023_06

    Enable Microsoft Defender for Storage for storage accounts.

    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#description","title":"Description","text":"

    Microsoft Defender for Storage analyzes data and control plane logs from protected Storage Accounts. Which allows Microsoft Defender for Cloud to surface findings with details of the security threats and contextual information.

    Additionally, Microsoft Defender for Storage provides security extensions to analyze data stored within Storage Accounts:

    • Anti-malware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
    • Sensitive data threat detection to find resources with sensitive data.

    Microsoft Defender for Storage can be enabled on a per subscription or per resource basis. Enabling at the subscription level is recommended because it protects current and future Storage Accounts. However, enabling at the resource level may be preferred for specific Storage Account to apply custom settings.

    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.

    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy storage accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/DefenderForStorageSettings\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"current\",\n\"properties\": {\n\"isEnabled\": true,\n\"malwareScanning\": {\n\"onUpload\": {\n\"isEnabled\": true,\n\"capGBPerMonth\": 5000\n}\n},\n\"sensitiveDataDiscovery\": {\n\"isEnabled\": true\n},\n\"overrideSubscriptionLevelSettings\": false\n},\n\"scope\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\"\n}\n
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy storage accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#notes","title":"Notes","text":"

    This rule is not processed by default. To enable this rule, set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration value to true.

    The following limitations currently apply for Microsoft Defender for Storage:

    • Malware scanning and sensitive data discovery are preview features.
    • Storage types supported are Blob Storage, Azure Files and Azure Data Lake Storage Gen2. Other storage types are not supported.
    • When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority. To override settings on a Storage Account, set the properties.overrideSubscriptionLevelSettings property to true.
    • If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/","title":"Use soft delete on files shares","text":"Azure.Storage.FileShareSoftDeleteAZR-000298Error

    Reliability \u00b7 Storage Account \u00b7 2022_09

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#synopsis","title":"Synopsis","text":"

    Enable soft delete on Storage Accounts file shares.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#description","title":"Description","text":"

    Soft delete for Azure Files protects your shares from being accidentally deleted. This feature does not protect against individual files being deleted or modified. When soft delete is enabled for a Azure Files on a Storage Account, a share and its contents may be recovered after it has been deleted, within a retention period that you specify.

    Soft delete on file shares should be considered part of the strategy to protect and retain data for Azure Files. Also consider:

    • Enabling Azure File Share Backup.
    • Implementing role-based access control (RBAC).

    Storage Accounts can be configured to retain deleted share for a period of time between 1 and 365 days.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.deleteRetentionPolicy.enabled property to true on the fileServices sub-resource
    • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain files.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts/fileServices\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"default\",\n\"properties\": {\n\"shareDeleteRetentionPolicy\": {\n\"days\": \"7\",\n\"enabled\": \"true\"\n}\n}\n}\n
    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.deleteRetentionPolicy.enabled property to true on the fileServices sub-resource
    • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain files.

    For example:

    Azure Bicep snippet
    resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    shareDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n
    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#links","title":"Links","text":"
    • Data management for reliability
    • Storage Accounts and reliability
    • Enable soft delete on Azure file shares
    • About Azure file share backup
    • Authorize access to file data
    • Azure deployment reference
    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.Firewall/","title":"Configure Azure Storage firewall","text":"Azure.Storage.FirewallAZR-000202Error

    Security \u00b7 Storage Account \u00b7 2021_09

    Storage Accounts should only accept explicitly allowed traffic.

    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#description","title":"Description","text":"

    By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

    After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

    • Azure services on the trusted service list.
    • IP address or CIDR range.
    • Private endpoint connections.
    • Azure virtual network subnets with a Service Endpoint.
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#recommendation","title":"Recommendation","text":"

    Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#examples","title":"Examples","text":"","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Azure storage firewall is not supported for Cloud Shell storage accounts.

    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#links","title":"Links","text":"
    • Public endpoints
    • Configure Azure Storage firewalls and virtual networks
    • Use private endpoints for Azure Storage
    • Persist files in Azure Cloud Shell
    • Azure deployment reference
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.MinTLS/","title":"Storage Account minimum TLS version","text":"Azure.Storage.MinTLSAZR-000200Error

    Security \u00b7 Storage Account \u00b7 2020_09

    Storage Accounts should reject TLS versions older than 1.2.

    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS encryption in Azure
    • Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
    • DP-3: Encrypt sensitive data in transit
    • Preparing for TLS 1.2 in Microsoft Azure
    • Use Azure Policy to enforce the minimum TLS version
    • Azure deployment reference
    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.Name/","title":"Use valid storage account names","text":"Azure.Storage.NameAZR-000201Error

    Operational Excellence \u00b7 Storage Account \u00b7 2020_06

    Storage Account names should meet naming requirements.

    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Storage Account names are:

    • Between 3 and 24 characters long.
    • Lowercase letters or numbers.
    • Storage Account names must be globally unique.
    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#notes","title":"Notes","text":"

    This rule does not check if Storage Account names are unique.

    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.SecureTransfer/","title":"Enforce encrypted Storage connections","text":"Azure.Storage.SecureTransferAZR-000196Error

    Security \u00b7 Storage Account \u00b7 2020_06

    Storage accounts should only accept encrypted connections.

    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#description","title":"Description","text":"

    Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an un-trusted party. Storage Accounts can be configured to require encrypted connections.

    To do this set the Secure transfer required option. When secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.

    Storage Accounts that are deployed with a newer API version will have this option enabled by default. However, this does not prevent the option from being disabled.

    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#recommendation","title":"Recommendation","text":"

    Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#examples","title":"Examples","text":"","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • For API versions older then 2019-04-01, set the properties.supportsHttpsTrafficOnly property to true.
    • For API versions 2019-04-01 and newer:
      • Omit the properties.supportsHttpsTrafficOnly property OR
      • Explicitly set the properties.supportsHttpsTrafficOnly property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • For API versions older than 2019-04-01, set the properties.supportsHttpsTrafficOnly property to true.
    • For API versions 2019-04-01 and newer:
      • Omit the properties.supportsHttpsTrafficOnly property OR
      • Explicitly set the properties.supportsHttpsTrafficOnly property to true.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#links","title":"Links","text":"
    • Data encryption in Azure
    • Require secure transfer in Azure Storage
    • DP-3: Encrypt sensitive data in transit
    • Sample policy for ensuring https traffic
    • Azure deployment reference
    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SoftDelete/","title":"Use blob soft delete","text":"Azure.Storage.SoftDeleteAZR-000197Error

    Reliability \u00b7 Storage Account \u00b7 2020_06

    Enable blob soft delete on Storage Accounts.

    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#description","title":"Description","text":"

    Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.

    Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:

    • Implementing role-based access control (RBAC).
    • Configuring resource locks to protect against deletion.
    • Configuring blob container soft delete.

    Blobs can be configured to retain deleted blobs for a period of time between 1 and 365 days.

    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.

    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n\"properties\": {\n\"deleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n},\n\"containerDeleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -AccountName '<name>' -RetentionDays 7\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

    Storage accounts with:

    • Hierarchical namespace enabled do not support blob soft delete.
    • Deployed as a FileStorage storage account do not support blob soft delete.
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#links","title":"Links","text":"
    • Data management for reliability
    • Storage Accounts and reliability
    • Soft delete for Azure Storage blobs
    • Blob storage features available in Azure Data Lake Storage Gen2
    • Azure deployment reference
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.UseReplication/","title":"Use geo-replicated storage","text":"Azure.Storage.UseReplicationAZR-000195Error

    Reliability \u00b7 Storage Account \u00b7 2020_06

    Storage Accounts not using geo-replicated storage (GRS) may be at risk.

    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#description","title":"Description","text":"

    Storage Accounts can be configured with several different durability options. Azure provides a number of geo-replicated options, including geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS). Geo-zone-redundant storage is only available in supported regions.

    The following geo-replicated options are available within Azure:

    • Standard_GRS
    • Standard_RAGRS
    • Standard_GZRS
    • Standard_RAGZRS
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#recommendation","title":"Recommendation","text":"

    Consider using GRS for storage accounts that contain data.

    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#examples","title":"Examples","text":"","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#notes","title":"Notes","text":"

    This rule is not applicable for premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:

    • ms-resource-usage = 'azure-cloud-shell' - Storage Accounts used for Cloud Shell are not intended to store data. This tag is applied by Azure to Cloud Shell Storage Accounts by default.
    • resource-usage = 'azure-functions' - Storage Accounts used for Azure Functions. This tag can be optionally configured.
    • resource-usage = 'azure-monitor' - Storage Accounts used by Azure Monitor are intended for diagnostic logs. This tag can be optionally configured.
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#links","title":"Links","text":"
    • Meet application platform requirements
    • Azure Storage redundancy
    • Azure deployment reference
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Template.DebugDeployment/","title":"Disable debugging of nested deployments","text":"Azure.Template.DebugDeploymentAZR-000225Error

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Use default deployment detail level for nested deployments.

    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#description","title":"Description","text":"

    When creating an Azure template, nested deployments can be created with debugging settings enabled. Deployment debugging detail is intended for troubleshooting deployments during development. Debugging settings may log sensitive values. Use caution when using this setting to debug nested deployments.

    To reduce nested deployment detail, remove or configure the properties.debugSetting.detailLevel property to none for nested deployments.

    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#recommendation","title":"Recommendation","text":"

    Consider disabling debugging of nested deployments before release.

    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#links","title":"Links","text":"
    • Troubleshoot deployment errors
    • DebugSetting
    • Release deployment
    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DefineParameters/","title":"Define template parameters","text":"Azure.Template.DefineParametersAZR-000218Error

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.

    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#description","title":"Description","text":"

    Azure templates support parameters, which are inputs you can specify when deploying the template resources. Each template can support up to 256 parameters.

    When defining template parameters:

    • Minimize the number of parameters that require input by specifying a defaultValue.
    • Use parameters for resource names and deployment locations.
    • Use variables or literal resource properties for values that don't change.
    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#recommendation","title":"Recommendation","text":"

    Consider defining a minimal number of parameters to make the template reusable.

    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#examples","title":"Examples","text":"","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • Define at least one parameter.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"name\": \"Managed Identity\",\n\"description\": \"Create or update a Managed Identity.\"\n},\n\"parameters\": {\n\"identityName\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The name of the Managed Identity.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The Azure region to deploy to.\",\n\"example\": \"eastus\"\n}\n},\n\"tags\": {\n\"type\": \"object\",\n\"metadata\": {\n\"description\": \"Tags to apply to the resource.\",\n\"example\": {\n\"service\": \"app1\",\n\"env\": \"prod\"\n}\n}\n}\n},\n\"variables\": {\n\"tenantId\": \"[subscription().tenantId]\"\n},\n\"resources\": [\n{\n\"comments\": \"Create or update a Managed Identity\",\n\"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n\"apiVersion\": \"2018-11-30\",\n\"name\": \"[parameters('identityName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"tenantId\": \"[variables('tenantId')]\"\n},\n\"tags\": \"[parameters('tags')]\"\n}\n]\n}\n
    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#notes","title":"Notes","text":"

    This rule is not applicable and ignored for templates generated with Bicep, PSArm and AzOps. Generated templates from these tools may not require any parameters to be set.

    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.ExpressionLength/","title":"Template expressions should not exceed a maximum length","text":"Azure.Template.ExpressionLengthAZR-000228Error

    Operational Excellence \u00b7 All resources \u00b7 2021_12

    Template expressions should not exceed the maximum length.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#description","title":"Description","text":"

    Extremely long expressions may be difficult to read and debug. Avoid using expressions that exceed 24,576 characters in length.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#recommendation","title":"Recommendation","text":"

    Consider updating the expression to reduce complexity and length.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#notes","title":"Notes","text":"

    This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Expressions in templates generated by these tools are produced by the tool rather than authored directly.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#links","title":"Links","text":"
    • Deployment considerations for DevOps
    • Template limits
    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.LocationDefault/","title":"Default to resource group location","text":"Azure.Template.LocationDefaultAZR-000220Error

    Reliability \u00b7 All resources \u00b7 2021_03

    Set the default value for the location parameter within an ARM template to resource group location.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#description","title":"Description","text":"

    In the event of a regional outage in the resource group location, you will be unable to control resources inside that resource group, regardless of what region those resources are actually in. Resources for regional services should be deployed into a resource group in the same region.

    When authoring templates, the resource group location should be the default resource location. This approach minimizes the number of times users are asked to provide location information.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#recommendation","title":"Recommendation","text":"

    Consider updating the location parameter to use [resourceGroup().location] as the default value.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • If the location parameter is specified, it should be set to [resourceGroup().location].

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"nsg-001\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"deny-hop-outbound\",\n\"properties\": {\n\"priority\": 200,\n\"access\": \"Deny\",\n\"protocol\": \"Tcp\",\n\"direction\": \"Outbound\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-bicep","title":"Configure with Bicep","text":"

    To author bicep source files that pass this rule:

    • If the location parameter is specified, it should be set to resourceGroup().location.

    For example:

    Azure Bicep snippet
    @description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n
    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#notes","title":"Notes","text":"

    This rule ignores templates using tenant, Management Group, and Subscription deployment schemas. Deployment to these scopes does not occur against a resource group.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#links","title":"Links","text":"
    • ARM template best practices
    • Operating in multiple regions
    • Resource group
    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationType/","title":"Use type string for location parameters","text":"Azure.Template.LocationTypeAZR-000221Error

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Location parameters should use a string value.

    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#description","title":"Description","text":"

    The template parameter location is a standard parameter recommended for deployment templates. The location parameter is intended for specifying the deployment location of the primary resource. When including location parameters in templates use the type string.

    Additionally, the template may include other resources. Use the location parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information.

    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#recommendation","title":"Recommendation","text":"

    Consider updating the location parameter to be of type string.

    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • If the location parameter is specified, it should be set to a string type.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"nsg-001\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"deny-hop-outbound\",\n\"properties\": {\n\"priority\": 200,\n\"access\": \"Deny\",\n\"protocol\": \"Tcp\",\n\"direction\": \"Outbound\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-bicep","title":"Configure with Bicep","text":"

    To author bicep source files that pass this rule:

    • If the location parameter is specified, it should be set to a string type.

    For example:

    Azure Bicep snippet
    @description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n
    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#links","title":"Links","text":"
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.MetadataLink/","title":"Use parameter file metadata link","text":"Azure.Template.MetadataLinkAZR-000231Error

    Operational Excellence \u00b7 All resources \u00b7 2021_09

    Configure a metadata link for each parameter file.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#description","title":"Description","text":"

    A parameter file can include an additional metadata. This metadata provides additional context for use of the parameter file.

    PSRule for Azure uses the metadata.template property within parameter files to store a metadata link. A metadata link is an explicit association between a parameter file and its intended template file.

    This rule is disabled by default but can be enabled by configuring AZURE_PARAMETER_FILE_METADATA_LINK. Enable this rule to ensure that each parameter file has a metadata link to a valid template file.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#recommendation","title":"Recommendation","text":"

    Consider setting metadata for each parameter file linking to the deployment template.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#examples","title":"Examples","text":"","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#configure-parameter-file","title":"Configure parameter file","text":"

    To create parameter files that pass this rule:

    • Set the metadata.template property to a valid template file path.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"templates/storage/v1/template.json\"\n},\n\"parameters\": {\n\"storageAccountName\": {\n\"value\": \"...\"\n}\n}\n}\n
    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#notes","title":"Notes","text":"

    Enable this rule by setting the AZURE_PARAMETER_FILE_METADATA_LINK option to true.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#links","title":"Links","text":"
    • Using templates
    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/","title":"Default should match type","text":"Azure.Template.ParameterDataTypesAZR-000226Error

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Set the parameter default value to a value of the same type.

    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#description","title":"Description","text":"

    Azure Resource Manager (ARM) template support parameters with a range of types, including:

    • bool
    • int
    • string
    • array
    • object
    • secureString
    • secureObject

    When including a defaultValue, the default value should match the type set in the type property. For example:

    Azure Template snippet
    {\n\"boolParam\": {\n\"type\": \"bool\",\n\"defaultValue\": false\n},\n\"intParam\": {\n\"type\": \"int\",\n\"defaultValue\": 5\n},\n\"stringParam\": {\n\"type\": \"string\",\n\"defaultValue\": \"test-rg\"\n},\n\"arrayParam\": {\n\"type\": \"array\",\n\"defaultValue\": [ 1, 2, 3 ]\n},\n\"objectParam\": {\n\"type\": \"object\",\n\"defaultValue\": {\n\"one\": \"a\",\n\"two\": \"b\"\n}\n}\n}\n
    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#recommendation","title":"Recommendation","text":"

    Consider updating the parameter default value to a value of the same type.

    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#links","title":"Links","text":"
    • Data types
    • Release deployment
    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterFile/","title":"Use ARM parameter file structure","text":"Azure.Template.ParameterFileAZR-000229Error

    Operational Excellence \u00b7 All resources \u00b7 2020_06

    Use ARM template parameter files that are valid.

    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#description","title":"Description","text":"

    Azure Resource Manager (ARM) template parameter files have a pre-defined structure. ARM template parameter files require $schema, contentVersion and parameters sections to be defined. If any of these sections are missing, ARM will not accept the parameter file.

    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#recommendation","title":"Recommendation","text":"

    Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.

    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for parameter files
    • Create Resource Manager parameter file
    • Parameters in Azure Resource Manager templates
    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterMetadata/","title":"Use template parameter descriptions","text":"Azure.Template.ParameterMetadataAZR-000215Error

    Operational Excellence \u00b7 All resources \u00b7 2020_09

    Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.

    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#description","title":"Description","text":"

    ARM templates support an additional metadata description to be added to each parameter. The parameter description is visible in Azure when using portal deployment pages. Additionally, descriptions provide context for people editing template and parameter files.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"storageAccountType\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The type of the new storage account created to store the VM disks.\"\n}\n}\n}\n}\n
    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#recommendation","title":"Recommendation","text":"

    Consider defining a metadata description for each template parameter.

    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/","title":"Use minValue and maxValue with correct type","text":"Azure.Template.ParameterMinMaxValueAZR-000224Error

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Template parameters minValue and maxValue constraints must be valid.

    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#description","title":"Description","text":"

    When defining Azure template parameters the minValue or maxValue constraints can be added to parameters. These constraints are only valid for parameters using the int type. When configuring minValue and maxValue an integer must be used.

    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#recommendation","title":"Recommendation","text":"

    Consider updating parameter definitions using minValue or maxValue. When using minValue or maxValue these values must be integers and only apply to int parameters.

    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterScheme/","title":"Use a https template parameter file schema","text":"Azure.Template.ParameterSchemeAZR-000230Error

    Operational Excellence \u00b7 All resources \u00b7 2021_09

    Use an Azure template parameter file schema with the https scheme.

    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#description","title":"Description","text":"

    JSON schemas are used to validate the structure of Azure template parameter files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by schema.management.azure.com the http scheme redirects to https.

    While http://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json# points to a file. All supported Azure template parameter schemas use the https scheme.

    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#recommendation","title":"Recommendation","text":"

    Consider using a schema with the https scheme.

    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template parameter files that pass this rule:

    • Configure the template parameter schema to a supported schema with the https:// URI prefix, such as https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": { }\n}\n
    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for parameter files
    • Create Resource Manager parameter file
    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterStrongType/","title":"Parameter value should match strong type","text":"Azure.Template.ParameterStrongTypeAZR-000227Error

    Operational Excellence \u00b7 All resources \u00b7 2021_12

    Set the parameter value to a value that matches the specified strong type.

    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#description","title":"Description","text":"

    Template string parameters can optionally specify a strong type. When parameter files are expanded, if the parameter value does not match the type this rule fails. Support is provided by PSRule for Azure for the following types:

    • Resource type - Specify a resource type. For example Microsoft.OperationalInsights/workspaces. If a resource type is specified the parameter value must be a resource id of that type.
    • Location - Specify location as the strong type. If location is specified, the parameter value must be a valid Azure location.
    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#recommendation","title":"Recommendation","text":"

    Consider updating the parameter value to a value that matches the specifed strong type.

    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#links","title":"Links","text":"
    • Deployment considerations for DevOps
    • Strong type
    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterValue/","title":"Specify a value for each parameter","text":"Azure.Template.ParameterValueAZR-000232Error

    Operational Excellence \u00b7 All resources \u00b7 2021_09

    Specify a value for each parameter in template parameter files.

    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#description","title":"Description","text":"

    When defining a template parameter file:

    • Uou must specify a value for each parameter in the file.
    • If the parameter is optional, you can omit the parameter from the file.
    • If the parameter is required, you must specify a value for the parameter.
    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#recommendation","title":"Recommendation","text":"

    Consider defining a value for each parameter in the template parameter file.

    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template parameter files that pass this rule:

    • Set a value for each parameter specified in the file.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"parameter1\": {\n\"value\": \"value1\"\n},\n\"parameter2\": {\n\"value\": []\n}\n}\n}\n
    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for parameter files
    • Create Resource Manager parameter file
    • Parameters in Azure Resource Manager templates
    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ResourceLocation/","title":"Use a location parameter for regional resources","text":"Azure.Template.ResourceLocationAZR-000222Error

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Template resource location should be an expression or global.

    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#description","title":"Description","text":"

    The template parameter location is a standard parameter recommended for deployment templates. The location parameter is a intended for specifying the deployment location of the primary resource.

    When defining a resource that requires a location, use the location parameter. For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"name\": \"[parameters('VNETName')]\",\n\"apiVersion\": \"2020-06-01\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n

    Additionally, the template may include other resources. Use the location parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.

    For non-regional resources such as Front Door and DNS Zones specify a literal location global.

    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#recommendation","title":"Recommendation","text":"

    Consider updating the resource location property to use [parameters('location)].

    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#links","title":"Links","text":"
    • ARM template best practices
    • Release deployment
    • Parameters
    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.Resources/","title":"Include a template resource","text":"Azure.Template.ResourcesAZR-000216Error

    Operational Excellence \u00b7 All resources \u00b7 2020_09

    Each Azure Resource Manager (ARM) template file should deploy at least one resource.

    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#description","title":"Description","text":"

    An ARM template file is used to create or update one or more Azure resources. The resources property of an ARM template includes a definition of the resources to deploy.

    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#recommendation","title":"Recommendation","text":"

    Consider removing Azure template files that do not deploy any resources.

    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#links","title":"Links","text":"
    • Resources
    • Tutorial: Create and deploy your first ARM template
    • Release deployment
    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.TemplateFile/","title":"Use ARM template file structure","text":"Azure.Template.TemplateFileAZR-000212Error

    Operational Excellence \u00b7 All resources \u00b7 2020_06

    Use ARM template files that are valid.

    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#description","title":"Description","text":"

    Azure Resource Manager (ARM) template files have a pre-defined structure. ARM templates require $schema, contentVersion and resources sections to be defined. If any of these sections are missing, ARM will not accept the template.

    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#recommendation","title":"Recommendation","text":"

    Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.

    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Template file structure
    • Define resources in Azure Resource Manager templates
    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateSchema/","title":"Use a recent template schema version","text":"Azure.Template.TemplateSchemaAZR-000213Error

    Operational Excellence \u00b7 All resources \u00b7 2021_09

    Use a more recent version of the Azure template schema.

    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#description","title":"Description","text":"

    The JSON schemas used to define Azure templates are versioned. When defining templates use templates with a supported schema.

    The following template schemas are deprecated:

    • https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#
    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#recommendation","title":"Recommendation","text":"

    Consider using a more recent schema version for Azure template files.

    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template files that pass this rule:

    • Configure the template schema to one of the following:
      • https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#
      • https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#
      • https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#
      • https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": { },\n\"functions\": [],\n\"resources\": [ ]\n}\n
    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for ARM templates
    • Template file structure
    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateScheme/","title":"Use a https template file schema","text":"Azure.Template.TemplateSchemeAZR-000214Error

    Operational Excellence \u00b7 All resources \u00b7 2021_09

    Use an Azure template file schema with the https scheme.

    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#description","title":"Description","text":"

    JSON schemas are used to validate the structure of Azure template files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by schema.management.azure.com the http scheme redirects to https.

    While http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json# points to a file. All supported Azure template schemas use the https scheme.

    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#recommendation","title":"Recommendation","text":"

    Consider using a schema with the https scheme.

    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template files that pass this rule:

    • Configure the template schema to a supported schema with the https:// URI prefix, such as https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": { },\n\"functions\": [],\n\"resources\": [ ]\n}\n
    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for ARM templates
    • Template file structure
    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.UseComments/","title":"Use comments for each ARM template resource","text":"Azure.Template.UseCommentsAZR-000234Information

    Operational Excellence \u00b7 All resources \u00b7 2021_12

    Use comments for each resource in ARM template to communicate purpose.

    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#description","title":"Description","text":"

    ARM templates can optionally include comments in resources. This helps other contributors understand the purpose of the resource.

    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#recommendation","title":"Recommendation","text":"

    Specify comments for each resource in the template.

    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#examples","title":"Examples","text":"","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template files that pass this rule:

    • Specify comments for each resource in the template.

    For example:

    Azure Template snippet
    \"resources\": [\n{\n\"name\": \"[variables('storageAccountName')]\",\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2019-06-01\",\n\"location\": \"[resourceGroup().location]\",\n\"comments\": \"This storage account is used to store the VM disks.\",\n...\n}\n]\n
    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#links","title":"Links","text":"
    • Better understand your cloud resources
    • ARM template best practices
    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseDescriptions/","title":"Use comments for each generated template resource","text":"Azure.Template.UseDescriptionsAZR-000235Information

    Operational Excellence \u00b7 All resources \u00b7 2021_12

    Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.

    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#description","title":"Description","text":"

    Generated templates can optionally include descriptions in resources. This helps other contributors understand the purpose of the resource.

    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#recommendation","title":"Recommendation","text":"

    Specify descriptions for each resource in the template.

    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#examples","title":"Examples","text":"","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To define Bicep template files that pass this rule:

    • Specify the @description() or @sys.description() decorator for each resource in the template.

    For example:

    Azure Bicep snippet
    // An example container registry\n@description('abc')\nresource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#links","title":"Links","text":"
    • Better understand your cloud resources
    • Decorators
    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseLocationParameter/","title":"Use a location parameter to specify resource location","text":"Azure.Template.UseLocationParameterAZR-000223Warning

    Operational Excellence \u00b7 All resources \u00b7 2021_03

    Template should reference a location parameter to specify resource location.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#description","title":"Description","text":"

    The template parameter location is a standard parameter recommended for deployment templates. The location parameter is a intended for specifying the deployment location of the primary resource.

    When defining a resource that requires a location, use the location parameter. For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"name\": \"[parameters('VNETName')]\",\n\"apiVersion\": \"2020-06-01\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n

    Additionally, the template may include other resources. Use the location parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#recommendation","title":"Recommendation","text":"

    Consider using parameters('location) instead of resourceGroup().location. Using a location parameter enabled users of the template to specify the location of deployed resources.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#examples","title":"Examples","text":"","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • Define a parameter named location.
    • Set the location of any deployed resources to [parameters('location')].

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"name\": \"Managed Identity\",\n\"description\": \"Create or update a Managed Identity.\"\n},\n\"parameters\": {\n\"identityName\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The name of the Managed Identity.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The Azure region to deploy to.\",\n\"example\": \"eastus\"\n}\n},\n\"tags\": {\n\"type\": \"object\",\n\"metadata\": {\n\"description\": \"Tags to apply to the resource.\",\n\"example\": {\n\"service\": \"app1\",\n\"env\": \"prod\"\n}\n}\n}\n},\n\"variables\": {\n\"tenantId\": \"[subscription().tenantId]\"\n},\n\"resources\": [\n{\n\"comments\": \"Create or update a Managed Identity\",\n\"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n\"apiVersion\": \"2018-11-30\",\n\"name\": \"[parameters('identityName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"tenantId\": \"[variables('tenantId')]\"\n},\n\"tags\": \"[parameters('tags')]\"\n}\n]\n}\n
    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#notes","title":"Notes","text":"

    This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#links","title":"Links","text":"
    • ARM template best practices
    • Parameters
    • Release deployment
    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseParameters/","title":"Remove unused template parameters","text":"Azure.Template.UseParametersAZR-000217Error

    Operational Excellence \u00b7 All resources \u00b7 2020_09

    Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.

    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#description","title":"Description","text":"

    ARM templates can optionally define parameters that can be reused throughout the template. Parameters that are not used may make template use more complex for no benefit.

    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#recommendation","title":"Recommendation","text":"

    Consider removing unused parameters from Azure template files.

    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseVariables/","title":"Remove unused template variables","text":"Azure.Template.UseVariablesAZR-000219Error

    Operational Excellence \u00b7 All resources \u00b7 2020_09

    Each Azure Resource Manager (ARM) template variable should be used or removed from template files.

    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#description","title":"Description","text":"

    ARM templates can optionally define variables that can be reused throughout the template. Variables that are not used may add template complexity for no benefit.

    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#recommendation","title":"Recommendation","text":"

    Consider removing unused variables from Azure template files.

    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#links","title":"Links","text":"
    • Variables
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.ValidSecretRef/","title":"Use a valid secret reference","text":"Azure.Template.ValidSecretRefAZR-000233Error

    Operational Excellence \u00b7 All resources \u00b7 2021_09

    Use a valid secret reference within parameter files.

    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#description","title":"Description","text":"

    When referencing secrets in a template parameter file:

    • The secret reference must be a valid Azure resource ID Key Vault.
    • A secret name must be specified.
    • An optional secret version can be specified.
    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#recommendation","title":"Recommendation","text":"

    Check the secret value Key Vault reference is valid.

    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#examples","title":"Examples","text":"","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template parameter files that pass this rule:

    • When a secret is referenced from Key Vault, provide a valid resource ID and secret name.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"gatewayName\": {\n\"value\": \"gateway-A\"\n},\n\"sku\": {\n\"value\": \"VpnGw1\"\n},\n\"subnetId\": {\n\"value\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet\"\n},\n\"sharedKey\": {\n\"reference\": {\n\"keyVault\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001\"\n},\n\"secretName\": \"valid-secret\"\n}\n}\n}\n}\n
    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Reference secrets with static ID
    • Create Resource Manager parameter file
    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/","title":"Use at least two Traffic Manager endpoints","text":"Azure.TrafficManager.EndpointsAZR-000236Error

    Reliability \u00b7 Traffic Manager \u00b7 2020_06

    Traffic Manager should use at lest two enabled endpoints.

    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#description","title":"Description","text":"

    Traffic Manager is a DNS service that enables you to distribute traffic to improve availability and responsiveness. Traffic is distributed across endpoints, which can be located in different availability zones and regions.

    When only one enabled endpoint exists, routing for high availability and/ or responsiveness is not possible.

    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#recommendation","title":"Recommendation","text":"

    Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.

    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#links","title":"Links","text":"
    • What is Traffic Manager?
    • How Traffic Manager Works
    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Protocol/","title":"Use HTTPS to monitor web-based endpoints","text":"Azure.TrafficManager.ProtocolAZR-000237Error

    Security \u00b7 Traffic Manager \u00b7 2020_06

    Monitor Traffic Manager web-based endpoints with HTTPS.

    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#description","title":"Description","text":"

    Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health. For web-based endpoints use HTTPS.

    If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint. This alone does not indicate that the endpoint is operational and ready to receive requests. Additionally when using HTTP and HTTPS, Traffic Manager check HTTP response codes.

    If HTTP is used, Traffic Manager will send unencrypted health checks to the endpoint. HTTPS-based health checks additionally check if a certificate is present, but do not validate if the certificate is valid.

    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#recommendation","title":"Recommendation","text":"

    Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.

    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#links","title":"Links","text":"
    • Data encryption in Azure
    • Traffic Manager endpoint monitoring
    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.VM.ADE/","title":"Use Azure Disk Encryption","text":"Azure.VM.ADEAZR-000252Error

    Security \u00b7 Virtual Machine \u00b7 2020_06

    Use Azure Disk Encryption (ADE).

    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#description","title":"Description","text":"

    Virtual machines (VMs) can be encrypted using ADE to protect disks with full disk encryption. Storage Service Encryption (SSE) is encryption as rest for Managed Disks and Storage Accounts. SSE automatically decrypts storage as it is read. Full disk encryption varies from SSE by decrypting disks on read within the operating system.

    ADE protects disk decryption keys within Key Vault.

    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#recommendation","title":"Recommendation","text":"

    Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.

    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#links","title":"Links","text":"
    • Data encryption in Azure
    • Creating and configuring a key vault for Azure Disk Encryption
    • Azure Disk Encryption scenarios on Windows VMs
    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VM.AMAAZR-000345Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2022_12

    Use Azure Monitor Agent for collecting monitoring data.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#description","title":"Description","text":"

    Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of virtual machines. Data collected gets delivered to Azure Monitor for use by features, insights and other services, such as Microsoft Defender for Cloud.

    Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#recommendation","title":"Recommendation","text":"

    Virtual Machines should install Azure Monitor Agent.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#examples","title":"Examples","text":"","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorWindowsAgent\",\n\"typeHandlerVersion\": \"1.0\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Bicep snippet
    param vmName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {\n  name: '${vmName}/AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#notes","title":"Notes","text":"

    The Azure Monitor Agent (AMA) itself does not include all configuration needed, additionally data collection rules and associations are required.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#links","title":"Links","text":"
    • Monitoring
    • Azure Monitor Agent overview
    • Azure deployment reference
    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.ASAlignment/","title":"Use aligned availability sets","text":"Azure.VM.ASAlignmentAZR-000254Error

    Reliability \u00b7 Virtual Machine \u00b7 2020_06

    Use availability sets aligned with managed disks fault domains.

    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#description","title":"Description","text":"

    Availability sets can be configured to align with managed disk fault domains. When aligned, the fault domain for storage is co-located with compute. Aligned availability sets help prevent compute and storage from a single VM spanning multiple fault domains.

    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#recommendation","title":"Recommendation","text":"

    Consider deploying VMs with managed disks into aligned availability sets.

    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#links","title":"Links","text":"
    • Availability sets
    • Managed disk integration with availability sets
    • Reliability checklist
    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASMinMembers/","title":"Use availability sets with at least two members","text":"Azure.VM.ASMinMembersAZR-000255Error

    Reliability \u00b7 Virtual Machine \u00b7 2020_06

    Availability sets should be deployed with at least two virtual machines (VMs).

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#description","title":"Description","text":"

    An availability set is a logical grouping of VMs that allows Azure to optimize the placement of VMs. Azure uses this grouping to separate VMs within the availablity set across fault and update domains. Each VM in your availability set is assigned an update domain and a fault domain. VMs in different update and fault domains is mapped to different underlying physical hardware. The reason for doing this is to improve reliability by removing some single points of failure.

    Deploy two or more VMs within an availability set to provide for a highly available application. There is no cost for the Availability Set itself, you only pay for each VM instance that you create.

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#recommendation","title":"Recommendation","text":"

    Consider deploying at least two VMs within an availability set to gain availability benefits.

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure (in-flight).

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#links","title":"Links","text":"
    • Reliability checklist
    • Availability sets overview
    • Availability options for virtual machines in Azure
    • Failure mode analysis
    • Tutorial: Create and deploy highly available virtual machines with Azure PowerShell
    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASName/","title":"Use valid Availability Set names","text":"Azure.VM.ASNameAZR-000256Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Availability Set names should meet naming requirements.

    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Availability Set names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Availability Set names must be unique within a resource group.
    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Availability Set naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#notes","title":"Notes","text":"

    This rule does not check if Availability Set names are unique.

    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/","title":"Use accelerated networking","text":"Azure.VM.AcceleratedNetworkingAZR-000244Error

    Performance Efficiency \u00b7 Virtual Machine \u00b7 2020_06

    Use accelerated networking for supported operating systems and VM types.

    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#description","title":"Description","text":"

    Enabling accelerated networking for a virtual machine (VM) greatly improves networking performance. Accelerated networking work by enabling single root I/O virtualization (SR-IOV) to a VM. SR-IOV reduces latency, jitter, and CPU utilization network demanding workloads.

    Accelerated networking is available for supported operating systems and VM types.

    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#recommendation","title":"Recommendation","text":"

    Consider enabling accelerated networking for supported operating systems and VM types.

    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#links","title":"Links","text":"
    • Create a Linux virtual machine with Accelerated Networking using Azure CLI
    • Create a Windows VM with accelerated networking using Azure PowerShell
    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.Agent/","title":"VM agent is provisioned automatically","text":"Azure.VM.AgentAZR-000246Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Ensure the VM agent is provisioned automatically.

    ","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#description","title":"Description","text":"

    The virtual machine (VM) agent is required for most functionality that interacts with the guest operating system.

    VM extensions help reduce management overhead by providing an entry point to bootstrap monitoring and configuration of the guest operating system. The VM agent is required to use any VM extensions.

    ","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#recommendation","title":"Recommendation","text":"

    Automatically provision the VM agent for all supported operating systems, this is the default.

    ","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.BasicSku/","title":"Avoid Basic VM SKU","text":"Azure.VM.BasicSkuAZR-000241Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Virtual machines (VMs) should not use Basic sizes.

    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#description","title":"Description","text":"

    VMs can be deployed in Basic or Standard sizes. Basic VM sizes are suitable only for entry level development scenarios.

    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#recommendation","title":"Recommendation","text":"

    Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.

    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#links","title":"Links","text":"
    • Sizes for Windows virtual machines in Azure
    • Sizes for Linux virtual machines in Azure
    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.ComputerName/","title":"Use valid VM computer names","text":"Azure.VM.ComputerNameAZR-000249Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Virtual Machine (VM) computer name should meet naming requirements.

    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#description","title":"Description","text":"

    When configuring Azure VMs the assigned computer name must meet operation system (OS) requirements.

    The requirements for Windows VMs are:

    • Between 1 and 15 characters long.
    • Alphanumerics, and hyphens.
    • Can not include only numbers.

    The requirements for Linux VMs are:

    • Between 1 and 64 characters long.
    • Alphanumerics, periods, and hyphens.
    • Start with alphanumeric.
    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#recommendation","title":"Recommendation","text":"

    Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.

    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#notes","title":"Notes","text":"

    VM resource names have different naming restrictions. See Azure.VM.Name for details.

    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.DiskAttached/","title":"Remove unused managed disks","text":"Azure.VM.DiskAttachedAZR-000250Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 2020_06

    Managed disks should be attached to virtual machines or removed.

    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#description","title":"Description","text":"

    Unattached managed disks are charged but not in use. Unattached managed disks still consume storage and are charged on their size.

    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#recommendation","title":"Recommendation","text":"

    Consider removing managed disks that are no longer required to reduce complexity and costs.

    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#links","title":"Links","text":"
    • Managed Disk pricing
    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskCaching/","title":"Configure host caching","text":"Azure.VM.DiskCachingAZR-000242Error

    Performance Efficiency \u00b7 Virtual Machine \u00b7 2020_06

    Check disk caching is configured correctly for the workload.

    ","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#description","title":"Description","text":"

    Check disk caching is configured correctly for the workload.

    ","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#recommendation","title":"Recommendation","text":"

    Check disk caching is configured correctly for the workload.

    ","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskName/","title":"Use valid Managed Disk names","text":"Azure.VM.DiskNameAZR-000253Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Managed Disk names should meet naming requirements.

    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Managed Disk names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Managed Disk names must be unique within a resource group.
    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#notes","title":"Notes","text":"

    This rule does not check if Managed Disk names are unique.

    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/","title":"Allocate VM disks aligned to billing model","text":"Azure.VM.DiskSizeAlignmentAZR-000251Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 2020_06

    Align to the Managed Disk billing model to improve cost efficiency.

    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#description","title":"Description","text":"

    Managed disk is smaller than SKU size.

    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#recommendation","title":"Recommendation","text":"

    Consider resizing or optimizing storage to reduce waste by using disk sizes that align to the billing model for Managed Disks. Also consider, sizing and striping disks to optimize performance.

    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#links","title":"Links","text":"
    • Managed Disks pricing
    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.VM.MaintenanceConfigAZR-000375Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2023_06

    Use a maintenance configuration for virtual machines.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#description","title":"Description","text":"

    Virtual machines can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#recommendation","title":"Recommendation","text":"

    Consider automatically managing and applying operating system updates by associating a maintenance configuration.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Maintenance/configurationAssignments\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('assignmentName')]\",\n\"location\": \"[parameters('location')]\",\n\"scope\": \"[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]\",\n\"properties\": {\n\"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Bicep snippet
    resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: vm\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n
    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#notes","title":"Notes","text":"

    Operating system updates with Update Managment center is a preview feature. Not all operating systems are supported, check out the LINKS section for more information. Update management center doesn't support driver updates.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#links","title":"Links","text":"
    • Repeatable infrastructure
    • About Update management center
    • How to programmatically manage updates for Azure VMs
    • Manage Update configuration settings
    • Supported operating systems
    • Azure deployment reference
    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VM.MigrateAMAAZR-000317Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2022_12

    Use Azure Monitor Agent as replacement for Log Analytics Agent.

    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#description","title":"Description","text":"

    The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your VMs and servers in Azure. The Azure Monitor agent provdes the following benefits over legacy agents:

    • Security and performance
      • Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).
      • A higher events-per-second (EPS) upload rate.
    • Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:
      • DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.
      • With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.
    • Simpler management of data collection, including ease of troubleshooting:
      • Easy multihoming on Windows and Linux.
      • Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.
      • Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.
    • A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#recommendation","title":"Recommendation","text":"

    Virtual Machines should migrate to Azure Monitor Agent.

    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorWindowsAgent\",\n\"typeHandlerVersion\": \"1.0\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Bicep snippet
    param vmName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {\n  name: '${vmName}/AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#links","title":"Links","text":"
    • Monitoring
    • Log Analytics agent retiring
    • Migrate to Azure Monitor Agent from Log Analytics Agent
    • Azure deployment reference
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.NICAttached/","title":"Attach NIC or clean up","text":"Azure.VM.NICAttachedAZR-000257Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Network interfaces (NICs) should be attached.

    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICAttached/#description","title":"Description","text":"

    Network interfaces (NICs) are used to attach services to a virtual network. Each NIC is deployed as a separate resource, however are intended to be used with a related service. A NIC that is not attached to a related service perform no purpose.

    Example of services that use NICs include:

    • Virtual Machines
    • Private Endpoints
    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICAttached/#recommendation","title":"Recommendation","text":"

    Consider cleaning up NICs that are not required to reduce management complexity. Also consider using Resource Groups to help manage the lifecycle of related resources together.

    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICAttached/#links","title":"Links","text":"
    • Azure deployment reference
    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICName/","title":"Use valid NIC names","text":"Azure.VM.NICNameAZR-000259Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Network Interface (NIC) names should meet naming requirements.

    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Network Interface names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • NIC names must be unique within a resource group.
    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#notes","title":"Notes","text":"

    This rule does not check if Network Interface names are unique.

    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.Name/","title":"Use valid VM names","text":"Azure.VM.NameAZR-000248Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Virtual Machine (VM) names should meet naming requirements.

    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for VM names are:

    • Between 1 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VM names must be unique within a resource group.
    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.

    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#notes","title":"Notes","text":"

    This rule does not check if VM names are unique. Additionally, VM computer names have additional restrictions. See Azure.VM.ComputerName for details.

    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.PPGName/","title":"Use valid PPG names","text":"Azure.VM.PPGNameAZR-000260Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Proximity Placement Group (PPG) names should meet naming requirements.

    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for placement groups names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start and end with alphanumeric.
    • PPG names must be unique within a resource group.
    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#notes","title":"Notes","text":"

    This rule does not check if Proximity Placement Group names are unique.

    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PromoSku/","title":"Use current VM SKUs","text":"Azure.VM.PromoSkuAZR-000240Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 2020_06

    Virtual machines (VMs) should not use expired promotional SKU.

    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#description","title":"Description","text":"

    Some VM sizes may offer promotional rates that can be used by deploying VMs with a designated SKU. Promotional rates expire, and while this does not cause interruption to running VMs, the rate that VMs are billed at returns to the original price.

    Promo SKUs are not eligible for savings from reserved instances. Expired promo SKUs may confuse billing reconciliation when the promotional period expires.

    VMs should not use expired promo SKU.

    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#recommendation","title":"Recommendation","text":"

    Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Consider moving from promotional SKUs to the regular SKU once the promotional period has expired.

    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#links","title":"Links","text":"
    • Virtual Machine pricing
    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PublicKey/","title":"Use public keys for Linux","text":"Azure.VM.PublicKeyAZR-000245Error

    Security \u00b7 Virtual Machine \u00b7 2020_06

    Linux virtual machines should use public keys.

    ","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#description","title":"Description","text":"

    Linux virtual machines support either password or public key based authentication for the default administrator account.

    ","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#recommendation","title":"Recommendation","text":"

    Consider using public key based authentication instead of passwords.

    ","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.SQLServerDisk/","title":"Configure Premium disks or above","text":"Azure.VM.SQLServerDiskAZR-000324Error

    Performance Efficiency \u00b7 Virtual Machine \u00b7 2022_12

    Use Premium SSD disks or greater for data and log files for production SQL Server workloads.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#description","title":"Description","text":"

    Use premium SSD disks or greater for data and log files for production SQL Server workloads.

    This is an advanced topic with many considerations, so we highly suggest to follow the LINKS section for more around this with aligned and up-to-date documentation.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#recommendation","title":"Recommendation","text":"

    Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#examples","title":"Examples","text":"","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Machines that pass this rule:

    • Set the properties.storageProfile.osDisk.managedDisk.storageAccountType property to Premium_LRS or greater.
    • Configure each data disk included in properties.storageProfile.dataDisks to use Premium_LRS or greater by setting the property managedDisk.storageAccountType.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('virtualMachineName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"[parameters('virtualMachineSize')]\"\n},\n\"storageProfile\": {\n\"osDisk\": {\n\"createOption\": \"FromImage\",\n\"managedDisk\": {\n\"storageAccountType\": \"Premium_LRS\"\n},\n\"diskSizeGB\": 127\n},\n\"imageReference\": {\n\"publisher\": \"MicrosoftSQLServer\",\n\"offer\": \"SQL2019-WS2019\",\n\"sku\": \"Enterprise\",\n\"version\": \"latest\"\n},\n\"dataDisks\": [\n{\n\"lun\": 0,\n\"caching\": \"ReadOnly\",\n\"createOption\": \"Empty\",\n\"writeAcceleratorEnabled\": false,\n\"managedDisk\": {\n\"storageAccountType\": \"UltraSSD_LRS\"\n},\n\"diskSizeGB\": 1023\n}\n]\n},\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n}\n]\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('virtualMachineName')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\",\n\"windowsConfiguration\": {\n\"enableAutomaticUpdates\": true,\n\"provisionVMAgent\": true\n}\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n]\n}\n
    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Machines that pass this rule:

    • Set the properties.storageProfile.osDisk.managedDisk.storageAccountType property to Premium_LRS or greater.
    • Configure each data disk included in properties.storageProfile.dataDisks to use Premium_LRS or greater by setting the property managedDisk.storageAccountType.

    For example:

    Azure Bicep snippet
    resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: virtualMachineName\n  location: location\n  properties: {\n    hardwareProfile: {\n      vmSize: virtualMachineSize\n    }\n    storageProfile: {\n      osDisk: {\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n        diskSizeGB: 127\n      }\n      imageReference: {\n        publisher: 'MicrosoftSQLServer'\n        offer: 'SQL2019-WS2019'\n        sku: 'Enterprise'\n        version: 'latest'\n      }\n      dataDisks: [\n        {\n          lun: 0\n          caching: 'ReadOnly'\n          createOption: 'Empty'\n          writeAcceleratorEnabled: false\n          managedDisk: {\n            storageAccountType: 'UltraSSD_LRS'\n          }\n          diskSizeGB: 1023\n        }\n      ]\n    }\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: networkInterface.id\n        }\n      ]\n    }\n    osProfile: {\n      computerName: virtualMachineName\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n      windowsConfiguration: {\n        enableAutomaticUpdates: true\n        provisionVMAgent: true\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#notes","title":"Notes","text":"

    This rule is only applicable for OS disk and data disks configured with the property properties.storageProfile.osDisk.managedDisk.storageAccountType and the property properties.storageProfile.dataDisks.managedDisk.storageAccountType.

    Resources declarations can therefore pass the rule which are using not using Premium disks or above.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#links","title":"Links","text":"
    • Design for performance
    • Performance best practices for SQL Server on Azure VMs
    • Azure deployment reference
    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine","text":"Azure.VM.ScriptExtensionsAZR-000332Error

    Security \u00b7 Virtual Machine \u00b7 2022_12

    Custom Script Extensions scripts that reference secret values must use the protectedSettings.

    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#description","title":"Description","text":"

    Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.

    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#recommendation","title":"Recommendation","text":"

    Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.

    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#examples","title":"Examples","text":"","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy VM extensions that pass this rule:

    • Set any secure values within properties.protectedSettings.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n\"name\": \"installcustomscript\",\n\"apiVersion\": \"2015-06-15\",\n\"location\": \"australiaeast\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Extensions\",\n\"type\": \"CustomScript\",\n\"typeHandlerVersion\": \"2.0\",\n\"autoUpgradeMinorVersion\": true,\n\"protectedSettings\": {\n\"commandToExecute\": \"Write-Output 'hello-world'\"\n}\n}\n}\n
    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VM extensions that pass this rule:

    • Set any secure values within properties.protectedSettings.
    Azure Bicep snippet
    resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {\n  name: 'installcustomscript'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Extensions'\n    type: 'CustomScript'\n    typeHandlerVersion: '2.0'\n    autoUpgradeMinorVersion: true\n    protectedSettings: {\n        commandToExecute: 'Write-Output \"hello-world\"'\n    }\n  }\n}\n
    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#links","title":"Links","text":"
    • Secure application configuration and dependencies
    • Azure deployment reference
    • Windows Custom Script Extensions
    • Linux Custom Script Extensions
    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/","title":"VMs should not be stopped state","text":"Azure.VM.ShouldNotBeStoppedAZR-000351Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 2023_03

    Azure VMs should be running or in a deallocated state.

    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#description","title":"Description","text":"

    Azure Virtual Machines in a stopped state are still billed hourly for compute usage. Therefor VMs should generally be in a deallocated or running state.

    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#recommendation","title":"Recommendation","text":"

    Consider fully deallocating VMs instead of stopping VMs to reduce cost.

    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#links","title":"Links","text":"
    • Shut down underutilized instances
    • States and billing status of Azure Virtual Machines
    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.Standalone/","title":"Standalone Virtual Machine","text":"Azure.VM.StandaloneAZR-000239Error

    Reliability \u00b7 Virtual Machine \u00b7 2020_06

    Use VM features to increase reliability and improve covered SLA for VM configurations.

    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#description","title":"Description","text":"

    All VM configurations within Azure offer an SLA. However, the SLA provided and the overall availability of the system varies depending on the configuration.

    First, consider performing a Failure Mode Analysis (FMA) of the system. A FMA is the process of analyzing the system to determine the possible failure points.

    For Virtual Machines (VMs), running a single instance is often a single point of failure. In many but not all cases, the number of VMs can be increased to add redundancy to the system. Taking advantage of some of the features of Azure can further increase the availability of the system.

    • Availability Zones (AZ) - is a physically separate zone, within an Azure region. Each Availability Zone has a distinct power source, network, and cooling.
    • Availability Sets - is a logical grouping of VMs that allows Azure to understand how your application is built. By understanding the distinct tiers of the application, Azure can better organize compute and storage to improve availability.
    • Solid State Storage (SSD) Disks - high performance block-level storage with three replicas of your data.
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.

    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#examples","title":"Examples","text":"","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy VMs that pass this rule with on of the following:

    • Deploy the VM in an Availability Set by specifying properties.availabilitySet.id in code.
    • Deploy the VM in an Availability Zone by specifying zones with 1, 2, or 3 in code.
    • Deploy the VM using only premium disks for OS and data disks by specifying storageAccountType as Premium_LRS.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"zones\": [\n\"1\"\n],\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"Standard_D2s_v3\"\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('name')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\"\n},\n\"storageProfile\": {\n\"imageReference\": {\n\"publisher\": \"MicrosoftWindowsServer\",\n\"offer\": \"WindowsServer\",\n\"sku\": \"[parameters('sku')]\",\n\"version\": \"latest\"\n},\n\"osDisk\": {\n\"name\": \"[format('{0}-disk0', parameters('name'))]\",\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\",\n\"managedDisk\": {\n\"storageAccountType\": \"Premium_LRS\"\n}\n}\n},\n\"licenseType\": \"Windows_Server\",\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n}\n]\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n]\n}\n
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VMs that pass this rule with on of the following:

    • Deploy the VM in an Availability Set by specifying properties.availabilitySet.id in code.
    • Deploy the VM in an Availability Zone by specifying zones with 1, 2, or 3 in code.
    • Deploy the VM using only premium disks for OS and data disks by specifying storageAccountType as Premium_LRS.

    For example:

    Azure Bicep snippet
    resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#links","title":"Links","text":"
    • Meet application platform requirements
    • Virtual Machine SLA
    • Availability options for virtual machines in Azure
    • Manage the availability of Windows virtual machines in Azure
    • Manage the availability of Linux virtual machines
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.UniqueDns/","title":"NICs with custom DNS settings","text":"Azure.VM.UniqueDnsAZR-000258Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Network interfaces (NICs) should inherit DNS from virtual networks.

    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.UniqueDns/#description","title":"Description","text":"

    By default Virtual machine (VM) NICs automatically use a DNS configuration inherited from the virtual network they connect to. Optionally, DNS servers can be overridden on a per NIC basis with a custom configuration.

    Using network interfaces with individual DNS server settings may increase management overhead and complexity.

    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.UniqueDns/#recommendation","title":"Recommendation","text":"

    Consider updating NIC DNS server settings to inherit from virtual network.

    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.UniqueDns/#links","title":"Links","text":"
    • Change DNS servers.
    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.Updates/","title":"Automatic updates are enabled","text":"Azure.VM.UpdatesAZR-000247Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 2020_06

    Ensure automatic updates are enabled at deployment.

    ","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#description","title":"Description","text":"

    Window virtual machines (VMs) have automatic updates turned on at deployment time by default. The option can be enabled/ disabled at deployment time or updated for VM scale sets.

    Enabling this option does not prevent automatic updates being disabled or reconfigured within the operating system after deployment.

    ","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#recommendation","title":"Recommendation","text":"

    Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.

    ","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/","title":"Use Azure Hybrid Benefit","text":"Azure.VM.UseHybridUseBenefitAZR-000243Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 2020_06

    Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.

    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#description","title":"Description","text":"

    Azure Hybrid Benefit is a licensing benefit that helps you to reduce costs of running virtual machine (VM) workloads.

    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#recommendation","title":"Recommendation","text":"

    Consider using Azure Hybrid Benefit for eligible workloads.

    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#examples","title":"Examples","text":"","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy VMs that pass this rule:

    • Set the properties.licenseType property to one of the following:
      • Windows_Server
      • Windows_Client

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"Standard_D2s_v3\"\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('name')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\"\n},\n\"storageProfile\": {\n\"imageReference\": {\n\"publisher\": \"MicrosoftWindowsServer\",\n\"offer\": \"WindowsServer\",\n\"sku\": \"[parameters('sku')]\",\n\"version\": \"latest\"\n},\n\"osDisk\": {\n\"name\": \"[format('{0}-disk0', parameters('name'))]\",\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n}\n},\n\"licenseType\": \"Windows_Server\",\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n}\n]\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n]\n}\n
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VMs that pass this rule:

    • Set the properties.licenseType property to one of the following:
      • Windows_Server
      • Windows_Client

    For example:

    Azure Bicep snippet
    resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {\n  name: name\n  location: location\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az vm update -n '<name>' -g '<resource_group>' --set licenseType=Windows_Server\n
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#links","title":"Links","text":"
    • Azure Hybrid Benefit FAQ
    • Azure Hybrid Benefit for Windows Server
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseManagedDisks/","title":"Use Managed Disks","text":"Azure.VM.UseManagedDisksAZR-000238Error

    Reliability \u00b7 Virtual Machine \u00b7 2020_06

    Virtual machines (VMs) should use managed disks.

    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#description","title":"Description","text":"

    VMs can be configured with un-managed or managed disks. Un-managed disks, are .vhd files stored on a Storage Account that you manage as files. Managed disks allow you to managed the VM disk and the Storage Account is managed by Microsoft.

    Managed disks are the successor to un-managed disks and provide an number of additional features. Using managed disks reduces management of VM storage, improves durability and availability of VMs.

    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#recommendation","title":"Recommendation","text":"

    Consider using managed disks for virtual machine storage.

    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#links","title":"Links","text":"
    • Introduction to Azure managed disks
    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VMSS.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VMSS.AMAAZR-000346Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 2022_12

    Use Azure Monitor Agent for collecting monitoring data.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#description","title":"Description","text":"

    Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of virtual machines in virtual machine scale sets. Data collected gets delivered to Azure Monitor for use by features, insights and other services, such as Microsoft Defender for Cloud.

    Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#recommendation","title":"Recommendation","text":"

    Consider monitoring Virtual Machine Scale Sets using the Azure Monitor Agent.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\",\n\"defaultValue\": \"vmss-01\"\n},\n\"location\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[parameters('vmssName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"b2ms\",\n\"tier\": \"Standard\",\n\"capacity\": 1\n},\n\"properties\": {\n\"overprovision\": true,\n\"upgradePolicy\": {\n\"mode\": \"Automatic\"\n},\n\"singlePlacementGroup\": true,\n\"platformFaultDomainCount\": 3,\n\"virtualMachineProfile\": {\n\"extensionProfile\": {\n\"extensions\": [\n{\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"properties\": {\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true,\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\"\n}\n}\n]\n},\n\"storageProfile\": {\n\"osDisk\": {\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n},\n\"imageReference\": {\n\"publisher\": \"microsoft-aks\",\n\"offer\": \"aks\",\n\"sku\": \"aks-ubuntu-1804-202208\",\n\"version\": \"2022.08.29\"\n}\n},\n\"osProfile\": {\n\"adminUsername\": \"azureuser\",\n\"computerNamePrefix\": \"vmss-01\",\n\"linuxConfiguration\": {\n\"disablePasswordAuthentication\": true\n},\n\"provisionVMAgent\": true,\n\"ssh\": {\n\"publicKeys\": [\n{\n\"path\": \"/home/azureuser/.ssh/authorized_keys\"\n}\n]\n}\n},\n\"networkProfile\": {\n\"networkInterfaceConfigurations\": [\n{\n\"name\": \"vmss-001\",\n\"properties\": {\n\"primary\": true,\n\"enableAcceleratedNetworking\": true,\n\"networkSecurityGroup\": {\n\"id\": 
\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n},\n\"ipConfigurations\": [\n{\n\"name\": \"ipconfig1\",\n\"properties\": {\n\"primary\": true,\n\"subnet\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n},\n\"privateIPAddressVersion\": \"IPv4\",\n\"loadBalancerBackendAddressPools\": [\n{\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n}\n]\n}\n}\n]\n}\n}\n]\n}\n}\n}\n}\n]\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n             
 ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#notes","title":"Notes","text":"

    The Azure Monitor Agent (AMA) itself does not include all configuration needed, additionally data collection rules and associations are required.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#links","title":"Links","text":"
    • Monitoring
    • Azure Monitor Agent overview
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.ComputerName/","title":"Use valid VMSS computer names","text":"Azure.VMSS.ComputerNameAZR-000262Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 2020_06

    Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.

    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#description","title":"Description","text":"

    When configuring Azure VMSS the assigned computer name prefix must meet operation system (OS) requirements.

    The requirements for Windows VM instances are:

    • Between 1 and 15 characters long.
    • Alphanumerics, and hyphens.
    • Can not include only numbers.

    The requirements for Linux VM instances are:

    • Between 1 and 64 characters long.
    • Alphanumerics, periods, and hyphens.
    • Start with alphanumeric.
    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#recommendation","title":"Recommendation","text":"

    Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.

    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#notes","title":"Notes","text":"

    VMSS resource names have different naming restrictions. See Azure.VMSS.Name for details.

    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VMSS.MigrateAMAAZR-000318Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 2022_12

    Use Azure Monitor Agent as replacement for Log Analytics Agent.

    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#description","title":"Description","text":"

    The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your virtual machine scale sets. The Azure Monitor agent provdes the following benefits over legacy agents:

    • Security and performance
      • Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).
      • A higher events-per-second (EPS) upload rate.
    • Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:
      • DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.
      • With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.
    • Simpler management of data collection, including ease of troubleshooting:
      • Easy multihoming on Windows and Linux.
      • Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.
      • Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.
    • A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#recommendation","title":"Recommendation","text":"

    Virtual Machine Scale Sets should migrate to Azure Monitor Agent.

    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\",\n\"defaultValue\": \"vmss-01\"\n},\n\"location\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[parameters('vmssName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"b2ms\",\n\"tier\": \"Standard\",\n\"capacity\": 1\n},\n\"properties\": {\n\"overprovision\": true,\n\"upgradePolicy\": {\n\"mode\": \"Automatic\"\n},\n\"singlePlacementGroup\": true,\n\"platformFaultDomainCount\": 3,\n\"virtualMachineProfile\": {\n\"extensionProfile\": {\n\"extensions\": [\n{\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"properties\": {\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true,\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\"\n}\n}\n]\n},\n\"storageProfile\": {\n\"osDisk\": {\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n},\n\"imageReference\": {\n\"publisher\": \"microsoft-aks\",\n\"offer\": \"aks\",\n\"sku\": \"aks-ubuntu-1804-202208\",\n\"version\": \"2022.08.29\"\n}\n},\n\"osProfile\": {\n\"adminUsername\": \"azureuser\",\n\"computerNamePrefix\": \"vmss-01\",\n\"linuxConfiguration\": {\n\"disablePasswordAuthentication\": true\n},\n\"provisionVMAgent\": true,\n\"ssh\": {\n\"publicKeys\": [\n{\n\"path\": \"/home/azureuser/.ssh/authorized_keys\"\n}\n]\n}\n},\n\"networkProfile\": {\n\"networkInterfaceConfigurations\": [\n{\n\"name\": \"vmss-001\",\n\"properties\": {\n\"primary\": true,\n\"enableAcceleratedNetworking\": true,\n\"networkSecurityGroup\": {\n\"id\": 
\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n},\n\"ipConfigurations\": [\n{\n\"name\": \"ipconfig1\",\n\"properties\": {\n\"primary\": true,\n\"subnet\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n},\n\"privateIPAddressVersion\": \"IPv4\",\n\"loadBalancerBackendAddressPools\": [\n{\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n}\n]\n}\n}\n]\n}\n}\n]\n}\n}\n}\n}\n]\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n             
 ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#links","title":"Links","text":"
    • Monitoring
    • Log Analytics agent retiring
    • Migrate to Azure Monitor Agent from Log Analytics Agent
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.Name/","title":"Use valid VMSS names","text":"Azure.VMSS.NameAZR-000261Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 2020_06

    Virtual Machine Scale Set (VMSS) names should meet naming requirements.

    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for VMSS names are:

    • Between 1 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VM names must be unique within a resource group.
    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.

    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#notes","title":"Notes","text":"

    This rule does not check if VMSS names are unique. Additionally, VMSS computer names have additional restrictions. See Azure.VMSS.ComputerName for details.

    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.PublicKey/","title":"Disable password authentication","text":"Azure.VMSS.PublicKeyAZR-000288Error

    Security \u00b7 Virtual Machine Scale Sets \u00b7 2022_09

    Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.

    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#description","title":"Description","text":"

    Linux virtual machine scale sets should have password authentication disabled to help with eliminating password-based attacks.

    A common tactic observed used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks.

    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#recommendation","title":"Recommendation","text":"

    Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.

    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#examples","title":"Examples","text":"","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an virtual machine scale set that pass this rule:

    • Set properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n\"apiVersion\": \"2021-11-01\",\n\"name\": \"vmss-01\",\n\"location\": \"[resourceGroup().location]\",\n\"sku\": {\n\"name\": \"b2ms\",\n\"tier\": \"Standard\",\n\"capacity\": 1\n},\n\"properties\": {\n\"overprovision\": true,\n\"upgradePolicy\": {\n\"mode\": \"Automatic\"\n},\n\"singlePlacementGroup\": true,\n\"platformFaultDomainCount\": 3,\n\"virtualMachineProfile\": {\n\"storageProfile\": {\n\"osDisk\": {\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n},\n\"imageReference\": {\n\"publisher\": \"microsoft-aks\",\n\"offer\": \"aks\",\n\"sku\": \"aks-ubuntu-1804-202208\",\n\"version\": \"2022.08.29\"\n}\n},\n\"osProfile\": {\n\"adminUsername\": \"azureuser\",\n\"computerNamePrefix\": \"vmss-01\",\n\"linuxConfiguration\": {\n\"disablePasswordAuthentication\": true\n},\n\"provisionVMAgent\": true,\n\"ssh\": {\n\"publicKeys\": [\n{\n\"path\": \"/home/azureuser/.ssh/authorized_keys\"\n}\n]\n}\n},\n\"networkProfile\": {\n\"networkInterfaceConfigurations\": [\n{\n\"name\": \"vmss-001\",\n\"properties\": {\n\"primary\": true,\n\"enableAcceleratedNetworking\": true,\n\"networkSecurityGroup\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n},\n\"ipConfigurations\": [\n{\n\"name\": \"ipconfig1\",\n\"properties\": {\n\"primary\": true,\n\"subnet\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n},\n\"privateIPAddressVersion\": \"IPv4\",\n\"loadBalancerBackendAddressPools\": [\n{\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n}\n]\n}\n}\n]\n}\n}\n]\n}\n}\n}\n}\n
    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an virtual machine scale set that pass this rule:

    • Set properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication to true.

    For example:

    Azure Bicep snippet
    resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = {\n  name: 'vmss-01'\n  location: resourceGroup().location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }    \n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n          }\n          provisionVMAgent: true\n          ssh: {\n            publicKeys: [\n              {\n                path: '/home/azureuser/.ssh/authorized_keys'\n              }\n            ]\n          }\n        }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n               
     loadBalancerBackendAddressPools: [\n                      {\n                        id:  '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#links","title":"Links","text":"
    • Identity and access management
    • Azure security baseline for Linux Virtual Machines
    • Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure
    • Azure deployment reference
    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets","text":"Azure.VMSS.ScriptExtensionsAZR-000333Error

    Security \u00b7 Virtual Machine Scale Sets \u00b7 2022_12

    Custom Script Extensions scripts that reference secret values must use the protectedSettings.

    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#description","title":"Description","text":"

    Virtual Machines Scale Sets support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.

    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#recommendation","title":"Recommendation","text":"

    Consider specifying secure values within properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.

    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#examples","title":"Examples","text":"

    To deploy VMSS extensions that pass this rule:

    • Set any secure values within properties.extensionProfile.extensions.protectedSettings
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet
    \"extensionProfile\": {\n\"extensions\": [\n{\n\"name\": \"customScript\",\n\"properties\": {\n\"publisher\": \"Microsoft.Compute\",\n\"protectedSettings\": {\n\"commandToExecute\": \"Write-Output 'example'\"\n},\n\"typeHandlerVersion\": \"1.8\",\n\"autoUpgradeMinorVersion\": true,\n\"type\": \"CustomScriptExtension\"\n}\n}\n]\n}\n
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VMSS extensions that pass this rule:

    • Set any secure values within properties.extensionProfile.extensions.protectedSettings
    Azure Bicep snippet
    extensionProfile: {\n  extensions: [\n    {\n      name: 'customScript'\n      properties: {\n        publisher: 'Microsoft.Compute'\n        protectedSettings: {\n          commandToExecute: 'Write-Output \"example\"'\n        },\n        typeHandlerVersion: '1.8'\n        autoUpgradeMinorVersion: true\n        type: 'CustomScriptExtension'\n      }\n    }\n  ]\n}\n
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#links","title":"Links","text":"
    • Secure application configuration and dependencies
    • Azure deployment reference
    • Azure VMSS Extensions Overview
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VNET.BastionSubnet/","title":"Configure VNETs with a AzureBastionSubnet subnet","text":"Azure.VNET.BastionSubnetAZR-000314Error

    Reliability \u00b7 Virtual Network \u00b7 2022_12

    VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.

    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#description","title":"Description","text":"

    Azure Bastion lets you securely connect to a virtual machine using your browser or native SSH/RDP client on Windows workstations or the Azure portal. An Azure Bastion host is deployed inside an Azure Virtual Network and can access virtual machines in the virtual network (VNet), or virtual machines in peered VNets.

    Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs), without any exposure through public IP addresses.

    This is a recommended pattern for virtual machine remote access.

    Adding Azure Bastion in your configuration adds the following benefits:

    • Added resiliency (out of band remote access).
    • Negates the need for hybrid connectivity.
    • Provides an extra layer of control. It enables secure and seamless RDP/SSH connectivity to your VMs directly from the Azure portal or native client in preview over a secure TLS channel.
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#recommendation","title":"Recommendation","text":"

    Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.

    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureBastionSubnet defined in properties.subnets.

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2023-05-01\",\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\"10.0.0.0/16\"]\n},\n\"subnets\": [\n{\n\"name\": \"GatewaySubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.0.0/27\"\n}\n},\n{\n\"name\": \"AzureBastionSubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.64/26\"\n}\n}\n]\n}\n}\n

    To deploy Virtual Networks with a subnet sub-resource that pass this rule:

    • Configure an AzureBastionSubnet sub-resource.

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2023-05-01\",\n\"type\": \"Microsoft.Network/virtualNetworks/subnets\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'AzureBastionSubnet')]\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.64/26\"\n},\n\"dependsOn\": [\"[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]\"]\n}\n
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureBastionSubnet defined in properties.subnets.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureBastionSubnet'\n        properties: {\n          addressPrefix: '10.0.1.64/26'\n        }\n      }\n    ]\n  }\n}\n

    To deploy Virtual Networks with a subnet sub-resource that pass this rule:

    • Configure an AzureBastionSubnet sub-resource.

    For example:

    Azure Bicep snippet
    resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {\n  name: 'AzureBastionSubnet'\n  parent: vnet\n  properties: {\n    addressPrefix: '10.0.1.64/26'\n  }\n}\n
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#links","title":"Links","text":"
    • Best practices
    • Plan for virtual machine remote access
    • Hub-spoke network topology in Azure
    • What is Azure Bastion?
    • Azure VNET deployment reference
    • Azure subnet deployment reference
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/","title":"Configure VNETs with a AzureFirewallSubnet subnet","text":"Azure.VNET.FirewallSubnetAZR-000322Error

    Security \u00b7 Virtual Network \u00b7 2022_12

    Use Azure Firewall to filter network traffic to and from Azure resources.

    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#description","title":"Description","text":"

    Network segmentation is a key component of a secure network architecture. Azure provides several features that work together to provide strong network segmentation controls.

    Azure Firewall is a cloud native stateful Firewall as a service. It can be used to perform deep packet inspection on both east-west and north-south traffic. Firewall rules can be defined as policies and centrally managed.

    Some key advantages that Azure Firewall has over traditional solutions include:

    • Azure Firewall integrates directly with Virtual Network (VNET) and subnet level security. Supports Azure concepts that minimize the need for complex network configuration such as service/FQDN tags and load balancing.
    • Managed by Azure, there is no need to deploy additional management infrastructure or consoles.
    • Built-in support for Infrastructure as Code (IaC), version control, and DevOps.

    For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).

    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#recommendation","title":"Recommendation","text":"

    Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.

    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureFirewallSubnet defined in properties.subnets.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"subnets\": [\n{\n\"name\": \"GatewaySubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.0.0/27\"\n}\n},\n{\n\"name\": \"AzureFirewallSubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.0/26\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureFirewallSubnet defined in properties.subnets.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureFirewallSubnet'\n        properties: {\n          addressPrefix: '10.0.1.0/26'\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#links","title":"Links","text":"
    • Azure features for segmentation
    • Hub-spoke network topology in Azure
    • Define an Azure network topology
    • What is Azure Firewall?
    • Azure VNET deployment reference
    • Azure subnet deployment reference
    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.LocalDNS/","title":"Use local DNS servers","text":"Azure.VNET.LocalDNSAZR-000265Error

    Reliability \u00b7 Virtual Network \u00b7 2020_06

    Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.

    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#description","title":"Description","text":"

    Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.

    When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.

    Avoid taking a dependency on external DNS servers for local communication such as those deployed on-premises. This can be achieved by using DNS services deployed into the same Azure region.

    Where possible consider deploying:

    • Azure DNS Private Resolver.
    • Azure Private DNS Zones.

    Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.

    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#recommendation","title":"Recommendation","text":"

    Consider deploying redundant DNS services within a connected Azure VNET.

    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to the IP addresses of DNS servers deployed within the same or a peered VNET in Azure. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"dhcpOptions\": {\n\"dnsServers\": [\n\"10.0.1.4\",\n\"10.0.1.5\"\n]\n}\n}\n}\n
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to the IP addresses of DNS servers deployed within the same or a peered VNET in Azure. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure (in-flight).

    When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:

    • Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
    • Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.

    When you do this, this rule may report a false positive by default. If you are using this configuration, we recommend you set the configuration option AZURE_VNET_DNS_WITH_IDENTITY to true.

    For example:

    configuration:\nAZURE_VNET_DNS_WITH_IDENTITY: true\n
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#links","title":"Links","text":"
    • Understand the impact of dependencies
    • Hub-spoke network topology in Azure
    • Azure landing zone conceptual architecture
    • What is Azure DNS Private Resolver?
    • What is Azure Private DNS?
    • Azure deployment reference
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.Name/","title":"Use valid VNET names","text":"Azure.VNET.NameAZR-000268Error

    Operational Excellence \u00b7 Virtual Network \u00b7 2020_06

    Virtual Network (VNET) names should meet naming requirements.

    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Virtual Network names are:

    • Between 2 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VNET names must be unique within a resource group.
    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#notes","title":"Notes","text":"

    This rule does not check if Virtual Network names are unique.

    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.PeerState/","title":"VNET peer is not connected","text":"Azure.VNET.PeerStateAZR-000266Error

    Operational Excellence \u00b7 Virtual Network \u00b7 2020_06

    VNET peering connections must be connected.

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#description","title":"Description","text":"

    When peering virtual networks, a peering connection must be established from both virtual networks. Only once both peering connections are in the Connected state will traffic be allowed to flow between the virtual networks.

    Connections in the Initiated or Disconnected state should be investigated to determine if the connection is required. When the connection is no longer required, it should be removed to prevent confusion during management and monitoring operations.

    Most customers will use a hub and spoke topology to connect virtual networks. For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#recommendation","title":"Recommendation","text":"

    Consider removing peering connections that are no longer required, or completing peering connections that are still needed so that both sides reach the Connected state.

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#examples","title":"Examples","text":"","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual networks that pass this rule:

    • Create a peering connection from the spoke to the hub. AND
    • Create a peering connection from the hub to the spoke.

    For example a peering connection from a spoke to a hub:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[format('{0}/{1}', parameters('spokeName'), format('peer-to-{0}', parameters('hubName')))]\",\n\"properties\": {\n\"remoteVirtualNetwork\": {\n\"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('hubName'))]\"\n},\n\"allowVirtualNetworkAccess\": true,\n\"allowForwardedTraffic\": true,\n\"allowGatewayTransit\": false,\n\"useRemoteGateways\": true\n}\n}\n

    For example a peering connection from a hub to a spoke:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[format('{0}/{1}', parameters('hubName'), format('peer-to-{0}', parameters('spokeName')))]\",\n\"properties\": {\n\"remoteVirtualNetwork\": {\n\"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeName'))]\"\n},\n\"allowVirtualNetworkAccess\": true,\n\"allowForwardedTraffic\": false,\n\"allowGatewayTransit\": true,\n\"useRemoteGateways\": false\n}\n}\n
    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual networks that pass this rule:

    • Create a peering connection from the spoke to the hub. AND
    • Create a peering connection from the hub to the spoke.

    For example a peering connection from a spoke to a hub:

    Azure Bicep snippet
    resource toHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: spoke\n  name: 'peer-to-${hub.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: hub.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: true\n    allowGatewayTransit: false\n    useRemoteGateways: true\n  }\n}\n

    For example a peering connection from a hub to a spoke:

    Azure Bicep snippet
    resource toSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: hub\n  name: 'peer-to-${spoke.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: spoke.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: false\n    allowGatewayTransit: true\n    useRemoteGateways: false\n  }\n}\n
    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure (in-flight).

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#links","title":"Links","text":"
    • Monitoring operations of cloud applications
    • Virtual network peering
    • Create, change, or delete a virtual network peering
    • Networking limits
    • Hub-spoke network topology in Azure
    • Define an Azure network topology
    • Azure VNET deployment reference
    • Azure VNET peering deployment reference
    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.SingleDNS/","title":"Use redundant DNS servers","text":"Azure.VNET.SingleDNSAZR-000264Error

    Reliability \u00b7 Virtual Network \u00b7 2020_06

    Virtual networks (VNETs) should have at least two DNS servers assigned.

    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#description","title":"Description","text":"

    Virtual networks (VNETs) should have at least two (2) DNS servers assigned. A single DNS server is a single point of failure unless that DNS IP address is load balanced across multiple servers.

    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#recommendation","title":"Recommendation","text":"

    Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.

    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to at least two DNS server addresses. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"dhcpOptions\": {\n\"dnsServers\": [\n\"10.0.1.4\",\n\"10.0.1.5\"\n]\n}\n}\n}\n
    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to at least two DNS server addresses. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#links","title":"Links","text":"
    • Understand the impact of dependencies
    • Hub-spoke network topology in Azure
    • Azure landing zone conceptual architecture
    • Azure deployment reference
    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SubnetName/","title":"Use valid subnet names","text":"Azure.VNET.SubnetNameAZR-000267Error

    Operational Excellence \u00b7 Virtual Network \u00b7 2020_06

    Subnet names should meet naming requirements.

    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for subnet names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Subnet names must be unique within a virtual network.
    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet subnet naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#notes","title":"Notes","text":"

    This rule does not check if subnet names are unique.

    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.UseNSGs/","title":"Use NSGs on subnets","text":"Azure.VNET.UseNSGsAZR-000263Error

    Security \u00b7 Virtual Network \u00b7 2020_06

    Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.

    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#description","title":"Description","text":"

    Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGs is that they provide network segmentation both between subnets and within a subnet.

    NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.

    There is a small subset of special purpose subnets that do not support NSGs. These subnets are:

    • GatewaySubnet - used for hybrid connectivity with VPN and ExpressRoute gateways.
    • AzureFirewallSubnet and AzureFirewallManagementSubnet - are for Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
    • RouteServerSubnet - used by managed routing provided by Azure Route Server.
    • Any subnet delegated to a dedicated HSM with Microsoft.HardwareSecurityModules/dedicatedHSMs.
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#recommendation","title":"Recommendation","text":"

    Consider assigning a network security group (NSG) to each virtual network subnet.

    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#examples","title":"Examples","text":"","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual networks subnets that pass this rule:

    • Set the properties.networkSecurityGroup.id property for each supported subnet to a NSG resource id.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"dhcpOptions\": {\n\"dnsServers\": [\n\"10.0.1.4\",\n\"10.0.1.5\"\n]\n},\n\"subnets\": [\n{\n\"name\": \"GatewaySubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.0.0/24\"\n}\n},\n{\n\"name\": \"snet-001\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.0/24\",\n\"networkSecurityGroup\": {\n\"id\": \"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n}\n}\n}\n]\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n]\n}\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual network subnets that pass this rule:

    • Set the properties.networkSecurityGroup.id property for each supported subnet to a NSG resource id.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/24'\n        }\n      }\n      {\n        name: 'snet-001'\n        properties: {\n          addressPrefix: '10.0.1.0/24'\n          networkSecurityGroup: {\n            id: nsg.id\n          }\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'\n$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'\nSet-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Network Security Best Practices
    • Azure Firewall FAQ
    • Forced tunneling configuration
    • Azure Route Server FAQ
    • Azure Dedicated HSM networking
    • Azure VNET deployment reference
    • Azure NSG deployment reference
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNG.ConnectionName/","title":"Use valid connection names","text":"Azure.VNG.ConnectionNameAZR-000275Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 2020_06

    Virtual Network Gateway (VNG) connection names should meet naming requirements.

    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for connection names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Connection names must be unique within a resource group.
    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet connection naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#notes","title":"Notes","text":"

    This rule does not check if connection names are unique.

    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/","title":"Use availability zone SKU for ExpressRoute gateways","text":"Azure.VNG.ERAvailabilityZoneSKUAZR-000273Error

    Reliability \u00b7 Virtual Network Gateway \u00b7 2021_12

    Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#description","title":"Description","text":"

    ExpressRoute gateways can be deployed in Availability Zones with the following SKUs:

    • ErGw1AZ
    • ErGw2AZ
    • ErGw3AZ

    This brings resiliency, scalability, and higher availability to ExpressRoute gateways. Deploying ExpressRoute gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"

    Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#notes","title":"Notes","text":"

    ExpressRoute gateway availability zones are managed via Public IP addresses, and are flagged separately under the Azure.PublicIP.AvailabilityZone rule.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure an AZ SKU for an ExpressRoute gateway:

    • Set properties.gatewayType to 'ExpressRoute'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'ErGw1AZ'
      • 'ErGw2AZ'
      • 'ErGw3AZ'

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/virtualNetworkGateways\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [\n\"[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]\"\n],\n\"tags\": {},\n\"properties\": {\n\"gatewayType\": \"ExpressRoute\",\n\"ipConfigurations\": [\n{\n\"name\": \"default\",\n\"properties\": {\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"[parameters('subnetId')]\"\n},\n\"publicIpAddress\": {\n\"id\": \"[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]\"\n}\n}\n}\n],\n\"vpnType\": \"[parameters('vpnType')]\",\n\"vpnGatewayGeneration\": \"[parameters('vpnGatewayGeneration')]\",\n\"sku\": {\n\"name\": \"ErGw1AZ\",\n\"tier\": \"ErGw1AZ\"\n}\n}\n}\n
    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure an AZ SKU for an ExpressRoute gateway:

    • Set properties.gatewayType to 'ExpressRoute'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'ErGw1AZ'
      • 'ErGw2AZ'
      • 'ErGw3AZ'

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {\n  name: name\n  location: location\n  tags: {}\n  properties: {\n    gatewayType: 'ExpressRoute'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)\n          }\n        }\n      }\n    ]\n    vpnType: vpnType\n    vpnGatewayGeneration: vpnGatewayGeneration\n    sku: {\n      name: 'ErGw1AZ'\n      tier: 'ErGw1AZ'\n    }\n  }\n  dependsOn: [\n    newPublicIpAddressName_resource\n  ]\n}\n
    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#links","title":"Links","text":"
    • Azure deployment reference
    • About zone-redundant virtual network gateways in Azure Availability Zones
    • ExpressRoute gateway SKUs
    • Use zone-aware services
    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/","title":"Migrate from legacy ER gateway SKUs","text":"Azure.VNG.ERLegacySKUAZR-000271Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 2020_06

    Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.

    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#description","title":"Description","text":"

    When deploying a ER gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.

    • Basic
    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#recommendation","title":"Recommendation","text":"

    Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.

    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#links","title":"Links","text":"
    • Estimated performances by gateway SKU
    • Azure deployment reference
    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.Name/","title":"Use valid VNG names","text":"Azure.VNG.NameAZR-000274Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 2020_06

    Virtual Network Gateway (VNG) names should meet naming requirements.

    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for VNG names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VNG names must be unique within a resource group.
    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#notes","title":"Notes","text":"

    This rule does not check if VNG names are unique.

    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/","title":"Use Active-Active VPN gateways","text":"Azure.VNG.VPNActiveActiveAZR-000270Error

    Reliability \u00b7 Virtual Network Gateway \u00b7 2020_06

    Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.

    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#description","title":"Description","text":"

    VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).

    When using an Active-Passive configuration, one instance is designated a standby for failover.

    Gateways configured to use an Active-Active configuration:

    • Establish two IPSEC tunnels, one from each instance per connection.
    • Each instance will load balance network traffic.
    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#recommendation","title":"Recommendation","text":"

    Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.

    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#notes","title":"Notes","text":"

    Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.

    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#links","title":"Links","text":"
    • Highly Available Cross-Premises and VNet-to-VNet Connectivity
    • Update an existing VPN gateway
    • Azure deployment reference
    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/","title":"Use availability zone SKU for VPN gateways","text":"Azure.VNG.VPNAvailabilityZoneSKUAZR-000272Error

    Reliability \u00b7 Virtual Network Gateway \u00b7 2021_12

    Use availability zone SKU for virtual network gateways deployed with VPN gateway type.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#description","title":"Description","text":"

    VPN gateways can be deployed in Availability Zones with the following SKUs:

    • VpnGw1AZ
    • VpnGw2AZ
    • VpnGw3AZ
    • VpnGw4AZ
    • VpnGw5AZ

    This brings resiliency, scalability, and higher availability to VPN gateways. Deploying VPN gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"

    Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#notes","title":"Notes","text":"

    VPN gateway availability zones are managed via Public IP addresses, and are flagged separately under the Azure.PublicIP.AvailabilityZone rule.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure an AZ SKU for a VPN gateway:

    • Set properties.gatewayType to 'Vpn'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'VpnGw1AZ'
      • 'VpnGw2AZ'
      • 'VpnGw3AZ'
      • 'VpnGw4AZ'
      • 'VpnGw5AZ'

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/virtualNetworkGateways\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [\n\"[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]\"\n],\n\"tags\": {},\n\"properties\": {\n\"gatewayType\": \"Vpn\",\n\"ipConfigurations\": [\n{\n\"name\": \"default\",\n\"properties\": {\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"[parameters('subnetId')]\"\n},\n\"publicIpAddress\": {\n\"id\": \"[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]\"\n}\n}\n}\n],\n\"vpnType\": \"[parameters('vpnType')]\",\n\"vpnGatewayGeneration\": \"[parameters('vpnGatewayGeneration')]\",\n\"sku\": {\n\"name\": \"VpnGw1AZ\",\n\"tier\": \"VpnGw1AZ\"\n}\n}\n}\n
    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure an AZ SKU for a VPN gateway:

    • Set properties.gatewayType to 'Vpn'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'VpnGw1AZ'
      • 'VpnGw2AZ'
      • 'VpnGw3AZ'
      • 'VpnGw4AZ'
      • 'VpnGw5AZ'

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {\n  name: name\n  location: location\n  tags: {}\n  properties: {\n    gatewayType: 'Vpn'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)\n          }\n        }\n      }\n    ]\n    vpnType: vpnType\n    vpnGatewayGeneration: vpnGatewayGeneration\n    sku: {\n      name: 'VpnGw1AZ'\n      tier: 'VpnGw1AZ'\n    }\n  }\n  dependsOn: [\n    newPublicIpAddressName_resource\n  ]\n}\n
    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#links","title":"Links","text":"
    • Azure deployment reference
    • About zone-redundant virtual network gateways in Azure Availability Zones
    • VPN gateway SKUs
    • Use zone-aware services
    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/","title":"Migrate from legacy VPN gateway SKUs","text":"Azure.VNG.VPNLegacySKUAZR-000269Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 2020_06

    Migrate from legacy SKUs to improve reliability and performance of VPN gateways.

    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#description","title":"Description","text":"

    When deploying a VPN gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.

    • Basic
    • Standard
    • HighPerformance
    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#recommendation","title":"Recommendation","text":"

    Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.

    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#links","title":"Links","text":"
    • Change to the new gateway SKUs
    • Azure deployment reference
    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/","title":"Use managed identities for Web PubSub Services","text":"Azure.WebPubSub.ManagedIdentityAZR-000277Error

    Security \u00b7 Web PubSub Service \u00b7 2022_03

    Configure Web PubSub Services to use managed identities to access Azure resources securely.

    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#description","title":"Description","text":"

    A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/webPubSub\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/webPubSub@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities for Azure Web PubSub Service
    • IM-1: Use centralized identity and authentication system
    • IM-3: Manage application identities securely and automatically
    • Azure deployment reference
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.SLA/","title":"Use an SLA for Web PubSub Services","text":"Azure.WebPubSub.SLAAZR-000278Error

    Reliability \u00b7 Web PubSub Service \u00b7 2022_03

    Use SKUs that include an SLA when configuring Web PubSub Services.

    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#description","title":"Description","text":"

    When choosing a SKU for a Web PubSub Service you should consider the SLA that is included in the SKU. Web PubSub Services offer a range of SKU offerings:

    • Free - Are designed for early non-production use and do not include any SLA.
    • Standard - Are designed for production use and include an SLA.
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#recommendation","title":"Recommendation","text":"

    Consider using a Standard SKU that includes an SLA.

    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/webPubSub\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/webPubSub@2021-10-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Web PubSub pricing
    • Azure deployment reference
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.vWAN.Name/","title":"Use valid vWAN names","text":"Azure.vWAN.NameAZR-000276Error

    Operational Excellence \u00b7 Virtual WAN \u00b7 2021_12

    Virtual WAN (vWAN) names should meet naming requirements.

    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for vWAN names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • vWAN names must be unique within a resource group.
    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#notes","title":"Notes","text":"

    This rule does not check if vWAN names are unique.

    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/module/","title":"Rules by pillar","text":"

    PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.

    "},{"location":"en/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"en/rules/module/#governance","title":"Governance","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"en/rules/module/#optimize","title":"Optimize","text":"Name Synopsis Severity Level Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error"},{"location":"en/rules/module/#pricing-and-billing-model","title":"Pricing and billing model","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"en/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error"},{"location":"en/rules/module/#reports","title":"Reports","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/module/#resource-usage","title":"Resource usage","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. 
Important Error"},{"location":"en/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"en/rules/module/#automation","title":"Automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"en/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"en/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. 
Important Error"},{"location":"en/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning"},{"location":"en/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning"},{"location":"en/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"en/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Error"},{"location":"en/rules/module/#principles_1","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"en/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. 
Awareness Error"},{"location":"en/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. 
Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. 
Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. 
Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. 
Awareness Error"},{"location":"en/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"en/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"en/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"en/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. 
Important Error"},{"location":"en/rules/module/#design-for-performance-efficiency","title":"Design for performance efficiency","text":"Name Synopsis Severity Level Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"en/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"en/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"en/rules/module/#performance-patterns","title":"Performance patterns","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"en/rules/module/#reliability","title":"Reliability","text":""},{"location":"en/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. 
Important Error"},{"location":"en/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"en/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Error"},{"location":"en/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. 
Important Error"},{"location":"en/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"en/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error"},{"location":"en/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. 
Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"en/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. 
Awareness Error"},{"location":"en/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"en/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"en/rules/module/#security","title":"Security","text":""},{"location":"en/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. 
Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"en/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. 
Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"en/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning"},{"location":"en/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. 
Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"en/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"en/rules/module/#data-flow","title":"Data flow","text":"Name Synopsis Severity Level Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"en/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"en/rules/module/#deployment_1","title":"Deployment","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"en/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"en/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. 
Critical Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error"},{"location":"en/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. 
Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"en/rules/module/#information-protection","title":"Information protection","text":"Name Synopsis Severity Level Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error"},{"location":"en/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"en/rules/module/#logs-and-alerts","title":"Logs and alerts","text":"Name Synopsis Severity Level Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error"},{"location":"en/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"en/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. 
Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"en/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/module/#optimize_1","title":"Optimize","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. 
Important Error"},{"location":"en/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"en/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/module/#security-configuration","title":"Security configuration","text":"Name Synopsis Severity Level Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"en/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. 
Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"en/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"en/rules/resource/","title":"Rules by resource type","text":"

    PSRule for Azure includes the following rules organized by resource type.

    "},{"location":"en/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"en/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. 
Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"en/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"en/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. 
Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"en/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"en/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. 
Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"en/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"en/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. 
Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"en/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"en/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"en/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. 
Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"en/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"en/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. 
Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. 
Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"en/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. 
Awareness Error"},{"location":"en/rules/resource/#cognitive-search","title":"Cognitive Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/resource/#cognitive-services","title":"Cognitive Services","text":"Name Synopsis Severity Level Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error"},{"location":"en/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. 
Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. 
Important Error"},{"location":"en/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"en/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"en/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"en/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error"},{"location":"en/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. 
Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when referencing SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"en/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. 
Awareness Error"},{"location":"en/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"en/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principle of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"en/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. 
Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"en/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. 
Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"en/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"en/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. 
Awareness Error"},{"location":"en/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
Awareness Error"},{"location":"en/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"en/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"en/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. 
Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"en/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. 
Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"en/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at least two enabled endpoints. 
Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"en/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. 
Awareness Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. 
Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"en/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/selectors/Azure.AppService.IsAPIApp/","title":"Azure.AppService.IsAPIApp","text":"

    Azure App Services API apps.

    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against API apps.

    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsAPIApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsAPIApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsAPIApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsAPIApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsAPIApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsAPIApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/","title":"Azure.AppService.IsFunctionApp","text":"

    Azure App Services function apps.

    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against Azure Functions apps.

    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsFunctionApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/","title":"Azure.AppService.IsLogicApp","text":"

    Single tenanted Logic Apps.

    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against Logic Apps with the Standard SKU.

    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsLogicApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsLogicApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsLogicApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsLogicApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsLogicApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsLogicApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsWebApp/","title":"Azure.AppService.IsWebApp","text":"

    Azure App Services web apps.

    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against web apps.

    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsWebApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsWebApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsWebApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsWebApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsWebApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsWebApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.Resource.SupportsTags/","title":"Azure.Resource.SupportsTags","text":"

    Resources that support tags.

    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#description","title":"Description","text":"

    Use this selector to filter rules to only run against resources that support tags.

    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.Resource.SupportsTags.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.Resource.SupportsTags\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.Resource.SupportsTags.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.Resource.SupportsTags\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.Resource.SupportsTags.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.Resource.SupportsTags' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/","title":"Azure.ServiceBus.IsPremium","text":"

    Azure Service Bus premium namespaces.

    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#description","title":"Description","text":"

    Use this selector to filter rules to only run against premium Service Bus namespaces.

    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.ServiceBus.IsPremium\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium' {\n# Rule logic goes here\n}\n
    "},{"location":"es/asb-v3/","title":"Azure Security Benchmark","text":"

    Azure Security Benchmark (ASB) es un conjunto de controles y recomendaciones que ayudan a mejorar la seguridad de las cargas de trabajo en Azure. Los controles del ASB tambi\u00e9n se asignan a los marcos de la industria, como CIS, PCI-DSS y NIST. Si esta es su primera introduccion a ASB o esta busecano por ayudo a como utilizarlo, refiera a la Introducci\u00f3n a Azure Security Benchmark

    "},{"location":"es/asb-v3/#azure-security-benchmark-v3","title":"Azure Security Benchmark v3","text":"

    Esta es la versi\u00f3n mas reciente del ASB. Las reglas incluidas en PSRule para Azure se han asignado a v3 para que pueda comprender el impacto de las reglas. Esto es particularmente \u00fatil cuando busca comprender c\u00f3mo abordar un requisito de cumplimiento espec\u00edfico de su organizaci\u00f3n.

    Los siguientes controles est\u00e1n incluidos en Azure Security Benchmark v3:

    • Seguridad de red (NS)
    • Administraci\u00f3n de identidades (IM)
    • Acceso con privilegios (PA)
    • Protecci\u00f3n de datos (DP)
    • Administraci\u00f3n de recursos (AM)
    • Registro y detecci\u00f3n de amenazas (LT)
    • Respuesta a incidentes IR)
    • Posici\u00f3n y administraci\u00f3n de vulnerabilidades (PV)
    • Seguridad de los puntos de conexi\u00f3n (ES)
    • Copia de seguridad y recuperaci\u00f3n (BR)
    • Seguridad de DevOps (DS)
    • Gobernanza y estrategia (GS)

    "},{"location":"es/asb-v3/#links","title":"Links","text":"
    • Introducci\u00f3n a los controles de seguridad de Azure (v3)
    "},{"location":"es/rules/","title":"Reference","text":"

    The following rules and features are included in PSRule for Azure.

    Info

    The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.

    "},{"location":"es/rules/#rules","title":"Rules","text":"

    The following rules are included in PSRule for Azure.

    Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. 
GA AZR-000019 Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Preview AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. 
GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. 
GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Front Door. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. 
GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. 
GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. 
GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). 
GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. 
GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. 
GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.VM.NICAttached Network interfaces (NICs) should be attached. GA AZR-000258 Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. 
GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. GA AZR-000281 Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. GA AZR-000283 Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. 
GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
GA AZR-000312 Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Preview AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. 
GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. Preview AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Preview AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. 
GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000384 Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000385 Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Preview AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. 
GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA"},{"location":"es/rules/Azure.ACR.AdminUser/","title":"Deshabilitar el usuario adminstrador para ACR","text":"Azure.ACR.AdminUserAZR-000005Error

    Seguridad \u00b7 Container Registry \u00b7 2020_06

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#sinopsis","title":"Sinopsis","text":"

    Usar identidades de Azure AD en lugar de usar el usuario administrador del registro.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#descripcion","title":"Descripci\u00f3n","text":"

    Azure Container Registry (ACR) incluye una cuenta de usuario administrador incorporada. La cuenta de usuario administrador es una cuenta de usuario \u00fanica con acceso administrativo al registro. Esta cuenta proporciona acceso de usuario \u00fanico para pruebas y desarrollo tempranos. La cuenta de usuario administrador no est\u00e1 dise\u00f1ada para usarse con registros de contenedores de producci\u00f3n.

    En su lugar, utilice el control de acceso basado en roles (RBAC). RBAC se puede usar para delegar permisos de registro a una identidad de Azure AD (AAD).

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere deshabilitar la cuenta de usuario administrador y solo use la autenticaci\u00f3n basada en identidad para las operaciones de registro.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar Container Registries, pasa la siguiente regla:

    • Establezca properties.adminUserEnabled a false.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar Container Registries, pasa la siguiente regla:

    • Establezca properties.adminUserEnabled a false.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet
    az acr update --admin-enabled false -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet
    Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#enlaces","title":"Enlaces","text":"
    • Uso de la autenticaci\u00f3n basada en identidad
    • Autenticaci\u00f3n con un registro de contenedor de Azure
    • Procedimientos recomendados para Azure Container Registry
    • Use la identidad administrada de Azure para autenticarse en Azure Container Registry
    • Roles y permisos de Azure Container Registry
    • \u00bfQu\u00e9 es el control de acceso basado en rol de Azure (RBAC)?
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.ContainerScan/","title":"Examen de im\u00e1genes del registro","text":"Azure.ACR.ContainerScanAZR-000002Error

    Seguridad \u00b7 Container Registry \u00b7 2020_12

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#sinopsis","title":"Sinopsis","text":"

    Habilite el an\u00e1lisis de vulnerabilidades para im\u00e1genes de contenedores.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#descripcion","title":"Descripci\u00f3n","text":"

    Un riesgo potencial con las cargas de trabajo basadas en contenedores son las vulnerabilidades de seguridad sin parches en:

    • Im\u00e1genes base del sistema operativo.
    • Marcos y dependencias de tiempo de ejecuci\u00f3n utilizados por el c\u00f3digo de la aplicaci\u00f3n.

    Es importante adoptar una estrategia para escanear activamente las im\u00e1genes en busca de vulnerabilidades de seguridad. Una opci\u00f3n para escanear im\u00e1genes de contenedores es usar Microsoft Defender para registros de contenedores. Microsoft Defender para registros de contenedores analiza cada imagen de contenedor enviada al registro.

    Microsoft Defender para registros de contenedores analiza im\u00e1genes en im\u00e1genes insertadas, importadas y extra\u00eddas recientemente. Las im\u00e1genes extra\u00eddas recientemente se escanean peri\u00f3dicamente cuando se extrajeron en los \u00faltimos 30 d\u00edas. Cualquier vulnerabilidad detectada se informa a Microsoft Defender for Cloud.

    Escaneo de vulnerabilidades de im\u00e1genes de contenedores con Microsoft Defender para registros de contenedores:

    • Actualmente solo est\u00e1 disponible para registros ACR alojados en Linux.
    • El registro de contenedores debe ser accesible para los registros de contenedores de Microsoft Defender. El acceso a la red no puede estar restringido por firewall, puntos de conexi\u00f3n de servicio o puntos de conexi\u00f3n privados.
    • Es compatible para clientes de la nube comerciales. Actualmente no se admite en nubes soberanas o nacionales (por ejemplo, gobierno de EE. UU., gobierno de China, etc.).
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar Microsoft Defender para la nube para buscar vulnerabilidades de seguridad en im\u00e1genes de contenedores.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para habilitar el escaneo de im\u00e1genes de contenedores:

    • Establezca pricingTier a Standard para Microsoft Defender para container registries.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"ContainerRegistry\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para habilitar el escaneo de im\u00e1genes de contenedores:

    • Establezca pricingTier a Standard para Microsoft Defender para container registries.

    Por ejemplo:

    Azure Bicep snippet
    resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'ContainerRegistry' --tier 'standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#enlaces","title":"Enlaces","text":"
    • Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud
    • Introducci\u00f3n a Microsoft Defender para registros de contenedor
    • Introducci\u00f3n a Microsoft Defender for Containers
    • Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContentTrust/","title":"Utilica im\u00e1genes de contenedores de confianza","text":"Azure.ACR.ContentTrustAZR-000009Error

    Seguridad \u00b7 Container Registry \u00b7 2020_12

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#sinopsis","title":"Sinopsis","text":"

    Utilica im\u00e1genes de contenedores firmadas por un publicador de im\u00e1genes de confianza. Use container images signed by a trusted image publisher.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#descripcion","title":"Descripci\u00f3n","text":"

    La confianza en el contenido de Azure Container Registry (ACR) permite insertar y extraer im\u00e1genes firmadas. Las im\u00e1genes firmadas brindan una garant\u00eda adicional de que se han creado en una fuente confiable. Para habilitar la confianza en el contenido, el registro del contenedor debe usar una SKU Premium.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere habilitar la confianza en el contenido en registros, clientes e im\u00e1genes de contenedores de firmas.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar resgistros de contenedores que superen esta regla:

    • Establezca properties.trustPolicy.status a enabled.
    • Establezca properties.trustPolicy.type a Notary.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar resgistros de contenedores que superen esta regla:

    • Establezca properties.trustPolicy.status a enabled.
    • Establezca properties.trustPolicy.type a Notary.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#enlaces","title":"Enlaces","text":"
    • Confianza en el contenido en Azure Container Registry
    • Content trust in Docker
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.GeoReplica/","title":"Geo-replicar im\u00e1genes de contenedores","text":"Azure.ACR.GeoReplicaAZR-000004Error

    Confiabilidad \u00b7 Container Registry \u00b7 2020_12

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#sinopsis","title":"Sinopsis","text":"

    Utilice registros de contenedores replicados geogr\u00e1ficamente para complementar las implementaciones de contenedores en varias regiones.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#descripcion","title":"Descripci\u00f3n","text":"

    Un registro de contenedor se almacena y mantiene de forma predeterminada en una sola regi\u00f3n. Opcionalmente, se puede habilitar la replicaci\u00f3n geogr\u00e1fica en una o m\u00e1s regiones adicionales.

    Los registros de contenedores de replicaci\u00f3n geogr\u00e1fica brindan los siguientes beneficios:

    • Los nombres \u00fanicos de registros/im\u00e1genes/etiquetas se pueden usar en m\u00faltiples regiones.
    • El acceso al registro de cierre de red dentro de la regi\u00f3n reduce la latencia.
    • Como las im\u00e1genes se extraen de un registro replicado local, cada extracci\u00f3n no genera costos de salida adicionales.
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar un registro de contenedor replicado geogr\u00e1ficamente para implementaciones en varias regiones.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:

    • Establezca sku.name a Premium (necesario para la replicaci\u00f3n geogr\u00e1fica).
    • Agrega el recurso secundario replications con location establecida en la regi\u00f3n para replicar.

    Por ejemplo:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"_generator\": {\n\"name\": \"bicep\",\n\"version\": \"0.5.6.12127\",\n\"templateHash\": \"12610175857982700190\"\n}\n},\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"acrAdminUserEnabled\": {\n\"type\": \"bool\",\n\"defaultValue\": false,\n\"metadata\": {\n\"description\": \"Enable admin user that has push / pull permission to the registry.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\"Premium\"],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry. 
Geo-replication requires Premium SKU.\"\n}\n},\n\"acrReplicaLocation\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"Short name for registry replica location.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n},\n\"properties\": {\n\"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n}\n},\n{\n\"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n\"location\": \"[parameters('acrReplicaLocation')]\",\n\"properties\": {},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n]\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:

    • Establezca sku.name a Premium (necesario para la replicaci\u00f3n geogr\u00e1fica).
    • Agrega el recurso secundario replications con location establecida en la regi\u00f3n para replicar.

    Por ejemplo:

    Azure Bicep snippet
    resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#elaces","title":"Elaces","text":"
    • Resistencia y dependencias
    • Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones
    • Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry
    • Tutorial: Preparar un registro de contenedor de Azure con replicaci\u00f3n geogr\u00e1fica
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.ImageHealth/","title":"Eliminar im\u00e1genes de contenedores vulnerables","text":"Azure.ACR.ImageHealthAZR-000003Error

    Seguridad \u00b7 Container Registry \u00b7 2020_12

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#sinopsis","title":"Sinopsis","text":"

    Eliminar im\u00e1genes de contenedores con vulnerabilidades conocidas.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#descripcion","title":"Descripci\u00f3n","text":"

    Cuando Microsoft Defender para registros de contenedores est\u00e1 habilitado, Microsoft Defender analiza las im\u00e1genes de contenedores. Las im\u00e1genes de contenedores se escanean en busca de vulnerabilidades conocidas y se marcan como saludables o no saludables. No se deben utilizar im\u00e1genes de contenedores vulnerables.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar la eliminaci\u00f3n de im\u00e1genes de contenedores con vulnerabilidades conocidas.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#enlaces","title":"Enlaces","text":"
    • Recomendaciones de revisi\u00f3n y correcci\u00f3n
    • Introducci\u00f3n a Microsoft Defender para registros de contenedor
    • Introducci\u00f3n a Microsoft Defender for Containers
    • Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n
    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.MinSku/","title":"Utilice el SKU de producci\u00f3n de ACR","text":"Azure.ACR.MinSkuAZR-000006Error

    Confiabilidad \u00b7 Container Registry \u00b7 2020_06

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#sinopsis","title":"Sinopsis","text":"

    ACR debe usar el SKU Premium o Est\u00e1ndar para las implementaciones de producci\u00f3n.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#descripcion","title":"Descripci\u00f3n","text":"

    Azure Container Registry (ACR) proporciona una gama de diferentes niveles de servicio (tambi\u00e9n conocidos como SKU). Estos niveles de servicio proporcionan diferentes niveles de rendimiento y caracter\u00edsticas.

    Hay tres niveles de servicio disponibles: B\u00e1sico, Est\u00e1ndar y Premium. Los registros de contenedores b\u00e1sicos solo se recomiendan para implementaciones que no sean de producci\u00f3n. Utilice un m\u00ednimo de Est\u00e1ndar para registros de contenedores de producci\u00f3n.

    El SKU Premium proporciona un mayor rendimiento de im\u00e1genes y almacenamiento incluido, y es necesario para:

    • Geo-replicaci\u00f3n
    • Zonas de disponibilidad
    • Puntos de conexi\u00f3n privados
    • Restricciones de firewall
    • Tokens y mapas de alcance
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar el SKU de Premium de registros de contenedores para implementaciones de producci\u00f3n.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca sku.name a Premium o Standard.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca sku.name a Premium o Standard.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#elaces","title":"Elaces","text":"
    • Requisitos no funcionales y de destino
    • Niveles del servicio Azure Container Registry
    • Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry
    • Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.Name/","title":"Utilice nombres de registro v\u00e1lidos","text":"Azure.ACR.NameAZR-000007Error

    Excelencia operativa \u00b7 Container Registry \u00b7 2020_06

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#sinopsis","title":"Sinopsis","text":"

    Los nombres de registro de contenedores deben cumplir con los requisitos de denominaci\u00f3n.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#descripcion","title":"Descripci\u00f3n","text":"

    Al nombrar los recursos de Azure, los nombres de los recursos deben cumplir con los requisitos del servicio. Los requisitos para los nombres de registro de contenedores son:

    • Entre 5 y 50 caracteres de longitud.
    • Alfanum\u00e9ricos.
    • Los nombres de registros de contenedores deben ser \u00fanicos a nivel mundial.
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar nombres que cumplan con los requisitos de nombres del registro de contenedores. Adem\u00e1s, considere nombrar recursos con una convenci\u00f3n de nomenclatura est\u00e1ndar.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Puede asegurarse de que el par\u00e1metro acrName cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros MinLength y maxLength. Tambi\u00e9n puede usar una funci\u00f3n uniqueString() para asegurarse de que el nombre sea globalmente \u00fanico.

    Por ejemplo

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\n\"Standard\"\n\"Premium\"\n],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n}\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Puede asegurarse de que el par\u00e1metro acrName cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros MinLength y maxLength. Tambi\u00e9n puede usar una funci\u00f3n uniqueString() para asegurarse de que el nombre sea globalmente \u00fanico.

    Por ejemplo:

    Azure Bicep snippet
    @description('Globally unique name of your Azure Container Registry')\n@minLength(5)\n@maxLength(50)\nparam acrName string = 'acr${uniqueString(resourceGroup().id)}'\n\n@description('Location for registry home replica.')\nparam location string = resourceGroup().location\n\n@description('Tier of your Azure Container Registry. Geo-replication requires Premium SKU.')\n@allowed([\n  'Standard'\n  'Premium'\n])\nparam acrSku string = 'Premium'\n\nresource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: acrSku\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n}\n\noutput acrLoginServer string = containerRegistry.properties.loginServer\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#notas","title":"Notas","text":"

    Esta regla no comprueba si los nombres de registro de contenedores son \u00fanicos.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#enlaces","title":"Enlaces","text":"
    • Infraestructura repetible
    • Reglas y restricciones de nomenclatura para los recursos de Azure
    • Abreviaturas recomendadas para los tipos de recursos de Azure
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Quarantine/","title":"Utilice patr\u00f3n de cuarentena de imagen de contenedor","text":"Azure.ACR.QuarantineAZR-000008Error

    Seguridad \u00b7 Container Registry \u00b7 Preview \u00b7 2020_12

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#sinopsis","title":"Sinopsis","text":"

    Habilite la cuarentena de im\u00e1genes de contenedores, escanee y marque im\u00e1genes como verificadas.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#descripcion","title":"Descripci\u00f3n","text":"

    La cuarentena de im\u00e1genes es una opci\u00f3n configurable para Azure Container Registry (ACR). Cuando est\u00e1 habilitado, las im\u00e1genes enviadas al registro del contenedor no est\u00e1n disponibles de forma predeterminada. Cada imagen debe verificarse y marcarse como Aprobada antes de que est\u00e9 disponible para extraer.

    Para verificar im\u00e1genes de contenedores, integre con una herramienta de seguridad externa que admita esta funci\u00f3n.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere configurar una herramienta de seguridad para implementar el patr\u00f3n de cuarentena de im\u00e1genes. Habilite la cuarentena de im\u00e1genes en el registro de contenedores para garantizar que cada imagen se verifique antes de su uso.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.quarantinePolicy.status a enabled.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.quarantinePolicy.status a enabled.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#notas","title":"Notas","text":"

    La cuarentena de im\u00e1genes para Azure Container Registry se encuentra actualmente en versi\u00f3n preliminar.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#enlaces","title":"Enlaces","text":"
    • Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud
    • \u00bfC\u00f3mo se habilita la cuarentena autom\u00e1tica de im\u00e1genes para un registro?
    • Patr\u00f3n de cuarentena
    • Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Retention/","title":"Configurar directiva de retenci\u00f3n de ACR","text":"Azure.ACR.RetentionAZR-000010Error

    Optimizaci\u00f3n de costos \u00b7 Container Registry \u00b7 Preview \u00b7 2020_12

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#sinopsis","title":"Sinopsis","text":"

    Use una directiva de retenci\u00f3n para limpiar los manifiestos sin etiquetar.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#descripcion","title":"Descripci\u00f3n","text":"

    La directiva de retenci\u00f3n es una opci\u00f3n configurable de Premium Azure Container Registry (ACR). Cuando se configura una directiva de retenci\u00f3n, los manifiestos sin etiquetar en el registro se eliminan autom\u00e1ticamente. Un manifiesto no est\u00e1 etiquetado cuando se env\u00eda una imagen m\u00e1s reciente con la misma etiqueta. es decir, lo \u00faltimo.

    La directiva de retenci\u00f3n (en d\u00edas) se puede establecer en 0-365. El valor predeterminado es 7 d\u00edas.

    Para configurar una directiva de retenci\u00f3n, el registro del contenedor debe usar una SKU Premium.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere habilitar una directiva de retenci\u00f3n para manifiestos sin etiquetar.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.retentionPolicy.status a enabled.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.retentionPolicy.status a enabled.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#notas","title":"Notas","text":"

    Las directivas de retenci\u00f3n para Azure Container Registry est\u00e1n actualmente en versi\u00f3n preliminar.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#enlaces","title":"Enlaces","text":"
    • Almacenamiento escalable
    • Establecimiento de una directiva de retenci\u00f3n para manifiestos sin etiqueta
    • Bloqueo de una imagen de contenedor en una instancia de Azure Container Registry
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Usage/","title":"Uso del almacenamiento del registro de contenedores","text":"Azure.ACR.UsageAZR-000001Error

    Optimizaci\u00f3n de costos \u00b7 Container Registry \u00b7 2020_12

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#sinopsis","title":"Sinopsis","text":"

    Elimine peri\u00f3dicamente las im\u00e1genes obsoletas e innecesarias para reducir el uso del almacenamiento.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#descripcion","title":"Descripci\u00f3n","text":"

    Cada SKU de ACR tiene una cantidad de almacenamiento incluido. Cuando se excede la cantidad de almacenamiento incluido, se acumulan costos de almacenamiento adicionales por GiB.

    Es una buena pr\u00e1ctica limpiar regularmente las im\u00e1genes hu\u00e9rfanas. Estas im\u00e1genes son el resultado de enviar im\u00e1genes actualizadas con la misma etiqueta.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere eliminar las im\u00e1genes obsoletas e innecesarias para reducir el consumo de almacenamiento. Tambi\u00e9n considere actualizar a Premium SKU para registros b\u00e1sicos o est\u00e1ndar para aumentar el almacenamiento incluido.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#enlaces","title":"Enlaces","text":"
    • Generar informes de costos
    • Niveles del servicio Azure Container Registry
    • Almacenamiento escalable
    • Administraci\u00f3n del tama\u00f1o del registro
    • Eliminaci\u00f3n de im\u00e1genes de contenedor en Azure Container Registry
    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/module/","title":"Rules by pillar","text":"

    PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.

    "},{"location":"es/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"es/rules/module/#governance","title":"Governance","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"es/rules/module/#optimize","title":"Optimize","text":"Name Synopsis Severity Level Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error"},{"location":"es/rules/module/#pricing-and-billing-model","title":"Pricing and billing model","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"es/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error"},{"location":"es/rules/module/#reports","title":"Reports","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/module/#resource-usage","title":"Resource usage","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. 
Important Error"},{"location":"es/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"es/rules/module/#automation","title":"Automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"es/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"es/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. 
Important Error"},{"location":"es/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning"},{"location":"es/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning"},{"location":"es/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"es/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Error"},{"location":"es/rules/module/#principles_1","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"es/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. 
Awareness Error"},{"location":"es/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. 
Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. 
Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. 
Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. 
Awareness Error"},{"location":"es/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"es/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"es/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"es/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. 
Important Error"},{"location":"es/rules/module/#design-for-performance-efficiency","title":"Design for performance efficiency","text":"Name Synopsis Severity Level Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"es/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"es/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"es/rules/module/#performance-patterns","title":"Performance patterns","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"es/rules/module/#reliability","title":"Reliability","text":""},{"location":"es/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. 
Important Error"},{"location":"es/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"es/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Error"},{"location":"es/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. 
Important Error"},{"location":"es/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"es/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error"},{"location":"es/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. 
Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"es/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"es/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. 
Awareness Error"},{"location":"es/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"es/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"es/rules/module/#security","title":"Security","text":""},{"location":"es/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. 
Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"es/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. 
Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"es/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning"},{"location":"es/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. 
Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"es/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"es/rules/module/#data-flow","title":"Data flow","text":"Name Synopsis Severity Level Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"es/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"es/rules/module/#deployment_1","title":"Deployment","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"es/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"es/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. 
Critical Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error"},{"location":"es/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. 
Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"es/rules/module/#information-protection","title":"Information protection","text":"Name Synopsis Severity Level Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error"},{"location":"es/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"es/rules/module/#logs-and-alerts","title":"Logs and alerts","text":"Name Synopsis Severity Level Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error"},{"location":"es/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"es/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. 
Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"es/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/module/#optimize_1","title":"Optimize","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. 
Important Error"},{"location":"es/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"es/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/module/#security-configuration","title":"Security configuration","text":"Name Synopsis Severity Level Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"es/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. 
Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"es/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"es/rules/resource/","title":"Rules by resource type","text":"

    PSRule for Azure includes the following rules organized by resource type.

    "},{"location":"es/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"es/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. 
Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"es/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"es/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. 
Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"es/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"es/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. 
Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"es/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"es/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. 
Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"es/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"es/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"es/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. 
Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"es/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"es/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. 
Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. 
Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"es/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. 
Awareness Error"},{"location":"es/rules/resource/#cognitive-search","title":"Cognitive Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/resource/#cognitive-services","title":"Cognitive Services","text":"Name Synopsis Severity Level Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error"},{"location":"es/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. 
Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. 
Important Error"},{"location":"es/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"es/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"es/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"es/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error"},{"location":"es/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. 
Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"es/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. 
Awareness Error"},{"location":"es/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"es/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"es/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. 
Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"es/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. 
Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"es/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"es/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. 
Awareness Error"},{"location":"es/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
Awareness Error"},{"location":"es/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"es/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"es/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. 
Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"es/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. 
Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"es/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. 
Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"es/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. 
Awareness Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. 
Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"es/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"learn/learn-video-series/","title":"Learn PSRule for Azure series","text":""},{"location":"learn/learn-video-series/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"

    An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.

    "},{"location":"learn/learn-video-series/#getting-started-using-github","title":"Getting started using GitHub","text":"

    Getting started with PSRule for Azure using GitHub. We create a GitHub Actions workflow, enabled expansion, and iterate on Bicep code.

    "},{"location":"learn/official/","title":"Official learning","text":""},{"location":"learn/official/#blog-posts","title":"Blog posts","text":""},{"location":"learn/official/#2022","title":"2022","text":"
    • Visualize Infrastructure as Code Maturity
    • Introduction to Infrastructure As Code (IAC) Testing
    "},{"location":"license-contributing/","title":"License and contributing","text":"

    PSRule for Azure is licensed with an MIT License, which means it's free to use and modify. But please check out the details.

    We open source at Microsoft.

    In addition to our team, we hope you will think about contributing too. Here is how you can get started:

    • Report issues.
    • Upvote existing issues that are important to you.
    • Improve documentation.
    • Contribute code.

    Please read our contributing guidelines and code of conduct to learn how to contribute.

    "},{"location":"license-contributing/hackathons/","title":"Past hackathons","text":""},{"location":"license-contributing/hackathons/#microsoft-global-hackathon-2022","title":"Microsoft Global Hackathon 2022","text":"

    Thanks to the team who made the following contributions during the hackathon:

    • New features:
      • Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
    • New rules:
      • Azure Cache for Redis:
        • Check the number of firewall rules for caches by @jonathanruiz. #544
        • Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
      • App Configuration:
        • Check identity-based authentication is used for configuration stores by @pazdedav. #1691
      • Application Gateway WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Defender for Cloud:
        • Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher. #1632
      • Front Door WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Network Security Group:
        • Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
      • Storage Account:
        • Check blob container soft delete is enabled by @pazdedav. #1671
        • Check file share soft delete is enabled by @jonathanruiz. #966
    • Updated rules:
      • Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
        • The following rules have been renamed with aliases:
          • Renamed Azure.SQL.ThreatDetection to Azure.SQL.DefenderCloud.
          • Renamed Azure.SecurityCenter.Contact to Azure.DefenderCloud.Contact.
          • Renamed Azure.SecurityCenter.Provisioning to Azure.DefenderCloud.Provisioning.
        • If you are referencing the old names please consider updating to the new names.
      • Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
    • General improvements:
      • Updated NSG documentation with code snippets and links by @simone-bennett. #1607
      • Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
      • Updated SQL firewall rules documentation by @ms-sambell. #1569
      • Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
      • Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
      • Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
    • Bug fixes:
      • Fixed continue processing policy assignments on error by @BernieWhite. #1651
      • Fixed handling of runtime assessment data by @BernieWhite. #1707
      • Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
    "},{"location":"license-contributing/writing-documentation/","title":"Writing documentation","text":"

    PSRule for Azure contains documentation ranging from conceptual, code examples, to recommendations. All of this documentation is written in markdown, open source, and available for you to contribute to.

    Some of the documentation that you might like to improve includes:

    • Rule recommendations (docs/en/rules/).
    • Scenarios and examples (docs/customization/ and docs/scenarios/).
    • PowerShell cmdlet and conceptual topics (docs/commands/ and docs/concepts/).

    Abstract

    This topic covers contributing documentation in PSRule for Azure.

    "},{"location":"license-contributing/writing-documentation/#rule-help","title":"Rule help","text":"

    PSRule for Azure includes recommendations and expanded documentation with each rule. The recommendations are written in markdown and consumed by PSRule during analysis. This allows us to present easy to read web documentation without writing it separately for anaylsis.

    As a result, PSRule does require rule documentation to be structured in a standard way. Also we have standards about the metadata we required to ensure there is consistency across documentation.

    Some key points for writing rule help:

    • Aligned \u2014 PSRule for Azure is aligned to the Microsoft Azure Well-Archtected Framework (WAF).
    • Actionable \u2014 Any recommendations must be clear and actionable. The reader must be able to understand:
      • What has been detected as an issue.
      • Why it is considered an issue.
    • Learn by examples \u2014 For most cases, recommendations should include Azure Bicep and template examples. Optionally CLI or PowerShell command reference may be included. Examples should be as concise as possible.
    • Documentation references \u2014 Each recommendation must include references to the WAF. Additionally consider adding:
      • Links to provide more detail about the service feature.
      • Azure deployment reference.

    Please read our contributing guidelines and code of conduct to learn how to contribute.

    "},{"location":"quickstarts/test-bicep-with-github/","title":"Test a Bicep deployment with GitHub Actions","text":"

    Bicep supports using a parameter file to deploy a module to Azure.

    Abstract

    Learn how to setup your GitHub repository to automatically test Bicep deployments referenced using .bicepparam files.

    "},{"location":"quickstarts/test-bicep-with-github/#before-you-begin","title":"Before you begin","text":"

    This quickstart assumes you have already:

    1. Installed Git locally and created a GitHub account. For more information, see Setup Git and Signing up for a new GitHub account.
    2. Created a GitHub repository and cloned it locally. For more information, see Create a repo and Clone a repo.
    3. Installed an editor or IDE locally to edit your repository files. For more information, see Visual Studio Code.

    "},{"location":"quickstarts/test-bicep-with-github/#add-a-sample-bicep-deployment","title":"Add a sample Bicep deployment","text":"

    If you don't already have a Bicep deployment in your repository, add a sample deployment.

    1. In the root of your repository, create a new folder called deployments.
    2. In the deployments folder, create a new file called dev.bicepparam.
    3. In the deployments folder, create a new file called main.bicep.
    Example parameter file deployments/dev.bicepparam
    using 'main.bicep'\n\nparam environment = 'dev'\nparam name = 'kv-example-001'\nparam defaultAction = 'Deny'\nparam workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-001'\n
    Example deployment module deployments/main.bicep
    targetScope = 'resourceGroup'\n\nparam name string\nparam location string = resourceGroup().location\n\n@allowed([\n  'Allow'\n  'Deny'\n])\nparam defaultAction string = 'Deny'\nparam environment string\nparam workspaceId string = ''\n\nresource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'standard'\n    }\n    tenantId: tenant().tenantId\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: defaultAction\n    }\n  }\n  tags: {\n    env: environment\n  }\n}\n\n@sys.description('Configure auditing for Key Vault.')\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {\n  name: 'service'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n

    You can also find a copy of these files in the quickstart sample repository.

    "},{"location":"quickstarts/test-bicep-with-github/#create-an-options-file","title":"Create an options file","text":"

    PSRule can be configured using a default YAML options file called ps-rule.yaml. Many of configuration options you are likely to want to use can be set using this file. Options in this file will automatically be detected by other PSRule commands and tools.

    1. Create a new branch in your repository for your changes. For more information, see Creating a branch.
    2. In the root of your repository, create a new file called ps-rule.yaml.
    3. Update the file with the following contents and save.

      ps-rule.yaml
      #\n# PSRule configuration\n#\n# Please see the documentation for all configuration options:\n# https://aka.ms/ps-rule-azure/options\n# Require a minimum version of PSRule for Azure.\nrequires:\nPSRule.Rules.Azure: '>=1.29.0'\n# Automatically use rules for Azure.\ninclude:\nmodule:\n- PSRule.Rules.Azure\n# Ignore all files except .bicepparam files.\ninput:\npathIgnore:\n- '**'\n- '!**/*.bicepparam'\n# Enable expansion of Azure .bicepparam files.\nconfiguration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: true\n
    "},{"location":"quickstarts/test-bicep-with-github/#create-a-workflow","title":"Create a workflow","text":"

    GitHub Actions are configured using a YAML file called a workflow. A workflow is made up of one or more jobs and steps.

    1. In the root of your repository, create a new folder called .github/workflows.
    2. In the .github/workflows folder, create a new file called analysis.yaml.
    3. Update the file with the following contents and save.
    GitHub Actions workflow
    #\n# Analyze repository with PSRule\n#\n# For PSRule documentation see:\n# https://aka.ms/ps-rule\n# https://aka.ms/ps-rule-azure\n# For action details see:\n# https://aka.ms/ps-rule-action\nname: Analyze repository\n# Run analysis for main or PRs against main\non:\npush:\nbranches:\n- main\npull_request:\nbranches:\n- main\njobs:\nanalyze:\nname: Analyze repository\nruns-on: ubuntu-latest\nsteps:\n- name: Checkout\nuses: actions/checkout@v3\n- name: Run PSRule analysis\nuses: microsoft/ps-rule@v2.9.0 # (1)\nwith:\nmodules: PSRule.Rules.Azure # (2)\n
    1. Reference the PSRule action. You can find the latest version of the action on the GitHub Marketplace.
    2. Automatically download and use PSRule for Azure during analysis.
    "},{"location":"quickstarts/test-bicep-with-github/#commit-and-push-changes","title":"Commit and push changes","text":"
    1. Commit and push the changes to your repository. For more information, see Committing changes to your project.
    2. Create a pull request to merge the changes into the main branch in GitHub. For more information, see Creating a pull request.
    3. Navigate to the Actions tab in your repository to check the status of the workflow.

    "},{"location":"quickstarts/test-bicep-with-github/#recommended-content","title":"Recommended content","text":"
    • Testing Bicep modules
    • Restoring modules from a private registry
    • Suppression and excluding rules
    • Enforcing custom tags

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/","title":"Validate Azure resources from templates with Azure Pipelines","text":"

    Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.

    Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.

    The following scenario shows how PSRule can be used to validate Azure resource templates within an Azure Pipeline.

    This scenario covers the following:

    • Installing PSRule extension
    • Linking parameter files to templates
    • Creating a YAML pipeline
      • Installing Azure rules
      • Exporting resource data for analysis
      • Validating exported resources
    • Generating NUnit output
    • Complete example
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-psrule-extension","title":"Installing PSRule extension","text":"

    PSRule includes an extension that can be installed from the Visual Studio Marketplace. Once installed, Azure Pipelines tasks are available to install PSRule modules and run analysis.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#linking-parameter-files-to-templates","title":"Linking parameter files to templates","text":"

    ARM template parameter files allows parameters for a deployment to be saved and checked into source control. PSRule can automatically resolve ARM templates from parameter files by using a metadata link.

    To link a parameter file to an ARM template add the metadata.template property within a parameter file.

    For example:

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./azuredeploy.json\"\n},\n\"parameters\": {\n\"vnetName\": {\n\"value\": \"vnet-001\"\n},\n\"addressPrefix\": {\n\"value\": [\n\"10.1.0.0/24\"\n]\n}\n}\n}\n

    In the example parameter file azuredeploy.parameters.json is linked to the template azuredeploy.json. The prefix of ./ indicates that the template file is in a relative path to the parameter file. If ./ is not included, PSRule will look for the template relative to the working directory.

    For example:

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"templates/vnet-hub/v1/template.json\"\n},\n\"parameters\": {\n\"vnetName\": {\n\"value\": \"vnet-001\"\n},\n\"addressPrefix\": {\n\"value\": [\n\"10.1.0.0/24\"\n]\n}\n}\n}\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#creating-a-yaml-pipeline","title":"Creating a YAML pipeline","text":"

    Azure Pipelines supports defining pipelines in YAML. PSRule uses a number of configurable task steps to install modules, export data and perform analysis.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-azure-rules","title":"Installing Azure rules","text":"

    To install the module containing Azure rules use the ps-rule-install YAML task.

    # Install PSRule.Rules.Azure from the PowerShell Gallery.\n- task: ps-rule-install@2\ninputs:\nmodule: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#exporting-resource-data-for-analysis","title":"Exporting resource data for analysis","text":"

    PSRule provides a pre-built cmdlets for finding template files within a path and exporting resource data.

    • Get-AzRuleTemplateLink finds linked templates from parameter files. By default, parameter files with the *.parameters.json extension are discovered. Files are found recursively from the current working path.
    • Export-AzRuleTemplateData exports resource data from template files.

    To generate data for analysis use a PowerShell YAML task to export resource data from linked templates.

    # Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n

    If parameter files are located in a specific sub-directory the path can be updated as follows.

    # Export resource data from parameter files in the deployments/ sub-directory.\n- powershell: Get-AzRuleTemplateLink ./deployments/ | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n

    If parameter files do not use the file extension .parameters.json input path can be set.

    # Export resource data from parameter files ending in *.json instead of default *.parameters.json.\n- powershell: Get-AzRuleTemplateLink -InputPath *.json | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n

    In both cases, resource data for analysis is exported to out/templates/.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#validating-exported-resources","title":"Validating exported resources","text":"

    To validate exported resources use the ps-rule-assert YAML task. The following task uses previously exported resource data for analysis.

    # Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\ninputs:\ninputType: inputPath\ninputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\nmodules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n# Optionally, also analyze objects using custom rules from '.ps-rule/'.\nsource: '.ps-rule/'\n# Optionally, save results to an NUnit report.\noutputFormat: NUnit3\noutputPath: reports/ps-rule-resources.xml\n

    In the example:

    • Resource data is read from out/templates/.
    • If custom rules are defined in the .ps-rule/ these are also evaluated.
    • Validation results are saved as an NUnit report.
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#generating-nunit-output","title":"Generating NUnit output","text":"

    NUnit is a popular unit test framework for .NET. PSRule supports publishing validation results in the NUnit format. With Azure DevOps, an NUnit report can be published using Publish Test Results task.

    An example YAML snippet is included below:

    # Publish NUnit report as test results\n- task: PublishTestResults@2\ndisplayName: 'Publish PSRule results'\ninputs:\ntestRunTitle: 'PSRule'                          # The title to use for the test run.\ntestRunner: NUnit                               # Import report using the NUnit format.\ntestResultsFiles: 'reports/ps-rule-results.xml' # The previously saved NUnit report.\ncondition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#complete-example","title":"Complete example","text":"

    Putting each of these steps together.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#azure-devops-pipeline","title":"Azure DevOps Pipeline","text":"
    #\n# PSRule with Azure Pipelines\n#\ntrigger:\n- main\npool:\nvmImage: 'ubuntu-latest'\nsteps:\n# Install PSRule.Rules.Azure from the PowerShell Gallery\n- task: ps-rule-install@2\ninputs:\nmodule: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n# Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n# Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\ninputs:\ninputType: inputPath\ninputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\nmodules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n# Optionally, also analyze objects using custom rules from '.ps-rule/'.\nsource: '.ps-rule/'\n# Optionally, save results to an NUnit report.\noutputFormat: NUnit3\noutputPath: reports/ps-rule-resources.xml\n# Publish NUnit report as test results\n- task: PublishTestResults@2\ndisplayName: 'Publish PSRule results'\ninputs:\ntestRunTitle: 'PSRule'                          # The title to use for the test run.\ntestRunner: NUnit                               # Import report using the NUnit format.\ntestResultsFiles: 'reports/ps-rule-*.xml'       # Use previously saved NUnit reports.\nmergeTestResults: true                          # Merge multiple reports.\ncondition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#more-information","title":"More information","text":"
    • azure-pipelines.yaml - An example Azure DevOps Pipeline.
    • azuredeploy.json - An example template file.
    • azuredeploy.parameters.json - An example parameters file.
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/","title":"Validate Azure resources from templates with continuous integration (CI)","text":"

    Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.

    Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.

    The following scenario shows how to validate Azure resources from templates using a generic pipeline. The examples provided can be integrated into a continuous integration (CI) pipeline able to run PowerShell.

    For integrating into Azure DevOps see Validate Azure resources from templates with Azure Pipelines.

    This scenario covers the following:

    • Installing PSRule within a CI pipeline
    • Exporting rule data for analysis
    • Validating exported resources
    • Formatting output
    • Failing the pipeline
    • Generating NUnit output
    • Complete example
    • Additional options
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#installing-psrule-within-a-ci-pipeline","title":"Installing PSRule within a CI pipeline","text":"

    Typically, PSRule is not pre-installed on CI worker nodes and must be installed within the pipeline. PSRule PowerShell modules need to be installed prior to calling PSRule cmdlets.

    If your CI pipeline runs on a persistent virtual machine that you control, consider pre-installing PSRule. The following examples focus on installing PSRule dynamically during execution of the pipeline. Which is suitable for cloud-based CI worker nodes.

    To install PSRule within a CI pipeline, execute the Install-Module PowerShell cmdlet.

    Depending on your environment, the CI worker process may not have administrative permissions. To install modules into the current context running the CI pipeline use -Scope CurrentUser. The PowerShell Gallery is not a trusted source by default. Use the -Force switch to suppress a prompt to install modules from PowerShell Gallery.

    For example:

    $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force;\n

    Installing PSRule.Rules.Azure also installs the base PSRule module and associated Azure dependencies. The PSRule.Rules.Azure module includes cmdlets and pre-built rules for validating Azure resources. Using the pre-built rules is completely optional.

    In some cases, installing NuGet and PowerShellGet may be required to connect to the PowerShell Gallery. The NuGet package provider can be installed using the Install-PackageProvider PowerShell cmdlet.

    $Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n

    The example below includes both steps together with checks:

    if ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {\n$Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n}\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\nInstall-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n

    Add -AllowPrerelease to install pre-release versions. See the change log for the latest version.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#exporting-rule-data-for-analysis","title":"Exporting rule data for analysis","text":"

    In PSRule, the Export-AzRuleTemplateData cmdlet resolves a template and returns a resultant set of resources. The resultant set of resources can then be validated.

    No connectivity to Azure is required by default when calling Export-AzRuleTemplateData.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#export-cmdlet-parameters","title":"Export cmdlet parameters","text":"

    To run Export-AzRuleTemplateData two key parameters are required:

    • -TemplateFile - An absolute or relative path to the template JSON file.
    • -ParameterFile - An absolute or relative path to one or more parameter JSON files.

    The -ParameterFile parameter is optional when all parameters defined in the template have defaultValue set.

    Optionally the following parameters can be used:

    • -Name - The name of the deployment. If not specified a default name of export-<xxxxxxxx> will be used.
    • -OutputPath - An absolute or relative path where the resultant resources will be written to JSON. If not specified the current working path be used.
    • -ResourceGroup - The name of a resource group where the deployment is intended to be run. If not specified placeholder values will be used.
    • -Subscription - The name or subscription Id of a subscription where the deployment is intended to be run. If not specified placeholder values will be used.

    See cmdlet help for a full list of parameters.

    If -OutputPath is a directory or is not set, the output file will be automatically named resources-<name>.json.

    For example:

    Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n

    Multiple parameter files that map to the same template can be supplied in a single cmdlet call. Additional templates can be exported by calling Export-AzRuleTemplateData multiple times.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#use-of-placeholder-values","title":"Use of placeholder values","text":"

    A number of functions that can be used within Azure templates retrieve information from Azure. Some examples include reference, subscription, resourceGroup, list*.

    The default for Export-AzRuleTemplateData is to operate without requiring authenticated connectivity to Azure. As a result, functions that retrieve information from Azure use placeholders such as {{Subscription.SubscriptionId}}.

    To provide a real value for subscription and resourceGroup use the -Subscription and -ResourceGroup parameters. When using -Subscription and -ResourceGroup the subscription and resource group must already exist. Additionally the context running the cmdlet must have at least read access (i.e. Reader).

    It is currently not possible to provide a real value for reference and list*, only placeholders will be used.

    Key Vault references in parameter files use placeholders instead of the real value to prevent accidental exposure of secrets.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#validating-exported-resources","title":"Validating exported resources","text":"

    To validate exported resources use Invoke-PSRule, Assert-PSRule or Test-PSRuleTarget. In a CI pipeline, Assert-PSRule is recommended. Assert-PSRule outputs preformatted results ideal for use within a CI pipeline.

    Use Assert-PSRule with the resolved resource output as an input using -InputPath.

    In the following example, resources from .\\resources.json are validated against pre-built rules:

    Assert-PSRule -InputPath .\\resources-export-*.json -Module PSRule.Rules.Azure;\n

    Example output:

     -> vnet-001 : Microsoft.Network/virtualNetworks\n\n    [PASS] Azure.Resource.UseTags\n    [PASS] Azure.VirtualNetwork.UseNSGs\n    [PASS] Azure.VirtualNetwork.SingleDNS\n    [PASS] Azure.VirtualNetwork.LocalDNS\n\n -> vnet-001/subnet2 : Microsoft.Network/virtualNetworks/subnets\n\n    [FAIL] Azure.Resource.UseTags\n

    To process multiple input files a wildcard * can be used.

    Assert-PSRule -InputPath .\\out\\*.json -Module PSRule.Rules.Azure;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#formatting-output","title":"Formatting output","text":"

    When executing a CI pipeline, feedback on any validation failures is important. The Assert-PSRule cmdlet provides easy to read formatted output instead of PowerShell objects.

    Additionally, Assert-PSRule supports styling formatted output for Azure Pipelines and GitHub Actions. Use the -Style AzurePipelines or -Style GitHubActions parameter to style output.

    For example:

    Assert-PSRule -InputPath .\\out\\*.json -Style AzurePipelines -Module PSRule.Rules.Azure;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#failing-the-pipeline","title":"Failing the pipeline","text":"

    When using PSRule within a CI pipeline, a failed rule should stop the pipeline. When using Assert-PSRule if any rules fail, an error will be generated.

    Assert-PSRule : One or more rules reported failure.\nAt line:1 char:1\n+ Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\tests\\Resou ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n+ CategoryInfo          : InvalidData: (:) [Assert-PSRule], FailPipelineException\n+ FullyQualifiedErrorId : PSRule.Fail,Assert-PSRule\n

    A single PowerShell error is typically enough to stop a CI pipeline. If you are using a different configuration additionally -ErrorAction Stop can be used.

    For example:

    Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\*.json -ErrorAction Stop;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#generating-nunit-output","title":"Generating NUnit output","text":"

    NUnit is a popular unit test framework for .NET. NUnit generates a test report format that is widely interpreted by CI systems. While PSRule does not use NUnit directly, it support outputting validation results in the NUnit3 format. Using a common format allows integration with any system that supports the NUnit3 for publishing test results.

    To generate an NUnit report:

    • Use the -OutputFormat NUnit3 parameter.
    • Use the -OutputPath parameter to specify the path of the report file to write.
    Assert-PSRule -OutputFormat NUnit3 -OutputPath .\\reports\\rule-report.xml -Module PSRule.Rules.Azure -InputPath .\\out\\*.json;\n

    The output path will be created if it does not exist.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#complete-example","title":"Complete example","text":"

    Putting each of these steps together.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#install-dependencies","title":"Install dependencies","text":"
    # Install dependencies for connecting to PowerShell Gallery\nif ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction Ignore)) {\nInstall-PackageProvider -Name NuGet -Force -Scope CurrentUser;\n}\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\nInstall-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#validate-templates","title":"Validate templates","text":"
    # Install PSRule.Rules.Azure module\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n# Resolve resources\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n# Validate resources\n$assertParams = @{\nInputPath = 'out/*.json'\nModule = 'PSRule.Rules.Azure'\nStyle = 'AzurePipelines'\nOutputFormat = 'NUnit3'\nOutputPath = 'reports/rule-report.xml'\n}\nAssert-PSRule @assertParams;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#additional-options","title":"Additional options","text":""},{"location":"scenarios/azure-template-ci/azure-template-ci/#using-invoke-build","title":"Using Invoke-Build","text":"

    Invoke-Build is a build automation cmdlet that can be installed from the PowerShell Gallery by installing the InvokeBuild module. Within Invoke-Build, each build process is broken into tasks.

    The following example shows an example of using PSRule.Rules.Azure with InvokeBuild tasks.

    # Synopsis: Install PSRule modules\ntask InstallPSRule {\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n}\n# Synopsis: Run validation\ntask ValidateTemplate InstallPSRule, {\n# Resolve resources\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n# Validate resources\n$assertParams = @{\nInputPath = 'out/*.json'\nModule = 'PSRule.Rules.Azure'\nStyle = 'AzurePipelines'\nOutputFormat = 'NUnit3'\nOutputPath = 'reports/rule-report.xml'\n}\nAssert-PSRule @assertParams;\n}\n# Synopsis: Run all build tasks\ntask Build ValidateTemplate\n
    Invoke-Build Build;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#calling-from-pester","title":"Calling from Pester","text":"

    Pester is a unit test framework for PowerShell that can be installed from the PowerShell Gallery.

    Typically, Pester unit tests are built for a particular pipeline. PSRule can complement Pester unit tests by providing dynamic and sharable rules that are easy to reuse. By using -If or -Type pre-conditions, rules can dynamically provide validation for a range of use cases.

    When calling PSRule from Pester use Invoke-PSRule instead of Assert-PSRule. Invoke-PSRule returns validation result objects that can be tested by Pester Should conditions.

    Additionally, the Logging.RuleFail option can be included to generate an error message for each failing rule.

    For example:

    Describe 'Azure' {\nContext 'Resource templates' {\nIt 'Use content rules' {\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath .\\out\\resources.json;\n# Validate resources\n$invokeParams = @{\nInputPath = 'out/*.json'\nModule = 'PSRule.Rules.Azure'\nOutputFormat = 'NUnit3'\nOutputPath = 'reports/rule-report.xml'\nOption = (New-PSRuleOption -LoggingRuleFail Error)\n}\nInvoke-PSRule @invokeParams -Outcome Fail,Error | Should -BeNullOrEmpty;\n}\n}\n}\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#more-information","title":"More information","text":"
    • pipeline-deps.ps1 - Example script installing pipeline dependencies.
    • validate-template.ps1 - Example script for running template validation.
    • template.json - Example template file.
    • parameters.json - Example parameters file.
    "},{"location":"setup/configuring-expansion/","title":"Configuring expansion","text":"

    PSRule for Azure can automatically resolve Azure resource context at runtime from infrastructure code. This feature can be enabled by using the following configuration options.

    "},{"location":"setup/configuring-expansion/#configuration","title":"Configuration","text":"

    Tip

    Each of these configuration options are set within the ps-rule.yaml file. To learn how to set configuration options see Configuring options.

    "},{"location":"setup/configuring-expansion/#parameter-file-expansion","title":"Parameter file expansion","text":"

    v1.4.1

    This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded. When enabled, PSRule will discover and expand JSON parameter files for Azure templates or Bicep modules.

    Parameter files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_PARAMETER_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"setup/configuring-expansion/#bicep-source-expansion","title":"Bicep source expansion","text":"

    v1.11.0

    This configuration option determines if Azure Bicep source files will automatically be expanded. By default, Bicep files will not be automatically expanded.

    Bicep files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_BICEP_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_BICEP_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION: true\n
    "},{"location":"setup/configuring-expansion/#bicep-parameter-expansion","title":"Bicep parameter expansion","text":"

    v1.27.0

    This configuration option determines if Azure Bicep parameter files (.bicepparam) are expanded. Currently while this is an experimental feature this is not enabled by default.

    Bicep files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: true\n
    "},{"location":"setup/configuring-expansion/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"

    v1.13.3

    This configuration option determines the maximum time to spend building a single Bicep source file. The timeout is configured in seconds.

    When a timeout occurs, PSRule for Azure stops the build and returns an error. Any resources contained within Bicep source files that exceeded the timeout are not analyzed.

    The default timeout is 5 seconds, however the timeout can be set to an integer between 1 and 120.

    Syntax:

    configuration:\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: int\n

    Default:

    # YAML: The default AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 5\n

    Example:

    # YAML: Set the AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option to enable expansion\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n
    "},{"location":"setup/configuring-expansion/#require-template-metadata-link","title":"Require template metadata link","text":"

    v1.7.0

    This configuration option determines if Azure template parameter files require a metadata link. When configured to true, the Azure.Template.MetadataLink rule is enabled. Any Azure template parameter files that do not include a metadata link will report a fail for this rule.

    The rule Azure.Template.MetadataLink is not enabled by default. Additionally, when enabled this rule can still be excluded or suppressed like all other rules.

    Syntax:

    configuration:\nAZURE_PARAMETER_FILE_METADATA_LINK: bool\n

    Default:

    # YAML: The default AZURE_PARAMETER_FILE_METADATA_LINK configuration option\nconfiguration:\nAZURE_PARAMETER_FILE_METADATA_LINK: false\n

    Example:

    # YAML: Set the AZURE_PARAMETER_FILE_METADATA_LINK configuration option to enable expansion\nconfiguration:\nAZURE_PARAMETER_FILE_METADATA_LINK: true\n
    "},{"location":"setup/configuring-expansion/#deployment-properties","title":"Deployment properties","text":"

    v1.17.0

    This configuration option sets the deployment object use by the deployment() function. Configure this option to change the details of the deployment when exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option applies to the parent deployment. Nested deployments will use any properties configured within code. Additionally, this configuration option will be ignore when -Name is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_DEPLOYMENT:\nname: string\n

    Default:

    # YAML: The default AZURE_DEPLOYMENT configuration option\nconfiguration:\nAZURE_DEPLOYMENT:\nname: 'ps-rule-test-deployment'\n

    Example:

    # YAML: Override the name of the deployment object.\nconfiguration:\nAZURE_DEPLOYMENT:\nname: 'deploy-web-application'\n
    "},{"location":"setup/configuring-expansion/#deployment-resource-group","title":"Deployment resource group","text":"

    v1.1.0

    This configuration option sets the resource group object used by the resourceGroup() function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option will be ignored when -ResourceGroup is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_RESOURCE_GROUP:\nname: string\nlocation: string\ntags: object\nproperties:\nprovisioningState: string\n

    Default:

    # YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\nAZURE_RESOURCE_GROUP:\nname: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\nprovisioningState: 'Succeeded'\n

    Example:

    # YAML: Override the location of the resource group object.\nconfiguration:\nAZURE_RESOURCE_GROUP:\nlocation: 'australiasoutheast'\n
    "},{"location":"setup/configuring-expansion/#deployment-subscription","title":"Deployment subscription","text":"

    v1.1.0

    This configuration option sets the subscription object used by the subscription() function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option will be ignored when -Subscription is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: string\ndisplayName: string\nstate: string\n

    Default:

    # YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n

    Example:

    # YAML: Override the display name of the subscription object\nconfiguration:\nAZURE_SUBSCRIPTION:\ndisplayName: 'My test subscription'\n
    "},{"location":"setup/configuring-expansion/#deployment-tenant","title":"Deployment tenant","text":"

    v1.11.0

    This configuration option sets the tenant object used by the tenant() function. Configure this option to change the tenant object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    Syntax:

    configuration:\nAZURE_TENANT:\ncountryCode: string\ntenantId: string\ndisplayName: string\n

    Default:

    # YAML: The default AZURE_TENANT configuration option\nconfiguration:\nAZURE_TENANT:\ncountryCode: 'US'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule'\n

    Example:

    # YAML: Override the display name of the tenant object\nconfiguration:\nAZURE_TENANT:\ndisplayName: 'Contoso'\n
    "},{"location":"setup/configuring-expansion/#deployment-management-group","title":"Deployment management group","text":"

    v1.11.0

    This configuration option sets the management group object used by the managementGroup() function. Configure this option to change the management group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    Syntax:

    configuration:\nAZURE_MANAGEMENT_GROUP:\nname: string\nproperties:\ndisplayName: string\n

    Default:

    # YAML: The default AZURE_MANAGEMENT_GROUP configuration option\nconfiguration:\nAZURE_MANAGEMENT_GROUP:\nname: 'psrule-test'\nproperties:\ndisplyName: 'PSRule Test Management Group'\n

    Example:

    # YAML: Override the display name of the management group object\nconfiguration:\nAZURE_MANAGEMENT_GROUP:\nproperties:\ndisplayName: 'My test management group'\n
    "},{"location":"setup/configuring-expansion/#required-parameter-defaults","title":"Required parameter defaults","text":"

    v1.13.0

    This configuration option allows a fallback value to be configured for required parameters. When a parameter value is not provided and a default is not set, the fallback value will be used.

    Configure this option when you are providing a set of common parameters dynamically during a pipeline. In this scenario, it may not make sense to add the parameters to a parameter file or Bicep deployment.

    Syntax:

    configuration:\nAZURE_PARAMETER_DEFAULTS:\n<parameter>: <value>\n

    Default:

    # YAML: The default AZURE_PARAMETER_DEFAULTS configuration option\nconfiguration:\nAZURE_PARAMETER_DEFAULTS: { }\n

    Example:

    # YAML: Set fallback values for adminPassword and workspaceId parameters.\nconfiguration:\nAZURE_PARAMETER_DEFAULTS:\nadminPassword: $CREDENTIAL_PLACEHOLDER$\nworkspaceId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}\n
    "},{"location":"setup/configuring-expansion/#excluding-files","title":"Excluding files","text":"

    Template or Bicep source files can be excluded from being processed by PSRule and expansion. To exclude a file, configure the input.pathIgnore option by providing a path spec to ignore.

    Syntax:

    input:\npathIgnore:\n- string\n- string\n

    Default:

    # YAML: The default input.pathIgnore option\ninput:\npathIgnore: []\n

    Example:

    # YAML: Exclude a file from being processed by PSRule and expansion\ninput:\npathIgnore:\n- 'out/'\n- 'modules/**/*.bicep'\n
    "},{"location":"setup/configuring-options/","title":"Configuring options","text":"

    PSRule for Azure comes with many configuration options. Additionally, the PSRule engine includes several options that apply to all rules. You can visit the about_PSRule_Options topic to read about general PSRule options.

    "},{"location":"setup/configuring-options/#setting-options","title":"Setting options","text":"

    Configuration options are set within the ps-rule.yaml file. PSRule will automatically find this file within the current working directory. To set options, create a new file named ps-rule.yaml in the root directory of your repository.

    For configuring pre-flight analysis, create a ps-rule.yaml in your current working directory.

    Tip

    This file should be committed to your repository so it is available when your pipeline runs.

    Note

    Use all lowercase characters ps-rule.yaml to name the file. On case-sensitive file systems, a file with uppercase characters may not be found.

    Configuration can be combined as indented keys. Use comments to add context.

    Example ps-rule.yaml

    requires:\n# Require a minimum of PSRule for Azure v1.29.0\nPSRule.Rules.Azure: '>=1.29.0'\nconfiguration:\n# Enable expansion of Azure Template files.\nAZURE_PARAMETER_FILE_EXPANSION: true\n# Enable expansion of Azure Bicep files.\nAZURE_BICEP_FILE_EXPANSION: true\n# Configure the timeout for bicep build to 15 seconds.\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n# Enable Bicep CLI checks.\nAZURE_BICEP_CHECK_TOOL: true\n# Optionally, configure the minimum version of the Bicep CLI.\nAZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n# Configure the minimum AKS cluster version.\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.26.6'\nrule:\n# Enable custom rules that don't exist in the baseline\nincludeLocal: true\nexclude:\n# Ignore the following rules for all resources\n- Azure.VM.UseHybridUseBenefit\n- Azure.VM.Standalone\nsuppression:\nAzure.AKS.AuthorizedIPs:\n# Exclude the following externally managed AKS clusters\n- aks-cluster-prod-eus-001\nAzure.Storage.SoftDelete:\n# Exclude the following non-production storage accounts\n- storagedeveus6jo36t\n- storagedeveus1df278\n

    Tip

    YAML can be a bit particular about indenting. If something is not working, double check that you have consistent spacing in your options file. We recommend using two (2) spaces to indent.

    "},{"location":"setup/configuring-options/#setting-environment-variables","title":"Setting environment variables","text":"

    In addition to ps-rule.yaml, most options can be set using environment variables. When configuring environment variables we recommend that all capital letters are used. This is because environment variables are case-sensitive on some operating systems.

    PSRule environment variables use a consistent naming pattern of PSRULE_<PARENT>_<NAME>. Where <PARENT> is the parent class and <NAME> is the specific option.

    When setting environment variables:

    • Enum values are set by string and are not case-sensitive. For example PSRULE_OUTPUT_FORMAT could be set to Yaml.
    • Boolean values are set by true, false, 1, or 0 and are not case-sensitive. For example PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION could be set to true.
    • String array values can specify multiple items by using a semi-colon separator. For example PSRULE_RULE_EXCLUDE could be set to 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'.
    GitHub ActionsAzure PipelinesPowerShellBash
    env:\nPSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: true\nPSRULE_OUTPUT_FORMAT: Yaml\nPSRULE_RULE_EXCLUDE: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    variables:\n- name: PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION\nvalue: true\n- name: PSRULE_OUTPUT_FORMAT\nvalue: Yaml\n- name: PSRULE_RULE_EXCLUDE\nvalue: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    $Env:PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION = 'true'\n$Env:PSRULE_OUTPUT_FORMAT = 'Yaml'\n$Env:PSRULE_RULE_EXCLUDE = 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    export PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION=true\nexport PSRULE_OUTPUT_FORMAT=Yaml\nexport PSRULE_RULE_EXCLUDE='Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    "},{"location":"setup/configuring-rules/","title":"Configuring rule defaults","text":"

    PSRule for Azure include several rules that can be configured. Setting these values overrides the default configuration with organization specific values.

    Tip

    Each of these configuration options are set within the ps-rule.yaml file. To learn how to set configuration options see Configuring options.

    "},{"location":"setup/configuring-rules/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"

    v1.12.0

    This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.

    Syntax:

    configuration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string\n

    Default:

    # YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option\nconfiguration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.26.6\n

    Example:

    # YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.22.4\nconfiguration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.22.4\n
    "},{"location":"setup/configuring-rules/#azure_aks_cni_minimum_cluster_subnet_size","title":"AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE","text":"

    This configuration option determines the minimum subnet size for Azure AKS CNI.

    Syntax:

    configuration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: integer\n

    Default:

    # YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n

    Example:

    # YAML: Set the AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option to 26\nconfiguration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 26\n
    "},{"location":"setup/configuring-rules/#azure_aks_additional_region_availability_zone_list","title":"AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST","text":"

    This configuration option adds availability zones that are not included in the existing providers. You can use this option to add availability zones that are not included in the default list.

    The following providers are supported:

    • Microsoft.Compute/virtualMachineScaleSets
    • Microsoft.Network/applicationGateways
    • Microsoft.Network/publicIPAddresses
    • Microsoft.ApiManagement/service
    • Microsoft.Cache/Redis
    • Microsoft.Cache/redisEnterprise

    The following rules and configuration options are supported:

    • Azure.AKS.AvailabilityZone - AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.AppGw.AvailabilityZone - AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.PublicIP.AvailabilityZone - AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.APIM.AvailabilityZone - AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.Redis.AvailabilityZone - AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.RedisEnterprise.Zones - AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST

    Syntax:

    configuration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: array\n

    Default:

    # YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n

    Example:

    # YAML: Set the AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option to Antarctica North and Antarctica South, with zones 1, 2, 3.\nconfiguration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST:\n- location: Antarctica North\nzones:\n- '1'\n- '2'\n- '3'\n- location: Antarctica South\nzones:\n- '1'\n- '2'\n- '3'\n

    The above example, both these forms of location are accepted:

    • Antarctica North or antarcticanorth
    • Antarctica South or antarcticasouth

    The rules normalize these location formats so either is accepted in the configuration.

    Note

    The above are examples for illustration purpose only. At the time of writing, Antarctica North and Antarctica South are fictional locations. If they do in the future exist, use this option add them prior to PSRule for Azure support. The above shows examples specific to Azure.AKS.AvailabilityZone, but behavior is consistent across all supported rules.

    "},{"location":"setup/configuring-rules/#azure_aks_enabled_platform_log_categories_list","title":"AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"

    This configuration option sets selective platform diagnostic categories to report on being enabled.

    Syntax:

    configuration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n

    Default:

    # YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- cluster-autoscaler\n- kube-apiserver\n- kube-controller-manager\n- kube-scheduler\n- AllMetrics\n

    Example:

    # YAML: Set the AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to cluster-autoscaler and AllMetrics categories only. \nconfiguration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- cluster-autoscaler\n- AllMetrics\n
    "},{"location":"setup/configuring-rules/#azure_automationaccount_enabled_platform_log_categories_list","title":"AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"

    This configuration option sets selective platform diagnostic categories to report on being enabled.

    Syntax:

    configuration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n

    Default:

    # YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- JobLogs\n- JobStreams\n- DscNodeStatus\n- AllMetrics\n

    Example:

    # YAML: Set the AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to JobLogs and AllMetrics categories only. \nconfiguration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- JobLogs\n- AllMetrics\n
    "},{"location":"setup/configuring-rules/#set-the-minimum-maxpods-for-a-node-pool","title":"Set the minimum MaxPods for a node pool","text":"

    This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a maxPods option is used to determine the maximum number of pods for each node in the node pool.

    Depending on your workloads it may make sense to change this option:

    • Micro-services/ web applications: 50+
    • Data movement/ processing: 20-30

    Syntax:

    configuration:\nAzure_AKSNodeMinimumMaxPods: integer\n

    Default:

    # YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 50\n

    Example:

    # YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 30\n
    "},{"location":"setup/configuring-rules/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"

    This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to '2021-08-01'.

    Syntax:

    configuration:\nAZURE_APIM_MIN_API_VERSION: string\n

    Default:

    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-08-01'\n

    Example:

    # YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n
    "},{"location":"setup/configuring-rules/#azure_containerapps_restrict_ingress","title":"AZURE_CONTAINERAPPS_RESTRICT_INGRESS","text":"

    This configuration specifies whether if external ingress should be enabled or disabled.

    Syntax:

    configuration:\nAZURE_CONTAINERAPPS_RESTRICT_INGRESS: boolean # An boolean value\n

    Default:

    # YAML: The default AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option\nconfiguration:\nAZURE_CONTAINERAPPS_RESTRICT_INGRESS: false\n

    Example:

    # YAML: Set the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to enabled\nconfiguration:\nAZURE_CONTAINERAPPS_RESTRICT_INGRESS: true\n
    "},{"location":"setup/configuring-rules/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"

    This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"setup/configuring-rules/#azure_resource_allowed_locations","title":"AZURE_RESOURCE_ALLOWED_LOCATIONS","text":"

    v1.30.0

    Applies to Azure.Resource.AllowedRegions.

    This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.

    By default, AZURE_RESOURCE_ALLOWED_LOCATIONS is not configured.

    Syntax:

    configuration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS: array # An array of regions\n

    Default:

    # YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS: []\n

    Example:

    # YAML: Set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option to Australia East, Australia South East\nconfiguration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS:\n- australiaeast\n- australiasoutheast\n

    If you configure the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting AZURE_RESOURCE_GROUP the configuration value to when resources use the location of the resource group.

    For example:

    configuration:\nAZURE_RESOURCE_GROUP:\nlocation: australiaeast\n
    "},{"location":"setup/configuring-rules/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"

    This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.

    Syntax:

    configuration:\nAzure_MinimumCertificateLifetime: integer\n

    Default:

    # YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\nAzure_MinimumCertificateLifetime: 30\n

    Example:

    # YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\nAzure_MinimumCertificateLifetime: 90\n
    "},{"location":"setup/configuring-rules/#azure_linux_os_offers","title":"AZURE_LINUX_OS_OFFERS","text":"

    v1.20.0

    This configurations specifies names of offers corresponding to the Linux OS. It's mostly intended to be used when analyzing templates that use private Linux offerings. Rules that check if a VM or VMSS has Linux OS also validate against the values set by this configuration.

    Syntax:

    configuration:\nAZURE_LINUX_OS_OFFERS: array # An array of offer names\n

    Default:

    # YAML: The default AZURE_LINUX_OS_OFFERS configuration option\nconfiguration:\nAZURE_LINUX_OS_OFFERS: []\n

    Example:

    # YAML: Set the AZURE_LINUX_OS_OFFERS configuration option to aLinuxOffer, anotherLinuxOffer\nconfiguration:\nAZURE_LINUX_OS_OFFERS:\n- 'aLinuxOffer'\n- 'anotherLinuxOffer'\n
    "},{"location":"setup/configuring-rules/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"

    v1.21.0

    This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.

    Configure this option to ignore policy definitions that:

    • Already have a rule defined.
    • Are not relevant to testing Infrastructure as Code.

    Syntax:

    configuration:\nAZURE_POLICY_IGNORE_LIST: array\n

    Default:

    # YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\nAZURE_POLICY_IGNORE_LIST: []\n

    Example:

    # YAML: Add a custom policy definition to ignore\nAZURE_POLICY_IGNORE_LIST:\n- '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n- '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n
    "},{"location":"setup/configuring-rules/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"

    This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to Azure.

    This configuration option will be ignored when -Prefix is used with Export-AzPolicyAssignmentRuleData.

    Syntax:

    configuration:\nAZURE_POLICY_RULE_PREFIX: string\n

    Default:

    # YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\nAZURE_POLICY_RULE_PREFIX: Azure\n

    Example:

    # YAML: Override the prefix of exported policy rules\nAZURE_POLICY_RULE_PREFIX: AzureCustomPrefix\n
    "},{"location":"setup/configuring-rules/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"

    This configuration option determines the maximum number of days in the future for a waiver policy exemption.

    Syntax:

    configuration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n

    Default:

    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n

    Example:

    # YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n
    "},{"location":"setup/configuring-rules/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"

    v1.27.0

    This configuration option enables validation for that each storage account is associated with a Microsoft Defender for Storage resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"setup/configuring-rules/#azure_vnet_dns_with_identity","title":"AZURE_VNET_DNS_WITH_IDENTITY","text":"

    v1.30.0

    Applies to Azure.VNET.LocalDNS.

    Set this configuration option to true when DNS is deployed within the Identity subscription to avoid false positives.

    When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:

    • Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
    • Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.

    If you are using this configuration, we recommend you set the configuration option AZURE_VNET_DNS_WITH_IDENTITY to true. By default, this configuration option is set to false.

    Syntax:

    configuration:\nAZURE_VNET_DNS_WITH_IDENTITY: boolean # An boolean value\n

    Default:

    # YAML: The default AZURE_VNET_DNS_WITH_IDENTITY configuration option\nconfiguration:\nAZURE_VNET_DNS_WITH_IDENTITY: false\n

    Example:

    # YAML: Set the AZURE_VNET_DNS_WITH_IDENTITY configuration option to enabled\nconfiguration:\nAZURE_VNET_DNS_WITH_IDENTITY: true\n
    "},{"location":"setup/setup-azure-monitor-logs/","title":"Setup Azure Monitor logs","text":"

    When analyzing Azure resources, you may want to capture the results of each analysis run. Azure Monitor provides a central storage location for log data through Log Analytics workspaces. Centrally storing PSRule results enables the following scenarios:

    • Auditing and reporting \u2014 Report on analysis pass or failures.
      • Use Azure Monitor workbooks or custom queries to perform analysis and display results.
      • Perform security analysis within Microsoft Azure Sentinel your a scalable, cloud-native SIEM. Alternatively, export log data from Log Analytics for ingestion into a third-party SIEM.
    • Send notifications using alerts \u2014 Trigger alerts to send notifications.
    • Integration with other workflows \u2014 Configure alerts and action groups to trigger integration.

    Abstract

    This topic covers setting up PSRule to log rule results into a Log Analytics workspace.

    "},{"location":"setup/setup-azure-monitor-logs/#logging-into-a-log-analytics-workspace","title":"Logging into a Log Analytics workspace","text":"

    Logging of PSRule results into a workspace is done using the PSRule for Azure Monitor module. PSRule for Azure Monitor extends the PSRule pipeline to import results into the specified workspace.

    Once configured, PSRule will log results into the PSRule_CL custom log table of the chosen workspace.

    Info

    Integration between PSRule and Azure Monitor is done by means of a convention. Conventions extend the pipeline to be able to upload results after rules have run.

    "},{"location":"setup/setup-azure-monitor-logs/#setting-environment-variables","title":"Setting environment variables","text":"

    PSRule for Azure Monitor requires a Log Analytics workspace to import results into. To configure the workspace to import results to the following environment variables must be set.

    • PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID - The unique ID (GUID) for the workspace to import results.
    • PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY - Either the primary or secondary key of the workspace.

    How to set these environment variables is covered in the next section for GitHub Actions and Azure Pipelines.

    Tip

    Both the workspace ID and keys can be found under the Agents management settings of the workspace.

    "},{"location":"setup/setup-azure-monitor-logs/#configuring-your-pipeline","title":"Configuring your pipeline","text":"

    The convention that imports PSRule analysis results is not executed by default. To enable, reference the Monitor.LogAnalytics.Import convention in your analysis pipeline.

    "},{"location":"setup/setup-azure-monitor-logs/#with-github-actions","title":"With GitHub Actions","text":"

    GitHub Action

    Import analysis results into Azure Monitor with GitHub Actions by:

    • Using the PSRule.Monitor module.
    • Referencing the Monitor.LogAnalytics.Import convention.
    • Configure secrets for MONITOR_WORKSPACE_ID and MONITOR_WORKSPACE_KEY.
    StablePre-release

    Install the latest stable module versions.

    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables using GitHub encrypted secrets\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n

    Install the latest stable or pre-release module versions.

    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nprerelease: true\nenv:\n# Define environment variables using GitHub encrypted secrets\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n

    Important

    Environment variables can be configured in the workflow or from a secret. To keep MONITOR_WORKSPACE_KEY secure, use an encrypted secret.

    "},{"location":"setup/setup-azure-monitor-logs/#with-azure-pipelines","title":"With Azure Pipelines","text":"

    Extension

    Import analysis results into Azure Monitor with Azure Pipelines by:

    • Installing the PSRule extension, then using the ps-rule-assert task in pipeline steps.
    • Using the PSRule.Monitor module.
    • Referencing the Monitor.LogAnalytics.Import convention.
    • Configure variables for MONITORWORKSPACEID and MONITORWORKSPACEKEY.
    StablePre-release

    Install the latest stable module versions.

    - task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables within Azure Pipelines\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n

    Install the latest stable or pre-release module versions.

    - task: ps-rule-install@2\ndisplayName: Install PSRule for Azure (pre-release)\ninputs:\nmodule: PSRule.Rules.Azure\nprerelease: true\n- task: ps-rule-install@2\ndisplayName: Install PSRule for Azure Monitor (pre-release)\ninputs:\nmodule: PSRule.Monitor\nprerelease: true\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables within Azure Pipelines\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n

    Important

    Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep MONITORWORKSPACEKEY secure, use a variable group linked to an Azure Key Vault.

    "},{"location":"setup/setup-azure-monitor-logs/#samples","title":"Samples","text":"

    Continue reading for some sample resources you can try once this integration is setup Azure Monitor integration.

    "},{"location":"setup/setup-azure-monitor-logs/#log-analytics-queries","title":"Log Analytics Queries","text":""},{"location":"setup/setup-azure-monitor-logs/#results-with-annotations","title":"Results with annotations","text":"Kusto
    // Show extended info\nPSRule_CL\n| where TimeGenerated > ago(30d)\n| extend Pillar = tostring(parse_json(Annotations_s).pillar)\n| extend Link = tostring(parse_json(Annotations_s).[\"online version\"])\n
    "},{"location":"setup/setup-azure-monitor-logs/#summarize-results-by-run","title":"Summarize results by run","text":"Kusto
    // Group by run\nPSRule_CL\n| where TimeGenerated > ago(30d)\n| summarize Pass=countif(Outcome_s == \"Pass\"), Fail=countif(Outcome_s  == \"Fail\") by RunId_s\n
    "},{"location":"setup/setup-azure-monitor-logs/#querying-the-data","title":"Querying The Data","text":"

    Once the results have been published to the Log Analytics workspace, they can be queried by executing results against the PSRule_CL table (under Custom Logs). For more information on how to write Log Analytics querys, review the Log Analytics tutortial.

    "},{"location":"setup/setup-azure-monitor-logs/#workbook","title":"Workbook","text":"

    Workbook

    A sample Azure Monitor Workbook is available in the PSRule for Azure GitHub repository. This workbook can be imported directly into Azure Monitor and used as a foundation to build from. Review the Workbook creation tutorial for instructions on how to work with the sample Workbook.

    "},{"location":"setup/setup-bicep/","title":"Setup Bicep","text":"

    To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines.

    Abstract

    This topic covers setting up support for analyzing Azure resources within Bicep source files.

    "},{"location":"setup/setup-bicep/#installing-bicep-cli","title":"Installing Bicep CLI","text":"

    PSRule for Azure requires a minimum of Bicep CLI version 0.4.451. However the features you use within Bicep may require a newer version of the Bicep CLI.

    You may need to install or upgrade the Bicep CLI in the following scenarios:

    • Your Bicep source files require a newer version of the CLI then supported by hosted agents. The Bicep CLI version can be found in the included software list for each supported platform.
    • You are using self-hosted runners with your GitHub Actions workflow.
    • You are using self-hosted agents with Azure Pipelines.
    • You are performing local validation or using a different CI platform.

    The Bicep CLI can be installed on MacOS, Linux, and Windows. For installation instructions see Setup your Bicep development environment.

    Tip

    When installing Bicep using the Azure CLI, Bicep is not added to the PATH environment variable. To use PSRule for Azure with the Azure CLI set the PSRULE_AZURE_BICEP_USE_AZURE_CLI to true. Setting this environment variable is explained in the next section.

    "},{"location":"setup/setup-bicep/#setting-environment-variables","title":"Setting environment variables","text":"

    When expanding Bicep files, the path to the Bicep CLI binary is required. By default, the PATH environment variable will be used to discover the binary path. When using this option, add the sub-directory containing the Bicep binary to the environment variable.

    Alternatively, the path can be overridden by setting the PSRULE_AZURE_BICEP_PATH environment variable. When setting PSRULE_AZURE_BICEP_PATH specify the full path to the Bicep binary including the file name. File names used for Bicep binaries include bicep, or bicep.exe.

    Example

    Bash
    export PSRULE_AZURE_BICEP_PATH='/usr/local/bin/bicep'\n
    PowerShell
    $Env:PSRULE_AZURE_BICEP_PATH = '/usr/local/bin/bicep';\n
    GitHub Actions
    env:\nPSRULE_AZURE_BICEP_PATH: '/usr/local/bin/bicep'\n
    Azure Pipelines
    variables:\n- name: PSRULE_AZURE_BICEP_PATH\nvalue: '/usr/local/bin/bicep'\n
    "},{"location":"setup/setup-bicep/#using-azure-cli","title":"Using Azure CLI","text":"

    By default, PSRule for Azure uses the Bicep CLI directly. An additional option is to use the Azure CLI to invoke the Bicep CLI. When using this option the required version of the CLI must be installed prior to using PSRule for Azure. This is explained in Setup your Bicep development environment.

    To enable this option, set the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable to true.

    Example

    Bash
    export PSRULE_AZURE_BICEP_USE_AZURE_CLI=true\n
    PowerShell
    $Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true'\n
    GitHub Actions
    env:\nPSRULE_AZURE_BICEP_USE_AZURE_CLI: true\n
    Azure Pipelines
    variables:\n- name: PSRULE_AZURE_BICEP_USE_AZURE_CLI\nvalue: true\n
    "},{"location":"setup/setup-bicep/#additional-arguments","title":"Additional arguments","text":"

    For configuration, additional arguments can be passed to the Bicep CLI. This is intended to improve forward compatibility with Bicep CLI.

    To configure additional arguments, set the PSRULE_AZURE_BICEP_ARGS environment variable.

    "},{"location":"setup/setup-bicep/#configuring-expansion","title":"Configuring expansion","text":"

    Docs

    PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from .bicep files.

    To enabled this feature, set the Configuration.AZURE_BICEP_FILE_EXPANSION to true. This option can be set within the ps-rule.yaml file.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of bicep source files.\nAZURE_BICEP_FILE_EXPANSION: true\n

    Tip

    If you deploy Bicep code using JSON parameter files this option does not need to be set. Set Configuration.AZURE_PARAMETER_FILE_EXPANSION to true instead. See Using parameter files and By metadata for more information.

    "},{"location":"setup/setup-bicep/#configuring-timeout","title":"Configuring timeout","text":"

    Docs

    In certain environments it may be necessary to increase the default timeout for building Bicep files. This can occur if your Bicep deployments are:

    • Large and complex.
    • Use nested modules.
    • Use modules restored from a registry.

    If you are experiencing timeout errors you can increase the default timeout of 5 seconds. To configure the timeout, set Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT to the timeout in seconds.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of bicep source files.\nAZURE_BICEP_FILE_EXPANSION: true\n# Configure the timeout for bicep build to 15 seconds.\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n
    "},{"location":"setup/setup-bicep/#checking-bicep-version","title":"Checking Bicep version","text":"

    v1.25.0

    To use Bicep files with PSRule for Azure:

    • The Bicep CLI must be installed or you must configure the Azure CLI.
    • The version installed must support the features you are using.

    It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Additionally, the version installed in your CI/ CD pipeline may not be the same as your local development environment.

    You can enable checking the Bicep CLI version during initialization. To enable this feature, set the Configuration.AZURE_BICEP_CHECK_TOOL option to true. Additionally, you can set the minimum version required using the Configuration.AZURE_BICEP_MINIMUM_VERSION option.

    ps-rule.yaml
    configuration:\n# Enable Bicep CLI checks.\nAZURE_BICEP_CHECK_TOOL: true\n# Optionally, configure the minimum version of the Bicep CLI.\nAZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n
    "},{"location":"setup/setup-bicep/#configuring-minimum-version","title":"Configuring minimum version","text":"

    v1.25.0

    The Azure Bicep CLI is updated regularly, with new features and bug fixes. You must use a version of the Bicep CLI that supports the features you are using. If you attempt to use a feature that is not supported by the Bicep CLI, expansion will fail with a BCP error.

    Tip

    It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Using the Bicep CLI via az bicep is not the default, and you may need to set additional options to use it.

    To ensure you are using the correct version of the Bicep CLI, you can configure the minimum version required. If an earlier version is detected, PSRule for Azure will generate an error. To configure the minimum version, set the Configuration.AZURE_BICEP_MINIMUM_VERSION option. By default, the minimum version is set to 0.4.451.

    ps-rule.yaml
    configuration:\n# Enable Bicep CLI checks.\nAZURE_BICEP_CHECK_TOOL: true\n# Configure the minimum version of the Bicep CLI.\nAZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n

    Important

    The Configuration.AZURE_BICEP_CHECK_TOOL must be set to true for this option to take effect.

    Tip

    For troubleshooting Bicep compilation errors see Bicep compile errors.

    "},{"location":"setup/setup-bicep/#recommended-content","title":"Recommended content","text":"
    • Using Bicep source
    • Restoring modules from a private registry
    "},{"location":"specs/inflight-export-spec/","title":"Design spec for export of in-flight resource data","text":"

    To support analysis of in-flight resources, the configuration data must be exported from Azure. This spec documents this mode of operation.

    "},{"location":"specs/inflight-export-spec/#requirements","title":"Requirements","text":"

    The requirements for this feature/ mode of operation include:

    • Export resources, resource groups, and subscription configuration.
    • Export related sub-resource configuration data to support rules.

    Additonally some non-function requirements include:

    • Gracefully handle Azure management API throttling.
    • Limit exported data based on filters.
    "}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"CHANGELOG-v0/","title":"Change log","text":""},{"location":"CHANGELOG-v0/#v0190","title":"v0.19.0","text":"

    What's changed since v0.18.0:

    • New features:
      • Added Azure.GA_2020_12 baseline. #593
        • Includes rules released before or during December 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_09 as obsolete.
    • New rules:
      • Database for MySQL:
        • Check database servers meet name requirements. #583
      • Database for PostgreSQL:
        • Check database servers meet name requirements. #583
      • SQL Database:
        • Check SQL logical servers meet name requirements. #583
        • Check SQL failover groups meet name requirements. #583
        • Check SQL databases meet name requirements. #583
      • SQL Managed Instance:
        • Check SQL Managed Instances meet name requirements. #583
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.3. #590
    • General improvements:
      • Added support for true, false, and null template functions. #579
      • Added support for createObject template function. #580
    • Engineering:
      • Bump PSRule dependency to v1.0.0. #588

    What's changed since pre-release v0.19.0-B2012008:

    • New features:
      • Added Azure.GA_2020_12 baseline. #593
        • Includes rules released before or during December 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_09 as obsolete.
    "},{"location":"CHANGELOG-v0/#v0190-b2012008-pre-release","title":"v0.19.0-B2012008 (pre-release)","text":"

    What's changed since pre-release v0.19.0-B2011008:

    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.3. #590
    • Engineering:
      • Bump PSRule dependency to v1.0.0. #588
    "},{"location":"CHANGELOG-v0/#v0190-b2011008-pre-release","title":"v0.19.0-B2011008 (pre-release)","text":"

    What's changed since v0.18.0:

    • New rules:
      • Database for MySQL:
        • Check database servers meet name requirements. #583
      • Database for PostgreSQL:
        • Check database servers meet name requirements. #583
      • SQL Database:
        • Check SQL logical servers meet name requirements. #583
        • Check SQL failover groups meet name requirements. #583
        • Check SQL databases meet name requirements. #583
      • SQL Managed Instance:
        • Check SQL Managed Instances meet name requirements. #583
    • General improvements:
      • Added support for true, false, and null template functions. #579
      • Added support for createObject template function. #580
    "},{"location":"CHANGELOG-v0/#v0180","title":"v0.18.0","text":"

    What's changed since v0.17.0:

    • New rules:
      • Container Registry:
        • Check registries use container image scanning. #558
        • Check registries image scanning results are healthy. #558
        • Check registries use content trust. #558
        • Check registries are geo-replicated. #558
        • Check registries uses storage space less than included storage. #558
        • Check registries have a retention set of untagged manifests (preview). #558
        • Check registries use image quarantine pattern (preview). #558
      • Front Door:
        • Check Front Door WAF policy name requirements. #552
    • Bug fixes:
      • Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554
      • Fixed reason typo on template parameter metadata. #567
      • Fixed Get-AzRuleTemplateLink reports incorrect parameter with file path. #568
      • Fixed variable property not resolved with copy peer. #571
      • Fixed blob soft delete for FileStorage storage accounts. #573
      • Fixed top level variable copy detected as unused variable.#569
      • Fixed ResourceGroupName property cannot be found on this object. #561

    What's changed since pre-release v0.18.0-B2011023:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0180-b2011023-pre-release","title":"v0.18.0-B2011023 (pre-release)","text":"

    What's changed since pre-release v0.18.0-B2011005:

    • Bug fixes:
      • Fixed reason typo on template parameter metadata. #567
      • Fixed Get-AzRuleTemplateLink reports incorrect parameter with file path. #568
      • Fixed variable property not resolved with copy peer. #571
      • Fixed blob soft delete for FileStorage storage accounts. #573
      • Fixed top level variable copy detected as unused variable.#569
    "},{"location":"CHANGELOG-v0/#v0180-b2011005-pre-release","title":"v0.18.0-B2011005 (pre-release)","text":"

    What's changed since pre-release v0.18.0-B2010016:

    • Bug fixes:
      • Fixed ResourceGroupName property cannot be found on this object. #561
    "},{"location":"CHANGELOG-v0/#v0180-b2010016-pre-release","title":"v0.18.0-B2010016 (pre-release)","text":"

    What's changed since v0.17.0:

    • New rules:
      • Container Registry:
        • Check registries use container image scanning. #558
        • Check registries image scanning results are healthy. #558
        • Check registries use content trust. #558
        • Check registries are geo-replicated. #558
        • Check registries uses storage space less than included storage. #558
        • Check registries have a retention set of untagged manifests (preview). #558
        • Check registries use image quarantine pattern (preview). #558
      • Front Door:
        • Check Front Door WAF policy name requirements. #552
    • Bug fixes:
      • Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554
    "},{"location":"CHANGELOG-v0/#v0170","title":"v0.17.0","text":"

    What's changed since v0.16.0:

    • New rules:
      • Azure Cache for Redis:
        • Check cache instances use Standard C1 or greater SKU. #501
        • Cache cache instances configure maxmemory-reserved setting. #502
      • App Configuration:
        • Check App Configuration stores meet name requirements. #528
        • Check App Configuration stores use standard SKU. #528
      • App Service:
        • Check App Service apps use HTTP/2. #538
        • Check App Service apps use managed identities. #537
        • Check App Service apps use Always On. #521
        • Check App Service apps have remote debugging disabled. #521
        • Check App Service apps use newer .NET Framework versions. #521
        • Check App Service apps use newer PHP runtime versions. #521
      • Logic App:
        • Check Logic App apps limit IP range for HTTP triggers. #526
    • Updated rules:
      • Storage:
        • Updated Azure.Storage.UseReplication for additional use cases.
          • Added support for geo-zone-redundant storage. #535
          • Exclude storage tagged with resource-usage = 'azure-functions' or resource-usage = 'azure-monitor'. #534
      • Azure Kubernetes Service:
        • Promote Azure.AKS.AzurePolicyAddOn to GA rule set. #524
    • Removed rules:
      • Azure Kubernetes Service:
        • Remove Azure.AKS.PodSecurityPolicy as this AKS feature is replaced by Azure Policy. #523
    • General improvements:
      • Added support for providers template function. #177
      • Added support for dateTimeAdd template function. #516
    • Bug fixes:
      • Fixed expansion of templates with multiple variables copy blocks. #541
      • Fixed App Service rule site config false positives in templates. #533

    What's changed since pre-release v0.17.0-B2010028:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0170-b2010028-pre-release","title":"v0.17.0-B2010028 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2010022:

    • New rules:
      • Azure Cache for Redis:
        • Check cache instances use Standard C1 or greater SKU. #501
        • Cache cache instances configure maxmemory-reserved setting. #502
    "},{"location":"CHANGELOG-v0/#v0170-b2010022-pre-release","title":"v0.17.0-B2010022 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2010017:

    • Bug fixes:
      • Fixed expansion of templates with multiple variables copy blocks. #541
    "},{"location":"CHANGELOG-v0/#v0170-b2010017-pre-release","title":"v0.17.0-B2010017 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2010006:

    • New rules:
      • App Service:
        • Check App Service apps use HTTP/2. #538
        • Check App Service apps use managed identities. #537
    • Updated rules:
      • Storage:
        • Updated Azure.Storage.UseReplication for additional use cases.
          • Added support for geo-zone-redundant storage. #535
          • Exclude storage tagged with resource-usage = 'azure-functions' or resource-usage = 'azure-monitor'. #534
    • Bug fixes:
      • Fixed App Service rule site config false positives in templates. #533
    "},{"location":"CHANGELOG-v0/#v0170-b2010006-pre-release","title":"v0.17.0-B2010006 (pre-release)","text":"

    What's changed since pre-release v0.17.0-B2009009:

    • New rules:
      • App Configuration:
        • Check App Configuration stores meet name requirements. #528
        • Check App Configuration stores use standard SKU. #528
      • App Service:
        • Check App Service apps use Always On. #521
        • Check App Service apps have remote debugging disabled. #521
        • Check App Service apps use newer .NET Framework versions. #521
        • Check App Service apps use newer PHP runtime versions. #521
      • Logic App:
        • Check Logic App apps limit IP range for HTTP triggers. #526
    • Updated rules:
      • Azure Kubernetes Service:
        • Promote Azure.AKS.AzurePolicyAddOn to GA rule set. #524
    • Removed rules:
      • Azure Kubernetes Service:
        • Remove Azure.AKS.PodSecurityPolicy as this AKS feature is replaced by Azure Policy. #523
    "},{"location":"CHANGELOG-v0/#v0170-b2009009-pre-release","title":"v0.17.0-B2009009 (pre-release)","text":"

    What's changed since v0.16.0:

    • General improvements:
      • Added support for providers template function. #177
      • Added support for dateTimeAdd template function. #516
    "},{"location":"CHANGELOG-v0/#v0160","title":"v0.16.0","text":"

    What's changed since v0.15.0:

    • New features:
      • Added Azure.GA_2020_09 baseline. #488
        • Includes rules released before or during September 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_06 as obsolete.
    • New rules:
      • CDN:
        • Check CDN endpoint naming requirements. #486
        • Check CDN endpoints use TLS 1.2. #487
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.18.8. #504
    • General improvements:
      • Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481
      • Improve output of template processing exceptions. #484
    • Engineering:
      • Bump PSRule dependency to v0.20.0.
    • Bug fixes:
      • Fixed Data Factory version not detected with template. #498
      • Fixed parameter file detection with 2019-04-01 schema. #495
      • Fixed deprecated $Rule properties. #491

    What's changed since pre-release v0.16.0-B2009033:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0160-b2009033-pre-release","title":"v0.16.0-B2009033 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009024:

    • New features:
      • Added Azure.GA_2020_09 baseline. #488
        • Includes rules released before or during September 2020 for Azure GA features.
        • Marked baseline Azure.GA_2020_06 as obsolete.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.18.8. #504
    • Engineering:
      • Bump PSRule dependency to v0.20.0.
    "},{"location":"CHANGELOG-v0/#v0160-b2009024-pre-release","title":"v0.16.0-B2009024 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009019:

    • Bug fixes:
      • Fixed Data Factory version not detected with template. #498
    "},{"location":"CHANGELOG-v0/#v0160-b2009019-pre-release","title":"v0.16.0-B2009019 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009011:

    • Bug fixes:
      • Fixed parameter file detection with 2019-04-01 schema. #495
    "},{"location":"CHANGELOG-v0/#v0160-b2009011-pre-release","title":"v0.16.0-B2009011 (pre-release)","text":"

    What's changed since pre-release v0.16.0-B2009004:

    • Bug fixes:
      • Fixed deprecated $Rule properties. #491
    "},{"location":"CHANGELOG-v0/#v0160-b2009004-pre-release","title":"v0.16.0-B2009004 (pre-release)","text":"

    What's changed since v0.15.0:

    • New rules:
      • CDN:
        • Check CDN endpoint naming requirements. #486
        • Check CDN endpoints use TLS 1.2. #487
    • General improvements:
      • Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481
      • Improve output of template processing exceptions. #484
    "},{"location":"CHANGELOG-v0/#v0150","title":"v0.15.0","text":"

    What's changed since v0.14.1:

    • New rules:
      • All resources:
        • Check ARM template parameters are used. #232
        • Check ARM template variables are used. #233
        • Check ARM template parameters include a metadata description. #360
        • Check ARM templates define at least one resource. #359
      • Database for MySQL:
        • Check database servers reject TLS versions older than 1.2. #469
      • Database for PostgreSQL:
        • Check database servers reject TLS versions older than 1.2. #470
      • SQL Database:
        • Check database servers reject TLS versions older than 1.2. #471
      • Storage Account:
        • Check Storage Accounts reject TLS versions older than 1.2. #455
        • Check Storage Accounts only accept authorized requests. #456
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.9. #452
    • Engineering:
      • Bump PSRule dependency to v0.19.0.
    • Bug fixes:
      • Fixed export of non-blob Storage Accounts. #464
      • Fixed export of subscription Security Center data based on API version. #465
      • Fixed masking of sharedKey when property does not exist. #466

    What's changed since pre-release v0.15.0-B2008034:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0150-b2008043-pre-release","title":"v0.15.0-B2008043 (pre-release)","text":"

    What's changed since pre-release v0.15.0-B2008034:

    • New rules:
      • Database for MySQL:
        • Check database servers reject TLS versions older than 1.2. #469
      • Database for PostgreSQL:
        • Check database servers reject TLS versions older than 1.2. #470
      • SQL Database:
        • Check database servers reject TLS versions older than 1.2. #471
    • Bug fixes:
      • Fixed use variables check when no variables are defined. #462
    "},{"location":"CHANGELOG-v0/#v0150-b2008034-pre-release","title":"v0.15.0-B2008034 (pre-release)","text":"

    What's changed since pre-release v0.15.0-B2008026:

    • Bug fixes:
      • Fixed export of non-blob Storage Accounts. #464
      • Fixed export of subscription Security Center data based on API version. #465
      • Fixed masking of sharedKey when property does not exist. #466
    "},{"location":"CHANGELOG-v0/#v0150-b2008026-pre-release","title":"v0.15.0-B2008026 (pre-release)","text":"

    What's changed since v0.14.1:

    • New rules:
      • All resources:
        • Check ARM template parameters are used. #232
        • Check ARM template variables are used. #233
        • Check ARM template parameters include a metadata description. #360
        • Check ARM templates define at least one resource. #359
      • Storage Account:
        • Check Storage Accounts reject TLS versions older than 1.2. #455
        • Check Storage Accounts only accept authorized requests. #456
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.9. #452
    "},{"location":"CHANGELOG-v0/#v0141","title":"v0.14.1","text":"

    What's changed since v0.14.0:

    • Bug fixes:
      • Fixed resource tags rule to exclude diagnostic settings. #448
    "},{"location":"CHANGELOG-v0/#v0140","title":"v0.14.0","text":"

    What's changed since v0.13.0:

    • New rules:
      • API Management:
        • Check API Management service name requirements. #437
        • Check API Management products have legal terms. #438
        • Check API Management products have a display name and description. #439
        • Check API Management APIs have a display name and description. #440
      • Subscriptions:
        • Check subscription is managed by PIM. #422
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.7. #427
    • General improvements:
      • Updated rule reasons and logic. #424
    • Bug fixes:
      • Fixed masking for network connection resource configuration. #434
      • Fixed hybrid use benefit rule to exclude Windows client OSs. #433
      • Fixed VM standalone rule to exclude Windows client OSs. #442

    What's changed since pre-release v0.14.0-B2007031:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0140-b2007031-pre-release","title":"v0.14.0-B2007031 (pre-release)","text":"

    What's changed since pre-release v0.14.0-B2007020:

    • New rules:
      • API Management:
        • Check API Management service name requirements. #437
        • Check API Management products have legal terms. #438
        • Check API Management products have a display name and description. #439
        • Check API Management APIs have a display name and description. #440
    • Bug fixes:
      • Fixed masking for network connection resource configuration. #434
      • Fixed hybrid use benefit rule to exclude Windows client OSs. #433
      • Fixed VM standalone rule to exclude Windows client OSs. #442
    "},{"location":"CHANGELOG-v0/#v0140-b2007020-pre-release","title":"v0.14.0-B2007020 (pre-release)","text":"

    What's changed since v0.13.0:

    • New rules:
      • Subscriptions:
        • Check subscription is managed by PIM. #422
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.17.7. #427
    • General improvements:
      • Updated rule reasons and logic. #424
    "},{"location":"CHANGELOG-v0/#v0130","title":"v0.13.0","text":"

    What's changed since v0.12.1:

    • New features:
      • Added Azure.GA_2020_06 baseline. #399
        • Includes rules released before or during June 2020 for Azure GA features.
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS clusters use a Standard load balancer SKU. #334
        • Check AKS clusters use Managed Identities for cluster infrastructure. #333
        • Check AKS clusters use Azure Policy add-on (preview). #405
      • Public IP:
        • Check Public IP domain name label requirements. #389
      • Virtual Machines:
        • Check Availability Set name requirements. #387
        • Check Computer name requirements. #387
        • Check Managed Disk name requirements. #387
        • Check Network Interface name requirements. #387
        • Check Virtual Machine name requirements. #387
        • Check Proximity Placement Group name requirements. #387
      • Virtual Machine Scale Sets:
        • Check Computer name requirements. #387
        • Check Virtual Machine Scale Set name requirements. #387
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.9. #394
    • Bug fixes:
      • Fixed module default culture. #390
      • Fixed exception message for object property that does not exist. #362
      • Fixed substring raises an exception processing sub expressions. #413

    What's changed since pre-release v0.13.0-B2006032:

    • Bug fixes:
      • Fixed substring raises an exception processing sub expressions. #413
    "},{"location":"CHANGELOG-v0/#v0130-b2006032-pre-release","title":"v0.13.0-B2006032 (pre-release)","text":"
    • New features:
      • Added Azure.GA_2020_06 baseline. #399
        • Includes rules released before or during June 2020 for Azure GA features.
    • Bug fixes:
      • Fixed exception message for object property that does not exist. #362
    "},{"location":"CHANGELOG-v0/#v0130-b2006023-pre-release","title":"v0.13.0-B2006023 (pre-release)","text":"
    • New rules:
      • Public IP:
        • Check Public IP domain name label requirements. #389
      • Virtual Machines:
        • Check Availability Set name requirements. #387
        • Check Computer name requirements. #387
        • Check Managed Disk name requirements. #387
        • Check Network Interface name requirements. #387
        • Check Virtual Machine name requirements. #387
        • Check Proximity Placement Group name requirements. #387
      • Virtual Machine Scale Sets:
        • Check Computer name requirements. #387
        • Check Virtual Machine Scale Set name requirements. #387
    "},{"location":"CHANGELOG-v0/#v0130-b2006017-pre-release","title":"v0.13.0-B2006017 (pre-release)","text":"
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS clusters use a Standard load balancer SKU. #334
        • Check AKS clusters use Managed Identities for cluster infrastructure. #333
        • Check AKS clusters use Azure Policy add-on (preview). #405
    "},{"location":"CHANGELOG-v0/#v0130-b2006003-pre-release","title":"v0.13.0-B2006003 (pre-release)","text":"
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.9. #394
    • Bug fixes:
      • Fixed module default culture. #390
    "},{"location":"CHANGELOG-v0/#v0121","title":"v0.12.1","text":"

    What's changed since v0.12.0:

    • Bug fixes:
      • Fixed subnet name check for VNET with no subnets. #386
    "},{"location":"CHANGELOG-v0/#v0120","title":"v0.12.0","text":"

    What's changed since v0.11.0:

    • New rules:
      • Azure Kubernetes Service:
        • Check AKS cluster name requirements. #373
        • Check AKS cluster DNS prefix requirements. #373
      • Container Registry:
        • Check registry name requirements. #373
      • Front Door:
        • Check Front Door name requirements. #373
      • Load Balancer:
        • Check Load Balancer name requirements. #373
      • Network Security Group:
        • Check NSG name requirements. #373
      • Public IP:
        • Check Public IP name requirements. #373
      • Policy:
        • Check Policy definitions use descriptive fields. #364
      • Resource Group:
        • Check Resource Group name requirements. #373
      • Route table
        • Check Route table name requirements. #373
      • SignalR Service:
        • Check SignalR Service name requirements. #373
      • SQL Database:
        • Check SQL Database uses TDE. #379
        • Check SQL Database uses AAD authentication. #378
      • Storage Account:
        • Check Storage Account name requirements. #373
        • Check Storage blob containers use private access type. #365
      • Virtual Network:
        • Check VNET name requirements. #373
        • Check VNET subnet name requirements. #373
      • Virtual Network Gateway:
        • Check VNG name requirements. #373
        • Check VNG connection name requirements. #373
        • Check ExpressRoute Gateway uses current SKU. #369
        • Check VPN Gateway uses current SKU. #370
        • Check VPN Gateway uses active-active configuration. #371

    What's changed since pre-release v0.12.0-B2005026:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0120-b2005026-pre-release","title":"v0.12.0-B2005026 (pre-release)","text":"
    • New rules:
      • SQL Database:
        • Check SQL Database uses TDE. #379
        • Check SQL Database uses AAD authentication. #378
    • Bug fixes:
      • Fixed handling of subnet sub-resource name with slash. #381
    "},{"location":"CHANGELOG-v0/#v0120-b2005019-pre-release","title":"v0.12.0-B2005019 (pre-release)","text":"
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS cluster name requirements. #373
        • Check AKS cluster DNS prefix requirements. #373
      • Container Registry:
        • Check registry name requirements. #373
      • Front Door:
        • Check Front Door name requirements. #373
      • Load Balancer:
        • Check Load Balancer name requirements. #373
      • Network Security Group:
        • Check NSG name requirements. #373
      • Public IP:
        • Check Public IP name requirements. #373
      • Resource Group:
        • Check Resource Group name requirements. #373
      • Route table
        • Check Route table name requirements. #373
      • SignalR Service:
        • Check SignalR Service name requirements. #373
      • Storage Account:
        • Check Storage Account name requirements. #373
      • Virtual Network:
        • Check VNET name requirements. #373
        • Check VNET subnet name requirements. #373
      • Virtual Network Gateway:
        • Check VNG name requirements. #373
        • Check VNG connection name requirements. #373
        • Check ExpressRoute Gateway uses current SKU. #369
        • Check VPN Gateway uses current SKU. #370
        • Check VPN Gateway uses active-active configuration. #371
    "},{"location":"CHANGELOG-v0/#v0120-b2005005-pre-release","title":"v0.12.0-B2005005 (pre-release)","text":"
    • New rules:
      • Storage Account:
        • Check Storage blob containers use private access type. #365
      • Policy:
        • Check Policy definitions use descriptive fields. #364
    "},{"location":"CHANGELOG-v0/#v0110","title":"v0.11.0","text":"

    What's changed since v0.10.1:

    • New rules:
      • Azure Kubernetes Service:
        • Check AKS nodes use a minimum number of pods. #274
      • API Management:
        • Check API Management products require a subscription. #342
        • Check API Management products require approval. #343
        • Check API Management sample products have been removed. #344
        • Check API Management uses a managed identity. #345
        • Check API Management certificates are not expired. #346
    • General improvements:
      • Added name and type bindings for template files. #353
      • Breaking change: Renamed configuration options to use a standard prefix. #327
        • Configuration options use the Azure_ prefix.
        • Update configuration settings to use the new name, old configuration names are ignored.
        • Renamed minAKSVersion to Azure_AKSMinimumVersion.
        • Renamed azureAllowedRegions to Azure_AllowedRegions.
        • Added configuration option documentation. See about_PSRule_Azure_Configuration for details.

    What's changed since pre-release v0.11.0-B2004012:

    • General improvements:
      • Added name and type bindings for template files. #353
    "},{"location":"CHANGELOG-v0/#v0110-b2004012-pre-release","title":"v0.11.0-B2004012 (pre-release)","text":"
    • New rules:
      • Azure Kubernetes Service:
        • Check AKS nodes use a minimum number of pods. #274
    • General improvements:
      • Breaking change: Renamed configuration options to use a standard prefix. #327
        • Configuration options use the Azure_ prefix.
        • Update configuration settings to use the new name, old configuration names are ignored.
        • Renamed minAKSVersion to Azure_AKSMinimumVersion.
        • Renamed azureAllowedRegions to Azure_AllowedRegions.
        • Added configuration option documentation. See about_PSRule_Azure_Configuration for details.
    "},{"location":"CHANGELOG-v0/#v0110-b2004005-pre-release","title":"v0.11.0-B2004005 (pre-release)","text":"
    • New rules:
      • API Management:
        • Check API Management products require a subscription. #342
        • Check API Management products require approval. #343
        • Check API Management sample products have been removed. #344
        • Check API Management uses a managed identity. #345
        • Check API Management certificates are not expired. #346
    "},{"location":"CHANGELOG-v0/#v0101","title":"v0.10.1","text":"

    What's changed since v0.10.0:

    • Bug fixes:
      • Fixed false positive for unused public IP in templates. #336
      • Fixed false positive for use of managed disks in templates. #337
      • Fixed false positive for disk caching when no VM data disks is null in templates. #338
    "},{"location":"CHANGELOG-v0/#v0100","title":"v0.10.0","text":"

    What's changed since v0.9.0:

    • New features:
      • Added support for linking parameter and template files for analysis with metadata. #324
        • Added Get-AzRuleTemplateLink cmdlet to get metadata link to template files.
        • See cmdlet help for usage.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.7. #330
    • General improvements:
      • Removed warning message for azureAllowedRegions option. #328
      • Improvements to verbose logging of Export-AzRuleData. #301
    • Bug fixes:
      • Fixed unused VM resource false positives in templates. #312
      • Fixed handling SKU for accelerated networking. #314
      • Fixed detection of hybrid use benefit in templates. #313
      • Fixed exception message when a template or parameter file is not found. #316
      • Fixed detection of diagnostic logging for Front Door. #307
      • Fixed Front Door WAF Policy export. #308
      • Fixed union of object properties in templates. #303

    What's changed since pre-release v0.10.0-B2003051:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v0100-b2003051-pre-release","title":"v0.10.0-B2003051 (pre-release)","text":"
    • New features:
      • Added support for linking parameter and template files for analysis with metadata. #324
        • Added Get-AzRuleTemplateLink cmdlet to get metadata link to template files.
        • See cmdlet help for usage.
    • General improvements:
      • Removed warning message for azureAllowedRegions option. #328
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.16.7. #330
    "},{"location":"CHANGELOG-v0/#v0100-b2003032-pre-release","title":"v0.10.0-B2003032 (pre-release)","text":"
    • Bug fixes:
      • Fixed unused VM resource false positives in templates. #312
      • Fixed handling SKU for accelerated networking. #314
      • Fixed detection of hybrid use benefit in templates. #313
      • Fixed exception message when a template or parameter file is not found. #316
    "},{"location":"CHANGELOG-v0/#v0100-b2003004-pre-release","title":"v0.10.0-B2003004 (pre-release)","text":"
    • Bug fixes:
      • Fixed detection of diagnostic logging for Front Door. #307
      • Fixed Front Door WAF Policy export. #308
    "},{"location":"CHANGELOG-v0/#v0100-b2002023-pre-release","title":"v0.10.0-B2002023 (pre-release)","text":"
    • General improvements:
      • Improvements to verbose logging of Export-AzRuleData. #301
    • Bug fixes:
      • Fixed union of object properties in templates. #303
    "},{"location":"CHANGELOG-v0/#v090","title":"v0.9.0","text":"

    What's changed since v0.8.0:

    • New rules:
      • Azure Firewall:
        • Check threat intelligence is configured as deny. #266
      • Front Door:
        • Check Front Door is enabled. #267
        • Check Front Door uses TLS 1.2. #268
        • Check Front Door has a configured WAF policy. #269
        • Check Front Door WAF policy is configured in prevention mode. #271
        • Check Front Door WAF policy is enabled. #270
        • Check if diagnostic logs are configured. #289
      • Traffic Manager:
        • Check web-based endpoints are monitored with HTTPS. #240
        • Check at least two endpoints are enabled. #241
      • Key Vault:
        • Check soft delete is enabled. #277
        • Check purge protection is enabled. #280
        • Check least privileges permissions assigned in access policy. #281
        • Check if diagnostic logs are configured. #288
      • Subscriptions:
        • Check if service health alerts are configured. #290
    • Updated rules:
      • Exclude cloud shell storage accounts from data rules. #278
        • Azure.Storage.UseReplication and Azure.Storage.SoftDelete ignore cloud shell storage accounts.
    • General improvements:
      • Removed module dependency on Az.Security. #105
    • Bug fixes:
      • Fixed incorrect string formatting in POSIX culture. #262
      • Fixed Azure.VNET.UseNSGs to exclude AzureFirewallSubnet. #261

    What's changed since pre-release v0.9.0-B2002036:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v090-b2002036-pre-release","title":"v0.9.0-B2002036 (pre-release)","text":"
    • Exclude cloud shell storage accounts from data rules. #278
    • Added new rule for Subscriptions:
      • Check if service health alerts are configured. #290
    • Added new rule for Key Vault:
      • Check if diagnostic logs are configured. #288
    • Added new rule for Front Door:
      • Check if diagnostic logs are configured. #289
    • Removed module dependency on Az.Security. #105
    "},{"location":"CHANGELOG-v0/#v090-b2002026-pre-release","title":"v0.9.0-B2002026 (pre-release)","text":"
    • Added new rules for Traffic Manager:
      • Check web-based endpoints are monitored with HTTPS. #240
      • Check at least two endpoints are enabled. #241
    • Added new rules for Key Vault:
      • Check soft delete is enabled. #277
      • Check purge protection is enabled. #280
      • Check least privileges permissions assigned in access policy. #281
    "},{"location":"CHANGELOG-v0/#v090-b2002019-pre-release","title":"v0.9.0-B2002019 (pre-release)","text":"
    • Added new rule to check Azure Firewall threat intelligence is configured as deny. #266
    • Added new rules for Front Door:
      • Check Front Door is enabled. #267
      • Check Front Door uses TLS 1.2. #268
      • Check Front Door has a configured WAF policy. #269
      • Check Front Door WAF policy is configured in prevention mode. #271
      • Check Front Door WAF policy is enabled. #270
    "},{"location":"CHANGELOG-v0/#v090-b2002011-pre-release","title":"v0.9.0-B2002011 (pre-release)","text":"
    • Fixed incorrect string formatting in POSIX culture. #262
    • Fixed Azure.VNET.UseNSGs to exclude AzureFirewallSubnet. #261
    "},{"location":"CHANGELOG-v0/#v080","title":"v0.8.0","text":"

    What's changed since v0.7.0:

    • New rules:
      • API Management:
        • Check API Management uses secure protocol versions. #237
        • Check API Management published APIs use HTTPS. #236
        • Check API Management backend connections use HTTPS. #238
        • Check API Management named values are encrypted. #239
      • Automation Accounts:
        • Check automation accounts use encrypted variables. #211
        • Check automation account webhook expiry interval. #212
      • CDN:
        • Check Azure CDN connections use HTTPS. #242
      • Resource Manager Templates:
        • Check ARM template and parameter file structure. #225
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.15.7. #247
      • Virtual networks:
        • Updated Azure.VNET.UseNSGs to apply to subnet resources from templates. #246
    • General improvements:
      • Improvements to rule help wording and usage of links section. #220 #224 #257
        • Documentation and reasons messages are now available for all en cultures.
      • Various updates to rule implementation to take advantage of PSRule v0.12.0 language features. #220
      • Breaking change: Shorten rule names to improve output display. #119
        • Application Gateway rules have been renamed from Azure.VirtualNetwork.* to Azure.AppGW.*.
        • Load balancer rules have been renamed from Azure.VirtualNetwork.* to Azure.LB.*.
        • NSG rules have been renamed from Azure.VirtualNetwork.* to Azure.NSG.*.
        • VNET rules have been renamed from Azure.VirtualNetwork.* to Azure.VNET.*.
        • NIC rules have been renamed from Azure.VirtualNetwork.* to Azure.VM.*.
        • Renamed storage account rule Azure.Storage.SecureTransferRequired to Azure.Storage.SecureTransfer.
    • Bug fixes:
      • Fix Azure.Resource.UseTags applying to template and parameter files. #230

    What's changed since pre-release v0.8.0-B2001029:

    • Fixed Azure.VNET.UseNSGs not populating subnet name in reason message. #256
    • Updated reason strings to use parent culture en. #257
    "},{"location":"CHANGELOG-v0/#v080-b2001029-pre-release","title":"v0.8.0-B2001029 (pre-release)","text":"
    • Updated Azure.VNET.UseNSGs to apply to subnet resources from templates. #246
    • Updated Azure.AKS.Version to 1.15.7. #247
    • Breaking change: Renamed Azure.File.* rules to Azure.Template.*. #252
    "},{"location":"CHANGELOG-v0/#v080-b2001018-pre-release","title":"v0.8.0-B2001018 (pre-release)","text":"
    • Fixed Azure.Resource.UseTags applying to template and parameter files. #230
    • Fixed ARM template and parameter schemas used to detect files. #234
    • Added new rule to check API Management uses secure protocol versions. #237
    • Added new rule to check API Management published APIs use HTTPS. #236
    • Added new rule to check API Management backend connections use HTTPS. #238
    • Added new rule to check API Management named values are encrypted. #239
    • Added new rule to check Azure CDN connections use HTTPS. #242
    "},{"location":"CHANGELOG-v0/#v080-b2001006-pre-release","title":"v0.8.0-B2001006 (pre-release)","text":"
    • Updated documentation to use parent culture en. #224
    • Added rules for ARM template and parameter file structure. #225
    • Breaking change: Application Gateway rules have been renamed from Azure.VirtualNetwork.* to Azure.AppGW.*. #119
    • Breaking change: Load balancer rules have been renamed from Azure.VirtualNetwork.* to Azure.LB.*. #119
    • Breaking change: NSG rules have been renamed from Azure.VirtualNetwork.* to Azure.NSG.*. #119
    • Breaking change: VNET rules have been renamed from Azure.VirtualNetwork.* to Azure.VNET.*. #119
    • Breaking change: NIC rules have been renamed from Azure.VirtualNetwork.* to Azure.VM.*. #119
    • Breaking change: Renamed storage account rule Azure.Storage.SecureTransferRequired to Azure.Storage.SecureTransfer. #119
    "},{"location":"CHANGELOG-v0/#v080-b1912026-pre-release","title":"v0.8.0-B1912026 (pre-release)","text":"
    • Fixed Automation account handling with no webhooks or variables. #219
    • Rule improvements from PSRule v0.12.0. #220
    • Updated Azure.AKS.Version to 1.15.5. #217
    "},{"location":"CHANGELOG-v0/#v080-b1912012-pre-release","title":"v0.8.0-B1912012 (pre-release)","text":"
    • Added new rule to check automation accounts use encrypted variables. #211
    • Added new rule to check automation account webhook expiry interval. #212
    "},{"location":"CHANGELOG-v0/#v070","title":"v0.7.0","text":"

    What's changed since v0.6.0:

    • New rules:
      • Role assignment:
        • Check presence of classic Co-Administrators. #188
      • Azure Kubernetes Service:
        • Check AKS node pool version matches cluster version. #186
        • Check AKS clusters use pod security policies. #142
        • Check AKS clusters use network policies. #143
        • Check AKS node pools use scale sets. #187
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to check for node pool version. #191
    • General improvements:
      • Added custom bindings for common resource properties. #202
      • Added new baseline to include rules for preview features. #190
      • Breaking change: Shorten rule names to improve output display. #119
        • RBAC rules have been renamed from Azure.Subscription.* to Azure.RBAC.*.
        • Security Center rules have been renamed from Azure.Subscription.* to Azure.SecureCenter.*.
      • Breaking change: Renamed default baseline from Azure.SubscriptionDefault to Azure.Default. #190
    • Bug fixes:
      • Fixed handling of tags for sub-resources. #203
      • Fixed missing cmdlet help. #196
      • Fixed AKS templates without node pool orchestratorVersion fail. #198
      • Fixed null reference without parameters file. #189

    What's changed since pre-release v0.7.0-B1912024:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v070-b1912024-pre-release","title":"v0.7.0-B1912024 (pre-release)","text":"
    • Fixed handling of tags for sub-resources. #203
    • Added custom bindings for common resource properties. #202
    "},{"location":"CHANGELOG-v0/#v070-b1912017-pre-release","title":"v0.7.0-B1912017 (pre-release)","text":"
    • Fixed missing cmdlet help. #196
    • Fixed AKS templates without node pool orchestratorVersion fail. #198
    "},{"location":"CHANGELOG-v0/#v070-b1912008-pre-release","title":"v0.7.0-B1912008 (pre-release)","text":"
    • Fixed null reference without parameters file. #189
    • Added new rule to check presence of classic Co-Administrators. #188
    • Added new rule to check AKS node pool version matches cluster version. #186
    • Added new rule to check AKS clusters use pod security policies. #142
    • Added new rule to check AKS clusters use network policies. #143
    • Added new rule to check AKS node pools use scale sets. #187
    • Added new baseline to include rules for preview features. #190
    • Updated Azure.AKS.Version to check for node pool version. #191
    • Breaking change: RBAC rules have been renamed from Azure.Subscription.* to Azure.RBAC.*. #119
    • Breaking change: Security Center rules have been renamed from Azure.Subscription.* to Azure.SecureCenter.*. #119
    • Breaking change: Renamed default baseline from Azure.SubscriptionDefault to Azure.Default. #190
    "},{"location":"CHANGELOG-v0/#v060","title":"v0.6.0","text":"

    What's changed since v0.5.0:

    • New features:
      • Added support for exporting rule data from templates. #145
        • Added Export-AzTemplateRuleData cmdlet to export templates. See cmdlet help for limitations.
        • Template and parameters are merged, resolving functions, copy loops and conditions.
    • Updated rules:
      • Azure Kubernetes Services:
        • Updated Azure.AKS.Version to 1.14.8. #140
    • General improvements:
      • Updated rules to use type pre-conditions. #144
    • Bug fixes:
      • Fixed processing of Azure.Resource.UseTags to exclude */providers/roleAssignments. #155
        • Provider role assignments do not support tags.
      • Fixed processing of Azure.Resource.AllowedRegions. #156
        • Exclude */providers/roleAssignments, Microsoft.Authorization/* and Microsoft.Consumption/*.
      • Fixed processing of Azure.VirtualNetwork.NSGAssociated for templates. #150
      • Fixed processing of Azure.VirtualNetwork.LateralTraversal when destinationPortRanges is used. #149

    What's changed since pre-release v0.6.0-B1911046:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v060-b1911046-pre-release","title":"v0.6.0-B1911046 (pre-release)","text":"
    • Improved template support of Export-AzTemplateRuleData cmdlet. #145
      • Added support for deployment function.
      • Fixed property copy loop.
    • Fixed Export-AzTemplateRuleData does not return FileInfo objects. #162
    • Fixed automatically name outputs from Export-AzTemplateRuleData. #163
    • Fixed resource segmentation issue when ResourceType includes trailing slash. #165
    • Fixed expand resource template property as null fails. #167
    • Fixed case-sensitivity of variables, parameters and functions. #168
    • Fixed out of order parameter and variables cross reference. #170
    • Fixed expression parser race condition. #171
    • Fixed handling of padding spaces in expressions. #173
    • Fixed property of property is parsed incorrectly. #174
    • Fixed root variable copy loop handling. #175
    "},{"location":"CHANGELOG-v0/#v060-b1911027-pre-release","title":"v0.6.0-B1911027 (pre-release)","text":"
    • Fixed processing of Azure.Resource.UseTags to exclude */providers/roleAssignments. #155
      • Provider role assignments do not support tags.
    • Fixed processing of Azure.Resource.AllowedRegions. #156
      • Exclude */providers/roleAssignments, Microsoft.Authorization/* and Microsoft.Consumption/*.
    "},{"location":"CHANGELOG-v0/#v060-b1911020-pre-release","title":"v0.6.0-B1911020 (pre-release)","text":"
    • Fixed processing of Azure.VirtualNetwork.NSGAssociated for templates. #150
    • Fixed processing of Azure.VirtualNetwork.LateralTraversal when destinationPortRanges is used. #149
    • Improved template support of Export-AzTemplateRuleData cmdlet. #145
      • Added support for nested templates.
      • Added support for array, createArray, coalesce, intersection, dataUri and dataUriToString functions.
    "},{"location":"CHANGELOG-v0/#v060-b1911011-pre-release","title":"v0.6.0-B1911011 (pre-release)","text":"
    • Updated Azure.AKS.Version to 1.14.8. #140
    • Updated rules to use type pre-conditions. #144
    • Experimental: Added support for exporting rule data from templates. #145
      • Added Export-AzTemplateRuleData cmdlet to export templates. See cmdlet help for limitations.
      • Template and parameters are merged, resolving functions, copy loops and conditions.
    "},{"location":"CHANGELOG-v0/#v050","title":"v0.5.0","text":"

    What's changed since v0.4.0:

    • New rules:
      • Virtual machines:
        • Check Windows automatic updates are enabled. #132
        • Check VM agent is automatically provisioned. #131
    • Updated rules:
      • Azure Kubernetes Services:
        • Updated Azure.AKS.Version to 1.14.6. #130
    • General improvements:
      • Shorten rule names for virtual machined to Azure.VM.* to improve output display. #119
        • Breaking change: Rules have been renamed from Azure.VirtualMachine.* to Azure.VM.*.

    What's changed since pre-release v0.5.0-B1910004:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v050-b1910004-pre-release","title":"v0.5.0-B1910004 (pre-release)","text":"
    • Added rule to verify Windows automatic updates are enabled. #132
    • Added rule to verify VM agent is automatically provisioned. #131
    • Updated Azure.AKS.Version to 1.14.6. #130
    • Breaking change: Renamed Azure.VirtualMachine.* rules to Azure.VM.*. #119
    "},{"location":"CHANGELOG-v0/#v040","title":"v0.4.0","text":"

    What's changed since v0.3.0:

    • New rules:
      • Virtual machines:
        • Added rule to verify Azure Disk Encryption. #122
        • Added rule to check if public key is used for Linux. #123
      • Virtual networking:
        • Added rule to verify connectivity of VNET peers. #120
        • Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121
    • General improvements:
      • Removed dependency on Az.Storage module. #105
      • Added default baseline to module. #126

    What's changed since pre-release v0.4.0-B190902:

    • Added default baseline to module. #126
    "},{"location":"CHANGELOG-v0/#v040-b190902-pre-release","title":"v0.4.0-B190902 (pre-release)","text":"
    • Added rule to verify connectivity of VNET peers. #120
    • Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121
    • Added rule to verify Azure Disk Encryption. #122
    • Added rule to check if public key is used for Linux. #123
    • Removed dependency on Az.Storage module. #105
    "},{"location":"CHANGELOG-v0/#v030","title":"v0.3.0","text":"

    What's changed since v0.2.0:

    • New rules:
      • App Services:
        • Enforce minimum TLS version for App Service. #99
      • Resource clean up:
        • Network security groups that are not associated. #93
        • Unattached network interfaces. #92
      • Role assignment:
        • Added subscription RBAC delegation rules. #107
          • Check for number of subscription owners.
          • Check for RBAC inheritance from management groups.
          • Check for user RBAC assignments.
          • Check for RBAC delegation on individual resources.
      • Virtual machines:
        • VMs should avoid using expired promo SKUs. #87
        • VMs should avoid using basic SKUs. #69
      • Virtual networking:
        • Added NSG rule to check for lateral traversal security rules. #103
        • Added rule to detect deny all inbound NSG rule. #94
    • Updated rules:
      • App Services:
        • Updated App Service site rules to include slots. #100
        • Azure.AppService.ARRAffinity and Azure.AppService.UseHTTPS now run against slots.
      • Azure Kubernetes Services:
        • Updated Azure.AKS.Version to 1.14.5. #109
    • Bug fixes:
      • Fix handling of empty DNS servers in Azure.VirtualNetwork.LocalDNS. #84
      • Fix handling of no peering connections in Azure.VirtualNetwork.LocalDNS. #89
      • Fix export of additional properties for Microsoft.Sql/servers. #114
      • Excluded global services from Azure.Resource.AllowedRegions. #96

    What's changed since pre-release v0.3.0-B190807:

    • Fix export of additional properties for Microsoft.Sql/servers. #114
    "},{"location":"CHANGELOG-v0/#v030-b190807-pre-release","title":"v0.3.0-B190807 (pre-release)","text":"
    • Updated Azure.AKS.Version to 1.14.5. #109
    • Added subscription RBAC delegation rules. #107
      • Check for number of subscription owners.
      • Check for RBAC inheritance from management groups.
      • Check for user RBAC assignments.
      • Check for RBAC delegation on individual resources.
    "},{"location":"CHANGELOG-v0/#v030-b190723-pre-release","title":"v0.3.0-B190723 (pre-release)","text":"
    • Excluded global services from Azure.Resource.AllowedRegions. #96
    • Enforce minimum TLS version for App Service. #99
    • Updated App Service site rules to include slots. #100
      • Azure.AppService.ARRAffinity and Azure.AppService.UseHTTPS now run against slots.
    • Added rule to detect deny all inbound NSG rule. #94
    • Added unused resource rules.
      • Network security groups that are not associated. #93
      • Unattached network interfaces. #92
    • Added NSG rule to check for lateral traversal security rules. #103
    "},{"location":"CHANGELOG-v0/#v030-b190710-pre-release","title":"v0.3.0-B190710 (pre-release)","text":"
    • Fix handling of empty DNS servers in Azure.VirtualNetwork.LocalDNS. #84
    • Fix handling of no peering connections in Azure.VirtualNetwork.LocalDNS. #89
    • Updated AKS version in Azure.AKS.Version to 1.13.7. #83
    • Added VM SKU rules:
      • VMs should avoid using expired promo SKUs. #87
      • VMs should avoid using basic SKUs. #69
    "},{"location":"CHANGELOG-v0/#v020","title":"v0.2.0","text":"

    What's changed since v0.1.0:

    • Fix rule Azure.AKS.UseRBAC returns null. #60
    • Fix rule Azure.Storage.SoftDelete and Azure.Storage.SecureTransferRequired returns null. #64
    • Fix collection of ASR vault configuration for cmdlet deprecation. #63
    • Updated rules to use Recommend keyword instead of Hint alias. #71
    • Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54
      • The rules Azure.SQL.FirewallIPRange, Azure.MySQL.FirewallIPRange and Azure.PostgreSQL.FirewallIPRange were added to check SQL, MySQL and PostgreSQL.
    • Added parameters to filter resource export by resource group and/ or tag. #59
      • Added -ResourceGroupName and -Tag parameters to Export-AzRuleData cmdlet.
    • Added support for Application Gateway v2. #75
    • Added VNET rule to check for local DNS. #68
    • Added WAF hardening rules for Application Gateway. #78
      • Application Gateways use OWASP 3.x rules.
      • Application Gateways have WAF enabled.
      • Application Gateways have all OWASP rules enabled.

    What's changed since pre-release v0.2.0-B190715:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v020-b190715-pre-release","title":"v0.2.0-B190715 (pre-release)","text":"
    • Added support for Application Gateway v2. #75
    • Added VNET rule to check for local DNS. #68
    • Added WAF hardening rules for Application Gateway. #78
      • Application Gateways use OWASP 3.x rules.
      • Application Gateways have WAF enabled.
      • Application Gateways have all OWASP rules enabled.
    "},{"location":"CHANGELOG-v0/#v020-b190706-pre-release","title":"v0.2.0-B190706 (pre-release)","text":"
    • Fix rule Azure.AKS.UseRBAC returns null. #60
    • Fix rule Azure.Storage.SoftDelete and Azure.Storage.SecureTransferRequired returns null. #64
    • Fix collection of ASR vault configuration for cmdlet deprecation. #63
    • Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54
      • The rules Azure.SQL.FirewallIPRange, Azure.MySQL.FirewallIPRange and Azure.PostgreSQL.FirewallIPRange were added to check SQL, MySQL and PostgreSQL.
    • Updated rules to use Recommend keyword instead of Hint alias. #71
    • Added parameters to filter resource export by resource group and/ or tag. #59
      • Added -ResourceGroupName and -Tag parameters to Export-AzRuleData cmdlet.
    "},{"location":"CHANGELOG-v0/#v010","title":"v0.1.0","text":"
    • Initial release.

    What's changed since pre-release v0.1.0-B190624:

    • No additional changes.
    "},{"location":"CHANGELOG-v0/#v010-b190624-pre-release","title":"v0.1.0-B190624 (pre-release)","text":"
    • Added rule to check if allow access to Azure services enabled for MySQL. #4
    • Added rule to count the number of database server firewall rules for MySQL. #2
    • Added rule to check if allow access to Azure services enabled for PostgreSQL. #50
    • Added rule to count the number of database server firewall rules for PostgreSQL. #51
    • Added rule to check if SSL is enforced for PostgreSQL. #49
    "},{"location":"CHANGELOG-v0/#v010-b190607-pre-release","title":"v0.1.0-B190607 (pre-release)","text":"
    • Added rule documentation. #40
    "},{"location":"CHANGELOG-v0/#v010-b190569-pre-release","title":"v0.1.0-B190569 (pre-release)","text":"
    • Fix exported resource data overwritten. #34
    "},{"location":"CHANGELOG-v0/#v010-b190562-pre-release","title":"v0.1.0-B190562 (pre-release)","text":"
    • Add units tests for Export-AzRuleData and update filters. #28
    • Export-AzRuleData returns files generated by default. #27
    • Export-AzRuleData passes through objects resource objects to the pipeline. #25
    • Breaking change - Export-AzRuleData only exports data from current subscription context by default. #24
      • Data can be exported from all subscription contexts by using the -All switch, or specifying specific subscriptions with the -Subscription or -Tenant parameters.
    "},{"location":"CHANGELOG-v0/#v010-b190543-pre-release","title":"v0.1.0-B190543 (pre-release)","text":"
    • Fix cannot find the type for custom attribute error. #21
    "},{"location":"CHANGELOG-v0/#v010-b190536-pre-release","title":"v0.1.0-B190536 (pre-release)","text":"
    • Initial pre-release.
    "},{"location":"CHANGELOG-v1/","title":"Change log","text":"

    See upgrade notes for helpful information when upgrading from previous versions.

    Important notes:

    • Issue #741: Could not load file or assembly YamlDotNet. See troubleshooting guide for a workaround to this issue.
    • The configuration option Azure_AKSMinimumVersion is replaced with AZURE_AKS_CLUSTER_MINIMUM_VERSION. If you have this option configured, please update it to AZURE_AKS_CLUSTER_MINIMUM_VERSION. Support for Azure_AKSMinimumVersion will be removed in v2. See upgrade notes for more information.
    • The configuration option Azure_AllowedRegions is replaced with AZURE_RESOURCE_ALLOWED_LOCATIONS. If you have this option configured, please update it to AZURE_RESOURCE_ALLOWED_LOCATIONS. Support for Azure_AllowedRegions will be removed in v2. See upgrade notes for more information.
    • The SupportsTag PowerShell function has been replaced with the Azure.Resource.SupportsTags selector. Update PowerShell rules to use the Azure.Resource.SupportsTags selector instead. Support for the SupportsTag function will be removed in v2. See upgrade notes for more information.
    "},{"location":"CHANGELOG-v1/#unreleased","title":"Unreleased","text":"

    What's changed since pre-release v1.30.0-B0080:

    • New features:
      • Added September 2023 baselines Azure.GA_2023_09 and Azure.Preview_2023_09 by @BernieWhite. #2451
        • Includes rules released before or during September 2023.
        • Marked Azure.GA_2023_06 and Azure.Preview_2023_06 baselines as obsolete.
    • New rules:
      • Azure Container Registry:
        • Check that Container Registries restricts network access by @BenjaminEngeset. #2423
        • Check that Container Registries disables anonymous pull access by @BenjaminEngeset. #2422
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.26.6 by @BernieWhite. #2404
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Add source link for rule in docs by @BernieWhite. #2115
    • Engineering:
      • Updated resource providers and policy aliases. #2442
      • Bump xunit to v2.5.1. #2436
      • Bump xunit.runner.visualstudio to v2.5.1. #2435
    • Bug fixes:
      • Fixed Azure.AKS.Version by excluding node-image channel by @BernieWhite. #2446
    "},{"location":"CHANGELOG-v1/#v1300-b0080-pre-release","title":"v1.30.0-B0080 (pre-release)","text":"

    What's changed since pre-release v1.30.0-B0047:

    • General improvements:
      • Important change: Replaced the Azure_AllowedRegions option with AZURE_RESOURCE_ALLOWED_LOCATIONS. #941
        • For compatibility, if Azure_AllowedRegions is set it will be used instead of AZURE_RESOURCE_ALLOWED_LOCATIONS.
        • If only AZURE_RESOURCE_ALLOWED_LOCATIONS is set, this value will be used.
        • The default will be used neither options are configured.
        • If Azure_AllowedRegions is set a warning will be generated until the configuration is removed.
        • Support for Azure_AllowedRegions is deprecated and will be removed in v2.
        • See upgrade notes for details.
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.7.2. #2407
      • Bump BenchmarkDotNet to v0.13.8. #2425
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8. #2425
    • Bug fixes:
      • Fixed false positive with Azure.Storage.SecureTransfer on new API versions by @BernieWhite. #2414
      • Fixed false positive with Azure.VNET.LocalDNS for DNS server addresses out of local scope by @BernieWhite. #2370
        • This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.
        • Set AZURE_VNET_DNS_WITH_IDENTITY to true when using an Identity subscription for DNS.
    "},{"location":"CHANGELOG-v1/#v1300-b0047-pre-release","title":"v1.30.0-B0047 (pre-release)","text":"

    What's changed since pre-release v1.30.0-B0026:

    • Engineering:
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4. #2405
    • Bug fixes:
      • Fixed lambda map in map variable by @BernieWhite. #2410
    "},{"location":"CHANGELOG-v1/#v1300-b0026-pre-release","title":"v1.30.0-B0026 (pre-release)","text":"

    What's changed since pre-release v1.30.0-B0011:

    • New rules:
      • Azure Container Apps:
        • Check that Container Apps uses a supported API version by @BenjaminEngeset. #2398
    • Bug fixes:
      • Fixed non-resource group rule triggering for a resource group by @BernieWhite. #2401
    "},{"location":"CHANGELOG-v1/#v1300-b0011-pre-release","title":"v1.30.0-B0011 (pre-release)","text":"

    What's changed since v1.29.0:

    • New rules:
      • Azure Database for MySQL:
        • Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2227
      • Azure Firewall:
        • Check that Azure Firewall polices has configured threat intelligence-based filtering in alert and deny mode by @BenjaminEngeset. #2354
      • Backup vault:
        • Check that immutability is configured for Backup vaults by @BenjaminEngeset. #2387
      • Front Door:
        • Check that managed identity for Azure Front Door instances are configured by @BenjaminEngeset. #2378
      • Public IP address:
        • Check that Public IP addresses uses Standard SKU by @BenjaminEngeset. #2376
      • Recovery Services vault:
        • Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset. #2386
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.7. #2385
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.7. #2382
      • Bump Microsoft.NET.Test.Sdk to v17.7.1. #2393
    "},{"location":"CHANGELOG-v1/#v1290","title":"v1.29.0","text":"

    What's changed since v1.28.2:

    • New rules:
      • Databricks:
        • Check that workspaces use secure cluster connectivity by @BernieWhite. #2334
    • General improvements:
      • Use policy definition name when generating a rule from it by @BernieWhite. #1959
      • Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite. #2248
      • Added export in-flight data for Defender for APIs from API Management by @BernieWhite. #2247
    • Bug fixes:
      • Fixed policy expansion with unquoted field property by @BernieWhite. #2352
      • Fixed array contains with JArray by @BernieWhite. #2368
      • Fixed index out of bounds of array with first function on empty array by @BernieWhite. #2372

    What's changed since pre-release v1.29.0-B0062:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1290-b0062-pre-release","title":"v1.29.0-B0062 (pre-release)","text":"

    What's changed since pre-release v1.29.0-B0036:

    • Bug fixes:
      • Fixed array contains with JArray by @BernieWhite. #2368
      • Fixed index out of bounds of array with first function on empty array by @BernieWhite. #2372
    "},{"location":"CHANGELOG-v1/#v1290-b0036-pre-release","title":"v1.29.0-B0036 (pre-release)","text":"

    What's changed since pre-release v1.29.0-B0015:

    • General improvements:
      • Added export in-flight data for Defender for Storage from Storage Accounts by @BernieWhite. #2248
      • Added export in-flight data for Defender for APIs from API Management by @BernieWhite. #2247
    "},{"location":"CHANGELOG-v1/#v1290-b0015-pre-release","title":"v1.29.0-B0015 (pre-release)","text":"

    What's changed since v1.28.2:

    • New rules:
      • Databricks:
        • Check that workspaces use secure cluster connectivity by @BernieWhite. #2334
    • General improvements:
      • Use policy definition name when generating a rule from it by @BernieWhite. #1959
    • Bug fixes:
      • Fixed policy expansion with unquoted field property by @BernieWhite. #2352
    "},{"location":"CHANGELOG-v1/#v1282","title":"v1.28.2","text":"

    What's changed since v1.28.1:

    • Bug fixes:
      • Fixed policy rules with no effect conditions are evaluated incorrectly by @BernieWhite. #2346
    "},{"location":"CHANGELOG-v1/#v1281","title":"v1.28.1","text":"

    What's changed since v1.28.0:

    • Bug fixes:
      • Fixed parseCidr with /32 is not valid by @BernieWhite. #2336
      • Fixed mismatch of resource group type on policy as code rules by @BernieWhite. #2338
      • Fixed length cannot be less than zero when converting policy to rules by @BernieWhite. #1802
      • Fixed naming rules for MariaDB by @BernieWhite. #2335
        • Updated Azure.MariaDB.VNETRuleName to allow for parent resources.
        • Updated Azure.MariaDB.FirewallRuleName to allow for parent resources.
      • Fixed network watcher existence check by @BernieWhite. #2342
    "},{"location":"CHANGELOG-v1/#v1280","title":"v1.28.0","text":"

    What's changed since v1.27.3:

    • New features:
      • Added June 2023 baselines Azure.GA_2023_06 and Azure.Preview_2023_06 by @BernieWhite. #2310
        • Includes rules released before or during June 2023.
        • Marked Azure.GA_2023_03 and Azure.Preview_2023_03 baselines as obsolete.
    • New rules:
      • Azure Database for MySQL:
        • Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2226
      • Azure Database for PostgreSQL:
        • Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2250
        • Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2249
    • Removed rules:
      • Azure Kubernetes Service:
        • Removed Azure.AKS.PodIdentity as pod identities has been replaced by workload identities by @BernieWhite. #2273
    • General improvements:
      • Added support for safe dereference operator by @BernieWhite. #2322
        • Added support for tryGet Bicep function.
      • Added support for Bicep CIDR functions by @BernieWhite. #2279
        • Added support for parseCidr, cidrSubnet, and cidrHost.
      • Added support for managementGroupResourceId Bicep function by @BernieWhite. #2294
    • Engineering:
      • Bump PSRule to v2.9.0. #2293
      • Updated resource providers and policy aliases. #2261
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3. #2281
      • Bump Microsoft.NET.Test.Sdk to v17.6.3. #2290
      • Bump coverlet.collector to v6.0.0. #2232
      • Bump Az.Resources to v6.7.0. #2274
      • Bump xunit to v2.5.0. #2306
      • Bump xunit.runner.visualstudio to v2.5.0. #2307
      • Bump BenchmarkDotNet to v0.13.6. #2317
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6. #2318
    • Bug fixes:
      • Fixed Redis firewall rules can not bind to start by @BernieWhite. #2303
      • Fixed null condition handling by @BernieWhite. #2316
      • Fixed reference expression in property name by @BernieWhite. #2321
      • Fixed handling of nested mock objects by @BernieWhite. #2325
      • Fixed late binding of coalesce function by @BernieWhite. #2328
      • Fixed handling of JArray outputs with runtime values by @BernieWhite. #2159

    What's changed since pre-release v1.28.0-B0213:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1280-b0213-pre-release","title":"v1.28.0-B0213 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0159:

    • General improvements:
      • Added support for safe dereference operator by @BernieWhite. #2322
        • Added support for tryGet Bicep function.
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.6. #2317
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6. #2318
    • Bug fixes:
      • Fixed null condition handling by @BernieWhite. #2316
      • Fixed reference expression in property name by @BernieWhite. #2321
      • Fixed handling of nested mock objects by @BernieWhite. #2325
      • Fixed late binding of coalesce function by @BernieWhite. #2328
    "},{"location":"CHANGELOG-v1/#v1280-b0159-pre-release","title":"v1.28.0-B0159 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0115:

    • New features:
      • Added June 2023 baselines Azure.GA_2023_06 and Azure.Preview_2023_06 by @BernieWhite. #2310
        • Includes rules released before or during June 2023.
        • Marked Azure.GA_2023_03 and Azure.Preview_2023_03 baselines as obsolete.
    • Engineering:
      • Bump xunit to v2.5.0. #2306
      • Bump xunit.runner.visualstudio to v2.5.0. #2307
    • Bug fixes:
      • Fixed Redis firewall rules can not bind to start by @BernieWhite. #2303
    "},{"location":"CHANGELOG-v1/#v1280-b0115-pre-release","title":"v1.28.0-B0115 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0079:

    • General improvements:
      • Added support for Bicep CIDR functions by @BernieWhite. #2279
        • Added support for parseCidr, cidrSubnet, and cidrHost.
    "},{"location":"CHANGELOG-v1/#v1280-b0079-pre-release","title":"v1.28.0-B0079 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0045:

    • General improvements:
      • Added support for managementGroupResourceId Bicep function by @BernieWhite. #2294
    • Engineering:
      • Bump PSRule to v2.9.0. #2293
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3. #2281
      • Bump Microsoft.NET.Test.Sdk to v17.6.3. #2290
      • Bump coverlet.collector to v6.0.0. #2232
    • Bug fixes:
      • Fixed handling of JArray outputs with runtime values by @BernieWhite. #2159
    "},{"location":"CHANGELOG-v1/#v1280-b0045-pre-release","title":"v1.28.0-B0045 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0024:

    • Removed rules:
      • Azure Kubernetes Service:
        • Removed Azure.AKS.PodIdentity as pod identities has been replaced by workload identities by @BernieWhite. #2273
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.6.2. #2266
      • Bump Az.Resources to v6.7.0. #2274
    • Bug fixes:
      • Fixed false positive of IsolatedV2 with Azure.AppService.MinPlan by @BernieWhite. #2277
    "},{"location":"CHANGELOG-v1/#v1280-b0024-pre-release","title":"v1.28.0-B0024 (pre-release)","text":"

    What's changed since pre-release v1.28.0-B0010:

    • Bug fixes:
      • Fixed union function for merge of object properties by @BernieWhite. #2264
      • Fixed length function counting properties in object by @BernieWhite. #2263
    "},{"location":"CHANGELOG-v1/#v1280-b0010-pre-release","title":"v1.28.0-B0010 (pre-release)","text":"

    What's changed since v1.27.1:

    • New rules:
      • Azure Database for MySQL:
        • Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2226
      • Azure Database for PostgreSQL:
        • Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2250
        • Check that Azure AD authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset. #2249
    • Engineering:
      • Updated resource providers and policy aliases. #2261
      • Bump Microsoft.NET.Test.Sdk to v17.6.1. #2256
    "},{"location":"CHANGELOG-v1/#v1273","title":"v1.27.3","text":"

    What's changed since v1.27.2:

    • Bug fixes:
      • Fixed false positive of IsolatedV2 with Azure.AppService.MinPlan by @BernieWhite. #2277
    "},{"location":"CHANGELOG-v1/#v1272","title":"v1.27.2","text":"

    What's changed since v1.27.1:

    • Bug fixes:
      • Fixed union function for merge of object properties by @BernieWhite. #2264
      • Fixed length function counting properties in object by @BernieWhite. #2263
    "},{"location":"CHANGELOG-v1/#v1271","title":"v1.27.1","text":"

    What's changed since v1.27.0:

    • Bug fixes:
      • Fixed depends on ordering fails to expand deployment by @BernieWhite. #2255
    "},{"location":"CHANGELOG-v1/#v1270","title":"v1.27.0","text":"

    What's changed since v1.26.1:

    • New features:
      • Experimental: Added support for expanding deployments from .bicepparam files by @BernieWhite. #2132
        • See Using Bicep source for details.
    • New rules:
      • Application Gateway:
        • Check that Application Gateways uses a v2 SKU by @BenjaminEngeset. #2185
      • API Management:
        • Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset. #2187
        • Check that base element for any policy element in a section is configured by @BenjaminEngeset. #2072
      • Arc-enabled Kubernetes cluster:
        • Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset. #2124
      • Arc-enabled server:
        • Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset. #2122
      • Container App:
        • Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset. #2188
        • Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset. #2189
      • Cosmos DB:
        • Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset. #2203
      • Defender for Cloud:
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2207
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2206
        • Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset. #2186
        • Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset. #2204
        • Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset. #1632
        • Check that Microsoft Defender Cloud Security Posture Management is using Standard plan by @BenjaminEngeset. #2151
      • Key Vault:
        • Check that key vaults uses Azure RBAC as the authorization system for the data plane by @BenjaminEngeset. #1916
      • Storage Account:
        • Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2225
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2207
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2206
      • Virtual Machine:
        • Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset. #2121
    • General improvements:
      • Added support for Bicep symbolic names by @BernieWhite. #2238
    • Updated rules:
      • API Management:
        • Updated Azure.APIM.EncryptValues to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset. #2146
      • Container App:
        • Promoted Azure.ContainerApp.Insecure to GA rule set by @BernieWhite. #2174
      • Defender for Cloud:
        • Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset. #2205
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.6.0. #2216
    • Bug fixes:
      • Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset. #2171
      • Fixed left-side or function evaluation by @BernieWhite. #2220
      • Fixed interdependent variable copy loop count by @BernieWhite. #2221
      • Fixed handling of database name in Azure.MariaDB.Database by @BernieWhite. #2191
      • Fixed typing error in Azure.Defender.Api documentation by @BenjaminEngeset. #2209
      • Fixed Azure.AKS.UptimeSLA with new pricing by @BenjaminEngeset. #2065 #2202
      • Fixed false positive on managed identity without space by @BernieWhite. #2235
      • Fixed reference for runtime subnet ID property by @BernieWhite. #2159

    What's changed since pre-release v1.27.0-B0186:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1270-b0186-pre-release","title":"v1.27.0-B0186 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0136:

    • New rules:
      • API Management:
        • Check that APIs published in Azure API Management are on-boarded to Microsoft Defender for APIs by @BenjaminEngeset. #2187
      • Key Vault:
        • Check that key vaults uses Azure RBAC as the authorization system for the data plane by @BenjaminEngeset. #1916
      • Storage Account:
        • Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2225
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2207
    "},{"location":"CHANGELOG-v1/#v1270-b0136-pre-release","title":"v1.27.0-B0136 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0091:

    • New rules:
      • Defender for Cloud:
        • Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2207
    • General improvements:
      • Added support for Bicep symbolic names by @BernieWhite. #2238
    • Bug fixes:
      • Fixed false positive on managed identity without space by @BernieWhite. #2235
    "},{"location":"CHANGELOG-v1/#v1270-b0091-pre-release","title":"v1.27.0-B0091 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0050:

    • New features:
      • Experimental: Added support for expanding deployments from .bicepparam files by @BernieWhite. #2132
        • See Using Bicep source for details.
    • New rules:
      • Storage Account:
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.
      • Defender for Cloud:
        • Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2206
    • Bug fixes:
      • Fixed left-side or function evaluation by @BernieWhite. #2220
      • Fixed interdependent variable copy loop count by @BernieWhite. #2221
    "},{"location":"CHANGELOG-v1/#v1270-b0050-pre-release","title":"v1.27.0-B0050 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0015:

    • New rules:
      • Application Gateway:
        • Check that Application Gateways uses a v2 SKU by @BenjaminEngeset. #2185
      • Arc-enabled Kubernetes cluster:
        • Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset. #2124
      • Arc-enabled server:
        • Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset. #2122
      • Container App:
        • Check that container apps has disabled session affinity to prevent unbalanced distribution by @BenjaminEngeset. #2188
        • Check that container apps with IP ingress restrictions mode configured is set to allow for all rules defined by @BenjaminEngeset. #2189
      • Cosmos DB:
        • Check that Cosmos DB accounts has enabled Microsoft Defender by @BenjaminEngeset. #2203
      • Defender for Cloud:
        • Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset. #2186
        • Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset. #2204
        • Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset. #1632
      • Virtual Machine:
        • Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset. #2121
    • Updated rules:
      • Defender for Cloud:
        • Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset. #2205
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.6.0. #2216
    • Bug fixes:
      • Fixed handling of database name in Azure.MariaDB.Database by @BernieWhite. #2191
      • Fixed typing error in Azure.Defender.Api documentation by @BenjaminEngeset. #2209
      • Fixed Azure.AKS.UptimeSLA with new pricing by @BenjaminEngeset. #2065 #2202
    "},{"location":"CHANGELOG-v1/#v1270-b0015-pre-release","title":"v1.27.0-B0015 (pre-release)","text":"

    What's changed since pre-release v1.27.0-B0003:

    • New rules:
      • API Management:
        • Check that base element for any policy element in a section is configured by @BenjaminEngeset. #2072
      • Defender for Cloud:
        • Check that Microsoft Defender Cloud Security Posture Management is using Standard plan by @BenjaminEngeset. #2151
    • Updated rules:
      • Container App:
        • Promoted Azure.ContainerApp.Insecure to GA rule set by @BernieWhite. #2174
    • Bug fixes:
      • Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset. #2171
    "},{"location":"CHANGELOG-v1/#v1270-b0003-pre-release","title":"v1.27.0-B0003 (pre-release)","text":"

    What's changed since v1.26.1:

    • Updated rules:
      • API Management:
        • Updated Azure.APIM.EncryptValues to check all API Management named values are encrypted with Key Vault secrets @BenjaminEngeset. #2146
    • Bug fixes:
      • Fixed reference for runtime subnet ID property by @BernieWhite. #2159
    "},{"location":"CHANGELOG-v1/#v1261","title":"v1.26.1","text":"

    What's changed since v1.26.0:

    • Bug fixes:
      • Fixed null union with first value being null by @BernieWhite. #2075
      • Fixed Azure.Resource.UseTags for additional resources that don't support tags by @BernieWhite. #2129
    "},{"location":"CHANGELOG-v1/#v1260","title":"v1.26.0","text":"

    What's changed since v1.25.0:

    • New features:
      • Added March 2023 baselines Azure.GA_2023_03 and Azure.Preview_2023_03 by @BernieWhite. #2138
        • Includes rules released before or during March 2023.
        • Marked Azure.GA_2022_12 and Azure.Preview_2022_12 baselines as obsolete.
    • New rules:
      • API Management:
        • Check that wildcard * for any configuration option in CORS policies settings is not in use by @BenjaminEngeset. #2073
      • Azure Kubernetes Service:
        • Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset. #2123
      • Container App:
        • Check that internal-only ingress for container apps are configured by @BenjaminEngeset. #2098
        • Check that Azure File volumes for container apps are configured by @BenjaminEngeset. #2101
        • Check that the names of container apps meets the naming requirements by @BenjaminEngeset. #2094
        • Check that managed identity for container apps are configured by @BenjaminEngeset. #2096
        • Check that public network access for container apps environments are disabled by @BenjaminEngeset. #2098
      • Deployment:
        • Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset. #1915
      • IoT Hub:
        • Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset. #1996
      • Service Bus:
        • Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset. #1862
      • SQL Database:
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2119
        • Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset. #2117
      • SQL Managed Instance:
        • Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset. #2120
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2118
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.6 by @BernieWhite. #2136
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Added a selector for premium Service Bus namespaces by @BernieWhite. #2091
      • Improved export of in-flight deeply nested API Management policies by @BernieWhite. #2153
    • Engineering:
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1. #2082
      • Bump Newtonsoft.Json to v13.0.3. #2080
      • Updated resource providers and policy aliases. #2144
      • Bump PSRule to v2.8.1. #2155
      • Bump Az.Resources to v6.6.0. #2155
      • Bump Pester to v5.4.1. #2155
    • Bug fixes:
      • Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
      • Fixed false positive with Azure.Deployment.Name by @BernieWhite. #2109
      • Fixed false positives for Azure.AppService.AlwaysOn with Functions and Workflows by @BernieWhite. #943

    What's changed since pre-release v1.26.0-B0078:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1260-b0078-pre-release","title":"v1.26.0-B0078 (pre-release)","text":"

    What's changed since pre-release v1.26.0-B0040:

    • General improvements:
      • Improved export of in-flight deeply nested API Management policies by @BernieWhite. #2153
    • Engineering:
      • Updated resource providers and policy aliases. #2144
      • Bump PSRule to v2.8.1. #2155
      • Bump Az.Resources to v6.6.0. #2155
      • Bump Pester to v5.4.1. #2155
    • Bug fixes:
      • Fixed false positives for Azure.AppService.AlwaysOn with Functions and Workflows by @BernieWhite. #943
    "},{"location":"CHANGELOG-v1/#v1260-b0040-pre-release","title":"v1.26.0-B0040 (pre-release)","text":"

    What's changed since pre-release v1.26.0-B0011:

    • New features:
      • Added March 2023 baselines Azure.GA_2023_03 and Azure.Preview_2023_03 by @BernieWhite. #2138
        • Includes rules released before or during March 2023.
        • Marked Azure.GA_2022_12 and Azure.Preview_2022_12 baselines as obsolete.
    • New rules:
      • API Management:
        • Check that wildcard * for any configuration option in CORS policies settings is not in use by @BenjaminEngeset. #2073
      • Azure Kubernetes Service:
        • Check that the Defender profile with Azure Kubernetes Service clusters are enabled by @BenjaminEngeset. #2123
      • Container App:
        • Check that internal-only ingress for container apps are configured by @BenjaminEngeset. #2098
        • Check that Azure File volumes for container apps are configured by @BenjaminEngeset. #2101
      • SQL Database:
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2119
        • Check that Azure AD authentication is configured for SQL Managed Instances by @BenjaminEngeset. #2117
      • SQL Managed Instance:
        • Check that managed identity for SQL Managed Instances are configured by @BenjaminEngeset. #2120
        • Check that Azure AD-only authentication is enabled by @BenjaminEngeset. #2118
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.6 by @BernieWhite. #2136
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Bug fixes:
      • Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
      • Fixed false positive with Azure.Deployment.Name by @BernieWhite. #2109
    "},{"location":"CHANGELOG-v1/#v1260-b0011-pre-release","title":"v1.26.0-B0011 (pre-release)","text":"

    What's changed since v1.25.0:

    • New rules:
      • Container App:
        • Check that the names of container apps meets the naming requirements by @BenjaminEngeset. #2094
        • Check that managed identity for container apps are configured by @BenjaminEngeset. #2096
        • Check that public network access for container apps environments are disabled by @BenjaminEngeset. #2098
      • Deployment:
        • Check that the names of nested deployments meets the naming requirements of deployments by @BenjaminEngeset. #1915
      • IoT Hub:
        • Check IoT Hubs in supported regions only uses TLS 1.2 version by @BenjaminEngeset. #1996
      • Service Bus:
        • Check namespaces audit diagnostic logs are enabled by @BenjaminEngeset. #1862
    • General improvements:
      • Added a selector for premium Service Bus namespaces by @BernieWhite. #2091
    • Engineering:
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.1. #2082
      • Bump Newtonsoft.Json to v13.0.3. #2080
    "},{"location":"CHANGELOG-v1/#v1251","title":"v1.25.1","text":"

    What's changed since v1.25.0:

    • Bug fixes:
      • Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
    "},{"location":"CHANGELOG-v1/#v1250","title":"v1.25.0","text":"

    What's changed since v1.24.2:

    • New features:
      • Experimental: Added Azure.MCSB.v1 which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite. #1634
    • New rules:
      • Defender for Cloud:
        • Check Microsoft Defender for Key Vault is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for DNS is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for ARM is enabled by @BernieWhite. #1632
      • Event Hub:
        • Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset. #1995
      • Key Vault:
        • Check if firewall is set to deny by @zilberd. #2067
      • Virtual Machine:
        • Virtual machines should be fully deallocated and not stopped by @dcrreynolds. #88
    • General improvements:
      • Added support for Bicep toObject function by @BernieWhite. #2014
      • Added support for configuring a minimum version of Bicep by @BernieWhite. #1935
        • Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.
        • Set AZURE_BICEP_CHECK_TOOL to true to check the Bicep CLI.
        • Set AZURE_BICEP_MINIMUM_VERSION to configure the minimum version.
        • If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.
        • By default, the minimum Bicep version defaults to 0.4.451.
      • Added support for Bicep custom types by @BernieWhite. #2026
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.5. #2052
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5. #2052
      • Bump Microsoft.NET.Test.Sdk to v17.5.0. #2055
      • Bump Az.Resources to v6.5.2. #2037
      • Updated build to use GitHub Actions by @BernieWhite. #1696
    • Bug fixes:
      • Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd. #2059
      • Fixed cases of exit code 5 with path probing by @BernieWhite. #1901

    What's changed since pre-release v1.25.0-B0100:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1250-b0138-pre-release","title":"v1.25.0-B0138 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0100:

    • New rules:
      • Event Hub:
        • Check Event Hub namespaces only uses TLS 1.2 version by @BenjaminEngeset. #1995
    "},{"location":"CHANGELOG-v1/#v1250-b0100-pre-release","title":"v1.25.0-B0100 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0065:

    • New rules:
      • Key Vault:
        • Check if firewall is set to deny by @zilberd. #2067
    "},{"location":"CHANGELOG-v1/#v1250-b0065-pre-release","title":"v1.25.0-B0065 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0035:

    • General improvements:
      • Added support for Bicep toObject function by @BernieWhite. #2014
    • Engineering:
      • Bump BenchmarkDotNet to v0.13.5. #2052
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.5. #2052
      • Bump Microsoft.NET.Test.Sdk to v17.5.0. #2055
    • Bug fixes:
      • Fixed SQL transparent data Encryption (TDE) works properly on all resources including exported resources by @zilberd. #2059
    "},{"location":"CHANGELOG-v1/#v1250-b0035-pre-release","title":"v1.25.0-B0035 (pre-release)","text":"

    What's changed since pre-release v1.25.0-B0013:

    • New rules:
      • Defender for Cloud:
        • Check Microsoft Defender for Key Vault is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for DNS is enabled by @BernieWhite. #1632
        • Check Microsoft Defender for ARM is enabled by @BernieWhite. #1632
    • General improvements:
      • Added support for configuring a minimum version of Bicep by @BernieWhite. #1935
        • Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.
        • Set AZURE_BICEP_CHECK_TOOL to true to check the Bicep CLI.
        • Set AZURE_BICEP_MINIMUM_VERSION to configure the minimum version.
        • If the Bicep CLI is not installed or the version is less than the minimum version an error will be reported.
        • By default, the minimum Bicep version defaults to 0.4.451.
    • Engineering:
      • Bump Az.Resources to v6.5.2. #2037
    • Bug fixes:
      • Fixed cases of exit code 5 with path probing by @BernieWhite. #1901
    "},{"location":"CHANGELOG-v1/#v1250-b0013-pre-release","title":"v1.25.0-B0013 (pre-release)","text":"

    What's changed since v1.24.2:

    • New features:
      • Experimental: Added Azure.MCSB.v1 which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite. #1634
    • New rules:
      • Virtual Machine:
        • Virtual machines should be fully deallocated and not stopped by @dcrreynolds. #88
    • General improvements:
      • Added support for Bicep custom types by @BernieWhite. #2026
    • Engineering:
      • Updated build to use GitHub Actions by @BernieWhite. #1696
      • Bump BenchmarkDotNet to v0.13.4. #1992
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.4. #1992
    "},{"location":"CHANGELOG-v1/#v1242","title":"v1.24.2","text":"

    This is a republish of v1.24.1 to fix a release issue. What's changed since v1.24.0:

    • Bug fixes:
      • Fixed Bicep expand object or null by @BernieWhite. #2021
    "},{"location":"CHANGELOG-v1/#v1241","title":"v1.24.1","text":"

    What's changed since v1.24.0:

    • Bug fixes:
      • Fixed Bicep expand object or null by @BernieWhite. #2021
    "},{"location":"CHANGELOG-v1/#v1240","title":"v1.24.0","text":"

    What's changed since v1.23.0:

    • General improvements:
      • Updated Export-AzRuleData to improve export performance by @BernieWhite. #1341
        • Removed Az.Resources dependency.
        • Added async threading for export concurrency.
        • Improved performance by using automatic look up of API versions by using provider cache.
      • Added support for Bicep lambda functions by @BernieWhite. #1536
        • Bicep filter, map, reduce, and sort are supported.
        • Support for flatten was previously added in v1.23.0.
      • Added optimization for policy type conditions by @BernieWhite. #1966
    • Engineering:
      • Bump PSRule to v2.7.0. #1973
      • Updated resource providers and policy aliases. #1736
      • Bump Az.Resources to v6.5.1. #1973
      • Bump Newtonsoft.Json to v13.0.2. #1903
      • Bump Pester to v5.4.0. #1994
    • Bug fixes:
      • Fixed Export-AzRuleData may not export all data if throttled by @BernieWhite. #1341
      • Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite. #2004
      • Fixed apiVersion comparison of requestContext by @BernieWhite. #1654
      • Fixed simple cases for field type expressions by @BernieWhite. #1323

    What's changed since pre-release v1.24.0-B0035:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1240-b0035-pre-release","title":"v1.24.0-B0035 (pre-release)","text":"

    What's changed since pre-release v1.24.0-B0013:

    • General improvements:
      • Added support for Bicep lambda functions by @BernieWhite. #1536
        • Bicep filter, map, reduce, and sort are supported.
        • Support for flatten was previously added in v1.23.0.
      • Added optimization for policy type conditions by @BernieWhite. #1966
    • Engineering:
      • Updated resource providers and policy aliases. #1736
    • Bug fixes:
      • Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite. #2004
      • Fixed apiVersion comparison of requestContext by @BernieWhite. #1654
      • Fixed simple cases for field type expressions by @BernieWhite. #1323
    "},{"location":"CHANGELOG-v1/#v1240-b0013-pre-release","title":"v1.24.0-B0013 (pre-release)","text":"

    What's changed since v1.23.0:

    • General improvements:
      • Updated Export-AzRuleData to improve export performance by @BernieWhite. #1341
        • Removed Az.Resources dependency.
        • Added async threading for export concurrency.
        • Improved performance by using automatic look up of API versions by using provider cache.
    • Engineering:
      • Bump PSRule to v2.7.0. #1973
      • Bump Az.Resources to v6.5.1. #1973
      • Bump Newtonsoft.Json to v13.0.2. #1903
      • Bump Pester to v5.4.0. #1994
    • Bug fixes:
      • Fixed Export-AzRuleData may not export all data if throttled by @BernieWhite. #1341
    "},{"location":"CHANGELOG-v1/#v1230","title":"v1.23.0","text":"

    What's changed since v1.22.2:

    • New features:
      • Added December 2022 baselines Azure.GA_2022_12 and Azure.Preview_2022_12 by @BernieWhite. #1961
        • Includes rules released before or during December 2022.
        • Marked Azure.GA_2022_09 and Azure.Preview_2022_09 baselines as obsolete.
    • New rules:
      • API Management:
        • Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset. #1910
      • Application Gateway:
        • Check Application Gateways names meet naming requirements by @BenjaminEngeset. #1943
      • Azure Cache for Redis:
        • Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset. #1077
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset. #1856
        • Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset. #1855
        • Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset. #1857
      • Bastion:
        • Check Bastion hosts names meet naming requirements by @BenjaminEngeset. #1950
      • Recovery Services Vault:
        • Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset. #1953
      • Virtual Machine:
        • Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset. #1868
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset. #1867
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.4 by @BernieWhite. #1960
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Improves handling for policy definition modes by using support tags selector by @BernieWhite. #1946
      • Added support to export exemptions related to policy assignments by @BernieWhite. #1888
      • Added support for Bicep flatten function by @BernieWhite. #1536
    • Engineering:
      • Bump Az.Resources to v6.5.0. #1945
      • Bump Microsoft.NET.Test.Sdk v17.4.1. #1964
    • Bug fixes:
      • Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset. #1926

    What's changed since pre-release v1.23.0-B0072:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1230-b0072-pre-release","title":"v1.23.0-B0072 (pre-release)","text":"

    What's changed since pre-release v1.23.0-B0046:

    • New features:
      • Added December 2022 baselines Azure.GA_2022_12 and Azure.Preview_2022_12 by @BernieWhite. #1961
        • Includes rules released before or during December 2022.
        • Marked Azure.GA_2022_09 and Azure.Preview_2022_09 baselines as obsolete.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.25.4 by @BernieWhite. #1960
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • General improvements:
      • Improves handling for policy definition modes by using support tags selector by @BernieWhite. #1946
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk v17.4.1. #1964
    "},{"location":"CHANGELOG-v1/#v1230-b0046-pre-release","title":"v1.23.0-B0046 (pre-release)","text":"

    What's changed since pre-release v1.23.0-B0025:

    • New rules:
      • Bastion:
        • Check Bastion hosts names meet naming requirements by @BenjaminEngeset. #1950
      • Recovery Services Vault:
        • Check Recovery Services vaults names meet naming requirements by @BenjaminEngeset. #1953
    • Bug fixes:
      • Fixed Azure.Deployment.SecureValue with reference function expression by @BernieWhite. #1882
    "},{"location":"CHANGELOG-v1/#v1230-b0025-pre-release","title":"v1.23.0-B0025 (pre-release)","text":"

    What's changed since pre-release v1.23.0-B0009:

    • New rules:
      • Application Gateway:
        • Check Application Gateways names meet naming requirements by @BenjaminEngeset. #1943
      • Azure Cache for Redis:
        • Check Azure Cache for Redis instances uses Redis 6 by @BenjaminEngeset. #1077
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets has Azure Monitor Agent installed by @BenjaminEngeset. #1867
    • General improvements:
      • Added support to export exemptions related to policy assignments by @BernieWhite. #1888
      • Added support for Bicep flatten function by @BernieWhite. #1536
    • Engineering:
      • Bump Az.Resources to v6.5.0. #1945
    "},{"location":"CHANGELOG-v1/#v1230-b0009-pre-release","title":"v1.23.0-B0009 (pre-release)","text":"

    What's changed since v1.22.1:

    • New rules:
      • API Management:
        • Check API management instances has multi-region deployment gateways enabled by @BenjaminEngeset. #1910
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers limits the amount of firewall permitted IP addresses by @BenjaminEngeset. #1856
        • Check Azure Database for MariaDB servers limits the amount of firewall rules allowed by @BenjaminEngeset. #1855
        • Check Azure Database for MariaDB servers does not have Azure services bypassed on firewall by @BenjaminEngeset. #1857
      • Virtual Machine:
        • Check virtual machines has Azure Monitor Agent installed by @BenjaminEngeset. #1868
    • Bug fixes:
      • Fixed Azure.AKS.Version ignore clusters with auto-upgrade enabled by @BenjaminEngeset. #1926
    "},{"location":"CHANGELOG-v1/#v1222","title":"v1.22.2","text":"

    What's changed since v1.22.1:

    • Bug fixes:
      • Fixed Azure.Deployment.SecureValue with reference function expression by @BernieWhite. #1882
    "},{"location":"CHANGELOG-v1/#v1221","title":"v1.22.1","text":"

    What's changed since v1.22.0:

    • Bug fixes:
      • Fixed template parameter does not use the required format by @BernieWhite. #1930
    "},{"location":"CHANGELOG-v1/#v1220","title":"v1.22.0","text":"

    What's changed since v1.21.2:

    • New rules:
      • API Management:
        • Check API management instances uses multi-region deployment by @BenjaminEngeset. #1030
        • Check api management instances limits control plane API calls to apim with version '2021-08-01' or newer by @BenjaminEngeset. #1819
      • App Service Environment:
        • Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset. #1805
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset. #1854
        • Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset. #1853
        • Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset. #1852
        • Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset. #1850
        • Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset. #1848
      • Azure Database for PostgreSQL:
        • Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset. #286
        • Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset. #285
      • Azure Database for MySQL:
        • Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset. #287
        • Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset. #1841
        • Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset. #1840
        • Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset. #284
      • Azure Resource Deployments:
        • Check for nested deployment that are scoped to outer and passing secure values by @ms-sambell. #1475
        • Check custom script extension uses protected settings for secure values by @ms-sambell. #1478
      • Front Door:
        • Check front door uses caching by @BenjaminEngeset. #548
      • Virtual Machine:
        • Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset. #9
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite. #875
    • General improvements:
      • Added debug logging improvements for Bicep expansion by @BernieWhite. #1901
    • Engineering:
      • Bump PSRule to v2.6.0. #1883
      • Bump Az.Resources to v6.4.1. #1883
      • Bump Microsoft.NET.Test.Sdk to v17.4.0 #1838
      • Bump coverlet.collector to v3.2.0. #1814
    • Bug fixes:
      • Fixed ref and name duplicated by @BernieWhite. #1876
      • Fixed an item with the same key for parameters by @BernieWhite #1871
      • Fixed policy parse of requestContext function by @BernieWhite. #1654
      • Fixed handling of policy type field by @BernieWhite. #1323
      • Fixed Azure.AppService.WebProbe with non-boolean value set by @BernieWhite. #1906
      • Fixed managed identity flagged as secret by Azure.Deployment.OutputSecretValue by @BernieWhite. #1826 #1886
      • Fixed missing support for diagnostic settings category groups by @BenjaminEngeset. #1873

    What's changed since pre-release v1.22.0-B0203:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1220-b0203-pre-release","title":"v1.22.0-B0203 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0153:

    • General improvements:
      • Added debug logging improvements for Bicep expansion by @BernieWhite. #1901
    • Bug fixes:
      • Fixed Azure.AppService.WebProbe with non-boolean value set by @BernieWhite. #1906
    "},{"location":"CHANGELOG-v1/#v1220-b0153-pre-release","title":"v1.22.0-B0153 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0106:

    • Bug fixes:
      • Fixed managed identity flagged as secret by Azure.Deployment.OutputSecretValue by @BernieWhite. #1826 #1886
    "},{"location":"CHANGELOG-v1/#v1220-b0106-pre-release","title":"v1.22.0-B0106 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0062:

    • New rules:
      • API Management:
        • Check API management instances uses multi-region deployment by @BenjaminEngeset. #1030
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers, databases, firewall rules and VNET rules names meet naming requirements by @BenjaminEngeset. #1854
    • Engineering:
      • Bump PSRule to v2.6.0. #1883
      • Bump Az.Resources to v6.4.1. #1883
    • Bug fixes:
      • Fixed ref and name duplicated by @BernieWhite. #1876
      • Fixed an item with the same key for parameters by @BernieWhite #1871
      • Fixed policy parse of requestContext function by @BernieWhite. #1654
      • Fixed handling of policy type field by @BernieWhite. #1323
    "},{"location":"CHANGELOG-v1/#v1220-b0062-pre-release","title":"v1.22.0-B0062 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0026:

    • New rules:
      • Azure Database for MariaDB:
        • Check Azure Database for MariaDB servers only uses TLS 1.2 version by @BenjaminEngeset. #1853
        • Check Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset. #1852
        • Check Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset. #1850
        • Check Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset. #1848
      • Azure Database for PostgreSQL:
        • Check Azure Database for PostgreSQL servers have Microsoft Defender configured by @BenjaminEngeset. #286
        • Check Azure Database for PostgreSQL servers have geo-redundant backup configured by @BenjaminEngeset. #285
      • Azure Database for MySQL:
        • Check Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset. #287
        • Check Azure Database for MySQL servers uses the flexible deployment model by @BenjaminEngeset. #1841
        • Check Azure Database for MySQL Flexible Servers have geo-redundant backup configured by @BenjaminEngeset. #1840
        • Check Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset. #284
      • Azure Resource Deployments:
        • Check for nested deployment that are scoped to outer and passing secure values by @ms-sambell. #1475
        • Check custom script extension uses protected settings for secure values by @ms-sambell. #1478
      • Virtual Machine:
        • Check virtual machines running SQL Server uses Premium disks or above by @BenjaminEngeset. #9
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.4.0 #1838
      • Bump coverlet.collector to v3.2.0. #1814
    • Bug fixes:
      • Fixed missing support for diagnostic settings category groups by @BenjaminEngeset. #1873
    "},{"location":"CHANGELOG-v1/#v1220-b0026-pre-release","title":"v1.22.0-B0026 (pre-release)","text":"

    What's changed since pre-release v1.22.0-B0011:

    • New rules:
      • API Management:
        • Check api management instances limits control plane API calls to apim with version '2021-08-01' or newer by @BenjaminEngeset. #1819
    • Engineering:
      • Bump Az.Resources to v6.4.0. #1829
    • Bug fixes:
      • Fixed non-Linux VM images flagged as Linux by @BernieWhite. #1825
      • Fixed failed to expand with last function on runtime property by @BernieWhite. #1830
    "},{"location":"CHANGELOG-v1/#v1220-b0011-pre-release","title":"v1.22.0-B0011 (pre-release)","text":"

    What's changed since v1.21.0:

    • New rules:
      • App Service Environment:
        • Check app service environments uses version 3 (ASEv3) instead of classic version 1 (ASEv1) and version 2 (ASEv2) by @BenjaminEngeset. #1805
      • Front Door:
        • Check front door uses caching by @BenjaminEngeset. #548
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has an AzureFirewallSubnet by @BernieWhite. #875
    "},{"location":"CHANGELOG-v1/#v1212","title":"v1.21.2","text":"

    What's changed since v1.21.1:

    • Bug fixes:
      • Fixed non-Linux VM images flagged as Linux by @BernieWhite. #1825
      • Fixed failed to expand with last function on runtime property by @BernieWhite. #1830
    "},{"location":"CHANGELOG-v1/#v1211","title":"v1.21.1","text":"

    What's changed since v1.21.0:

    • Bug fixes:
      • Fixed multiple nested parameter loops returns stack empty exception by @BernieWhite. #1811
      • Fixed Azure.ACR.ContentTrust when customer managed keys are enabled by @BernieWhite. #1810
    "},{"location":"CHANGELOG-v1/#v1210","title":"v1.21.0","text":"

    What's changed since v1.20.2:

    • New features:
      • Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
    • New rules:
      • Deployment:
        • Check sensitive resource values use secure parameters by @VeraBE @BernieWhite. #1773
      • Service Bus:
        • Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset. #1777
      • Virtual Machine:
        • Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset. #1761
    • General improvements:
      • Added built-in list of ignored policy definitions by @BernieWhite. #1730
        • To ignore additional policy definitions, use the AZURE_POLICY_IGNORE_LIST configuration option.
    • Engineering:
      • Bump PSRule to v2.5.3. #1800
      • Bump Az.Resources to v6.3.1. #1800

    What's changed since pre-release v1.21.0-B0050:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1210-b0050-pre-release","title":"v1.21.0-B0050 (pre-release)","text":"

    What's changed since pre-release v1.21.0-B0027:

    • New rules:
      • Virtual Machine:
        • Check virtual machines uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
      • Virtual Machine Scale Sets:
        • Check virtual machine scale sets uses Azure Monitor Agent instead of old legacy Log Analytics Agent by @BenjaminEngeset. #1792
    • Engineering:
      • Bump PSRule to v2.5.3. #1800
      • Bump Az.Resources to v6.3.1. #1800
    • Bug fixes:
      • Fixed contains function unable to match array by @BernieWhite. #1793
    "},{"location":"CHANGELOG-v1/#v1210-b0027-pre-release","title":"v1.21.0-B0027 (pre-release)","text":"

    What's changed since pre-release v1.21.0-B0011:

    • New rules:
      • Deployment:
        • Check sensitive resource values use secure parameters by @VeraBE @BernieWhite. #1773
      • Service Bus:
        • Check service bus namespaces uses TLS 1.2 version by @BenjaminEngeset. #1777
    "},{"location":"CHANGELOG-v1/#v1210-b0011-pre-release","title":"v1.21.0-B0011 (pre-release)","text":"

    What's changed since v1.20.1:

    • New features:
      • Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
    • New rules:
      • Virtual Network:
        • Check VNETs with a GatewaySubnet also has a AzureBastionSubnet by @BenjaminEngeset. #1761
    • General improvements:
      • Added built-in list of ignored policy definitions by @BernieWhite. #1730
        • To ignore additional policy definitions, use the AZURE_POLICY_IGNORE_LIST configuration option.
    • Engineering:
      • Bump PSRule to v2.5.1. #1782
      • Bump Az.Resources to v6.3.0. #1782
    "},{"location":"CHANGELOG-v1/#v1202","title":"v1.20.2","text":"

    What's changed since v1.20.1:

    • Bug fixes:
      • Fixed contains function unable to match array by @BernieWhite. #1793
    "},{"location":"CHANGELOG-v1/#v1201","title":"v1.20.1","text":"

    What's changed since v1.20.0:

    • Bug fixes:
      • Fixed expand bicep source when reading JsonContent into a parameter by @BernieWhite. #1780
    "},{"location":"CHANGELOG-v1/#v1200","title":"v1.20.0","text":"

    What's changed since v1.19.2:

    • New features:
      • Added September 2022 baselines Azure.GA_2022_09 and Azure.Preview_2022_09 by @BernieWhite. #1738
        • Includes rules released before or during September 2022.
        • Marked Azure.GA_2022_06 and Azure.Preview_2022_06 baselines as obsolete.
    • New rules:
      • AKS:
        • Check clusters use Ephemeral OS disk by @BenjaminEngeset. #1618
      • App Configuration:
        • Check app configuration store has purge protection enabled by @BenjaminEngeset. #1689
        • Check app configuration store has one or more replicas by @BenjaminEngeset. #1688
        • Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset. #1690
        • Check identity-based authentication is used for configuration stores by @pazdedav. #1691
      • Application Gateway WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Azure Cache for Redis:
        • Check the number of firewall rules for caches by @jonathanruiz. #544
        • Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
      • CDN:
        • Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset. #1612
      • Container Registry:
        • Check soft delete policy is enabled by @BenjaminEngeset. #1674
      • Defender for Cloud:
        • Check Microsoft Defender for Containers is enable by @jdewisscher. #1632
        • Check Microsoft Defender for Servers is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for SQL is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for App Services is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for Storage is enabled by @jdewisscher. #1632
        • Check Microsoft Defender for SQL Servers on VMs is enabled by @jdewisscher. #1632
      • Deployment:
        • Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
      • Front Door WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Network Security Group:
        • Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
      • Storage Account:
        • Check blob container soft delete is enabled by @pazdedav. #1671
        • Check file share soft delete is enabled by @jonathanruiz. #966
      • VMSS:
        • Check Linux VMSS has disabled password authentication by @BenjaminEngeset. #1635
    • Updated rules:
      • Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
        • The following rules have been renamed with aliases:
          • Renamed Azure.SQL.ThreatDetection to Azure.SQL.DefenderCloud.
          • Renamed Azure.SecurityCenter.Contact to Azure.DefenderCloud.Contact.
          • Renamed Azure.SecurityCenter.Provisioning to Azure.DefenderCloud.Provisioning.
        • If you are referencing the old names please consider updating to the new names.
      • Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
      • Improved the way we check that VM or VMSS has Linux by @verabe. #1704
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.23.8 by @BernieWhite. #1627
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Event Grid:
        • Promoted Azure.EventGrid.DisableLocalAuth to GA rule set by @BernieWhite. #1628
      • Key Vault:
        • Promoted Azure.KeyVault.AutoRotationPolicy to GA rule set by @BernieWhite. #1629
    • General improvements:
      • Updated NSG documentation with code snippets and links by @simone-bennett. #1607
      • Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
      • Updated SQL firewall rules documentation by @ms-sambell. #1569
      • Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
      • Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
      • Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
      • Added hash to name and ref properties for policy rules by @ArmaanMcleod. #1653
        • Use AZURE_POLICY_RULE_PREFIX or Export-AzPolicyAssignmentRuleData -RulePrefix to override rule prefix.
    • Engineering:
      • Bump PSRule to v2.4.2. #1753 #1748
      • Bump Microsoft.NET.Test.Sdk to v17.3.2. #1719
      • Updated provider data for analysis. #1605
      • Bump Az.Resources to v6.2.0. #1636
      • Bump PSScriptAnalyzer to v1.21.0. #1636
    • Bug fixes:
      • Fixed continue processing policy assignments on error by @BernieWhite. #1651
      • Fixed handling of runtime assessment data by @BernieWhite. #1707
      • Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
      • Fixed inconclusive failure of Azure.Deployment.AdminUsername by @BernieWhite. #1631
      • Fixed error expanding with json() and single quotes by @BernieWhite. #1656
      • Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod. #1653
      • Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset. #1726
      • Fixed Azure.Deployment.AdminUsername incorrectly fails with nested deployments by @BernieWhite. #1762
      • Fixed Azure.FrontDoorWAF.Exclusions reports exclusions when none are specified by @BernieWhite. #1751
      • Fixed Azure.Deployment.AdminUsername does not match the pattern by @BernieWhite. #1758
      • Consider private offerings when checking that a VM or VMSS has Linux by @verabe. #1725

    What's changed since pre-release v1.20.0-B0477:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1200-b0477-pre-release","title":"v1.20.0-B0477 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0389:

    • General improvements:
      • Added hash to name and ref properties for policy rules by @ArmaanMcleod. #1653
        • Use AZURE_POLICY_RULE_PREFIX or Export-AzPolicyAssignmentRuleData -RulePrefix to override rule prefix.
    "},{"location":"CHANGELOG-v1/#v1200-b0389-pre-release","title":"v1.20.0-B0389 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0304:

    • New rules:
      • App Configuration:
        • Check app configuration store has purge protection enabled by @BenjaminEngeset. #1689
    • Bug fixes:
      • Fixed Azure.Deployment.AdminUsername incorrectly fails with nested deployments by @BernieWhite. #1762
    "},{"location":"CHANGELOG-v1/#v1200-b0304-pre-release","title":"v1.20.0-B0304 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0223:

    • Engineering:
      • Bump PSRule to v2.4.2. #1753 #1748
    • Bug fixes:
      • Fixed Azure.FrontDoorWAF.Exclusions reports exclusions when none are specified by @BernieWhite. #1751
      • Fixed Azure.Deployment.AdminUsername does not match the pattern by @BernieWhite. #1758
      • Consider private offerings when checking that a VM or VMSS has Linux by @verabe. #1725
    "},{"location":"CHANGELOG-v1/#v1200-b0223-pre-release","title":"v1.20.0-B0223 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0148:

    • New features:
      • Added September 2022 baselines Azure.GA_2022_09 and Azure.Preview_2022_09 by @BernieWhite. #1738
        • Includes rules released before or during September 2022.
        • Marked Azure.GA_2022_06 and Azure.Preview_2022_06 baselines as obsolete.
    • New rules:
      • App Configuration:
        • Check app configuration store has one or more replicas by @BenjaminEngeset. #1688
    • Engineering:
      • Bump PSRule to v2.4.1. #1636
      • Bump Az.Resources to v6.2.0. #1636
      • Bump PSScriptAnalyzer to v1.21.0. #1636
    • Bug fixes:
      • Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod. #1653
      • Fixed bug requiring all diagnostic logs settings to have auditing enabled by @BenjaminEngeset. #1726
    "},{"location":"CHANGELOG-v1/#v1200-b0148-pre-release","title":"v1.20.0-B0148 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0085:

    • New rules:
      • App Configuration:
        • Check app configuration store audit diagnostic logs are enabled by @BenjaminEngeset. #1690
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.3.2. #1719
    • Bug fixes:
      • Fixed error expanding with json() and single quotes by @BernieWhite. #1656
    "},{"location":"CHANGELOG-v1/#v1200-b0085-pre-release","title":"v1.20.0-B0085 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0028:

    • New rules:
      • Azure Cache for Redis:
        • Check the number of firewall rules for caches by @jonathanruiz. #544
        • Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
      • App Configuration:
        • Check identity-based authentication is used for configuration stores by @pazdedav. #1691
      • Container Registry:
        • Check soft delete policy is enabled by @BenjaminEngeset. #1674
      • Defender for Cloud:
        • Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher. #1632
      • Network Security Group:
        • Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
      • Storage Account:
        • Check blob container soft delete is enabled by @pazdedav. #1671
        • Check file share soft delete is enabled by @jonathanruiz. #966
    • Updated rules:
      • Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
        • The following rules have been renamed with aliases:
          • Renamed Azure.SQL.ThreatDetection to Azure.SQL.DefenderCloud.
          • Renamed Azure.SecurityCenter.Contact to Azure.DefenderCloud.Contact.
          • Renamed Azure.SecurityCenter.Provisioning to Azure.DefenderCloud.Provisioning.
        • If you are referencing the old names please consider updating to the new names.
      • Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
      • Improved the way we check that VM or VMSS has Linux by @verabe. #1704
    • General improvements:
      • Updated NSG documentation with code snippets and links by @simone-bennett. #1607
      • Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
      • Updated SQL firewall rules documentation by @ms-sambell. #1569
      • Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
      • Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
      • Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
    • Bug fixes:
      • Fixed continue processing policy assignments on error by @BernieWhite. #1651
      • Fixed handling of runtime assessment data by @BernieWhite. #1707
      • Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
    "},{"location":"CHANGELOG-v1/#v1200-b0028-pre-release","title":"v1.20.0-B0028 (pre-release)","text":"

    What's changed since pre-release v1.20.0-B0004:

    • New rules:
      • AKS:
        • Check clusters use Ephemeral OS disk by @BenjaminEngeset. #1618
      • CDN:
        • Check CDN profile uses Front Door Standard or Premium tier by @BenjaminEngeset. #1612
      • VMSS:
        • Check Linux VMSS has disabled password authentication by @BenjaminEngeset. #1635
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.23.8 by @BernieWhite. #1627
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Event Grid:
        • Promoted Azure.EventGrid.DisableLocalAuth to GA rule set by @BernieWhite. #1628
      • Key Vault:
        • Promoted Azure.KeyVault.AutoRotationPolicy to GA rule set by @BernieWhite. #1629
    • Engineering:
      • Bump PSRule to v2.4.0. #1620
      • Updated provider data for analysis. #1605
    • Bug fixes:
      • Fixed function dateTimeAdd errors handling utcNow output by @BernieWhite. #1637
      • Fixed inconclusive failure of Azure.Deployment.AdminUsername by @BernieWhite. #1631
    "},{"location":"CHANGELOG-v1/#v1200-b0004-pre-release","title":"v1.20.0-B0004 (pre-release)","text":"

    What's changed since v1.19.1:

    • New rules:
      • Azure Resources:
        • Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.3.1. #1603
    "},{"location":"CHANGELOG-v1/#v1192","title":"v1.19.2","text":"

    What's changed since v1.19.1:

    • Bug fixes:
      • Fixed function dateTimeAdd errors handling utcNow output by @BernieWhite. #1637
    "},{"location":"CHANGELOG-v1/#v1191","title":"v1.19.1","text":"

    What's changed since v1.19.0:

    • Bug fixes:
      • Fixed Azure.VNET.UseNSGs is missing exceptions by @BernieWhite. #1609
        • Added exclusions for RouteServerSubnet and any subnet with a dedicated HSM delegation.
    "},{"location":"CHANGELOG-v1/#v1190","title":"v1.19.0","text":"

    What's changed since v1.18.1:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use uptime SLA by @BenjaminEngeset. #1601
    • General improvements:
      • Updated rule level for the following rules by @BernieWhite. #1551
        • Set Azure.APIM.APIDescriptors to warning from error.
        • Set Azure.APIM.ProductDescriptors to warning from error.
        • Set Azure.Template.UseLocationParameter to warning from error.
        • Set Azure.Template.UseComments to information from error.
        • Set Azure.Template.UseDescriptions to information from error.
      • Improve reporting of failing resource property for rules by @BernieWhite. #1429
    • Engineering:
      • Added publishing of symbols for NuGet packages by @BernieWhite. #1549
      • Bump Az.Resources to v6.1.0. #1557
      • Bump Microsoft.NET.Test.Sdk to v17.3.0. #1563
      • Bump PSRule to v2.3.2. #1574
      • Bump support projects to .NET 6 by @BernieWhite. #1560
      • Bump BenchmarkDotNet to v0.13.2. #1593
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2. #1594
      • Updated provider data for analysis. #1598
    • Bug fixes:
      • Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite. #1582
      • Fixed handling of storage accounts sub-resources with CMK by @BernieWhite. #1575

    What's changed since pre-release v1.19.0-B0077:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1190-b0077-pre-release","title":"v1.19.0-B0077 (pre-release)","text":"

    What's changed since pre-release v1.19.0-B0042:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use uptime SLA by @BenjaminEngeset. #1601
    "},{"location":"CHANGELOG-v1/#v1190-b0042-pre-release","title":"v1.19.0-B0042 (pre-release)","text":"

    What's changed since pre-release v1.19.0-B0010:

    • General improvements:
      • Improve reporting of failing resource property for rules by @BernieWhite. #1429
    • Engineering:
      • Bump PSRule to v2.3.2. #1574
      • Bump support projects to .NET 6 by @BernieWhite. #1560
      • Bump BenchmarkDotNet to v0.13.2. #1593
      • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2. #1594
      • Updated provider data for analysis. #1598
    • Bug fixes:
      • Fixed parameter files linked to bicep code via naming convention is not working by @BernieWhite. #1582
      • Fixed handling of storage accounts sub-resources with CMK by @BernieWhite. #1575
    "},{"location":"CHANGELOG-v1/#v1190-b0010-pre-release","title":"v1.19.0-B0010 (pre-release)","text":"

    What's changed since v1.18.1:

    • General improvements:
      • Updated rule level for the following rules by @BernieWhite. #1551
        • Set Azure.APIM.APIDescriptors to warning from error.
        • Set Azure.APIM.ProductDescriptors to warning from error.
        • Set Azure.Template.UseLocationParameter to warning from error.
        • Set Azure.Template.UseComments to information from error.
        • Set Azure.Template.UseDescriptions to information from error.
    • Engineering:
      • Added publishing of symbols for NuGet packages by @BernieWhite. #1549
      • Bump PSRule to v2.3.1. #1561
      • Bump Az.Resources to v6.1.0. #1557
      • Bump Microsoft.NET.Test.Sdk to v17.3.0. #1563
    "},{"location":"CHANGELOG-v1/#v1181","title":"v1.18.1","text":"

    What's changed since v1.18.0:

    • Bug fixes:
      • Fixed Azure.APIM.HTTPBackend reports failure when service URL is not defined by @BernieWhite. #1555
      • Fixed Azure.SQL.AAD failure with newer API by @BernieWhite. #1302
    "},{"location":"CHANGELOG-v1/#v1180","title":"v1.18.0","text":"

    What's changed since v1.17.1:

    • New rules:
      • Cognitive Services:
        • Check accounts use network access restrictions by @BernieWhite. #1532
        • Check accounts use managed identities to access Azure resources by @BernieWhite. #1532
        • Check accounts only accept requests using Azure AD identities by @BernieWhite. #1532
        • Check accounts disable access using public endpoints by @BernieWhite. #1532
    • General improvements:
      • Added support for array indexOf, lastIndexOf, and items ARM functions by @BernieWhite. #1440
      • Added support for join ARM function by @BernieWhite. #1535
      • Improved output of full path to emitted resources by @BernieWhite. #1523
    • Engineering:
      • Bump Az.Resources to v6.0.1. #1521
      • Updated provider data for analysis. #1540
      • Bump xunit to v2.4.2. #1542
      • Added readme and tags to NuGet by @BernieWhite. #1513
    • Bug fixes:
      • Fixed Azure.SQL.TDE is not required to enable Transparent Data Encryption for IaC by @BernieWhite. #1530

    What's changed since pre-release v1.18.0-B0027:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1180-b0027-pre-release","title":"v1.18.0-B0027 (pre-release)","text":"

    What's changed since pre-release v1.18.0-B0010:

    • New rules:
      • Cognitive Services:
        • Check accounts use network access restrictions by @BernieWhite. #1532
        • Check accounts use managed identities to access Azure resources by @BernieWhite. #1532
        • Check accounts only accept requests using Azure AD identities by @BernieWhite. #1532
        • Check accounts disable access using public endpoints by @BernieWhite. #1532
    • General improvements:
      • Added support for array indexOf, lastIndexOf, and items ARM functions by @BernieWhite. #1440
      • Added support for join ARM function by @BernieWhite. #1535
    • Engineering:
      • Updated provider data for analysis. #1540
      • Bump xunit to v2.4.2. #1542
    • Bug fixes:
      • Fixed Azure.SQL.TDE is not required to enable Transparent Data Encryption for IaC by @BernieWhite. #1530
    "},{"location":"CHANGELOG-v1/#v1180-b0010-pre-release","title":"v1.18.0-B0010 (pre-release)","text":"

    What's changed since pre-release v1.18.0-B0002:

    • General improvements:
      • Improved output of full path to emitted resources by @BernieWhite. #1523
    • Engineering:
      • Bump Az.Resources to v6.0.1. #1521
    "},{"location":"CHANGELOG-v1/#v1180-b0002-pre-release","title":"v1.18.0-B0002 (pre-release)","text":"

    What's changed since v1.17.1:

    • Engineering:
      • Added readme and tags to NuGet by @BernieWhite. #1513
    "},{"location":"CHANGELOG-v1/#v1171","title":"v1.17.1","text":"

    What's changed since v1.17.0:

    • Bug fixes:
      • Fixed union returns null when merged with built-in expansion objects by @BernieWhite. #1515
      • Fixed missing zones in test for standalone VM by @BernieWhite. #1506
    "},{"location":"CHANGELOG-v1/#v1170","title":"v1.17.0","text":"

    What's changed since v1.16.1:

    • New features:
      • Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
      • Added June 2022 baselines Azure.GA_2022_06 and Azure.Preview_2022_06 by @BernieWhite. #1499
        • Includes rules released before or during June 2022.
        • Marked Azure.GA_2022_03 and Azure.Preview_2022_03 baselines as obsolete.
    • New rules:
      • Deployment:
        • Check for secure values in outputs by @BernieWhite. #297
    • Engineering:
      • Bump Newtonsoft.Json to v13.0.1. #1494
      • Updated NuGet packaging metadata by @BernieWhite. #1428
      • Updated provider data for analysis. #1502
      • Bump PSRule to v2.2.0. #1444
      • Updated NuGet packaging metadata by @BernieWhite. #1428
    • Bug fixes:
      • Fixed TDE property status to state by @Dylan-Prins. #1505
      • Fixed the language expression value fails in outputs by @BernieWhite. #1485

    What's changed since pre-release v1.17.0-B0064:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1170-b0064-pre-release","title":"v1.17.0-B0064 (pre-release)","text":"

    What's changed since pre-release v1.17.0-B0035:

    • Engineering:
      • Updated provider data for analysis. #1502
      • Bump PSRule to v2.2.0. #1444
    • Bug fixes:
      • Fixed TDE property status to state by @Dylan-Prins. #1505
    "},{"location":"CHANGELOG-v1/#v1170-b0035-pre-release","title":"v1.17.0-B0035 (pre-release)","text":"

    What's changed since pre-release v1.17.0-B0014:

    • New features:
      • Added June 2022 baselines Azure.GA_2022_06 and Azure.Preview_2022_06 by @BernieWhite. #1499
        • Includes rules released before or during June 2022.
        • Marked Azure.GA_2022_03 and Azure.Preview_2022_03 baselines as obsolete.
    • Engineering:
      • Bump Newtonsoft.Json to v13.0.1. #1494
      • Updated NuGet packaging metadata by @BernieWhite. #1428
    "},{"location":"CHANGELOG-v1/#v1170-b0014-pre-release","title":"v1.17.0-B0014 (pre-release)","text":"

    What's changed since v1.16.1:

    • New features:
      • Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
    • New rules:
      • Deployment:
        • Check for secure values in outputs by @BernieWhite. #297
    • Engineering:
      • Updated NuGet packaging metadata by @BernieWhite. #1428
    • Bug fixes:
      • Fixed the language expression value fails in outputs by @BernieWhite. #1485
    "},{"location":"CHANGELOG-v1/#v1161","title":"v1.16.1","text":"

    What's changed since v1.16.0:

    • Bug fixes:
      • Fixed TLS 1.3 support in Azure.AppGw.SSLPolicy by @BernieWhite. #1469
      • Fixed Application Gateway referencing a WAF policy by @BernieWhite. #1466
    "},{"location":"CHANGELOG-v1/#v1160","title":"v1.16.0","text":"

    What's changed since v1.15.2:

    • New rules:
      • App Service:
        • Check web apps have insecure FTP disabled by @BernieWhite. #1436
        • Check web apps use a dedicated health probe by @BernieWhite. #1437
    • Updated rules:
      • Public IP:
        • Updated Azure.PublicIP.AvailabilityZone to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
          • Public IP addresses with the resource-usage tag set to azure-bastion are excluded.
    • General improvements:
      • Added support for dateTimeFromEpoch and dateTimeToEpoch ARM functions by @BernieWhite. #1451
    • Engineering:
      • Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
      • Added ref properties for several rules by @BernieWhite. #1430
      • Updated provider data for analysis. #1453
      • Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
      • Update CI checks to include required ref property by @BernieWhite. #1431
      • Added ref properties for rules by @BernieWhite. #1430
    • Bug fixes:
      • Fixed Azure.Template.UseVariables does not accept function variables names by @BernieWhite. #1427
      • Fixed dependency issue within Azure Pipelines AzurePowerShell task by @BernieWhite. #1447
        • Removed dependency on Az.Accounts and Az.Resources from manifest. Pre-install these modules to use export cmdlets.

    What's changed since pre-release v1.16.0-B0072:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1160-b0072-pre-release","title":"v1.16.0-B0072 (pre-release)","text":"

    What's changed since pre-release v1.16.0-B0041:

    • Engineering:
      • Update CI checks to include required ref property by @BernieWhite. #1431
      • Added ref properties for rules by @BernieWhite. #1430
    • Bug fixes:
      • Fixed dependency issue within Azure Pipelines AzurePowerShell task by @BernieWhite. #1447
        • Removed dependency on Az.Accounts and Az.Resources from manifest. Pre-install these modules to use export cmdlets.
    "},{"location":"CHANGELOG-v1/#v1160-b0041-pre-release","title":"v1.16.0-B0041 (pre-release)","text":"

    What's changed since pre-release v1.16.0-B0017:

    • Updated rules:
      • Public IP:
        • Updated Azure.PublicIP.AvailabilityZone to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
          • Public IP addresses with the resource-usage tag set to azure-bastion are excluded.
    • General improvements:
      • Added support for dateTimeFromEpoch and dateTimeToEpoch ARM functions by @BernieWhite. #1451
    • Engineering:
      • Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
      • Added ref properties for several rules by @BernieWhite. #1430
      • Updated provider data for analysis. #1453
    "},{"location":"CHANGELOG-v1/#v1160-b0017-pre-release","title":"v1.16.0-B0017 (pre-release)","text":"

    What's changed since v1.15.2:

    • New rules:
      • App Service:
        • Check web apps have insecure FTP disabled by @BernieWhite. #1436
        • Check web apps use a dedicated health probe by @BernieWhite. #1437
    • Engineering:
      • Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
    • Bug fixes:
      • Fixed Azure.Template.UseVariables does not accept function variables names by @BernieWhite. #1427
    "},{"location":"CHANGELOG-v1/#v1152","title":"v1.15.2","text":"

    What's changed since v1.15.1:

    • Bug fixes:
      • Fixed Azure.AppService.ManagedIdentity does not accept both system and user assigned by @BernieWhite. #1415
        • This also applies to:
          • Azure.ADX.ManagedIdentity
          • Azure.APIM.ManagedIdentity
          • Azure.EventGrid.ManagedIdentity
          • Azure.Automation.ManagedIdentity
      • Fixed Web apps with .NET 6 do not meet version constraint of Azure.AppService.NETVersion by @BernieWhite. #1414
        • This also applies to Azure.AppService.PHPVersion.
    "},{"location":"CHANGELOG-v1/#v1151","title":"v1.15.1","text":"

    What's changed since v1.15.0:

    • Bug fixes:
      • Fixed exclusion of dataCollectionRuleAssociations from Azure.Resource.UseTags by @BernieWhite. #1400
      • Fixed could not determine JSON object type for MockObject using CreateObject by @BernieWhite. #1411
      • Fixed cannot bind argument to parameter 'Sku' because it is an empty string by @BernieWhite. #1407
    "},{"location":"CHANGELOG-v1/#v1150","title":"v1.15.0","text":"

    What's changed since v1.14.3:

    • New features:
      • Important change: Added Azure.Resource.SupportsTags selector by @BernieWhite. #1339
        • Use this selector in custom rules to filter rules to only run against resources that support tags.
        • This selector replaces the SupportsTags PowerShell function.
        • Using the SupportsTag function will now result in a warning.
        • The SupportsTags function will be removed in v2.
        • See upgrade notes for more information.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.22.6 by @BernieWhite. #1386
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Added code signing of module by @BernieWhite. #1379
      • Added SBOM manifests to module by @BernieWhite. #1380
      • Embedded provider and alias information as manifest resources by @BernieWhite. #1383
        • Resources are minified and compressed to improve size and speed.
      • Added additional nodeps manifest that does not include dependencies for Az modules by @BernieWhite. #1392
      • Bump Az.Accounts to 2.7.6. #1338
      • Bump Az.Resources to 5.6.0. #1338
      • Bump PSRule to 2.1.0. #1338
      • Bump Pester to 5.3.3. #1338
    • Bug fixes:
      • Fixed dependency chain order when dependsOn copy by @BernieWhite. #1381
      • Fixed error calling SupportsTags function by @BernieWhite. #1401

    What's changed since pre-release v1.15.0-B0053:

    • Bug fixes:
      • Fixed error calling SupportsTags function by @BernieWhite. #1401
    "},{"location":"CHANGELOG-v1/#v1150-b0053-pre-release","title":"v1.15.0-B0053 (pre-release)","text":"

    What's changed since pre-release v1.15.0-B0022:

    • New features:
      • Important change: Added Azure.Resource.SupportsTags selector. #1339
        • Use this selector in custom rules to filter rules to only run against resources that support tags.
        • This selector replaces the SupportsTags PowerShell function.
        • Using the SupportsTag function will now result in a warning.
        • The SupportsTags function will be removed in v2.
        • See upgrade notes for more information.
    • Engineering:
      • Embedded provider and alias information as manifest resources. #1383
        • Resources are minified and compressed to improve size and speed.
      • Added additional nodeps manifest that does not include dependencies for Az modules. #1392
      • Bump Az.Accounts to 2.7.6. #1338
      • Bump Az.Resources to 5.6.0. #1338
      • Bump PSRule to 2.1.0. #1338
      • Bump Pester to 5.3.3. #1338
    "},{"location":"CHANGELOG-v1/#v1150-b0022-pre-release","title":"v1.15.0-B0022 (pre-release)","text":"

    What's changed since v1.14.3:

    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.22.6. #1386
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Added code signing of module. #1379
      • Added SBOM manifests to module. #1380
    • Bug fixes:
      • Fixed dependency chain order when dependsOn copy. #1381
    "},{"location":"CHANGELOG-v1/#v1143","title":"v1.14.3","text":"

    What's changed since v1.14.2:

    • Bug fixes:
      • Fixed Azure Firewall threat intel mode reported for Secure VNET hubs. #1365
      • Fixed array function handling with mock objects. #1367
    "},{"location":"CHANGELOG-v1/#v1142","title":"v1.14.2","text":"

    What's changed since v1.14.1:

    • Bug fixes:
      • Fixed handling of parent resources when sub resource is in a separate deployment. #1360
    "},{"location":"CHANGELOG-v1/#v1141","title":"v1.14.1","text":"

    What's changed since v1.14.0:

    • Bug fixes:
      • Fixed unable to set parameter defaults option with type object. #1355
    "},{"location":"CHANGELOG-v1/#v1140","title":"v1.14.0","text":"

    What's changed since v1.13.4:

    • New features:
      • Added support for referencing resources in template. #1315
        • The reference() function can be used to reference resources in template.
        • A placeholder value is still used for resources outside of the template.
      • Added March 2022 baselines Azure.GA_2022_03 and Azure.Preview_2022_03. #1334
        • Includes rules released before or during March 2022.
        • Marked Azure.GA_2021_12 and Azure.Preview_2021_12 baselines as obsolete.
      • Experimental: Cmdlets to validate objects with Azure policy conditions:
        • Export-AzPolicyAssignmentData - Exports policy assignment data. #1266
        • Export-AzPolicyAssignmentRuleData - Exports JSON rules from policy assignment data. #1278
        • Get-AzPolicyAssignmentDataSource - Discovers policy assignment data. #1340
        • See cmdlet help for limitations and usage.
        • Additional information will be posted as this feature evolves here.
    • New rules:
      • SignalR Service:
        • Check services use Managed Identities. #1306
        • Check services use a SKU with an SLA. #1307
      • Web PubSub Service:
        • Check services use Managed Identities. #1308
        • Check services use a SKU with an SLA. #1309
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.9. #1318
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Engineering:
      • Cache Azure Policy Aliases. #1277
      • Cleanup of additional alias metadata. #1351
    • Bug fixes:
      • Fixed index was out of range with split on mock properties. #1327
      • Fixed mock objects with no properties. #1347
      • Fixed sub-resources nesting by scope regression. #1348
      • Fixed expand of runtime properties on reference objects. #1324
      • Fixed processing of deployment outputs. #1316

    What's changed since pre-release v1.14.0-B2204013:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1140-b2204013-pre-release","title":"v1.14.0-B2204013 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2204007:

    • Engineering:
      • Cleanup of additional alias metadata. #1351
    "},{"location":"CHANGELOG-v1/#v1140-b2204007-pre-release","title":"v1.14.0-B2204007 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2203117:

    • Bug fixes:
      • Fixed mock objects with no properties. #1347
      • Fixed sub-resources nesting by scope regression. #1348
    "},{"location":"CHANGELOG-v1/#v1140-b2203117-pre-release","title":"v1.14.0-B2203117 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2203088:

    • New features:
      • Experimental: Cmdlets to validate objects with Azure policy conditions:
        • Export-AzPolicyAssignmentData - Exports policy assignment data. #1266
        • Export-AzPolicyAssignmentRuleData - Exports JSON rules from policy assignment data. #1278
        • Get-AzPolicyAssignmentDataSource - Discovers policy assignment data. #1340
        • See cmdlet help for limitations and usage.
        • Additional information will be posted as this feature evolves here.
    • Engineering:
      • Cache Azure Policy Aliases. #1277
    • Bug fixes:
      • Fixed index was out of range with split on mock properties. #1327
    "},{"location":"CHANGELOG-v1/#v1140-b2203088-pre-release","title":"v1.14.0-B2203088 (pre-release)","text":"

    What's changed since pre-release v1.14.0-B2203066:

    • New features:
      • Added March 2022 baselines Azure.GA_2022_03 and Azure.Preview_2022_03. #1334
        • Includes rules released before or during March 2022.
        • Marked Azure.GA_2021_12 and Azure.Preview_2021_12 baselines as obsolete.
    • Bug fixes:
      • Fixed expand of runtime properties on reference objects. #1324
    "},{"location":"CHANGELOG-v1/#v1140-b2203066-pre-release","title":"v1.14.0-B2203066 (pre-release)","text":"

    What's changed since v1.13.4:

    • New features:
      • Added support for referencing resources in template. #1315
        • The reference() function can be used to reference resources in template.
        • A placeholder value is still used for resources outside of the template.
    • New rules:
      • SignalR Service:
        • Check services use Managed Identities. #1306
        • Check services use a SKU with an SLA. #1307
      • Web PubSub Service:
        • Check services use Managed Identities. #1308
        • Check services use a SKU with an SLA. #1309
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.9. #1318
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Bug fixes:
      • Fixed processing of deployment outputs. #1316
    "},{"location":"CHANGELOG-v1/#v1134","title":"v1.13.4","text":"

    What's changed since v1.13.3:

    • Bug fixes:
      • Fixed virtual network without any subnets is invalid. #1303
      • Fixed container registry rules that require a premium tier. #1304
        • Rules Azure.ACR.Retention and Azure.ACR.ContentTrust are now only run against premium instances.
    "},{"location":"CHANGELOG-v1/#v1133","title":"v1.13.3","text":"

    What's changed since v1.13.2:

    • Bug fixes:
      • Fixed bicep build timeout for complex deployments. #1299
    "},{"location":"CHANGELOG-v1/#v1132","title":"v1.13.2","text":"

    What's changed since v1.13.1:

    • Engineering:
      • Bump PowerShellStandard.Library to 5.1.1. #1295
    • Bug fixes:
      • Fixed nested resource loops. #1293
    "},{"location":"CHANGELOG-v1/#v1131","title":"v1.13.1","text":"

    What's changed since v1.13.0:

    • Bug fixes:
      • Fixed parsing of nested quote pairs within JSON function. #1288
    "},{"location":"CHANGELOG-v1/#v1130","title":"v1.13.0","text":"

    What's changed since v1.12.2:

    • New features:
      • Added support for setting defaults for required parameters. #1065
        • When specified, the value will be used when a parameter value is not provided.
      • Added support expanding Bicep from parameter files. #1160
    • New rules:
      • Azure Cache for Redis:
        • Limit public access for Azure Cache for Redis instances. #935
      • Container App:
        • Check insecure ingress is not enabled (preview). #1252
      • Key Vault:
        • Check key auto-rotation is enabled (preview). #1159
      • Recovery Services Vault:
        • Check vaults have replication alerts configured. #7
    • Engineering:
      • Automatically build baseline docs. #1242
      • Bump PSRule dependency to v1.11.1. #1269
    • Bug fixes:
      • Fixed empty value with strong type. #1258
      • Fixed error with empty logic app trigger. #1249
      • Fixed out of order parameters. #1257
      • Fixed mapping default configuration causes cast exception. #1274
      • Fixed resource id is incorrectly built for sub resource types. #1279

    What's changed since pre-release v1.13.0-B2202113:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1130-b2202113-pre-release","title":"v1.13.0-B2202113 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202108:

    • Bug fixes:
      • Fixed resource id is incorrectly built for sub resource types. #1279
    "},{"location":"CHANGELOG-v1/#v1130-b2202108-pre-release","title":"v1.13.0-B2202108 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202103:

    • Bug fixes:
      • Fixed mapping default configuration causes cast exception. #1274
    "},{"location":"CHANGELOG-v1/#v1130-b2202103-pre-release","title":"v1.13.0-B2202103 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202090:

    • Engineering:
      • Bump PSRule dependency to v1.11.1. #1269
    • Bug fixes:
      • Fixed out of order parameters. #1257
    "},{"location":"CHANGELOG-v1/#v1130-b2202090-pre-release","title":"v1.13.0-B2202090 (pre-release)","text":"

    What's changed since pre-release v1.13.0-B2202063:

    • New rules:
      • Azure Cache for Redis:
        • Limit public access for Azure Cache for Redis instances. #935
    • Engineering:
      • Automatically build baseline docs. #1242
    • Bug fixes:
      • Fixed empty value with strong type. #1258
    "},{"location":"CHANGELOG-v1/#v1130-b2202063-pre-release","title":"v1.13.0-B2202063 (pre-release)","text":"

    What's changed since v1.12.2:

    • New features:
      • Added support for setting defaults for required parameters. #1065
        • When specified, the value will be used when a parameter value is not provided.
      • Added support expanding Bicep from parameter files. #1160
    • New rules:
      • Container App:
        • Check insecure ingress is not enabled (preview). #1252
      • Key Vault:
        • Check key auto-rotation is enabled (preview). #1159
      • Recovery Services Vault:
        • Check vaults have replication alerts configured. #7
    • Bug fixes:
      • Fixed error with empty logic app trigger. #1249
    "},{"location":"CHANGELOG-v1/#v1122","title":"v1.12.2","text":"

    What's changed since v1.12.1:

    • Bug fixes:
      • Fixed detect strong type requirements for nested deployments. #1235
    "},{"location":"CHANGELOG-v1/#v1121","title":"v1.12.1","text":"

    What's changed since v1.12.0:

    • Bug fixes:
      • Fixed Bicep already exists with PSRule v2. #1232
    "},{"location":"CHANGELOG-v1/#v1120","title":"v1.12.0","text":"

    What's changed since v1.11.1:

    • New rules:
      • Data Explorer:
        • Check clusters use Managed Identities. #1207
        • Check clusters use a SKU with a SLA. #1208
        • Check clusters use disk encryption. #1209
        • Check clusters are in use with databases. #1215
      • Event Hub:
        • Check namespaces are in use with event hubs. #1216
        • Check namespaces only accept identity-based authentication. #1217
      • Azure Recovery Services Vault:
        • Check vaults use geo-redundant storage. #5
      • Service Bus:
        • Check namespaces are in use with queues and topics. #1218
        • Check namespaces only accept identity-based authentication. #1219
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.7. #1188
          • Pinned latest GA baseline Azure.GA_2021_12 to previous version 1.20.5.
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Azure API Management:
        • Check service disabled insecure ciphers. #1128
        • Refactored the cipher and protocol rule into individual rules.
          • Azure.APIM.Protocols
          • Azure.APIM.Ciphers
    • General improvements:
      • Important change: Replaced Azure_AKSMinimumVersion option with AZURE_AKS_CLUSTER_MINIMUM_VERSION. #941
        • For compatibility, if Azure_AKSMinimumVersion is set it will be used instead of AZURE_AKS_CLUSTER_MINIMUM_VERSION.
        • If only AZURE_AKS_CLUSTER_MINIMUM_VERSION is set, this value will be used.
        • The default will be used neither options are configured.
        • If Azure_AKSMinimumVersion is set a warning will be generated until the configuration is removed.
        • Support for Azure_AKSMinimumVersion is deprecated and will be removed in v2.
        • See upgrade notes for details.
    • Bug fixes:
      • Fixed false positive of blob container with access unspecified. #1212

    What's changed since pre-release v1.12.0-B2201086:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1120-b2201086-pre-release","title":"v1.12.0-B2201086 (pre-release)","text":"

    What's changed since pre-release v1.12.0-B2201067:

    • New rules:
      • Data Explorer:
        • Check clusters are in use with databases. #1215
      • Event Hub:
        • Check namespaces are in use with event hubs. #1216
        • Check namespaces only accept identity-based authentication. #1217
      • Azure Recovery Services Vault:
        • Check vaults use geo-redundant storage. #5
      • Service Bus:
        • Check namespaces are in use with queues and topics. #1218
        • Check namespaces only accept identity-based authentication. #1219
    "},{"location":"CHANGELOG-v1/#v1120-b2201067-pre-release","title":"v1.12.0-B2201067 (pre-release)","text":"

    What's changed since pre-release v1.12.0-B2201054:

    • New rules:
      • Data Explorer:
        • Check clusters use Managed Identities. #1207
        • Check clusters use a SKU with a SLA. #1208
        • Check clusters use disk encryption. #1209
    • Bug fixes:
      • Fixed false positive of blob container with access unspecified. #1212
    "},{"location":"CHANGELOG-v1/#v1120-b2201054-pre-release","title":"v1.12.0-B2201054 (pre-release)","text":"

    What's changed since v1.11.1:

    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to use latest stable version 1.21.7. #1188
          • Pinned latest GA baseline Azure.GA_2021_12 to previous version 1.20.5.
          • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
      • Azure API Management:
        • Check service disabled insecure ciphers. #1128
        • Refactored the cipher and protocol rule into individual rules.
          • Azure.APIM.Protocols
          • Azure.APIM.Ciphers
    • General improvements:
      • Important change: Replaced Azure_AKSMinimumVersion option with AZURE_AKS_CLUSTER_MINIMUM_VERSION. #941
        • For compatibility, if Azure_AKSMinimumVersion is set it will be used instead of AZURE_AKS_CLUSTER_MINIMUM_VERSION.
        • If only AZURE_AKS_CLUSTER_MINIMUM_VERSION is set, this value will be used.
        • The default will be used neither options are configured.
        • If Azure_AKSMinimumVersion is set a warning will be generated until the configuration is removed.
        • Support for Azure_AKSMinimumVersion is deprecated and will be removed in v2.
        • See upgrade notes for details.
    "},{"location":"CHANGELOG-v1/#v1111","title":"v1.11.1","text":"

    What's changed since v1.11.0:

    • Bug fixes:
      • Fixed Azure.AKS.CNISubnetSize rule to use CNI selector. #1178
    "},{"location":"CHANGELOG-v1/#v1110","title":"v1.11.0","text":"

    What's changed since v1.10.4:

    • New features:
      • Added baselines containing only Azure preview features. #1129
        • Added baseline Azure.Preview_2021_09.
        • Added baseline Azure.Preview_2021_12.
      • Added Azure.GA_2021_12 baseline. #1146
        • Includes rules released before or during December 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_09 as obsolete.
      • Bicep support promoted from experimental to generally available (GA). #1176
    • New rules:
      • All resources:
        • Check comments for each template resource. #969
      • Automation Account:
        • Automation accounts should enable diagnostic logs. #1075
      • Azure Kubernetes Service:
        • Check clusters have the HTTP application routing add-on disabled. #1131
        • Check clusters use the Secrets Store CSI Driver add-on. #992
        • Check clusters autorotation with the Secrets Store CSI Driver add-on. #993
        • Check clusters use Azure AD Pod Managed Identities (preview). #991
      • Azure Redis Cache:
        • Use availability zones for Azure Cache for Redis for regions that support it. #1078
          • Azure.Redis.AvailabilityZone
          • Azure.RedisEnterprise.Zones
      • Application Security Group:
        • Check Application Security Groups meet naming requirements. #1110
      • Firewall:
        • Check Firewalls meet naming requirements. #1110
        • Check Firewall policies meet naming requirements. #1110
      • Private Endpoint:
        • Check Private Endpoints meet naming requirements. #1110
      • Virtual WAN:
        • Check Virtual WANs meet naming requirements. #1110
    • Updated rules:
      • Azure Kubernetes Service:
        • Promoted Azure.AKS.AutoUpgrade to GA rule set. #1130
    • General improvements:
      • Added support for template function tenant(). #1124
      • Added support for template function managementGroup(). #1125
      • Added support for template function pickZones(). #518
    • Engineering:
      • Rule refactoring of rules from PowerShell to YAML. #1109
        • The following rules were refactored:
          • Azure.LB.Name
          • Azure.NSG.Name
          • Azure.Firewall.Mode
          • Azure.Route.Name
          • Azure.VNET.Name
          • Azure.VNG.Name
          • Azure.VNG.ConnectionName
          • Azure.AppConfig.SKU
          • Azure.AppConfig.Name
          • Azure.AppInsights.Workspace
          • Azure.AppInsights.Name
          • Azure.Cosmos.AccountName
          • Azure.FrontDoor.State
          • Azure.FrontDoor.Name
          • Azure.FrontDoor.WAF.Mode
          • Azure.FrontDoor.WAF.Enabled
          • Azure.FrontDoor.WAF.Name
          • Azure.AKS.MinNodeCount
          • Azure.AKS.ManagedIdentity
          • Azure.AKS.StandardLB
          • Azure.AKS.AzurePolicyAddOn
          • Azure.AKS.ManagedAAD
          • Azure.AKS.AuthorizedIPs
          • Azure.AKS.LocalAccounts
          • Azure.AKS.AzureRBAC
    • Bug fixes:
      • Fixed output of Bicep informational and warning messages in error stream. #1157

    What's changed since pre-release v1.11.0-B2112112:

    • New features:
      • Bicep support promoted from experimental to generally available (GA). #1176
    "},{"location":"CHANGELOG-v1/#v1110-b2112112-pre-release","title":"v1.11.0-B2112112 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2112104:

    • New rules:
      • Azure Redis Cache:
        • Use availability zones for Azure Cache for Redis for regions that support it. #1078
          • Azure.Redis.AvailabilityZone
          • Azure.RedisEnterprise.Zones
    "},{"location":"CHANGELOG-v1/#v1110-b2112104-pre-release","title":"v1.11.0-B2112104 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2112073:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use Azure AD Pod Managed Identities (preview). #991
    • Engineering:
      • Rule refactoring of rules from PowerShell to YAML. #1109
        • The following rules were refactored:
          • Azure.AppConfig.SKU
          • Azure.AppConfig.Name
          • Azure.AppInsights.Workspace
          • Azure.AppInsights.Name
          • Azure.Cosmos.AccountName
          • Azure.FrontDoor.State
          • Azure.FrontDoor.Name
          • Azure.FrontDoor.WAF.Mode
          • Azure.FrontDoor.WAF.Enabled
          • Azure.FrontDoor.WAF.Name
          • Azure.AKS.MinNodeCount
          • Azure.AKS.ManagedIdentity
          • Azure.AKS.StandardLB
          • Azure.AKS.AzurePolicyAddOn
          • Azure.AKS.ManagedAAD
          • Azure.AKS.AuthorizedIPs
          • Azure.AKS.LocalAccounts
          • Azure.AKS.AzureRBAC
    • Bug fixes:
      • Fixed output of Bicep informational and warning messages in error stream. #1157
      • Fixed obsolete flag for baseline Azure.Preview_2021_12. #1166
    "},{"location":"CHANGELOG-v1/#v1110-b2112073-pre-release","title":"v1.11.0-B2112073 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2112024:

    • New features:
      • Added baselines containing only Azure preview features. #1129
        • Added baseline Azure.Preview_2021_09.
        • Added baseline Azure.Preview_2021_12.
      • Added Azure.GA_2021_12 baseline. #1146
        • Includes rules released before or during December 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_09 as obsolete.
    • New rules:
      • All resources:
        • Check comments for each template resource. #969
    • Bug fixes:
      • Fixed template function equals parameter count mismatch. #1137
      • Fixed copy loop on nested deployment parameters is not handled. #1144
      • Fixed outer copy loop of nested deployment. #1154
    "},{"location":"CHANGELOG-v1/#v1110-b2112024-pre-release","title":"v1.11.0-B2112024 (pre-release)","text":"

    What's changed since pre-release v1.11.0-B2111014:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters have the HTTP application routing add-on disabled. #1131
        • Check clusters use the Secrets Store CSI Driver add-on. #992
        • Check clusters autorotation with the Secrets Store CSI Driver add-on. #993
      • Automation Account:
        • Automation accounts should enable diagnostic logs. #1075
    • Updated rules:
      • Azure Kubernetes Service:
        • Promoted Azure.AKS.AutoUpgrade to GA rule set. #1130
    • General improvements:
      • Added support for template function tenant(). #1124
      • Added support for template function managementGroup(). #1125
      • Added support for template function pickZones(). #518
    • Bug fixes:
      • Fixed Azure.Policy.WaiverExpiry date conversion. #1118
    "},{"location":"CHANGELOG-v1/#v1110-b2111014-pre-release","title":"v1.11.0-B2111014 (pre-release)","text":"

    What's changed since v1.10.0:

    • New rules:
      • Application Security Group:
        • Check Application Security Groups meet naming requirements. #1110
      • Firewall:
        • Check Firewalls meet naming requirements. #1110
        • Check Firewall policies meet naming requirements. #1110
      • Private Endpoint:
        • Check Private Endpoints meet naming requirements. #1110
      • Virtual WAN:
        • Check Virtual WANs meet naming requirements. #1110
    • Engineering:
      • Rule refactoring of rules from PowerShell to YAML. #1109
        • The following rules were refactored:
          • Azure.LB.Name
          • Azure.NSG.Name
          • Azure.Firewall.Mode
          • Azure.Route.Name
          • Azure.VNET.Name
          • Azure.VNG.Name
          • Azure.VNG.ConnectionName
    "},{"location":"CHANGELOG-v1/#v1104","title":"v1.10.4","text":"

    What's changed since v1.10.3:

    • Bug fixes:
      • Fixed outer copy loop of nested deployment. #1154
    "},{"location":"CHANGELOG-v1/#v1103","title":"v1.10.3","text":"

    What's changed since v1.10.2:

    • Bug fixes:
      • Fixed copy loop on nested deployment parameters is not handled. #1144
    "},{"location":"CHANGELOG-v1/#v1102","title":"v1.10.2","text":"

    What's changed since v1.10.1:

    • Bug fixes:
      • Fixed template function equals parameter count mismatch. #1137
    "},{"location":"CHANGELOG-v1/#v1101","title":"v1.10.1","text":"

    What's changed since v1.10.0:

    • Bug fixes:
      • Fixed Azure.Policy.WaiverExpiry date conversion. #1118
    "},{"location":"CHANGELOG-v1/#v1100","title":"v1.10.0","text":"

    What's changed since v1.9.1:

    • New features:
      • Added support for parameter strong types. #1083
        • The value of string parameters can be tested against the expected type.
        • When configuring a location strong type, the parameter value must be a valid Azure location.
        • When configuring a resource type strong type, the parameter value must be a matching resource Id.
    • New rules:
      • All resources:
        • Check template expressions do not exceed a maximum length. #1006
      • Automation Service:
        • Check automation accounts should use managed identities for authentication. #1074
      • Event Grid:
        • Check topics and domains use managed identities. #1091
        • Check topics and domains use private endpoints. #1092
        • Check topics and domains use identity-based authentication. #1093
    • General improvements:
      • Updated default baseline to use module configuration. #1089
    • Engineering:
      • Bump PSRule dependency to v1.9.0. #1081
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080
      • Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085
    • Bug fixes:
      • Fixed expansion of secret references. #1098
      • Fixed handling of tagging for deployments. #1099
      • Fixed strong type issue flagged with empty defaultValue string. #1100

    What's changed since pre-release v1.10.0-B2111081:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v1100-b2111081-pre-release","title":"v1.10.0-B2111081 (pre-release)","text":"

    What's changed since pre-release v1.10.0-B2111072:

    • New rules:
      • Automation Service:
        • Automation accounts should use managed identities for authentication. #1074
    "},{"location":"CHANGELOG-v1/#v1100-b2111072-pre-release","title":"v1.10.0-B2111072 (pre-release)","text":"

    What's changed since pre-release v1.10.0-B2111058:

    • New rules:
      • All resources:
        • Check template expressions do not exceed a maximum length. #1006
    • Bug fixes:
      • Fixed expansion of secret references. #1098
      • Fixed handling of tagging for deployments. #1099
      • Fixed strong type issue flagged with empty defaultValue string. #1100
    "},{"location":"CHANGELOG-v1/#v1100-b2111058-pre-release","title":"v1.10.0-B2111058 (pre-release)","text":"

    What's changed since pre-release v1.10.0-B2111040:

    • New rules:
      • Event Grid:
        • Check topics and domains use managed identities. #1091
        • Check topics and domains use private endpoints. #1092
        • Check topics and domains use identity-based authentication. #1093
    • General improvements:
      • Updated default baseline to use module configuration. #1089
    "},{"location":"CHANGELOG-v1/#v1100-b2111040-pre-release","title":"v1.10.0-B2111040 (pre-release)","text":"

    What's changed since v1.9.1:

    • New features:
      • Added support for parameter strong types. #1083
        • The value of string parameters can be tested against the expected type.
        • When configuring a location strong type, the parameter value must be a valid Azure location.
        • When configuring a resource type strong type, the parameter value must be a matching resource Id.
    • Engineering:
      • Bump PSRule dependency to v1.9.0. #1081
      • Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080
      • Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085
    "},{"location":"CHANGELOG-v1/#v191","title":"v1.9.1","text":"

    What's changed since v1.9.0:

    • Bug fixes:
      • Fixed can not index into resource group tags. #1066
      • Fixed Azure.VM.ASMinMembers for template deployments. #1064
      • Fixed zones property not found on public IP resource. #1070
    "},{"location":"CHANGELOG-v1/#v190","title":"v1.9.0","text":"

    What's changed since v1.8.1:

    • New rules:
      • API Management Service:
        • Check API management services are using availability zones when available. #1017
      • Public IP Address:
        • Check Public IP addresses are configured with zone-redundancy. #958
        • Check Public IP addresses are using Standard SKU. #979
      • User Assigned Managed Identity:
        • Check identities meet naming requirements. #1021
      • Virtual Network Gateway:
        • Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
    • General improvements:
      • Improved processing of AzOps generated templates. #799
        • Azure.Template.DefineParameters is ignored for AzOps generated templates.
        • Azure.Template.UseLocationParameter is ignored for AzOps generated templates.
      • Bicep is now installed when using PSRule GitHub Action. #1050
    • Engineering:
      • Bump PSRule dependency to v1.8.0. #1018
      • Added automated PR workflow to bump providers.json monthly. #1041
    • Bug fixes:
      • Fixed AKS Network Policy should accept calico. #1046
      • Fixed Azure.ACR.AdminUser fails when adminUserEnabled not set. #1014
      • Fixed Azure.KeyVault.Logs reports cannot index into a null array. #1024
      • Fixed template function empty returns object reference not set exception. #1025
      • Fixed delayed binding of and template function. #1026
      • Fixed template function array nests array with array parameters. #1027
      • Fixed property used by Azure.ACR.MinSKU to work more reliably with templates. #1034
      • Fixed could not determine JSON object type for MockMember using CreateObject. #1035
      • Fixed Bicep convention ordering. #1053

    What's changed since pre-release v1.9.0-B2110087:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v190-b2110087-pre-release","title":"v1.9.0-B2110087 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110082:

    • Bug fixes:
      • Fixed Bicep convention ordering. #1053
    "},{"location":"CHANGELOG-v1/#v190-b2110082-pre-release","title":"v1.9.0-B2110082 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110059:

    • General improvements:
      • Bicep is now installed when using PSRule GitHub Action. #1050
    • Engineering:
      • Added automated PR workflow to bump providers.json monthly. #1041
    • Bug fixes:
      • Fixed AKS Network Policy should accept calico. #1046
    "},{"location":"CHANGELOG-v1/#v190-b2110059-pre-release","title":"v1.9.0-B2110059 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110040:

    • New rules:
      • API Management Service:
        • Check API management services are using availability zones when available. #1017
    • Bug fixes:
      • Fixed property used by Azure.ACR.MinSKU to work more reliably with templates. #1034
      • Fixed could not determine JSON object type for MockMember using CreateObject. #1035
    "},{"location":"CHANGELOG-v1/#v190-b2110040-pre-release","title":"v1.9.0-B2110040 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110025:

    • New rules:
      • User Assigned Managed Identity:
        • Check identities meet naming requirements. #1021
    • Bug fixes:
      • Fixed Azure.KeyVault.Logs reports cannot index into a null array. #1024
      • Fixed template function empty returns object reference not set exception. #1025
      • Fixed delayed binding of and template function. #1026
      • Fixed template function array nests array with array parameters. #1027
    "},{"location":"CHANGELOG-v1/#v190-b2110025-pre-release","title":"v1.9.0-B2110025 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110014:

    • Engineering:
      • Bump PSRule dependency to v1.8.0. #1018
    • Bug fixes:
      • Fixed Azure.ACR.AdminUser fails when adminUserEnabled not set. #1014
    "},{"location":"CHANGELOG-v1/#v190-b2110014-pre-release","title":"v1.9.0-B2110014 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2110009:

    • Bug fixes:
      • Fixed expression out of range of valid values. #1005
      • Fixed template expand fails in nested reference expansion. #1007
    "},{"location":"CHANGELOG-v1/#v190-b2110009-pre-release","title":"v1.9.0-B2110009 (pre-release)","text":"

    What's changed since pre-release v1.9.0-B2109027:

    • Bug fixes:
      • Fixed handling of comments with template and parameter file rules. #996
      • Fixed Azure.Template.UseLocationParameter to only apply to templates deployed as RG scope #995
      • Fixed expand template fails with createObject when no parameters are specified. #1000
    "},{"location":"CHANGELOG-v1/#v190-b2109027-pre-release","title":"v1.9.0-B2109027 (pre-release)","text":"

    What's changed since v1.8.0:

    • New rules:
      • Public IP Address:
        • Check Public IP addresses are configured with zone-redundancy. #958
        • Check Public IP addresses are using Standard SKU. #979
      • Virtual Network Gateway:
        • Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
    • General improvements:
      • Improved processing of AzOps generated templates. #799
        • Azure.Template.DefineParameters is ignored for AzOps generated templates.
        • Azure.Template.UseLocationParameter is ignored for AzOps generated templates.
    • Bug fixes:
      • Fixed ToUpper fails to convert character. #986
    "},{"location":"CHANGELOG-v1/#v181","title":"v1.8.1","text":"

    What's changed since v1.8.0:

    • Bug fixes:
      • Fixed handling of comments with template and parameter file rules. #996
      • Fixed Azure.Template.UseLocationParameter to only apply to templates deployed as RG scope #995
      • Fixed expand template fails with createObject when no parameters are specified. #1000
      • Fixed ToUpper fails to convert character. #986
      • Fixed expression out of range of valid values. #1005
      • Fixed template expand fails in nested reference expansion. #1007
    "},{"location":"CHANGELOG-v1/#v180","title":"v1.8.0","text":"

    What's changed since v1.7.0:

    • New features:
      • Added Azure.GA_2021_09 baseline. #961
        • Includes rules released before or during September 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_06 as obsolete.
    • New rules:
      • Application Gateway:
        • Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928
      • Azure Kubernetes Service:
        • Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882
        • Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922
        • Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881
        • Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880
      • Cosmos DB:
        • Check DB account names meet naming requirements. #954
        • Check DB accounts use Azure AD identities for resource management operations. #953
      • Load Balancer:
        • Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957
        • Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927
    • Engineering:
      • Bump PSRule dependency to v1.7.2. #951
      • Automated update of availability zone information in providers.json. #907
      • Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960
    • Bug fixes:
      • Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920
      • Fixed plan instance count is not applicable to Elastic Premium plans. #946
      • Fixed minimum App Service Plan fails Elastic Premium plans. #945
      • Fixed App Service Plan should include PremiumV3 plan. #944
      • Fixed Azure.VM.NICAttached with private endpoints. #932
      • Fixed Bicep CLI fails with unexpected end of content. #889
      • Fixed incomplete reason message for Azure.Storage.MinTLS. #971
      • Fixed false positive of Azure.Storage.UseReplication with large file storage. #965

    What's changed since pre-release v1.8.0-B2109060:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v180-b2109086-pre-release","title":"v1.8.0-B2109086 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2109060:

    • New rules:
      • Load Balancer:
        • Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #957
    • Engineering:
      • Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #960
    • Bug fixes:
      • Fixed Bicep CLI fails with unexpected end of content. #889
      • Fixed incomplete reason message for Azure.Storage.MinTLS. #971
      • Fixed false positive of Azure.Storage.UseReplication with large file storage. #965
    "},{"location":"CHANGELOG-v1/#v180-b2109060-pre-release","title":"v1.8.0-B2109060 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2109046:

    • New features:
      • Added Azure.GA_2021_09 baseline. #961
        • Includes rules released before or during September 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_06 as obsolete.
    • New rules:
      • Load Balancer:
        • Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #927
    "},{"location":"CHANGELOG-v1/#v180-b2109046-pre-release","title":"v1.8.0-B2109046 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2109020:

    • New rules:
      • Application Gateway:
        • Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #928
      • Cosmos DB:
        • Check DB account names meet naming requirements. #954
        • Check DB accounts use Azure AD identities for resource management operations. #953
    • Bug fixes:
      • Fixed plan instance count is not applicable to Elastic Premium plans. #946
      • Fixed minimum App Service Plan fails Elastic Premium plans. #945
      • Fixed App Service Plan should include PremiumV3 plan. #944
      • Fixed Azure.VM.NICAttached with private endpoints. #932
    • Engineering:
      • Bump PSRule dependency to v1.7.2. #951
    "},{"location":"CHANGELOG-v1/#v180-b2109020-pre-release","title":"v1.8.0-B2109020 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2108026:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #882
        • Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #922
    • Engineering:
      • Bump PSRule dependency to v1.7.0. #938
    "},{"location":"CHANGELOG-v1/#v180-b2108026-pre-release","title":"v1.8.0-B2108026 (pre-release)","text":"

    What's changed since pre-release v1.8.0-B2108013:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #881
    • Bug fixes:
      • Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #920
    "},{"location":"CHANGELOG-v1/#v180-b2108013-pre-release","title":"v1.8.0-B2108013 (pre-release)","text":"

    What's changed since v1.7.0:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #880
    • Engineering:
      • Bump PSRule dependency to v1.6.1. #913
      • Automated update of availability zone information in providers.json. #907
    "},{"location":"CHANGELOG-v1/#v170","title":"v1.7.0","text":"

    What's changed since v1.6.0:

    • New rules:
      • All resources:
        • Check template parameter files use metadata links. #846
          • Configure the AZURE_PARAMETER_FILE_METADATA_LINK option to enable this rule.
        • Check template files use a recent schema. #845
        • Check template files use a https schema scheme. #894
        • Check template parameter files use a https schema scheme. #894
        • Check template parameters set a value. #896
        • Check template parameters use a valid secret reference. #897
      • Azure Kubernetes Service:
        • Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #273
        • Check clusters use auto-scale node pools. Thanks @ArmaanMcleod. #218
          • By default, a minimum of a /23 subnet is required.
          • Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to change the default minimum subnet size.
      • Storage Account:
        • Check Storage Accounts only accept explicitly allowed network traffic. #884
    • Updated rules:
      • Virtual Network:
        • Excluded AzureFirewallManagementSubnet from Azure.VNET.UseNSGs. #869
    • General improvements:
      • Added version information to bicep compilation exceptions. #903
    • Engineering:
      • Bump PSRule dependency to v1.6.0. #871
    • Bug fixes:
      • Fixed DateTimeAdd function and tests within timezones with DST. #891
      • Fixed Azure.Template.ParameterValue failing on empty value. #901

    What's changed since pre-release v1.7.0-B2108059:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v170-b2108059-pre-release","title":"v1.7.0-B2108059 (pre-release)","text":"

    What's changed since pre-release v1.7.0-B2108049:

    • General improvements:
      • Added version information to bicep compilation exceptions. #903
    • Bug fixes:
      • Fixed Azure.Template.ParameterValue failing on empty value. #901
    "},{"location":"CHANGELOG-v1/#v170-b2108049-pre-release","title":"v1.7.0-B2108049 (pre-release)","text":"

    What's changed since pre-release v1.7.0-B2108040:

    • New rules:
      • All resources:
        • Check template files use a recent schema. #845
        • Check template files use a https schema scheme. #894
        • Check template parameter files use a https schema scheme. #894
        • Check template parameters set a value. #896
        • Check template parameters use a valid secret reference. #897
    • Bug fixes:
      • Fixed DateTimeAdd function and tests within timezones with DST. #891
    "},{"location":"CHANGELOG-v1/#v170-b2108040-pre-release","title":"v1.7.0-B2108040 (pre-release)","text":"

    What's changed since pre-release v1.7.0-B2108020:

    • New rules:
      • All resources:
        • Check template parameter files use metadata links. #846
          • Configure the AZURE_PARAMETER_FILE_METADATA_LINK option to enable this rule.
      • Azure Kubernetes Service:
        • Check clusters using Azure CNI should use large subnets. Thanks @ArmaanMcleod. #273
          • By default, a minimum of a /23 subnet is required.
          • Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to change the default minimum subnet size.
      • Storage Account:
        • Check Storage Accounts only accept explicitly allowed network traffic. #884
    "},{"location":"CHANGELOG-v1/#v170-b2108020-pre-release","title":"v1.7.0-B2108020 (pre-release)","text":"

    What's changed since v1.6.0:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #218
    • Updated rules:
      • Virtual Network:
        • Excluded AzureFirewallManagementSubnet from Azure.VNET.UseNSGs. #869
    • Engineering:
      • Bump PSRule dependency to v1.6.0. #871
    "},{"location":"CHANGELOG-v1/#v160","title":"v1.6.0","text":"

    What's changed since v1.5.1:

    • New features:
      • Experimental: Added support for expansion from Bicep source files. #848 #670 #858
        • Bicep support is currently experimental.
        • To opt-in set the AZURE_BICEP_FILE_EXPANSION configuration to true.
        • For more information see Using Bicep.
    • New rules:
      • Application Gateways:
        • Check Application Gateways publish endpoints by HTTPS. #841
    • Engineering:
      • Bump PSRule dependency to v1.5.0. #832
      • Migration of Pester v4 tests to Pester v5. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). #395

    What's changed since pre-release v1.6.0-B2108038:

    • Bug fixes:
      • Fixed Bicep expand creates deadlock and times out. #863
    "},{"location":"CHANGELOG-v1/#v160-b2108038-pre-release","title":"v1.6.0-B2108038 (pre-release)","text":"

    What's changed since pre-release v1.6.0-B2108023:

    • Bug fixes:
      • Fixed Bicep expand hangs analysis. #858
    "},{"location":"CHANGELOG-v1/#v160-b2108023-pre-release","title":"v1.6.0-B2108023 (pre-release)","text":"

    What's changed since pre-release v1.6.0-B2107028:

    • New features:
      • Experimental: Added support for expansion from Bicep source files. #848 #670
        • Bicep support is currently experimental.
        • To opt-in set the AZURE_BICEP_FILE_EXPANSION configuration to true.
        • For more information see Using Bicep.
    "},{"location":"CHANGELOG-v1/#v160-b2107028-pre-release","title":"v1.6.0-B2107028 (pre-release)","text":"

    What's changed since v1.5.1:

    • New rules:
      • Application Gateways:
        • Check Application Gateways publish endpoints by HTTPS. #841
    • Engineering:
      • Bump PSRule dependency to v1.5.0. #832
    "},{"location":"CHANGELOG-v1/#v151","title":"v1.5.1","text":"

    What's changed since v1.5.0:

    • Bug fixes:
      • Fixed rule does not detect more restrictive NSG rules. #831
    "},{"location":"CHANGELOG-v1/#v150","title":"v1.5.0","text":"

    What's changed since v1.4.1:

    • New features:
      • Added Azure.GA_2021_06 baseline. #822
        • Includes rules released before or during June 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_03 as obsolete.
    • New rules:
      • Application Insights:
        • Check App Insights resources use workspace-based configuration. #813
        • Check App Insights resources meet naming requirements. #814
    • General improvements:
      • Exclude not applicable rules for templates generated with Bicep and PSArm. #815
      • Updated rule help to use docs pages for online version. #824
    • Engineering:
      • Bump PSRule dependency to v1.4.0. #823
      • Bump YamlDotNet dependency to v11.2.1. #821
      • Migrate project to Azure GitHub organization and updated links. #800
    • Bug fixes:
      • Fixed detection of parameters and variables with line breaks. #811

    What's changed since pre-release v1.5.0-B2107002:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v150-b2107002-pre-release","title":"v1.5.0-B2107002 (pre-release)","text":"

    What's changed since pre-release v1.5.0-B2106018:

    • New features:
      • Added Azure.GA_2021_06 baseline. #822
        • Includes rules released before or during June 2021 for Azure GA features.
        • Marked baseline Azure.GA_2021_03 as obsolete.
    • General improvements:
      • Updated rule help to use docs pages for online version. #824
    • Engineering:
      • Bump PSRule dependency to v1.4.0. #823
      • Bump YamlDotNet dependency to v11.2.1. #821
    "},{"location":"CHANGELOG-v1/#v150-b2106018-pre-release","title":"v1.5.0-B2106018 (pre-release)","text":"

    What's changed since v1.4.1:

    • New rules:
      • Application Insights:
        • Check App Insights resources use workspace-based configuration. #813
        • Check App Insights resources meet naming requirements. #814
    • General improvements:
      • Exclude not applicable rules for templates generated with Bicep and PSArm. #815
    • Engineering:
      • Bump YamlDotNet dependency to v11.2.0. #801
      • Migrate project to Azure GitHub organization and updated links. #800
    • Bug fixes:
      • Fixed detection of parameters and variables with line breaks. #811
    "},{"location":"CHANGELOG-v1/#v141","title":"v1.4.1","text":"

    What's changed since v1.4.0:

    • Bug fixes:
      • Fixed boolean string conversion case. #793
      • Fixed case sensitive property matching. #794
      • Fixed automatic expansion of template parameter files. #796
        • Template parameter files are not automatically expanded by default.
        • To enable this, set the AZURE_PARAMETER_FILE_EXPANSION configuration option.
    "},{"location":"CHANGELOG-v1/#v140","title":"v1.4.0","text":"

    What's changed since v1.3.2:

    • New features:
      • Automatically expand template from parameter files for analysis. #772
        • Previously templates needed to be exported with Export-AzRuleTemplateData.
        • To export template data automatically use PSRule cmdlets with -Format File.
    • New rules:
      • Cognitive Search:
        • Check search services meet index SLA replica requirement. #761
        • Check search services meet query SLA replica requirement. #762
        • Check search services meet naming requirements. #763
        • Check search services use a minimum SKU. #764
        • Check search services use managed identities. #765
      • Azure Kubernetes Service:
        • Check clusters use AKS-managed Azure AD integration. #436
        • Check clusters have local account disabled (preview). #786
        • Check clusters have an auto-upgrade channel set (preview). #787
        • Check clusters limit access network access to the API server. #788
        • Check clusters used Azure RBAC for Kubernetes authorization. #789
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.20.5. #767
    • General improvements:
      • Automatically nest template sub-resources for analysis. #746
        • Sub-resources such as diagnostic logs or configurations are automatically nested.
        • Automatic nesting a resource requires:
          • The parent resource is defined in the same template.
          • The sub-resource depends on the parent resource.
      • Added support for source location references to template files. #781
        • Output includes source location to resources exported from a templates.
    • Bug fixes:
      • Fixed string index parsing in expressions with whitespace. #775
      • Fixed base for DateTimeAdd is not a valid string. #777
    • Engineering:
      • Added source link to project. #783

    What's changed since pre-release v1.4.0-B2105057:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v140-b2105057-pre-release","title":"v1.4.0-B2105057 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105050:

    • New rules:
      • Azure Kubernetes Service:
        • Check clusters use AKS-managed Azure AD integration. #436
        • Check clusters have local account disabled (preview). #786
        • Check clusters have an auto-upgrade channel set (preview). #787
        • Check clusters limit access network access to the API server. #788
        • Check clusters used Azure RBAC for Kubernetes authorization. #789
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.20.5. #767
    • Engineering:
      • Added source link to project. #783
    "},{"location":"CHANGELOG-v1/#v140-b2105050-pre-release","title":"v1.4.0-B2105050 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105044:

    • General improvements:
      • Added support for source location references to template files. #781
        • Output includes source location to resources exported from a templates.
    "},{"location":"CHANGELOG-v1/#v140-b2105044-pre-release","title":"v1.4.0-B2105044 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105027:

    • New features:
      • Automatically expand template from parameter files for analysis. #772
        • Previously templates needed to be exported with Export-AzRuleTemplateData.
        • To export template data automatically use PSRule cmdlets with -Format File.
    • Bug fixes:
      • Fixed string index parsing in expressions with whitespace. #775
      • Fixed base for DateTimeAdd is not a valid string. #777
    "},{"location":"CHANGELOG-v1/#v140-b2105027-pre-release","title":"v1.4.0-B2105027 (pre-release)","text":"

    What's changed since pre-release v1.4.0-B2105020:

    • New rules:
      • Cognitive Search:
        • Check search services meet index SLA replica requirement. #761
        • Check search services meet query SLA replica requirement. #762
        • Check search services meet naming requirements. #763
        • Check search services use a minimum SKU. #764
        • Check search services use managed identities. #765
    "},{"location":"CHANGELOG-v1/#v140-b2105020-pre-release","title":"v1.4.0-B2105020 (pre-release)","text":"

    What's changed since v1.3.2:

    • General improvements:
      • Automatically nest template sub-resources for analysis. #746
        • Sub-resources such as diagnostic logs or configurations are automatically nested.
        • Automatic nesting a resource requires:
          • The parent resource is defined in the same template.
          • The sub-resource depends on the parent resource.
    "},{"location":"CHANGELOG-v1/#v132","title":"v1.3.2","text":"

    What's changed since v1.3.1:

    • Bug fixes:
      • Fixed rule reason reported the parameter inputObject is null. #753
    "},{"location":"CHANGELOG-v1/#v131","title":"v1.3.1","text":"

    What's changed since v1.3.0:

    • Engineering:
      • Bump PSRule dependency to v1.3.0. #749
      • Bump YamlDotNet dependency to v11.1.1. #742
    "},{"location":"CHANGELOG-v1/#v130","title":"v1.3.0","text":"

    What's changed since v1.2.1:

    • New rules:
      • Policy:
        • Check policy assignment display name and description are set. #725
        • Check policy assignment assigned by metadata is set. #726
        • Check policy exemption display name and description are set. #723
        • Check policy waiver exemptions have an expiry date set. #724
    • Removed rules:
      • Storage:
        • Remove Azure.Storage.UseEncryption as Storage Service Encryption (SSE) is always on. #630
          • SSE is on by default and can not be disabled.
    • General improvements:
      • Additional metadata added in parameter files is passed through with Get-AzRuleTemplateLink. #706
      • Improved binding support for File inputs. #480
        • Template and parameter file names now return a relative path instead of full path.
      • Added API version for each module resource. #729
    • Engineering:
      • Clean up depreciated warning message for configuration option azureAllowedRegions. #737
      • Clean up depreciated warning message for configuration option minAKSVersion. #738
      • Bump PSRule dependency to v1.2.0. #713
    • Bug fixes:
      • Fixed could not load file or assembly YamlDotNet. #741
        • This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.

    What's changed since pre-release v1.3.0-B2104040:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v130-b2104040-pre-release","title":"v1.3.0-B2104040 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2104034:

    • Bug fixes:
      • Fixed could not load file or assembly YamlDotNet. #741
        • This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.
    "},{"location":"CHANGELOG-v1/#v130-b2104034-pre-release","title":"v1.3.0-B2104034 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2104023:

    • New rules:
      • Policy:
        • Check policy assignment display name and description are set. #725
        • Check policy assignment assigned by metadata is set. #726
        • Check policy exemption display name and description are set. #723
        • Check policy waiver exemptions have an expiry date set. #724
    • Engineering:
      • Clean up depreciated warning message for configuration option azureAllowedRegions. #737
      • Clean up depreciated warning message for configuration option minAKSVersion. #738
    "},{"location":"CHANGELOG-v1/#v130-b2104023-pre-release","title":"v1.3.0-B2104023 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2104013:

    • General improvements:
      • Improved binding support for File inputs. #480
        • Template and parameter file names now return a relative path instead of full path.
      • Added API version for each module resource. #729
    "},{"location":"CHANGELOG-v1/#v130-b2104013-pre-release","title":"v1.3.0-B2104013 (pre-release)","text":"

    What's changed since pre-release v1.3.0-B2103007:

    • Engineering:
      • Bump PSRule dependency to v1.2.0. #713
    • Bug fixes:
      • Fixed export not expanding nested deployments. #715
    "},{"location":"CHANGELOG-v1/#v130-b2103007-pre-release","title":"v1.3.0-B2103007 (pre-release)","text":"

    What's changed since v1.2.0:

    • Removed rules:
      • Storage:
        • Remove Azure.Storage.UseEncryption as Storage Service Encryption (SSE) is always on. #630
          • SSE is on by default and can not be disabled.
    • General improvements:
      • Additional metadata added in parameter files is passed through with Get-AzRuleTemplateLink. #706
    "},{"location":"CHANGELOG-v1/#v121","title":"v1.2.1","text":"

    What's changed since v1.2.0:

    • Bug fixes:
      • Fixed export not expanding nested deployments. #715
    "},{"location":"CHANGELOG-v1/#v120","title":"v1.2.0","text":"

    What's changed since v1.1.4:

    • New features:
      • Added Azure.GA_2021_03 baseline. #673
        • Includes rules released before or during March 2021 for Azure GA features.
        • Marked baseline Azure.GA_2020_12 as obsolete.
    • New rules:
      • Key Vault:
        • Check vaults, keys, and secrets meet name requirements. #646
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.7. #696
    • General improvements:
      • Added support for user defined functions in templates. #682
    • Engineering:
      • Bump PSRule dependency to v1.1.0. #692

    What's changed since pre-release v1.2.0-B2103044:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v120-b2103044-pre-release","title":"v1.2.0-B2103044 (pre-release)","text":"

    What's changed since pre-release v1.2.0-B2103032:

    • New features:
      • Added Azure.GA_2021_03 baseline. #673
        • Includes rules released before or during March 2021 for Azure GA features.
        • Marked baseline Azure.GA_2020_12 as obsolete.
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.7. #696
    "},{"location":"CHANGELOG-v1/#v120-b2103032-pre-release","title":"v1.2.0-B2103032 (pre-release)","text":"

    What's changed since pre-release v1.2.0-B2103024:

    • New rules:
      • Key Vault:
        • Check vaults, keys, and secrets meet name requirements. #646
    • Engineering:
      • Bump PSRule dependency to v1.1.0. #692
    "},{"location":"CHANGELOG-v1/#v120-b2103024-pre-release","title":"v1.2.0-B2103024 (pre-release)","text":"

    What's changed since v1.1.4:

    • General improvements:
      • Added support for user defined functions in templates. #682
    "},{"location":"CHANGELOG-v1/#v114","title":"v1.1.4","text":"

    What's changed since v1.1.3:

    • Bug fixes:
      • Fixed handling of literal index with copyIndex function. #686
      • Fixed handling of inner scoped nested deployments. #687
    "},{"location":"CHANGELOG-v1/#v113","title":"v1.1.3","text":"

    What's changed since v1.1.2:

    • Bug fixes:
      • Fixed parsing of property names for functions across multiple lines. #683
    "},{"location":"CHANGELOG-v1/#v112","title":"v1.1.2","text":"

    What's changed since v1.1.1:

    • Bug fixes:
      • Fixed copy peer property resolve. #677
      • Fixed partial resource group or subscription object not populating. #678
      • Fixed lazy loading of environment and resource providers. #679
    "},{"location":"CHANGELOG-v1/#v111","title":"v1.1.1","text":"

    What's changed since v1.1.0:

    • Bug fixes:
      • Fixed support for parameter file schemas. #674
    "},{"location":"CHANGELOG-v1/#v110","title":"v1.1.0","text":"

    What's changed since v1.0.0:

    • New features:
      • Exporting template with Export-AzRuleTemplateData supports custom resource group and subscription. #651
        • Subscription and resource group used for deployment can be specified instead of using defaults.
        • ResourceGroupName parameter of Export-AzRuleTemplateData has been renamed to ResourceGroup.
        • Added a parameter alias for ResourceGroupName on Export-AzRuleTemplateData.
    • New rules:
      • All resources:
        • Check template parameters are defined. #631
        • Check location parameter is type string. #632
        • Check template parameter minValue and maxValue constraints are valid. #637
        • Check template resources do not use hard coded locations. #633
        • Check resource group location not referenced instead of location parameter. #634
        • Check increased debug detail is disabled for nested deployments. #638
    • General improvements:
      • Added support for matching template by name. #661
        • Get-AzRuleTemplateLink discovers <templateName>.json from <templateName>.parameters.json.
    • Engineering:
      • Bump PSRule dependency to v1.0.3. #648
    • Bug fixes:
      • Fixed Azure.VM.ADE to limit rule to exports only. #644
      • Fixed if condition values evaluation order. #652
      • Fixed handling of int parameters with large values. #653
      • Fixed handling of expressions split over multiple lines. #654
      • Fixed handling of bool parameter values within logical expressions. #655
      • Fixed copy loop value does not fall within the expected range. #664
      • Fixed template comparison functions handling of large integer values. #666
      • Fixed handling of createArray function with no arguments. #667

    What's changed since pre-release v1.1.0-B2102034:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v110-b2102034-pre-release","title":"v1.1.0-B2102034 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102023:

    • General improvements:
      • Added support for matching template by name. #661
        • Get-AzRuleTemplateLink discovers <templateName>.json from <templateName>.parameters.json.
    • Bug fixes:
      • Fixed copy loop value does not fall within the expected range. #664
      • Fixed template comparison functions handling of large integer values. #666
      • Fixed handling of createArray function with no arguments. #667
    "},{"location":"CHANGELOG-v1/#v110-b2102023-pre-release","title":"v1.1.0-B2102023 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102015:

    • New features:
      • Exporting template with Export-AzRuleTemplateData supports custom resource group and subscription. #651
        • Subscription and resource group used for deployment can be specified instead of using defaults.
        • ResourceGroupName parameter of Export-AzRuleTemplateData has been renamed to ResourceGroup.
        • Added a parameter alias for ResourceGroupName on Export-AzRuleTemplateData.
    "},{"location":"CHANGELOG-v1/#v110-b2102015-pre-release","title":"v1.1.0-B2102015 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102010:

    • Bug fixes:
      • Fixed if condition values evaluation order. #652
      • Fixed handling of int parameters with large values. #653
      • Fixed handling of expressions split over multiple lines. #654
      • Fixed handling of bool parameter values within logical expressions. #655
    "},{"location":"CHANGELOG-v1/#v110-b2102010-pre-release","title":"v1.1.0-B2102010 (pre-release)","text":"

    What's changed since pre-release v1.1.0-B2102001:

    • Engineering:
      • Bump PSRule dependency to v1.0.3. #648
    • Bug fixes:
      • Fixed Azure.VM.ADE to limit rule to exports only. #644
    "},{"location":"CHANGELOG-v1/#v110-b2102001-pre-release","title":"v1.1.0-B2102001 (pre-release)","text":"

    What's changed since v1.0.0:

    • New rules:
      • All resources:
        • Check template parameters are defined. #631
        • Check location parameter is type string. #632
        • Check template parameter minValue and maxValue constraints are valid. #637
        • Check template resources do not use hard coded locations. #633
        • Check resource group location not referenced instead of location parameter. #634
        • Check increased debug detail is disabled for nested deployments. #638
    • Engineering:
      • Bump PSRule dependency to v1.0.2. #635
    "},{"location":"CHANGELOG-v1/#v100","title":"v1.0.0","text":"

    What's changed since v0.19.0:

    • New rules:
      • All resources:
        • Check parameter default value type matches type. #311
        • Check location parameter defaults to resource group. #361
      • Front Door:
        • Check Front Door uses a health probe for each backend pool. #546
        • Check Front Door uses a dedicated health probe path backend pools. #547
        • Check Front Door uses HEAD requests for backend health probes. #613
      • Service Fabric:
        • Check Service Fabric clusters use AAD client authentication. #619
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.6. #603
    • General improvements:
      • Renamed Export-AzTemplateRuleData to Export-AzRuleTemplateData. #596
        • New name Export-AzRuleTemplateData aligns with prefix of other cmdlets.
        • Use of Export-AzTemplateRuleData is now deprecated and will be removed in the next major version.
        • Added alias to allow Export-AzTemplateRuleData to continue to be used.
        • Using Export-AzTemplateRuleData returns a deprecation warning.
      • Added support for environment template function. #517
    • Engineering:
      • Bump PSRule dependency to v1.0.1. #611

    What's changed since pre-release v1.0.0-B2101028:

    • No additional changes.
    "},{"location":"CHANGELOG-v1/#v100-b2101028-pre-release","title":"v1.0.0-B2101028 (pre-release)","text":"

    What's changed since pre-release v1.0.0-B2101016:

    • New rules:
      • All resources:
        • Check parameter default value type matches type. #311
    • General improvements:
      • Renamed Export-AzTemplateRuleData to Export-AzRuleTemplateData. #596
        • New name Export-AzRuleTemplateData aligns with prefix of other cmdlets.
        • Use of Export-AzTemplateRuleData is now deprecated and will be removed in the next major version.
        • Added alias to allow Export-AzTemplateRuleData to continue to be used.
        • Using Export-AzTemplateRuleData returns a deprecation warning.
    "},{"location":"CHANGELOG-v1/#v100-b2101016-pre-release","title":"v1.0.0-B2101016 (pre-release)","text":"

    What's changed since pre-release v1.0.0-B2101006:

    • New rules:
      • Service Fabric:
        • Check Service Fabric clusters use AAD client authentication. #619
    • Bug fixes:
      • Fixed reason Azure.FrontDoor.ProbePath so the probe name is included. #617
    "},{"location":"CHANGELOG-v1/#v100-b2101006-pre-release","title":"v1.0.0-B2101006 (pre-release)","text":"

    What's changed since v0.19.0:

    • New rules:
      • All resources:
        • Check location parameter defaults to resource group. #361
      • Front Door:
        • Check Front Door uses a health probe for each backend pool. #546
        • Check Front Door uses a dedicated health probe path backend pools. #547
        • Check Front Door uses HEAD requests for backend health probes. #613
    • Updated rules:
      • Azure Kubernetes Service:
        • Updated Azure.AKS.Version to 1.19.6. #603
    • General improvements:
      • Added support for environment template function. #517
    • Engineering:
      • Bump PSRule dependency to v1.0.1. #611
    • Redis Cache Enterprise
      • Check Redis Cache Enterprise uses minimum TLS 1.2 1179
    "},{"location":"about/","title":"What is PSRule for Azure?","text":"

    PSRule for Azure is a pre-built set of tests and documentation to help you configure Azure solutions. These tests allow you to check your Infrastructure as Code (IaC) before or after deployment to Azure. PSRule for Azure includes unit tests that check how Azure resources defined in ARM templates or Bicep code are configured.

    "},{"location":"about/#why-use-psrule-for-azure","title":"Why use PSRule for Azure?","text":"

    PSRule for Azure helps you identify changes to improve the quality of solutions deployed on Azure. PSRule for Azure uses the principles of the Azure Well-Architected Framework (WAF) to:

    • Suggest changes \u2014 you can use to improve the quality of your solution.
    • Link to documentation \u2014 to learn how this applies to your environment.
    • Demonstrate \u2014 how you can implement the change with examples. Examples are provided in Azure Bicep and ARM templates syntax.

    If you want to write your own tests, you can do that too in your choice of YAML, JSON, or PowerShell. However with over 400 tests already built, you can identify and fix issues day one.

    Get started with a sample repository

    To get started with a sample repository, see PSRule for Azure Quick Start on GitHub.

    "},{"location":"about/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"

    An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.

    "},{"location":"about/#who-uses-psrule-for-azure","title":"Who uses PSRule for Azure?","text":"

    Several first-party repositories use PSRule for Azure. Here's a few you may be familiar with:

    • Azure/ResourceModules - Common Azure Resource Modules Library
    • Azure/ALZ-Bicep - Azure Landing Zones (ALZ)
    • Azure/AKS-Construction - AKS Construction
    "},{"location":"analyzing-resources/","title":"Analyzing resources","text":"

    The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.

    Abstract

    This topics covers how you can test the state of deployed Azure resources that have been exported.

    Important

    This step requires that you have already exported the state of deployed Azure resources. Before continuing, complete Exporting rule data for the resources that will be tested.

    "},{"location":"analyzing-resources/#analyzing-exported-state","title":"Analyzing exported state","text":"

    The state of resources can be analyzed for exported state by using the Invoke-PSRule PowerShell cmdlet.

    For example:

    Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure';\n

    To filter results to only failed rules, use Invoke-PSRule -Outcome Fail. Passed, failed and error results are shown by default.

    For example:

    # Only show failed results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -Outcome Fail;\n

    The output of this example is:

       TargetName: storage\n\nRuleName                            Outcome    Recommendation\n--------                            -------    --------------\nAzure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk\nAzure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic\nAzure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts\n

    A summary of results can be displayed by using Invoke-PSRule -As Summary.

    For example:

    # Display as summary results\nInvoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -As Summary;\n

    The output of this example is:

    RuleName                            Pass  Fail  Outcome\n--------                            ----  ----  -------\nAzure.ACR.MinSku                    0     1     Fail\nAzure.AppService.PlanInstanceCount  0     1     Fail\nAzure.AppService.UseHTTPS           0     2     Fail\nAzure.Resource.UseTags              73    36    Fail\nAzure.SQL.ThreatDetection           0     1     Fail\nAzure.SQL.Auditing                  0     1     Fail\nAzure.Storage.UseReplication        1     7     Fail\nAzure.Storage.SecureTransferRequ... 2     6     Fail\nAzure.Storage.SoftDelete            0     8     Fail\n
    "},{"location":"analyzing-resources/#ignoring-rules","title":"Ignoring rules","text":"

    To prevent a rule executing you can either:

    • Exclude \u2014 The rule is not executed for any resource.
    • Suppress \u2014 The rule is not executed for a specific resource by name.

    To exclude a rule, set Rule.Exclude option within the ps-rule.yaml file.

    Docs

    rule:\nexclude:\n# Ignore the following rules for all resources\n- Azure.VM.UseHybridUseBenefit\n- Azure.VM.Standalone\n

    To suppress a rule, set Suppression option within the ps-rule.yaml file.

    Docs

    suppression:\nAzure.AKS.AuthorizedIPs:\n# Exclude the following externally managed AKS clusters\n- aks-cluster-prod-eus-001\nAzure.Storage.SoftDelete:\n# Exclude the following non-production storage accounts\n- storagedeveus6jo36t\n- storagedeveus1df278\n

    Tip

    Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.

    "},{"location":"analyzing-resources/#advanced-configuration","title":"Advanced configuration","text":"

    Docs

    PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.

    "},{"location":"creating-your-pipeline/","title":"Creating your pipeline","text":"

    Abstract

    This topic covers how you can configuration continuous integration (CI) pipelines to tests Bicep and ARM templates automatically.

    You can use PSRule for Azure to validate Azure resources throughout their lifecycle. By using validation within a continuous integration (CI) pipeline, any issues provide fast feedback.

    Within the root directory of your infrastructure as code repository:

    GitHub ActionsAzure PipelinesGeneric with PowerShell

    Create a new GitHub Actions workflow by creating .github/workflows/analyze-arm.yaml.

    name: Analyze templates\non:\npush:\nbranches:\n- main\npull_request:\nbranches:\n- main\njobs:\nanalyze_arm:\nname: Analyze templates\nruns-on: ubuntu-latest\nsteps:\n- name: Checkout\nuses: actions/checkout@v3\n# Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\n

    Create a new Azure DevOps YAML pipeline by creating .azure-pipelines/analyze-arm.yaml.

    steps:\n# Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    Create a pipeline in any CI environment by using PowerShell.

    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n

    This will automatically install compatible versions of all dependencies.

    Tip

    If this is your first time implementing PSRule for Azure on a live repository, you may want to consider setting continue on error. This will allow you to try out PSRule without preventing pull requests (PRs) from being merged.

    "},{"location":"creating-your-pipeline/#parameters","title":"Parameters","text":"

    Several parameters are available to customize the behavior of the pipeline. In addition, many of these parameters are also available as configuration options configurable within ps-rule.yaml.

    Some of the most common parameters are listed below. For a full list of parameters see the readme for GitHub Actions or Azure Pipelines.

    "},{"location":"creating-your-pipeline/#limiting-input-to-a-specific-path","title":"Limiting input to a specific path","text":"

    By default, PSRule will scan all files and folders within the repository or current working path. You can use the inputPath parameter to limit the analysis to a specific file or directory path.

    Tip

    The inputPath parameter only accepts a relative path. Both file and directory paths are supported. For example: azure/modules/ if you have a azure/modules/ directory in the root of your repository. Be careful not to specify a leading / such as /azure/modules/. On Linux / is the root directory, which makes this a fully qualified path instead of a relative path.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\ninputPath: azure/modules/\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\ninputPath: azure/modules/\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath 'azure/modules/' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#configuring-a-baseline","title":"Configuring a baseline","text":"

    You can set the baseline parameter to specify the name of a baseline to use. A baseline is a set of rules and configuration. PSRule for Azure ships with multiple baselines to choose from. See working with baselines for more information.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\nbaseline: Azure.GA_2023_09\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\nbaseline: Azure.GA_2023_09\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Baseline 'Azure.GA_2023_09' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#continue-on-error","title":"Continue on error","text":"

    By default, PSRule breaks or stops the pipeline if any rules fail or errors occur. When adopting PSRule for Azure or a new baseline you may want to run PSRule without stopping the pipeline.

    To do this, configure the PSRule for Azure step to continue on error.

    GitHub ActionsAzure PipelinesGeneric with PowerShell

    Set the continue-on-error property to true.

    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\ncontinue-on-error: true\nwith:\nmodules: 'PSRule.Rules.Azure'\n

    Set the continueOnError property to true.

    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ncontinueOnError: true\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    Set the ErrorAction parameter of Assert-PSRule to Continue.

    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Continue;\n
    "},{"location":"creating-your-pipeline/#adding-additional-modules","title":"Adding additional modules","text":"

    You can add additional modules to the modules parameter by using comma (,) separating each module name.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure,PSRule.Monitor'\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure,PSRule.Monitor'\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure', 'PSRule.Monitor')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#outputting-results","title":"Outputting results","text":"

    You can configure PSRule to output results into a file by using the outputFormat and outputPath parameters. For details on the formats that are supported see analysis output.

    GitHub ActionsAzure PipelinesGeneric with PowerShell
    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\noutputFormat: Sarif\noutputPath: reports/ps-rule-results.sarif\n
    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\noutputFormat: Sarif\noutputPath: reports/ps-rule-results.sarif\n
    # Analyze Azure resources using PSRule for Azure\n$modules = @('PSRule.Rules.Azure')\nInstall-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;\nAssert-PSRule -InputPath '.' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Module $modules -Format File -ErrorAction Stop;\n
    "},{"location":"creating-your-pipeline/#configuration","title":"Configuration","text":"

    Configuration options for PSRule for Azure are set within the ps-rule.yaml file. To set options, create a new file named ps-rule.yaml in the root directory of your repository.

    Tip

    This file should be committed to your repository so it is available when your pipeline runs.

    "},{"location":"creating-your-pipeline/#expand-template-parameter-files","title":"Expand template parameter files","text":"

    Docs

    PSRule for Azure can automatically expand Azure template parameter files. When enabled, PSRule for Azure automatically resolves parameter and template file context at runtime.

    To enabled this feature, set the Configuration.AZURE_PARAMETER_FILE_EXPANSION option to true. This option can be set within the ps-rule.yaml file.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of Azure parameter files\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"creating-your-pipeline/#expand-bicep-source-files","title":"Expand Bicep source files","text":"

    Docs

    PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from .bicep files.

    To enabled this feature, set the Configuration.AZURE_BICEP_FILE_EXPANSION option to true. This option can be set within the ps-rule.yaml file.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of bicep source files\nAZURE_BICEP_FILE_EXPANSION: true\n
    "},{"location":"creating-your-pipeline/#advanced-configuration","title":"Advanced configuration","text":"

    Docs

    PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.

    "},{"location":"creating-your-pipeline/#recommended-content","title":"Recommended content","text":"
    • Suppression and excluding rules
    • Using Bicep source

    "},{"location":"deprecations/","title":"Deprecations","text":""},{"location":"deprecations/#deprecations-for-v200","title":"Deprecations for v2.0.0","text":""},{"location":"deprecations/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"

    The following configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of a ongoing effort to align the naming of configuration options across PSRule for Azure.

    We plan to have all the old option names renamed and they will not longer work from v2. To upgrade use the new names instead. Until v2, the old option names are still work and will take precedence if new and old are configured.

    New name Old name Available from AZURE_AKS_CLUSTER_MINIMUM_VERSION Azure_AKSMinimumVersion v1.12.0 AZURE_AKS_POOL_MINIMUM_MAXPODS Azure_AKSNodeMinimumMaxPods TBA - not available AZURE_RESOURCE_ALLOWED_LOCATIONS Azure_AllowedRegions v1.30.0 AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME Azure_MinimumCertificateLifetime TBA - not available

    Note

    Configuration options marked TBA are not available yet. Please use the old names until they are available. Check the change log and the upgrade notes for more information on a future release.

    Important

    New option names will work from the release specified by Available from. Configuring these options prior to that release will have no affect. For details on configuring these options see upgrade notes for details.

    "},{"location":"expanding-source-files/","title":"Expanding source files","text":"

    PSRule for Azure supports analyzing resources contained within Azure Infrastructure as Code.

    Abstract

    This topic covers what source expansion is, why it's important, and how to use it within PSRule for Azure.

    "},{"location":"expanding-source-files/#source-expansion","title":"Source expansion","text":"

    PSRule for Azure goes beyond linting Azure Bicep and template files for syntax. Source expansion performs context specific static analysis on Azure resources. Azure resources are analyzed before deployment as if they are deployed.

    This provides some unique benefits such as:

    • Improve success \u2014 Azure resources are resolved before deployment, increasing success by finding errors earlier such as within a PR.
      • Detect common templates issues such as missing parameters and JSON structure.
      • Identify deployment issues such as invalid resource names and incorrect resource identifiers.
    • As deployed \u2014 Analysis of Azure resources against Azure WAF as if they are deployed.
      • Parameters, conditional resources, functions (built-in and user defined), variables, and copy loops are resolved.
      • Azure resource names are shown in passing and failing results. Resolving issues with resource configurations can be targeted by resource.
      • Resource file locations for template and parameter files are included in results.
    • Suppression by resource name \u2014 Azure resource names can be used to apply exceptions.
      • Suppression allows for individual resources to be excluded from rules by name.
    • Offline support \u2014 Static analysis is performed against source files instead of deployed resources.
      • Some functions that may be included in templates dynamically query Azure for current state. For these functions standard placeholder values are used by default. Functions that use placeholders include reference, list*.
    "},{"location":"expanding-source-files/#feature-support","title":"Feature support","text":"

    Source expansion is supported with:

    • Azure template and parameter files \u2014 Azure templates are expanded from parameter files. Link parameter files to templates by metadata or naming convention. See Using templates for a detailed explanation of how to do this.
    • Azure Bicep deployments \u2014 Files with the .bicep extension are detected and expanded. See Using Bicep source for a detailed explanation of how to do this.
    • Azure Bicep modules with tests \u2014 Reusable Bicep modules can be expanded with tests. See Using Bicep source for a detailed explanation of how to do this.

    "},{"location":"expanding-source-files/#limitations","title":"Limitations","text":"

    Currently the following limitations apply:

    • Required parameters in must be provided in parameter files or Bicep deployments.
    • Nested templates are expanded, external templates are not.
      • Deployment resources that link to an external template are returned as a resource.
    • Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:
      • The parent resource is defined in the same template.
      • The sub-resource depends on the parent resource.
    • The environment() template function always returns values for Azure public cloud.
    • References to Key Vault secrets are not expanded. A placeholder value is used instead.
    • The reference() function will return objects for resources within the same template. For resources that are not in the same template, a placeholder value is used instead.
    • Multi-line strings are not supported.
    • Template expressions up to a maximum of 100,000 characters are supported.

    In addition, currently the following limitation apply to using Bicep source files:

    • The Bicep CLI must be installed. When using GitHub Actions or Azure Pipelines the Bicep CLI is pre-installed.
    • Location of issues in Bicep source files is not supported.
    • Expansion of Bicep source files times out after 5 seconds by default. The timeout can be overridden by setting the AZURE_BICEP_FILE_EXPANSION_TIMEOUT option.

    "},{"location":"expanding-source-files/#strong-type","title":"Strong type","text":"

    String parameters are commonly used to pass values such as a resource Id or location. PSRule for Azure provides additional support to allow parameters to be strongly typed. When a parameter is strongly typed, the value is checked against the type during expansion.

    To configure a strong type for a parameter set the strongType metadata property on the parameter. The strong type will be set to the resource type that the parameter will accept, such as Microsoft.OperationalInsights/workspaces.

    TemplateBicep
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"workspaceId\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The resource identifier for a Log Analytics workspace.\",\n\"strongType\": \"Microsoft.OperationalInsights/workspaces\"\n}\n}\n}\n}\n
    @metadata({\n  strongType: 'Microsoft.OperationalInsights/workspaces'\n})\n@description('The resource identifier for a Log Analytics workspace.')\nparam workspaceId string\n

    Strong type also supports the following non-resource type values:

    • location - Specifies the parameter must contain any valid Azure location.
    "},{"location":"expanding-source-files/#scope-functions","title":"Scope functions","text":"

    Azure deployments support a number of scope functions can be used within Infrastructure as Code. When using PSRule for Azure, these functions have a default meaning that can be configured.

    When configuring scope functions, only the properties you want to override has to be specified. Unspecified properties will inherit from the defaults.

    "},{"location":"expanding-source-files/#subscription","title":"Subscription","text":"

    The subscription() function will return the following unless overridden:

    subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n

    To override, configure AZURE_SUBSCRIPTION.

    "},{"location":"expanding-source-files/#resource-group","title":"Resource Group","text":"

    The resourceGroup() function will return the following unless overridden:

    name: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\nprovisioningState: 'Succeeded'\n

    To override, configure AZURE_RESOURCE_GROUP.

    "},{"location":"expanding-source-files/#tenant","title":"Tenant","text":"

    The tenant() function will return the following unless overridden:

    countryCode: 'US'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule'\n

    To override, configure AZURE_TENANT.

    "},{"location":"expanding-source-files/#management-group","title":"Management Group","text":"

    The managementGroup() function will return the following unless overridden:

    name: 'psrule-test'\nproperties:\ndisplyName: 'PSRule Test Management Group'\n

    To override, configure AZURE_MANAGEMENT_GROUP.

    "},{"location":"export-rule-data/","title":"Exporting rule data","text":"

    The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.

    Abstract

    This topics covers how you can export the current state of Azure resources deployed into a subscription. After the current state has been exported, offline analysis can be performed against the saved state.

    Important

    Before continuing, complete the steps from Installing locally. To export data from a subscription, Azure PowerShell modules must be installed. Exporting rule data can also be automated and scheduled with Azure Automation Service. However, for this scenario we will focus how to run this process interactively.

    To perform analysis on Azure resources the current configuration state is exported to a JSON file format. The exported state is processed later during analysis.

    • What's exported \u2014 Configurations such as:
      • Resource SKUs, names, tags, and settings configured for an Azure resource.
    • What's not exported \u2014 Resource data such as:

      • The contents of blobs stored on a storage account, or databases tables.
    "},{"location":"export-rule-data/#export-an-azure-subscription","title":"Export an Azure subscription","text":"

    The state of resources from the current Azure subscription will be exported by using the following commands:

    # STEP 1: Authenticate to Azure, only required if not currently connected\nConnect-AzAccount;\n# STEP 2: Confirm the current subscription context\nGet-AzContext;\n# STEP 3: Exports Azure resources to JSON files\nExport-AzRuleData -OutputPath 'out/';\n
    "},{"location":"export-rule-data/#additional-options","title":"Additional options","text":"

    By default, resource data for the current subscription context will be exported.

    To export resource data for specific subscriptions use:

    • -Subscription - to specify subscriptions by id or name.
    • -Tenant - to specify subscriptions within an Azure Active Directory Tenant by id.

    For example:

    # Export data from two specific subscriptions\nExport-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';\n

    To export specific resource data use:

    • -ResourceGroupName - to filter resources by Resource Group.
    • -Tag - to filter resources based on tag.

    For example:

    # Export information from two resource groups within the current subscription context\nExport-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';\n

    To export resource data for all subscription contexts use:

    • -All - to export resource data for all subscription contexts.

    For example:

    # Export data from all subscription contexts\nExport-AzRuleData -All;\n
    "},{"location":"faq/","title":"Frequently Asked Questions (FAQ)","text":"

    Continue reading for FAQ relating to PSRule for Azure. For general FAQ see PSRule - Frequently Asked Questions (FAQ), including:

    • How is PSRule different to Pester?
    • How do I configure PSRule?
    • How do I ignore a rule?
    • How do exclude or ignore files from being processed?
    • How do I disable or suppress the not processed warning?
    • How do I layer on custom rules on top of an existing module?

    Note

    If you have a question that is not answered here, please join or start a discussion.

    "},{"location":"faq/#what-is-a-rule","title":"What is a rule?","text":"

    A rule is a named set of checks and documentation. You can find the documentation for each rule under reference.

    "},{"location":"faq/#what-is-a-baseline","title":"What is a baseline?","text":"

    A baseline combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule. Quarterly baselines provide a stable checkpoint of rules when you need to stagger adoption of new rules.

    Continue reading working with baselines for a detailed breakdown.

    "},{"location":"faq/#is-terraform-supported","title":"Is Terraform supported?","text":"

    Currently PSRule for Azure supports testing Azure resources from Infrastructure as Code (IaC) with:

    • Azure Resource Manager (ARM) templates.
    • Azure Bicep deployments.

    Checking Terraform from HashiCorp Configuration Language (HCL) is not supported at this time. If this feature is important to you, please upvote \ud83d\udc4d the issue on GitHub.

    What is supported? After resources are deployed to Azure, PSRule for Azure can be used to check the Azure resources in-flight.

    This methods works for Azure resources regardless of how they are deployed. Use this method for analyzing resources deployed via the Azure Portal, Terraform, Pulumi, or other tools.

    For instructions on how to do this see Exporting rule data.

    "},{"location":"faq/#what-methods-are-supported-for-checking-resources","title":"What methods are supported for checking resources?","text":"

    PSRule for Azure supports two methods for analyzing Azure resources:

    • Pre-flight \u2014 Before resources are deployed from an ARM template or Bicep. Use pre-flight analysis to:
      • Implement checks within Pull Requests (PRs).
      • Improve alignment of resources to WAF recommendations.
      • Identify issues that prevent successful resource deployments on Azure.
      • Integrate continual improvement and standardization of Azure resource configurations.
      • Implement release gates between environments.
      • For more information see Creating your pipeline.
    • In-flight \u2014 After resources are deployed to an Azure subscription. Use in-flight analysis to:

      • Implement release gates between environments for non-native tools such as Terraform.
      • Performing offline analysis in split-environments.
      • For more information see Exporting rule data.
    "},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-resource-group-tagging","title":"How do I create a custom rule to enforce resource group tagging?","text":"

    PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework. Use of resource and resource group tags is recommended in the WAF, however implementation may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.

    We have a walk through scenario Enforcing custom tags to get you started.

    "},{"location":"faq/#how-do-i-create-a-custom-rule-to-enforce-code-ownership","title":"How do I create a custom rule to enforce code ownership?","text":"

    GitHub, Azure DevOps, and other DevOps platforms may implement code ownership. This process involves assigning a team or an individual review and approval responsibility. In GitHub or Azure DevOps implementation, ownership is linked to the file path.

    When a repository contains resources that different teams would approve how do you:

    • Ensure resources are created in a path that triggers the correct approval?

    We have a walk through scenario Enforcing code ownership to get you started.

    "},{"location":"faq/#do-you-have-sample-code","title":"Do you have sample code?","text":"

    In addition to the walk through scenarios, we have a quick start template here. The repository contains sample ARM templates, Bicep, and pipeline code to get you started.

    In GitHub you can simply use the repository as a template for your own project.

    "},{"location":"faq/#do-i-need-powershell-experience-to-start-using-psrule-for-azure","title":"Do I need PowerShell experience to start using PSRule for Azure?","text":"

    No. You can start using built-in rules and CI with Azure Pipelines or GitHub Actions. If we didn't tell you, you might not even know that PowerShell runs under the covers.

    To perform local validation, some PowerShell setup is required but we step you through that. See How to install PSRule for Azure for details.

    To start writing your own custom rules you can use YAML, JSON, or PowerShell. PowerShell experience is required for some scenarios. We have a walk through scenario Enforcing custom tags to get you started.

    "},{"location":"faq/#what-permissions-do-i-need-to-export-rule-data","title":"What permissions do I need to export rule data?","text":"

    When exporting data for in-flight analysis, the default built-in Reader role to a subscription is required for:

    • Exporting rule data with Export-AzRuleData.
    • Exporting rule data from templates with Export-AzRuleTemplateData when online features are used.
      • Optionally -ResourceGroupName and -Subscription parameter can be used; these require access Reader access.
    "},{"location":"faq/#what-permissions-do-i-need-to-analyze-exported-rule-data","title":"What permissions do I need to analyze exported rule data?","text":"

    When exporting data for in-flight analysis, no access to Azure is required after data has been exported to JSON.

    "},{"location":"faq/#should-i-continue-to-use-azure-advisor-defender-for-cloud-or-azure-policy","title":"Should I continue to use Azure Advisor, Defender for Cloud, or Azure Policy?","text":"

    Absolutely. PSRule for Azure does not replace Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.

    PSRule complements Azure Advisor, Microsoft Defender for Cloud, and Azure Policy features by:

    • Recommending turning on and using features of Azure Advisor, Microsoft Defender for Cloud, or Azure Policy.
    • Providing offline analysis in split environments where the analyst has no access to Azure subscriptions. Rule data for analysis can be exported out to a JSON file.
    • Providing the ability to analyze resources in Azure Resource Manager templates before deployment. Additionally, analysis can be performed in a CI process.
    • Providing the ability to layer on organization specific rules, as required.
    • Data collection requires limited permissions and requires no additional configuration.
    "},{"location":"faq/#what-do-the-different-severity-and-levels-for-rules-means","title":"What do the different severity and levels for rules means?","text":"

    PSRule for Azure annotates rules with three (3) severities which indicate how you should prioritize remediation. The following severities are defined:

    • Critical \u2014 Consider addressing these first, ideally within the next thirty (30) days. Rules identified as critical often have high impact and are highly likely to affect your services.
    • Important \u2014 Consider addressing these next, ideally within the next sixty (60) days. Rules identified as important often have a significant impact and are likely to affect your services.
    • Awareness \u2014 Consider addressing these last, ideally within the next ninty (90) days. Rules identified as awareness often have a moderate or low impact to the operation of your services.

    Tip

    Severities and suggested time frames are an indicator only. They may affect your environment, compliance, or security differently based on your specific requirements. If you feel the severity for a rule is broadly incorrect then please let as know. You can do this by joining or starting a discussion.

    Additionally, PSRule for Azure uses three (3) rule levels. These levels determine how PSRule provides feedback about failing cases. The following levels are defined:

    • Error \u2014 Rules defined as error will stop CI pipelines that are configured to break on error.
    • Warning \u2014 Rules defined as warning will not stop CI pipelines and will produce a warning.
    • Information \u2014 Rules defined as information will not stop CI pipelines.
    "},{"location":"faq/#traditional-unit-testing-vs-psrule-for-azure","title":"Traditional unit testing vs PSRule for Azure?","text":"

    You may already be using a unit test framework such as Pester to test infrastructure code. If you are, then you may have encountered the following challenges.

    For a general PSRule/ Pester comparison see How is PSRule different to Pester?

    "},{"location":"faq/#unit-testing-more-than-basic-json-structure","title":"Unit testing more than basic JSON structure","text":"

    Unit tests are unable to effectively test resources contained within Azure templates. Templates should be reusable, but this creates problems for testing when functions, conditions and copy loops are used. Template parameters could completely change the type, number of, or configuration of resources.

    PSRule resolves templates to allow analysis of the resources that would be deployed based on provided parameters.

    "},{"location":"faq/#standard-library-of-tests","title":"Standard library of tests","text":"

    When building unit tests for Azure resources, starting with an empty repository can be a daunting experience. While there are several open source repositories and samples around to get you started, you need to integrate these yourself.

    PSRule for Azure is distributed as a PowerShell module using the PowerShell Gallery. Using a PowerShell module makes it easy to install and update. The built-in rules allow you starting testing resources quickly, with minimal integration.

    For detailed examples see:

    • Validate Azure resources from templates with Azure Pipelines
    • Validate Azure resources from templates with continuous integration (CI)
    "},{"location":"faq/#collection-of-telemetry","title":"Collection of telemetry","text":"

    PSRule and PSRule for Azure currently do not collect any telemetry during installation or execution.

    PowerShell (used by PSRule for Azure) does collect basic telemetry by default. Collection of telemetry in PowerShell and how to opt-out is explained in about_Telemetry.

    "},{"location":"features/","title":"Features","text":""},{"location":"features/#learn-by-example","title":"Learn by example","text":"

    PSRule for Azure helps you quickly identify and fix issues to improve the quality of solutions deployed on Azure. Tests include documentation with official documentation references and examples. Use the Azure Bicep or template examples to adapt your solution to recommendations.

    Note

    Start exploring the list of rules included with PSRule for Azure.

    "},{"location":"features/#framework-aligned","title":"Framework aligned","text":"

    PSRule for Azure is aligned to the Azure Well-Architected Framework (WAF). Tests called rules check the configuration of Azure resources against WAF principles. Rules exist across five (5) WAF pillars:

    • Cost Optimization
    • Operational Excellence
    • Performance Efficiency
    • Reliability
    • Security

    To help you align your Infrastructure as Code (IaC) to WAF principles, PSRule for Azure includes documentation. Included are examples, references to WAF and product documentation. This allows you to explore and learn the context of each WAF principle.

    "},{"location":"features/#start-day-one","title":"Start day one","text":"

    PSRule for Azure includes over 400 rules for validating resources against configuration recommendations. Rules automatically detect and analyze resources from Azure IaC artifacts. This allows you to quickly light up unit testing of Azure resources from templates and Bicep deployments.

    Use the built-in rules to start enforcing testing quickly. Then layer on your own rules as your organization's requirements mature. Custom rules can be implemented quickly and work side-by-side with built-in rules.

    As new built-in rules are added and improved, download the latest version to start using them.

    Tip

    For detailed information on building custom rules see:

    • Enforcing custom tags.
    • Enforcing code ownership.
    "},{"location":"features/#devops-integrated","title":"DevOps integrated","text":"

    Azure resources can be validated throughout their lifecycle to support a DevOps culture. Start testing your Bicep and ARM templates from code by validating them offline before deployment.

    Pre-flight validation can be integrated into a continuous integration (CI) pipeline as unit tests to:

    • Shift-left \u2014 Identify configuration issues and provide fast feedback in PRs.
    • Quality gates \u2014 Implement quality gates between environments such as dev, test, and production.
    • Monitor continuously \u2014 Perform ongoing checks for configuration optimization opportunities.

    Learn

    You can learn more about Azure Bicep with the following links:

    • What is Bicep?
    • Learn modules for Azure Bicep
    "},{"location":"features/#cross-platform","title":"Cross-platform","text":"

    PSRule for Azure uses modern PowerShell libraries at its core, allowing it to go anywhere PowerShell can go. PSRule for Azure runs on MacOS, Linux, and Windows.

    PowerShell makes it easy to integrate PSRule into popular CI systems. Run natively or in a container depending on your platform. PSRule has native extensions for:

    • Azure Pipelines (Azure DevOps)
    • GitHub Actions
    • Visual Studio Code

    Additionally, PSRule for Azure can be installed locally or within Azure Cloud Shell. For installation options see installation.

    "},{"location":"install/","title":"How to install PSRule for Azure","text":"

    PSRule for Azure supports running within continuous integration (CI) systems or locally. It is shipped as a PowerShell module which makes it easy to install and distribute updates.

    Task Options Run tests within CI pipelines With GitHub Actions or Azure Pipelines or PowerShell Run tests locally during development With Visual Studio Code and PowerShell Create custom tests for your organization With Visual Studio Code and PowerShell

    Tip

    PSRule for Azure provides native integration to popular CI systems such as GitHub Actions and Azure Pipelines. If you are using a different CI system you can use the local install to run on MacOS, Linux, and Windows worker nodes.

    "},{"location":"install/#with-github-actions","title":"With GitHub Actions","text":"

    GitHub Action

    Install and use PSRule for Azure with GitHub Actions by referencing the microsoft/ps-rule action.

    StablePre-release

    Install the latest stable version of PSRule for Azure.

    GitHub Actions
    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\n

    Install the latest stable or pre-release version of PSRule for Azure.

    GitHub Actions
    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\nprerelease: true\n

    This will automatically install compatible versions of all dependencies.

    Note

    For additional examples on commonly configured parameters see Creating your pipeline.

    "},{"location":"install/#with-azure-pipelines","title":"With Azure Pipelines","text":"

    Extension

    Install and use PSRule for Azure with Azure Pipeline by using extension tasks. Install the extension from the marketplace, then use the ps-rule-assert task in pipeline steps.

    StablePre-release

    Install the latest stable version of PSRule for Azure.

    Azure Pipelines
    - task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    Install the latest stable or pre-release version of PSRule for Azure.

    Azure Pipelines
    - task: ps-rule-install@2\ndisplayName: Install PSRule for Azure (pre-release)\ninputs:\nmodule: PSRule.Rules.Azure\nprerelease: true\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\n

    This will automatically install compatible versions of all dependencies.

    Note

    For additional examples on commonly configured parameters see Creating your pipeline.

    "},{"location":"install/#with-visual-studio-code","title":"With Visual Studio Code","text":"

    Extension

    An extension for Visual Studio Code is available. The Visual Studio Code extension includes a built-in task to test locally and configuration schemas.

    To learn about Visual Studio Code support see the marketplace extension.

    For best results, configure the PSRule.Rules.Azure module using ps-rule.yaml by setting requires and include options.

    ps-rule.yaml
    requires:\nPSRule.Rules.Azure: '>=1.27.0'\ninclude:\nmodule:\n- PSRule.Rules.Azure\n

    Note

    Currently the Visual Studio Code extension relies on PSRule for Azure installed by PowerShell.

    "},{"location":"install/#with-powershell","title":"With PowerShell","text":"

    PSRule for Azure can be installed locally from the PowerShell Gallery using PowerShell. You can also use this option to install on CI workers that are not natively supported.

    "},{"location":"install/#prerequisites","title":"Prerequisites","text":"Operating System Tool Installation Link Windows Windows PowerShell 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell version 7.2.x or greater. link

    To use PSRule for Azure, PSRule a separate PowerShell module must be installed. The required version will automatically be installed along-side PSRule for Azure.

    Additionally, the exporting data from a subscription functionality requires the additional PowerShell modules:

    • Az.Accounts
    • Az.Resources

    Note

    Azure PowerShell modules are not installed automatically when installing PSRule for Azure. This has been changed from v1.16.0 due to module dependency chains in Azure DevOps. In most cases these modules will be pre-installed on the CI worker. For private CI workers, consider pre-installing these modules in a previous step.

    "},{"location":"install/#installing-powershell","title":"Installing PowerShell","text":"

    PowerShell 7.x can be installed on MacOS, Linux, and Windows but is not installed by default. For a list of platforms that PowerShell 7.2 is supported on and install instructions see Get PowerShell.

    "},{"location":"install/#getting-the-modules","title":"Getting the modules","text":"

    Module

    PSRule for Azure can be installed or updated from the PowerShell Gallery. Use the following command line examples from a PowerShell terminal to install or update PSRule for Azure.

    For the current userFor all users

    To install PSRule for Azure for the current user use:

    Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope CurrentUser\n

    To update PSRule for Azure for the current user use:

    Update-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser\n

    This will automatically install compatible versions of all dependencies.

    To install PSRule for Azure for all users (requires admin/ root permissions) use:

    Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope AllUsers\n

    To update PSRule for Azure for all users (requires admin/ root permissions) use:

    Update-Module -Name 'PSRule.Rules.Azure' -Scope AllUsers\n

    This will automatically install compatible versions of all dependencies.

    "},{"location":"install/#pre-release-versions","title":"Pre-release versions","text":"

    To use a pre-release version of PSRule for Azure add the -AllowPrerelease switch when calling Install-Module, Update-Module, or Save-Module cmdlets.

    Tip

    To install pre-release module versions, the latest version of PowerShellGet may be required.

    # Install the latest PowerShellGet version\nInstall-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\n

    Tip

    To install a pre-release version of PSRule and PSRule for Azure, install each in separate steps.

    For the current userFor all users

    To install PSRule for Azure for the current user use:

    Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope CurrentUser -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope CurrentUser -AllowPrerelease\n

    Open PowerShell with Run as administrator on Windows or sudo pwsh on Linux.

    To install PSRule for Azure for all users (requires admin/ root permissions) use:

    Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force\nInstall-Module -Name PSRule -Repository PSGallery -Scope AllUsers -AllowPrerelease\nInstall-Module -Name PSRule.Rules.Azure -Repository PSGallery -Scope AllUsers -AllowPrerelease\n
    "},{"location":"install/#building-from-source","title":"Building from source","text":"

    Source

    PSRule for Azure is provided as open source on GitHub. To build PSRule for Azure from source code:

    1. Clone the GitHub repository.
    2. Run ./build.ps1 from a PowerShell terminal in the cloned path.

    This build script will compile the module and documentation then output the result into out/modules/PSRule.Rules.Azure.

    "},{"location":"install/#development-dependencies","title":"Development dependencies","text":"Operating System Tool Overview Installation Link Windows Windows PowerShell Support for version 5.1 with .NET Framework 4.7.2 or greater. link Windows, MacOS, Linux PowerShell Version 7.2 or greater is support. link - - Multiple PowerShell modules are required (PlatyPS, Pester, PSScriptAnalyzer, PowerShellGet, PackageManagement, InvokeBuild, PSRule). Installed when you run the build.ps1 script - .NET .NET SDK v6 is required. link - Bicep CLI PSRule depends on the Bicep CLI to decompile (expand) Bicep modules to ARM link

    The following dependencies will be automatically installed if the required versions are not present:

    • PowerShell modules:
      • PlatyPS
      • Pester
      • PSScriptAnalyzer
      • PowerShellGet
      • PackageManagement
      • InvokeBuild
    • Bicep CLI

    These dependencies are only required for building and running tests for PSRule for Azure.

    "},{"location":"install/#troubleshooting","title":"Troubleshooting","text":"

    If the ./build.ps1 script fails, you can start troubleshooting this by:

    • Checking the prerequisites are installed installed (and the specific versions)
      • Check the PowerShell version enter the following statement in the PowerShell terminal: $PSVersionTable.PSVersion
      • Check the installed .NET version by entering the dotnet --list-sdks command in your terminal.
    • Check if your .NET setup is connected to any Nuget repositories and if there's any connectivity or authentication issues.
    • Installation of some pre-reqs may require admin privileges.
    "},{"location":"install/#limited-access-networks","title":"Limited access networks","text":"

    If you are on a network that does not permit Internet access to the PowerShell Gallery, download the required PowerShell modules on an alternative device that has access. PowerShell provides the Save-Module cmdlet that can be run from a PowerShell terminal to do this.

    The following command lines can be used to download the required modules using a PowerShell terminal. After downloading the modules, copy the module directories to devices with restricted Internet access.

    Runtime modulesDevelopment modules

    To save PSRule for Azure for offline use:

    $modules = @('PSRule', 'PSRule.Rules.Azure', 'Az.Accounts', 'Az.Resources')\nSave-Module -Name $modules -Path '.\\modules'\n

    This will save PSRule for Azure and all dependencies into the modules sub-directory.

    To save PSRule for Azure development module dependencies for offline use:

    $modules = @('PSRule', 'Az.Accounts', 'Az.Resources', 'PlatyPS', 'Pester',\n'PSScriptAnalyzer', 'PowerShellGet', 'PackageManagement', 'InvokeBuild')\nSave-Module -Name $modules -Repository PSGallery -Path '.\\modules';\n

    This will save required developments dependencies into the modules sub-directory.

    "},{"location":"integrations/","title":"Integrations","text":""},{"location":"integrations/#integrates-with-psrule-for-azure","title":"Integrates with PSRule for Azure","text":"

    The following tools also take advantage of PSRule for Azure.

    "},{"location":"integrations/#azure-governance-visualizer","title":"Azure Governance Visualizer","text":"

    Docs \u00b7 v6_major_20220521_1

    AzGovViz provides a convenient way to view your Azure governance and hierarchy. Additionally you can view recommendations from PSRule as you navigate to each level in your hierarchy.

    You can include PSRule recommendations in AzGovViz output by adding the -DoPSRule command-line switch. This and more is included in the documentation.

    "},{"location":"integrations/#template-analyzer","title":"Template Analyzer","text":"

    Docs \u00b7 v0.3.0

    Template Analyzer scans Azure templates and Bicep code to ensure security and best practice checks are being followed before deployment.

    By default, Template Analyzer will only include rules aligned to the Security Well-Architected Framework pillar. To include rules from other pillars, use the --include-non-security-rules command-line switch.

    "},{"location":"integrations/#microsoft-defender-for-devops","title":"Microsoft Defender for DevOps","text":"

    Docs \u00b7 Public Preview

    Microsoft Defender for DevOps (DfD) provides unified DevOps security management across multicloud and multiple-pipeline environments.

    In this preview, DfD will include PSRule for Azure rules aligned to the Security Well-Architected Framework pillar.

    "},{"location":"license-contributing/","title":"License and contributing","text":"

    PSRule for Azure is licensed with an MIT License, which means it's free to use and modify. But please check out the details.

    We open source at Microsoft.

    In addition to our team, we hope you will think about contributing too. Here is how you can get started:

    • Report issues.
    • Upvote existing issues that are important to you.
    • Improve documentation.
    • Contribute code.

    Please read our contributing guidelines and code of conduct to learn how to contribute.

    "},{"location":"related-projects/","title":"Related projects","text":"

    The PSRule project is distributed across multiple repositories. You can find out more by visiting each repository.

    Name Description microsoft/PSRule Core engine responsible for running rules. microsoft/ps-rule GitHub continious integration using GitHub Actions. microsoft/PSRule-pipelines Azure DevOps continious integration using Azure Pipelines. microsoft/PSRule-vscode Support for running and authoring rules within Visual Studio Code. microsoft/PSRule.Monitor Support for logging PSRule analysis results to Azure Monitor. microsoft/PSRule.Rules.CAF A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule."},{"location":"samples/","title":"Samples","text":""},{"location":"samples/#quick-start-repository","title":"Quick Start repository","text":"

    Template

    You can clone, download, or use as a template for your own repository. This repository contains the following samples for PSRule for Azure:

    • Azure Templates \u2014 Starter Azure Resource Manager (ARM) templates and parameter files.
    • Azure Bicep \u2014 Starter Azure Bicep deployments and test files.
    • GitHub Actions \u2014 Starter workflow for checking Azure Infrastructure as Code (IaC).
    • Azure Pipelines \u2014 Starter pipelines for checking Azure Infrastructure as Code (IaC).
    • Custom rules \u2014 Example custom rules that enforce organization specific requirements.
    • PSRule options \u2014 Example options for using PSRule for Azure.

    "},{"location":"samples/#psrule-samples","title":"PSRule samples","text":"

    Samples

    A community collection of samples for PSRule. This repository includes samples for Azure as well as other use cases.

    "},{"location":"support/","title":"Support","text":"

    This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.

    Please search the existing issues before filing new issues to avoid duplicates.

    • For new issues, file your bug or feature request as a new issue.
    • For help, discussion, and support questions about using this project, join or start a discussion.
    "},{"location":"support/#microsoft-support-policy","title":"Microsoft Support Policy","text":"

    Support for this project/product is limited to the resources listed above.

    "},{"location":"troubleshooting/","title":"Troubleshooting","text":"

    This article provides troubleshooting instructions for common errors.

    "},{"location":"troubleshooting/#bicep-compile-errors","title":"Bicep compile errors","text":"

    When expanding Bicep source files you may get an error including a BCPnnn code similar to the following:

    Error

    Exception calling \"GetResources\" with \"3\" argument(s): \"Bicep (0.14.46) compilation of '' failed with: Error BCP057: The name \"storageAccountName\" does not exist in the current context.

    This error is raised when Bicep fails to compile a source file. To resolve this issue:

    • You may need to update your Bicep source file before PSRule can expand it. Use guidance from the Bicep error message to help resolve the issue.
    • Check that you are using a version of Bicep that supports the Bicep features you are using. It may not always be clear which version of Bicep CLI PSRule for Azure is using if you have multiple versions installed. Using the Bicep CLI via az bicep is not the default, and you may need to set additional options to use it.

    Tip

    From PSRule for Azure v1.25.0 you can configure the minimum version of Bicep CLI required. If an earlier version is detected, PSRule for Azure will generate an error. See Configuring minimum version for details on how to configure this option.

    "},{"location":"troubleshooting/#bicep-version","title":"Bicep version","text":"

    When expanding Bicep source files you may get an error relating to the Bicep version you have installed. For example if you attempt to use a Bicep feature that is not supported by the version used by PSRule for Azure.

    PSRule for Azure uses the Bicep CLI installed on your machine or CI worker. By default, the Bicep CLI binary will be selected by your PATH environment variable.

    Optionally you can configure an alternative Bicep CLI binary to use by either:

    • By path \u2014 Set the PSRULE_AZURE_BICEP_PATH environment variable to the specified binary path.
    • From Azure CLI \u2014 Set the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable to true.

    For more details on installing and configuring the Bicep CLI, see Setup Bicep.

    "},{"location":"troubleshooting/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"

    When expanding Bicep source files you may get an error similar to the following:

    Error

    Bicep (0.4.1124) compilation of 'C:\\temp\\deploy.bicep' failed with: Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues.

    This error is raised when Bicep takes longer than the timeout to build a source file. The default timeout is 5 seconds.

    You can take steps to reduce your code complexity and reduce the time a build takes by:

    • Removing unnecessary nested module calls.
    • Cache bicep modules restored from a registry in continuous integration (CI) pipelines.

    To increase the timeout value, set the AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option. See Bicep compilation timeout for details on how to configure this option.

    "},{"location":"troubleshooting/#no-rules-or-no-azure-resources-are-found","title":"No rules or no Azure resources are found","text":"

    There are a few common causes of this issue, including:

    • Check input format \u2014 PSRule for Azure must discover files to expand them.
      • When running PSRule for Azure using GitHub Actions or the Azure Pipelines extension:
        • Your pipeline must be set to inputType: repository, which is the default value.
        • PSRule for Azure will not work with inputType set to inputPath.
        • You may have set this parameter because you wanted to use the inputPath parameter. Setting the inputType is not a requirement for using the inputPath parameter. The inputPath parameter can be used independently.
      • When running PSRule for Azure from PowerShell:
        • Your command-line must use the -Format File parameter.
        • Your command-line must use the -InputPath or -f parameter followed by a file or directory path.
        • For example: Assert-PSRule -Module PSRule.Rules.Azure -Format File -f 'modules/'.
    • Check expansion is enabled \u2014 Expansion must be enabled to analyze Azure Infrastructure as Code. See using templates and using Bicep source for details on how to enable expansion.
    • Check parameter files are linked \u2014 Parameter files must be linked to ARM templates or Bicep source files. See using templates for details on how to link using metadata or naming convention.

    Note

    If your pipeline is still not finding any Azure resources, please join or start a discussion.

    "},{"location":"troubleshooting/#custom-rules-are-not-running","title":"Custom rules are not running","text":"

    There are a few common causes of this issue, including:

    • Check rule path \u2014 By default, PSRule will look for rules in the .ps-rule/ directory. This directory is the root for your repository or the current working path by default. On case-sensitive file systems such as Linux, this directory name is case-sensitive. See Storing and naming rules for more information.
    • Check file name suffix \u2014 PSRule only looks for files with the .Rule.ps1, .Rule.yaml, or .Rule.jsonc suffix. On case-sensitive file systems such as Linux, this file suffix is case-sensitive. See Storing and naming rules for more information.
    • Check binding configuration \u2014 PSRule uses binding to work out which property to use for a resource type. To be able to use the -Type parameter or type properties in rules definitions, binding must be set. This is automatically configured for PSRule for Azure, however must be set in ps-rule.yaml for custom rules. See binding type for more information.
    • Check modules \u2014 PSRule for Azure is responsible for expanding Azure resources from Infrastructure as Code. Expansion occurs automatically in memory when enabled. For this to work, the module PSRule.Rules.Azure must be run with any custom rules. See using templates and using Bicep source for details on how to enable expansion.
    • Check include local option \u2014 When running PSRule for Azure with a baseline. Baselines such as quarterly baselines may use filters to limit the rules that are included. As a result, custom rules may not be included. To include custom rules set the Rule.IncludeLocal option to true. See Including custom rules for more information.

    Tip

    You may be able to use git mv to change the case of a file if it is committed to the repository incorrectly.

    "},{"location":"troubleshooting/#parameter-file-warns-of-metadata-property","title":"Parameter file warns of metadata property","text":"

    You may find while editing a .json parameter file the root metadata property is flagged with a warning.

    Warning

    The property 'metadata' is not allowed.

    Azure parameter file
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./storage.template.json\"\n},\n\"parameters\": {\n}\n}\n

    This doesn't affect the workings of the parameter file or deployment. The reason for the warning is that the metadata property has not been added to the parameter file JSON schema. In any case, the top-level metadata property is ignored by Azure Resource Manager when deploying a template.

    "},{"location":"troubleshooting/#an-earlier-version-of-azaccounts-is-imported","title":"An earlier version of Az.Accounts is imported","text":"

    When running PSRule for Azure in Azure DevOps within the AzurePowerShell@5 task, you may see the following error.

    Error

    This module requires Az.Accounts version 2.8.0. An earlier version of Az.Accounts is imported in the current PowerShell session. Please open a new session before importing this module. This error could indicate that multiple incompatible versions of the Azure PowerShell cmdlets are installed on your system. Please see https://aka.ms/azps-version-error for troubleshooting information.

    This error is raised by a chained dependency failure when importing a newer version of Az.Accounts. To avoid this issue, install the exact required version of Az.Resources in the AzurePowerShell@5 task before installing PSRule:

    Install-Module Az.Resources -RequiredVersion '5.6.0' -Force -Scope CurrentUser\n

    From PSRule for Azure v1.16.0, Az.Accounts and Az.Resources are no longer installed as dependencies. When using export commands from PSRule, you may need to install these modules.

    To install these modules, use the following PowerShell command:

    Install-Module Az.Resources -Force -Scope CurrentUser\n
    "},{"location":"troubleshooting/#could-not-load-file-or-assembly-yamldotnet","title":"Could not load file or assembly YamlDotNet","text":"

    PSRule >=1.3.0 uses an updated version of the YamlDotNet library. The PSRule for Azure <1.3.1 uses an older version of this library which may conflict.

    To avoid this issue:

    • Update to the latest version and use PSRule for Azure >=1.3.1 with PSRule >=1.3.0.
    • Alternatively, when using PSRule for Azure <1.3.1 use PSRule =1.2.0.

    To install the latest module version of PSRule use the following commands:

    Install-Module -Name PSRule.Rules.Azure -MinimumVersion 1.3.1 -Scope CurrentUser -Force;\n

    For the PSRule GitHub Action, use >=1.4.0.

    - name: Run PSRule analysis\nuses: microsoft/ps-rule@v2.9.0\n
    "},{"location":"upgrade-notes/","title":"Upgrade notes","text":"

    This document contains notes to help upgrade from previous versions of PSRule for Azure.

    "},{"location":"upgrade-notes/#upgrading-to-v200","title":"Upgrading to v2.0.0","text":"

    PSRule for Azure v2.0.0 is a planned future release. It's not yet available, but you can take these steps to proactively prepare for the release.

    "},{"location":"upgrade-notes/#realigned-configuration-option-names","title":"Realigned configuration option names","text":"

    Several configuration options will be renamed in upcoming releases of PSRule for Azure. This is part of an ongoing effort to align the naming of configuration options across PSRule for Azure. For information on other options that will be renamed see deprecations.

    You only need to take action if you have explicitly set old configuration option names.

    The old option names may be set in:

    • An option file such as ps-rule.yaml.
    • A custom baseline.
    • An environment variable.

    To locate any configurations, search for the old option names within your Infrastructure as Code repo.

    New name Old name Available from AZURE_AKS_CLUSTER_MINIMUM_VERSION Azure_AKSMinimumVersion v1.12.0 AZURE_RESOURCE_ALLOWED_LOCATIONS Azure_AllowedRegions v1.30.0

    To update your configuration, use the new name instead.

    Note

    Environment variables are prefixed by PSRULE_CONFIGURATION_ and are case sensitive.

    Options fileBashGitHub ActionsAzure Pipelines

    Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION option in ps-rule.yaml.

    # YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nconfiguration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.3\n

    Set the PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION environment variable.

    # Bash: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nexport PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION=\"1.27.3\"\n

    Set the PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION environment variable.

    # GitHub Actions: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nenv:\nPSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.3'\n

    Set the PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION environment variable.

    # Azure Pipelines: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.27.3\nvariables:\n- name: PSRULE_CONFIGURATION_AZURE_AKS_CLUSTER_MINIMUM_VERSION\nvalue: '1.27.3'\n
    "},{"location":"upgrade-notes/#removal-of-supportstags-function","title":"Removal of SupportsTags function","text":"

    The SupportsTags function is a PowerShell function used for filtering rules. Previously you could use this function to only run a rule against resources that support tags. As of v1.15.0 this function has been deprecated for removal in the next major release v2.0.0.

    From v2.0.0 the SupportsTags function will no longer work.

    The SupportsTags function was previously only available for PowerShell rules and not well documented. Instead you can use the Azure.Resource.SupportsTags selector introduced in v1.15.0. This selector supports the same features but also supports YAML and JSON rules in addition to PowerShell.

    To upgrade your PowerShell rules use the -With parameter to set Azure.Resource.SupportsTags. For example:

    # Synopsis: Old rule using the SupportsTags function\nRule 'Local.MyRule' -If { (SupportsTags) } {\n# Rule logic goes here\n}\n# Synopsis: Rule updated using the Azure.Resource.SupportsTags selector\nRule 'Local.MyRule' -With 'Azure.Resource.SupportsTags' {\n# Rule logic goes here\n}\n

    To read more about the selector, see the documentation.

    "},{"location":"using-bicep/","title":"Using Bicep source","text":"

    PSRule for Azure discovers and analyzes Azure resources contained within Bicep files. To enable this feature, you need to:

    • Enable expansion.
    • For modules (if used):
      • Define a deployment or parameters file.
      • Configure path exclusions.

    Abstract

    This topic covers how you can validate Azure resources within .bicep files. To learn more about why this is important see Expanding source files.

    "},{"location":"using-bicep/#enabling-expansion","title":"Enabling expansion","text":"

    To expand Bicep deployments configure ps-rule.yaml with the AZURE_BICEP_FILE_EXPANSION option.

    ps-rule.yaml
    # YAML: Enable expansion for Bicep source files.\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION: true\n

    Note

    If you are using JSON parameter files exclusively, you do not need to set this option. Instead continue reading using parameter files.

    "},{"location":"using-bicep/#setup-bicep","title":"Setup Bicep","text":"

    To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines. For details on how to configure Bicep for PSRule for Azure see Setup Bicep.

    "},{"location":"using-bicep/#building-files","title":"Building files","text":"

    It's not necessary to build .bicep files with bicep build or az bicep build. PSRule will automatically detect and build .bicep files. You may choose to pre-build .bicep files if the Bicep CLI is not available when PSRule is run.

    Important

    If using this method, follow using templates instead. Using bicep build transpiles Bicep code into an Azure template .json.

    "},{"location":"using-bicep/#testing-bicep-modules","title":"Testing Bicep modules","text":"

    Bicep allows you to separate out complex details into separate files called modules. To expand resources, any parameters must be resolved.

    Tip

    If you are not familiar with the concept of expansion within PSRule for Azure see Expanding source files.

    Two types of parameters exist, required (also called mandatory) and optional. An optional parameter is any parameter with a default value. Required parameters do not have a default value and must be specified.

    Example modules/storage/main.bicep

    // Required parameter\nparam name string\n\n// Optional parameters\nparam location string = resourceGroup().location\nparam sku string = 'Standard_LRS'\n

    To specify required parameters for a module, create a deployment or test that references the module.

    Example deploy.bicep

    // Deploy storage account to production subscription\nmodule storageAccount './modules/storage/main.bicep' = {\n  name: 'deploy-storage'\n  params: {\n    name: 'stpsrulebicep001'\n    sku: 'Standard_GRS'\n  }\n}\n

    Example modules/storage/.tests/main.tests.bicep

    // Test with only required parameters\nmodule test_required_params '../main.bicep' = {\n  name: 'test_required_params'\n  params: {\n    name: 'sttest001'\n  }\n}\n
    "},{"location":"using-bicep/#configuring-path-exclusions","title":"Configuring path exclusions","text":"

    Unless configured otherwise, PSRule will discover all .bicep files when expansion is enabled. Bicep module files with required parameters cannot be expanded on their own and should be excluded. Instead, expand resources from deployments or tests that reference the module.

    To do this configure ps-rule.yaml with the input.pathIgnore option.

    Example ps-rule.yaml

    configuration:\n# Enable expansion for Bicep source files.\nAZURE_BICEP_FILE_EXPANSION: true\ninput:\npathIgnore:\n# Exclude bicepconfig.json\n- 'bicepconfig.json'\n# Exclude module files\n- 'modules/**/*.bicep'\n# Include test files from modules\n- '!modules/**/*.tests.bicep'\n

    Note

    In this example, Bicep files such as deploy.bicep in other directories will be expanded.

    "},{"location":"using-bicep/#using-parameter-files","title":"Using parameter files","text":"

    When using Bicep, you don't need to use parameter files. You can call .bicep files directly from other .bicep files with modules by using the module keyword.

    Alternatively, Bicep supports two options for parameter files:

    • JSON parameter files \u2014 This format uses conventional JSON syntax compatible with ARM templates.
    • Bicep parameter files \u2014 This format uses Bicep language from a .bicepparam file to reference a Bicep module.

    Each option is described in more detail in the following sections.

    "},{"location":"using-bicep/#using-json-parameter-files","title":"Using JSON parameter files","text":"

    You can choose to expand and test a Bicep module from JSON parameter files by metadata.

    When using parameter files exclusively, the AZURE_BICEP_FILE_EXPANSION configuration option does not need to be set. Instead set the AZURE_PARAMETER_FILE_EXPANSION configuration option to true. This option will discover Bicep files from parameter metadata.

    Example ps-rule.yaml

    configuration:\n# Enable expansion for Bicep module from parameter files.\nAZURE_PARAMETER_FILE_EXPANSION: true\ninput:\npathIgnore:\n# Exclude bicepconfig.json\n- 'bicepconfig.json'\n# Exclude module files\n- 'modules/**/*.bicep'\n

    Example template.parameters.json

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./template.bicep\"\n},\n\"parameters\": {\n\"storageAccountName\": {\n\"value\": \"bicepstorage001\"\n},\n\"tags\": {\n\"value\": {\n\"env\": \"test\"\n}\n}\n}\n}\n
    "},{"location":"using-bicep/#using-bicep-parameter-files","title":"Using Bicep parameter files","text":"

    Experimental \u00b7 v1.27.0

    You can use .bicepparam files to reference your Bicep modules as a method for providing parameters. Using the Bicep parameter file format, allows you to get many of the benefits of the Bicep language.

    For example:

    using 'template.bicep'\n\nparam storageAccountName = 'bicepstorage001'\nparam tags = {\n  env: 'test'\n}\n

    Presently, to use this feature you must:

    1. Enable the experimental feature in bicepconfig.json.
    2. Enable expansion of Bicep parameter files in ps-rule.yaml.

    For example:

    bicepconfig.json
    {\n\"experimentalFeaturesEnabled\": {\n\"paramsFiles\": true\n}\n}\n
    ps-rule.yaml
    configuration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: true\n

    Experimental - Learn more

    Bicep parameter files are a work in progress. This feature will be transitioned to stable after the Bicep CLI support is finalized.

    Learn

    To learn more about Bicep parameter files see Create parameters files for Bicep deployment.

    "},{"location":"using-bicep/#restoring-modules-from-a-private-registry","title":"Restoring modules from a private registry","text":"

    Bicep modules can be stored in a private registry. Storing modules in a private registry gives you a central location to reference modules across your organization.

    To test Bicep deployments that use modules stored in a private registry, these modules must be restored. The restore process occurs automatically when PSRule is run; however, some additional steps are required to authenticate to the registry.

    To prepare your registry for storing Bicep modules see Create private registry for Bicep modules.

    To configure authentication for PSRule to a private registry:

    • Configure bicepconfig.json
    • Granting access to a private registry
    • Set pipeline environment variables

    Some organizations may want to expose Bicep modules publicly. This can be configured by enabling anonymous pull access. To configure your registry see Make your container registry content publicly available.

    Note

    To use anonymous pull access to a registry you must use a minimum of Bicep CLI version 0.15.31. You can configure PSRule to check for the minimum Bicep version. See configuring minimum version for information on how to enable this check.

    "},{"location":"using-bicep/#configure-bicepconfigjson","title":"Configure bicepconfig.json","text":"

    To authenticate to a private registry, configure bicepconfig.json by setting credentialPrecedence. This setting determines the order to find a credential to use when authenticating to the registry.

    Use the following credential type based on your environment as the first value of the credentialPrecedence setting:

    • Environment \u2014 Use environment variables to authenticate to the registry. This is the most common scenario for CI pipelines and works for cloud-hosted or self-hosted agents/private runners.
    • ManagedIdentity \u2014 Use a managed identity to authenticate to the registry. This may be applicable for scenarios where you are using self-hosted agents or private runners. You must configure a System-Assigned managed identity for the Azure Virtual Machine or Virtual Machine Scale Set.

    Example bicepconfig.json

    {\n\"credentialPrecedence\": [\n\"Environment\",\n\"AzureCLI\",\n]\n}\n

    Tip

    The bicepconfig.json configures the Bicep CLI. You should commit this file into a repository along with your Bicep code.

    "},{"location":"using-bicep/#granting-access-to-a-private-registry","title":"Granting access to a private registry","text":"

    To access a private registry, use an Azure AD identity which has been granted permissions to pull Bicep modules. When using the Environment credential type, see create a service principal that can access resources to create the identity. If you are using the ManagedIdentity credential type, the identity is created when you configure the managed identity.

    After configuring the identity, grant it access using the AcrPull built-in RBAC role on the Azure Container Registry. AcrPull is sufficient for restoring modules; the identity used by the pipeline does not need push or broader registry permissions.

    "},{"location":"using-bicep/#set-pipeline-environment-variables","title":"Set pipeline environment variables","text":"

    When using the Environment credential type, environment variables should be set in the pipeline. Typically, the following three environment variables should be set:

    • AZURE_CLIENT_ID \u2014 The Client ID (also called Application ID) of an App Registration in Azure AD. This will be represented as a GUID.
    • AZURE_CLIENT_SECRET \u2014 A valid secret that was generated for the App Registration.
    • AZURE_TENANT_ID \u2014 The Tenant ID that identifies your specific Azure AD tenant where your App Registration is created. This will be represented as a GUID.

    Note

    The environment credential type also supports other environment variables that may be applicable to your environment. To see a list visit EnvironmentCredential Class.

    GitHub ActionsAzure Pipelines

    Configure the microsoft/ps-rule action with Azure environment variables.

    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables using GitHub encrypted secrets\nAZURE_CLIENT_ID: ${{ secrets.BICEP_REGISTRY_CLIENTID }}\nAZURE_CLIENT_SECRET: ${{ secrets.BICEP_REGISTRY_CLIENTSECRET }}\nAZURE_TENANT_ID: ${{ secrets.BICEP_REGISTRY_TENANTID }}\n

    Important

    Environment variables can be configured in the workflow or from a secret. To keep BICEP_REGISTRY_CLIENTSECRET secure, use an encrypted secret rather than a plain value in the workflow file, so the secret is not committed to the repository.

    Configure the ps-rule-assert task with Azure environment variables.

    - task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\nenv:\n# Define environment variables within Azure Pipelines\nAZURE_CLIENT_ID: $(BICEPREGISTRYCLIENTID)\nAZURE_CLIENT_SECRET: $(BICEPREGISTRYCLIENTSECRET)\nAZURE_TENANT_ID: $(BICEPREGISTRYTENANTID)\n

    Important

    Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep BICEPREGISTRYCLIENTSECRET secure, use a variable group linked to an Azure Key Vault rather than a plain value in the pipeline YAML.

    "},{"location":"using-bicep/#recommended-content","title":"Recommended content","text":"
    • Setup Bicep
    • Bicep compilation timeout
    • Troubleshooting
    "},{"location":"using-templates/","title":"Using templates","text":"

    PSRule for Azure discovers and analyzes Azure resources contained within template and parameter files. To enable this feature, you need to:

    • Enable expansion.
    • Link parameter files to templates.

    Abstract

    This topic covers how you can validate Azure resources within template .json files. To learn more about why this is important see Expanding source files.

    "},{"location":"using-templates/#enabling-expansion","title":"Enabling expansion","text":"

    To expand parameter files configure ps-rule.yaml with the AZURE_PARAMETER_FILE_EXPANSION option.

    ps-rule.yaml
    # YAML: Enable expansion for template expansion.\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"using-templates/#linking-templates","title":"Linking templates","text":"

    PSRule for Azure automatically detects parameter files and uses the following logic to link templates or Bicep modules.

    • By metadata \u2014 Check parameter file for a metadata link identifying the associated template.
    • By naming convention \u2014 Check for matching template files using file naming convention.

    Note

    Metadata links take priority over naming convention. For details on both options continue reading.

    Tip

    Linking templates also applies to Bicep modules when you are using .json parameter files.

    "},{"location":"using-templates/#by-metadata","title":"By metadata","text":"

    A parameter file can be linked to an associated template or Bicep module by setting metadata. To link a template within a parameter file, set the metadata.template property to the path of the template.

    PSRule for Azure supports either:

    • Relative to repository \u2014 By default, the path is relative to the root of the repository.
    • Relative to template \u2014 To use a path relative to the parameter file, prefix the path with ./.

    Tip

    Referencing a path outside of the repository is blocked, as this could lead to unintended exposure of files that are not part of the repository.

    Relative to repositoryRelative to parameter file

    The following example shows linking to a template which is stored within a hierarchical template/ sub-directory.

    Example

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"templates/storage/v1/template.json\"\n},\n\"parameters\": {\n}\n}\n

    The following example shows linking to a template that is in the same directory as the parameter file.

    Example

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./storage.template.json\"\n},\n\"parameters\": {\n}\n}\n

    Additional benefits you get by using metadata links include:

    • You can share a common set of versioned templates across multiple deployments in a repository. This works well for mono-repositories.
    • You can discover all the deployments using a specific template by reading metadata. PSRule for Azure includes the Get-AzRuleTemplateLink cmdlet to list parameter file links.

    Tip

    By default, metadata links are not required. By configuring the AZURE_PARAMETER_FILE_METADATA_LINK option to true, this can be enforced. When configured, PSRule for Azure will fail parameter files that do not contain a metadata link. For details on AZURE_PARAMETER_FILE_METADATA_LINK see Configuring expansion.

    Note

    Bicep modules can also be expanded from parameter files. Instead of specifying a template path, you can specify the path to a Bicep file.

    Note

    You may find while editing a .json parameter file that the root metadata property is flagged with a warning, for example Property metadata is not allowed. This doesn't affect the workings of the parameter file or deployment. If you would like a detailed description, continue reading Troubleshooting.

    "},{"location":"using-templates/#by-naming-convention","title":"By naming convention","text":"

    When metadata links are not set, PSRule will fall back to using a naming convention to link to template files.

    Example

    A parameter file named azuredeploy.parameters.json links to the template file named azuredeploy.json.

    PSRule for Azure supports linking by naming convention when:

    • Parameter files end with .parameters.json linking to ARM templates or Bicep modules.
    • The parameter file prefix matches the file name of the template or Bicep module. For example, azuredeploy.parameters.json links to azuredeploy.json or azuredeploy.bicep.
    • If both an ARM template and Bicep module exist, the template (.json) is preferred. For example, azuredeploy.parameters.json chooses azuredeploy.json over azuredeploy.bicep if both exist.
    • Both parameter file and template or Bicep module must be in the same directory.

    The following is not currently supported:

    • Using a different naming convention for parameter files such as <templateName>.param.json.
    • Template or parameter files with alternative file extensions such as .jsonc.
    "},{"location":"versioning/","title":"Changes and versioning","text":"

    PSRule for Azure uses semantic versioning to declare breaking changes. The latest module version can be installed from the PowerShell Gallery. For a list of module changes please see the change log.

    "},{"location":"versioning/#pre-releases","title":"Pre-releases","text":"

    Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Module versions and change log details for pre-releases will be removed as stable releases are made available.

    Important

    Pre-release versions should be considered work in progress. These releases should not be used in production. We may introduce breaking changes between pre-releases as we work towards a stable version release.

    "},{"location":"versioning/#experimental-features","title":"Experimental features","text":"

    From time to time we may ship experimental features. These features are generally marked experimental in the change log as they ship. Experimental features may ship in stable releases; however, to use them you may need to:

    • Enable or explicitly reference them.

    Important

    Experimental features should be considered work in progress. These features may be incomplete and should not be used in production. We may introduce breaking changes for experimental features as we work towards a general release for the feature.

    "},{"location":"versioning/#reporting-bugs","title":"Reporting bugs","text":"

    If you experience an issue with a pre-release or experimental feature, please let us know by logging an issue as a bug.

    "},{"location":"working-with-baselines/","title":"Working with baselines","text":"

    A baseline is a standard PSRule artifact that combines rules and configuration. PSRule for Azure provides several baselines that can be referenced when running PSRule.

    Abstract

    This topic covers how to use the baselines shipped with PSRule for Azure.

    "},{"location":"working-with-baselines/#quarterly-baselines","title":"Quarterly baselines","text":"

    PSRule for Azure ships new rules on a monthly cadence. As new rules are added, existing pipelines that previously passed may fail based on additional requirements. It is generally expected that files committed to an integration branch such as main continue to pass.

    PSRule for Azure addresses this through quarterly baselines that provide:

    • Greater consistency \u2014 Quarterly baselines provide a stable checkpoint of rules to use. Each quarterly baseline includes rules for generally available (GA) and preview Azure features to date. Rules released after the quarterly baseline are added to the next quarterly baseline. New quarterly baselines are released every three (3) months. Baselines are named Azure.GA_yyyy_mm and Azure.Preview_yyyy_mm based on the release year/ month.
    • Incremental adoption \u2014 It may not be possible to implement new rules immediately. Existing backlogs or timelines may make it impossible to add new requirements until a future sprint. In a future sprint, bump the quarterly baseline to the latest release to get the additional rules. Keep in mind that while a baseline is pinned, rules released after that baseline (including any new security checks) are not evaluated until the baseline is bumped.

    Considerations for adopting a quarterly baseline include:

    • The quarterly baselines older than the latest are flagged as obsolete. Obsolete baselines can still be used, however will generate a warning.
    • As Azure evolves there may be cases where a feature change means a rule is no longer required. In these cases, a rule may be removed from PSRule for Azure and any applicable baselines.
    • Separate quarterly baselines for Azure GA and preview features are provided. The baseline for GA features is named Azure.GA_yyyy_mm and preview features is named Azure.Preview_yyyy_mm.

    Important

    When using a quarterly baseline, by default PSRule will ignore custom/ standalone rules. To include custom rules, set the Rule.IncludeLocal option to true. This is described further in including custom rules.

    Note

    The preview quarterly baselines includes Azure features released under preview only. This is different from the Azure.Preview baseline which contains GA and preview features.

    "},{"location":"working-with-baselines/#limitations","title":"Limitations","text":"

    Quarterly baselines don't address all cases where a previously passing pipeline may fail, specifically:

    • As bugs are identified they are corrected and shipped in the next minor or patch release. If a rule was not working correctly previously, failures may be generated after the fix. To work around this you can either:
      • Create a temporary suppression to ignore the issue.
      • Install a previous version of the PSRule for Azure module.
    • Rule configuration defaults change. Currently, rule configuration defaults are not included in quarterly baselines. To work around this, override the rule configuration option by setting the value in ps-rule.yaml.
    "},{"location":"working-with-baselines/#additional-standard-baselines","title":"Additional standard baselines","text":"

    In addition to quarterly baselines, some additional baselines exist:

    • Azure.Default - Includes rules for GA Azure features. This is the default baseline that is used when no baseline is specified. Rules for Azure features that are within the scope of a public or private preview are not included.
    • Azure.Preview - Includes all rules for GA and preview Azure features.
    • Azure.All - Includes all Azure rules shipped with PSRule for Azure. This is functionally the same as Azure.Preview however intended for internal use only.
    • Azure.MCSB.v1 - Includes rules related to Microsoft cloud security benchmark (MCSB) controls. This baseline is currently experimental and may change in future releases. You can learn more about MCSB within PSRule for Azure in the Microsoft cloud security benchmark (MCSB) topic.

    "},{"location":"working-with-baselines/#using-baselines","title":"Using baselines","text":"

    To use a baseline within a CI pipeline, specify the baseline by name. See the reference for a list of baselines shipped with PSRule for Azure.

    GitHub ActionsAzure PipelinesPowerShell

    Update your GitHub Actions workflow by specifying baseline: <name_of_baseline>.

    # Analyze Azure resources using PSRule for Azure\n- name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: 'PSRule.Rules.Azure'\nbaseline: 'Azure.GA_2023_09'\n

    Update your Azure DevOps YAML pipeline by specifying baseline: <name_of_baseline>.

    # Analyze Azure resources using PSRule for Azure\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: 'PSRule.Rules.Azure'\nbaseline: 'Azure.GA_2023_09'\n

    Update your PowerShell command-line with -Baseline <name_of_baseline>.

    With Assert-PSRule
    Assert-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_09'\n
    With Invoke-PSRule
    Invoke-PSRule -Format File -InputPath '.' -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2023_09'\n
    "},{"location":"working-with-baselines/#creating-baselines","title":"Creating baselines","text":"

    To create your own baselines see the PSRule help topic about_PSRule_Baseline.

    "},{"location":"working-with-baselines/#including-custom-rules","title":"Including custom rules","text":"

    v1.8.0

    The quarterly baselines shipped with PSRule for Azure target a subset of rules for GA Azure features. When you specify a baseline, custom rules you create and store in .ps-rule/ will be ignored by default.

    To change this behavior, set the Rule.IncludeLocal option to true. This option can be set in ps-rule.yaml.

    ps-rule.yaml
    # YAML: Enable custom rules that don't exist in the baseline\nrule:\nincludeLocal: true\n
    "},{"location":"benchmark/results-v1.10.4/","title":"Results v1.10.4","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|----------:|----------:|----------:|----------:| | Template | 74.25 ms | 4.140 ms | 12.206 ms | 6000.0000 | 1000.0000 | 27 MB | | PropertyCopyLoop | 47.84 ms | 0.936 ms | 1.615 ms | 4444.4444 | 222.2222 | 18 MB | | UserDefinedFunctions | 28.87 ms | 0.574 ms | 1.224 ms | 1500.0000 | 62.5000 | 6 MB |

    "},{"location":"benchmark/results-v1.11.0/","title":"Results v1.11.0","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| | Template | 78.97 ms | 2.842 ms | 8.246 ms | 6000.0000 | 1000.0000 | 27 MB | | PropertyCopyLoop | 47.83 ms | 0.954 ms | 2.033 ms | 4400.0000 | 200.0000 | 18 MB | | UserDefinedFunctions | 29.42 ms | 0.587 ms | 1.172 ms | 1500.0000 | 62.5000 | 6 MB |

    "},{"location":"benchmark/results-v1.14.3/","title":"Results v1.14.3","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n[Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\nDefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| | Template | 80.07 ms | 2.250 ms | 6.598 ms | 6666.6667 | 666.6667 | 28 MB | | PropertyCopyLoop | 52.08 ms | 0.955 ms | 0.798 ms | 4500.0000 | 125.0000 | 18 MB | | UserDefinedFunctions | 35.51 ms | 0.705 ms | 1.635 ms | 1600.0000 | 66.6667 | 7 MB |

    "},{"location":"benchmark/results-v1.15.0/","title":"Results v1.15.0","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=6.0.202\n[Host]     : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\nDefaultJob : .NET Core 3.1.24 (CoreCLR 4.700.22.16002, CoreFX 4.700.22.17909), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Median | Gen 0 | Gen 1 | Allocated | |----------------------- |----------------:|----------------:|----------------:|----------------:|----------:|----------:|-------------:| | Template | 58,758,457.6 ns | 1,368,418.79 ns | 3,859,649.48 ns | 57,989,600.0 ns | 6000.0000 | 2000.0000 | 28,881,656 B | | PropertyCopyLoop | 35,152,022.3 ns | 699,686.11 ns | 1,206,924.16 ns | 34,927,013.3 ns | 4466.6667 | 133.3333 | 19,040,308 B | | UserDefinedFunctions | 19,601,380.5 ns | 382,322.59 ns | 560,403.50 ns | 19,517,700.0 ns | 1562.5000 | 62.5000 | 6,821,540 B | | ResolvePolicyAliasPath | 2,194.6 ns | 42.05 ns | 84.93 ns | 2,154.7 ns | 0.2861 | - | 1,200 B | | GetResourceType | 293.9 ns | 1.82 ns | 1.52 ns | 293.9 ns | 0.0858 | - | 360 B |

    "},{"location":"benchmark/results-v1.8.1/","title":"Results v1.8.1","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|----------:|----------:| | Template | 49.11 ms | 1.871 ms | 5.307 ms | 5000.0000 | 1000.0000 | 21 MB | | PropertyCopyLoop | 42.65 ms | 0.815 ms | 1.001 ms | 3812.5000 | 125.0000 | 15 MB | | UserDefinedFunctions | 26.26 ms | 0.518 ms | 1.126 ms | 1125.0000 | 31.2500 | 5 MB |

    "},{"location":"benchmark/results-v1.9.1/","title":"Results v1.9.1","text":"

    BenchmarkDotNet=v0.13.1, OS=Windows 10.0.22000\nIntel Core i7-1065G7 CPU 1.30GHz, 1 CPU, 8 logical and 4 physical cores\n.NET SDK=5.0.404\n[Host]     : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\nDefaultJob : .NET Core 3.1.22 (CoreCLR 4.700.21.56803, CoreFX 4.700.21.57101), X64 RyuJIT\n
    | Method | Mean | Error | StdDev | Gen 0 | Gen 1 | Allocated | |--------------------- |---------:|---------:|---------:|----------:|---------:|----------:| | Template | 54.28 ms | 1.081 ms | 1.443 ms | 5333.3333 | 555.5556 | 21 MB | | PropertyCopyLoop | 42.15 ms | 0.823 ms | 0.881 ms | 3833.3333 | 166.6667 | 15 MB | | UserDefinedFunctions | 25.76 ms | 0.510 ms | 1.076 ms | 1125.0000 | 31.2500 | 5 MB |

    "},{"location":"commands/Export-AzPolicyAssignmentData/","title":"Export-AzPolicyAssignmentData","text":"

    Export policy assignment data.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#default-default","title":"Default (Default)","text":"
    Export-AzPolicyAssignmentData [-OutputPath <String>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#name","title":"Name","text":"
    Export-AzPolicyAssignmentData [-Name <String>] [-Scope <String>] [-PolicyDefinitionId <String>]\n [-OutputPath <String>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#id","title":"Id","text":"
    Export-AzPolicyAssignmentData -Id <String> [-PolicyDefinitionId <String>] [-OutputPath <String>] [-PassThru]\n [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#includedescendent","title":"IncludeDescendent","text":"
    Export-AzPolicyAssignmentData [-Scope <String>] [-IncludeDescendent] [-OutputPath <String>] [-PassThru]\n [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#description","title":"Description","text":"

    This is an experimental cmdlet.

    Export policy assignment data.

    By default the current subscription context will be exported, i.e. the context returned by Get-AzContext.

    Policy assignment data will be exported to the current working directory by default as JSON files, one per subscription.

    All output files include a .assignment.json extension by default.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#example-1","title":"Example 1","text":"
    Export-AzPolicyAssignmentData\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:01 PM         740098 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n

    Export policy assignment data from current subscription context.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#example-2","title":"Example 2","text":"
    Export-AzPolicyAssignmentData -Name '000000000000000000000000' -Scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:15 PM           4185 \ue60b  00000000-0000-0000-0000-000000000000.assignment.json\n

    Export policy assignment with specific name and scope.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#example-3","title":"Example 3","text":"
    Export-AzPolicyAssignmentData -Id '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PolicyRG/providers/Microsoft.Authorization/policyAssignments/000000000000000000000000'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   7:42 PM           4185 \ue60b  00000000-0000-0000-0000-00000000000.assignment.json\n

    Export policy assignment with specific resource ID.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#-name","title":"-Name","text":"

    Specifies the name of the policy assignment.

    Type: String\nParameter Sets: Name\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-id","title":"-Id","text":"

    Specifies the fully qualified resource ID for the policy assignment.

    Type: String\nParameter Sets: Id\nAliases: AssignmentId\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-scope","title":"-Scope","text":"

    Specifies the scope at which the policy is applied for the assignment.

    Type: String\nParameter Sets: Name, IncludeDescendent\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-policydefinitionid","title":"-PolicyDefinitionId","text":"

    Specifies the ID of the policy definition of the policy assignment.

    Type: String\nParameter Sets: Name, Id\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-includedescendent","title":"-IncludeDescendent","text":"

    Causes the list of returned policy assignments to include all assignments related to the given scope, including those from ancestor scopes and those from descendent scopes.

    Type: SwitchParameter\nParameter Sets: IncludeDescendent\nAliases:\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing policy assignment data.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#none","title":"None","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#systemiofileinfo","title":"System.IO.FileInfo","text":"

    Return FileInfo for each of the output files created, one per subscription context. This is the default.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#psobject","title":"PSObject","text":"

    Return an object for each Azure resource, and configuration exported. This is returned when the -PassThru switch is used.

    "},{"location":"commands/Export-AzPolicyAssignmentData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/","title":"Export-AzPolicyAssignmentRuleData","text":"

    Export JSON based rules from policy assignment data.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#syntax","title":"SYNTAX","text":"
    Export-AzPolicyAssignmentRuleData [-Name <String>] -AssignmentFile <String>\n [-ResourceGroup <ResourceGroupReference>] [-Subscription <SubscriptionReference>] [-OutputPath <String>]\n [-RulePrefix <String>] [-PassThru] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#description","title":"Description","text":"

    This is an experimental cmdlet.

    Export JSON based rules from policy assignment data.

    Policy assignment data generated from Export-AzPolicyAssignmentData is used to generate JSON rules.

    By default this is an offline process, requiring no connectivity to Azure.

    Policy definitions with the Disabled effect are ignored.

    The subscription() function will return the following unless overridden:

    • subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • displayName: 'PSRule Test Subscription'
    • state: 'NotDefined'

    The resourceGroup() function will return the following unless overridden:

    • name: 'ps-rule-test-rg'
    • location: 'eastus'
    • tags: { }
    • properties:
      • provisioningState: 'Succeeded'

    To override, set the AZURE_SUBSCRIPTION and AZURE_RESOURCE_GROUP in configuration.

    The rule prefix Azure is also applied to the policy names unless overridden with -RulePrefix or AZURE_POLICY_RULE_PREFIX in configuration.

    Currently the following limitations apply:

    • field() expressions are not expanded.
    • Field/Value count expressions are not supported.
    • Template functions with value cannot be expanded e.g. \"value\": \"[substring(field('name'), 0, 3)]\".
    • Any of the above will lead to errors when emitting JSON rules; review the emitted output rather than assuming every assigned policy was converted.
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-1","title":"Example 1","text":"
    Export-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json\n
    Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n

    Export JSON rules to file in current working directory.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-2","title":"Example 2","text":"
    $subscription = @{\nsubscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\ndisplayName = 'My Azure Subscription'\ntenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\nExport-AzPolicyAssignmentRuleData -Name \"policy\" -AssignmentFile .\\00000000-0000-0000-0000-000000000000.assignment.json -Subscription $subscription\n
    Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        26/03/2022   9:41 PM            361 \uf15b  definitions-policy.Rule.jsonc\n

    Export JSON rules to file in current working directory using a specific subscription.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#example-3","title":"Example 3","text":"
    Get-AzPolicyAssignmentDataSource | Export-AzPolicyAssignmentRuleData\n
    Mode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a---        27/03/2022  11:26 AM            721 \uf15b  definitions-export-1b474938.Rule.jsonc\n

    Export JSON rules using the assignment data sources discovered in the current working directory.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-name","title":"-Name","text":"

    The name of the assignment. If not specified export-<xxxxxxxx> will be used as the name of the assignment.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-assignmentfile","title":"-AssignmentFile","text":"

    The absolute or relative path to an assignment data file.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing resources.

    If this parameter is not specified, output will be written to the current working path. The file name definitions-<name>.Rule.jsonc will be used when this parameter is not set or a directory is specified. Where <name> is the name of the assignment specified by -Name.

    This parameter has no effect when -PassThru is used.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-ruleprefix","title":"-RulePrefix","text":"

    By default, policy rule names use the Azure prefix e.g. Azure.Policy.e749c2d003da.

    When -RulePrefix is specified, the default prefix is overridden.

    For example, with -RulePrefix 'CustomPolicyPrefix' this would generate the policy rule name CustomPolicyPrefix.Policy.e749c2d003da.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-resourcegroup","title":"-ResourceGroup","text":"

    A name or hashtable of the Resource Group in the assignment data file. The Resource Group specified here will be used to resolve the resourceGroup() function.

    When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.

    Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#-subscription","title":"-Subscription","text":"

    The name or hashtable of the Subscription in the assignment data file. The subscription specified here will be used to resolve the subscription() function.

    When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.

    Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzPolicyAssignmentRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzPolicyAssignmentRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleData/","title":"Export-AzRuleData","text":"

    Export resource configuration data from one or more Azure subscriptions.

    "},{"location":"commands/Export-AzRuleData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleData/#default-default","title":"Default (Default)","text":"
    Export-AzRuleData [[-OutputPath] <String>] [-Subscription <String[]>] [-Tenant <String[]>]\n [-ResourceGroupName <String[]>] [-Tag <Hashtable>] [-PassThru] [-SkipDiscovery] [-ResourceId <String[]>]\n [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleData/#all","title":"All","text":"
    Export-AzRuleData [[-OutputPath] <String>] [-ResourceGroupName <String[]>] [-Tag <Hashtable>] [-PassThru]\n [-All] [-WhatIf] [-Confirm] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleData/#description","title":"Description","text":"

    Export resource configuration data from deployed resources in one or more Azure subscriptions.

    If no filters are specified, the current subscription context will be exported, i.e. the context returned by Get-AzContext.

    To export all subscription contexts use the -All switch. When the -All switch is used, all subscription contexts will be exported, i.e. those returned by Get-AzContext -ListAvailable.

    Resource data will be exported to the current working directory by default as JSON files, one per subscription.

    "},{"location":"commands/Export-AzRuleData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleData/#example-1","title":"Example 1","text":"
    Export-AzRuleData\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n

    Export resource configuration data from current subscription context.

    "},{"location":"commands/Export-AzRuleData/#example-2","title":"Example 2","text":"
    Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000002.json\n

    Export resource configuration data from subscriptions by name.

    "},{"location":"commands/Export-AzRuleData/#example-3","title":"Example 3","text":"
    Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'\n
    Directory: C:\\\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         1/07/2019 10:03 AM        7304948 00000000-0000-0000-0000-000000000001.json\n

    Export resource configuration data from two resource groups within the current subscription context.

    "},{"location":"commands/Export-AzRuleData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleData/#-all","title":"-All","text":"

    By default, resources from the current subscription context are extracted. Use -All to extract resource data for all subscription contexts instead.

    Type: SwitchParameter\nParameter Sets: All\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing resources.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-resourcegroupname","title":"-ResourceGroupName","text":"

    Optionally filter resources by Resource Group name.

    Type: String[]\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-subscription","title":"-Subscription","text":"

    Optionally filter resources by subscription, Id or Name.

    Type: String[]\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-tag","title":"-Tag","text":"

    Optionally filter resources based on tag.

    Type: Hashtable\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-tenant","title":"-Tenant","text":"

    Optionally filter resources by a unique Tenant identifer.

    Type: String[]\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-resourceid","title":"-ResourceId","text":"

    A list of resource Ids to expand.

    Type: String[]\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByValue)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-skipdiscovery","title":"-SkipDiscovery","text":"

    Determines if resource discovery is skipped. When skipped resources are expanded based on provided resource Ids.

    Type: SwitchParameter\nParameter Sets: Default\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-confirm","title":"-Confirm","text":"

    Prompts you for confirmation before running the cmdlet.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases: cf\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#-whatif","title":"-WhatIf","text":"

    Shows what would happen if the cmdlet runs. The cmdlet is not run.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases: wi\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzRuleData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleData/#none","title":"None","text":""},{"location":"commands/Export-AzRuleData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleData/#systemiofileinfo","title":"System.IO.FileInfo","text":"

    Return FileInfo for each of the output files created, one per subscription. This is the default.

    "},{"location":"commands/Export-AzRuleData/#psobject","title":"PSObject","text":"

    Return an object for each Azure resource, and configuration exported. This is returned when the -PassThru switch is used.

    "},{"location":"commands/Export-AzRuleData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Export-AzRuleTemplateData/","title":"Export-AzRuleTemplateData","text":"

    Export resource configuration data from Azure templates.

    "},{"location":"commands/Export-AzRuleTemplateData/#syntax","title":"SYNTAX","text":""},{"location":"commands/Export-AzRuleTemplateData/#template-default","title":"Template (Default)","text":"
    Export-AzRuleTemplateData [[-Name] <String>] -TemplateFile <String> [-ParameterFile <String[]>]\n [-ResourceGroup <ResourceGroupReference>] [-Subscription <SubscriptionReference>] [-OutputPath <String>]\n [-PassThru] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleTemplateData/#source","title":"Source","text":"
    Export-AzRuleTemplateData [[-Name] <String>] -SourceFile <String> [-ResourceGroup <ResourceGroupReference>]\n [-Subscription <SubscriptionReference>] [-OutputPath <String>] [-PassThru] [<CommonParameters>]\n
    "},{"location":"commands/Export-AzRuleTemplateData/#description","title":"Description","text":"

    Export resource configuration data by merging Azure Resource Manager (ARM) template and parameter files. Template and parameters are merged by resolving template parameters, variables and functions.

    This function does not check template files for strict compliance with Azure schemas.

    By default this is an offline process, requiring no connectivity to Azure. Some functions that may be included in templates dynamically query Azure for current state. For these functions standard placeholder values are used by default. Functions that use placeholders include reference, list*.

    The subscription() function will return the following unless overridden:

    • subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
    • displayName: 'PSRule Test Subscription'
    • state: 'NotDefined'

    The resourceGroup() function will return the following unless overridden:

    • name: 'ps-rule-test-rg'
    • location: 'eastus'
    • tags: { }
    • properties:
      • provisioningState: 'Succeeded'

    To override, set the AZURE_SUBSCRIPTION and AZURE_RESOURCE_GROUP in configuration.

    Currently the following limitations apply:

    • Nested templates are expanded, external templates are not.
      • Deployment resources that link to an external template are returned as a resource.
    • Sub-resources such as diagnostic logs or configurations are automatically nested. Automatic nesting a sub-resource requires:
      • The parent resource is defined in the same template.
      • The sub-resource depends on the parent resource.
    • The environment template function always returns values for Azure public cloud.
    • References to Key Vault secrets are not expanded. A placeholder value is used instead.
    • The reference() function will return objects for resources within the same template. For resources that are not in the same template, a placeholder value is used instead.
    • Multi-line strings are not supported.
    • Template expressions up to a maximum of 100,000 characters are supported.
    "},{"location":"commands/Export-AzRuleTemplateData/#examples","title":"Examples","text":""},{"location":"commands/Export-AzRuleTemplateData/#example-1","title":"Example 1","text":"
    Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n

    Export resource configuration data based on merging a template and parameter file together.

    "},{"location":"commands/Export-AzRuleTemplateData/#example-2","title":"Example 2","text":"
    Get-AzRuleTemplateLink | Export-AzRuleTemplateData;\n

    Recursively scan the current working path and export linked templates.

    "},{"location":"commands/Export-AzRuleTemplateData/#example-3","title":"Example 3","text":"
    $subscription = @{\nsubscriptionId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\ndisplayName = 'My Azure Subscription'\ntenantId = 'nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn'\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -Subscription $subscription;\n

    Export linked templates from the current working path using a specific subscription.

    "},{"location":"commands/Export-AzRuleTemplateData/#example-4","title":"Example 4","text":"
    $rg = @{\nname = 'my-test-rg'\nlocation = 'australiaeast'\ntags = @{\nenv = 'prod'\n}\n}\nGet-AzRuleTemplateLink | Export-AzRuleTemplateData -ResourceGroup $rg;\n

    Export linked templates from the current working path using a specific resource group.

    "},{"location":"commands/Export-AzRuleTemplateData/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Export-AzRuleTemplateData/#-name","title":"-Name","text":"

    The name of the deployment. If not specified export-<xxxxxxxx> will be used as the name of the deployment.

    This parameter is used by the deployment() function and is also used to name the output file.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: 0\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-templatefile","title":"-TemplateFile","text":"

    The absolute or relative file path to an Azure Resource Manager template file.

    Type: String\nParameter Sets: Template\nAliases:\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-parameterfile","title":"-ParameterFile","text":"

    The absolute or relative file path to one or more Azure Resource Manager template parameter files.

    Type: String[]\nParameter Sets: Template\nAliases: TemplateParameterFile\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-sourcefile","title":"-SourceFile","text":"

    The absolute or relative file path to a file of a Bicep file.

    Type: String\nParameter Sets: Source\nAliases: f, FullName\nRequired: True\nPosition: Named\nDefault value: None\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-outputpath","title":"-OutputPath","text":"

    The path to store generated JSON files containing resources.

    If this parameter is not specified, output will be written to the current working path. The file name resources-<name>.json will be used when this parameter is not set or a directory is specified. Where <name> is the name of the deployment specified by -Name.

    This parameter has no affect when -PassThru is used.

    Type: String\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-passthru","title":"-PassThru","text":"

    By default, FileInfo objects are returned to the pipeline for each JSON file created. When -PassThru is specified, JSON files are not created and Azure resource objects are returned to the pipeline instead.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-resourcegroup","title":"-ResourceGroup","text":"

    A name or hashtable of the Resource Group where the deployment will occur. This Resource Group specified here will be used to resolve the resourceGroup() function.

    When the name of Resource Group is specified, the Resource Group will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Resource Group.

    Alternately, a hashtable of a Resource Group object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: ResourceGroupReference\nParameter Sets: (All)\nAliases: ResourceGroupName\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#-subscription","title":"-Subscription","text":"

    The name or hashtable of the Subscription where the deployment will occur. This subscription specified here will be used to resolve the subscription() function.

    When a subscription name is specified, the Subscription will be looked up and used during export. This requires an authenticated connection to Azure with permissions to read the specified Subscription.

    Alternately, a hashtable of a Subscription object can be specified. This option does not require an authenticated Azure connection. The hashtable will override the defaults for any specified properties.

    For more details see about_PSRule_Azure_Configuration.

    Type: SubscriptionReference\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Export-AzRuleTemplateData/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Export-AzRuleTemplateData/#inputs","title":"INPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring","title":"System.String","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemstring_1","title":"System.String[]","text":""},{"location":"commands/Export-AzRuleTemplateData/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemiofileinfo","title":"System.IO.FileInfo","text":""},{"location":"commands/Export-AzRuleTemplateData/#systemobject","title":"System.Object","text":""},{"location":"commands/Export-AzRuleTemplateData/#notes","title":"Notes","text":""},{"location":"commands/Export-AzRuleTemplateData/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/","title":"Get-AzPolicyAssignmentDataSource","text":"

    Get policy assignment sources.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#syntax","title":"SYNTAX","text":"
    Get-AzPolicyAssignmentDataSource [-InputPath <String[]>] [[-Path] <String>] [<CommonParameters>]\n
    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#description","title":"Description","text":"

    This is an experimental cmdlet.

    Get policy assignment sources. By default *.assignment.json sources are discovered from the current working directory.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#examples","title":"Examples","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#example-1","title":"Example 1","text":"
    Get-AzPolicyAssignmentDataSource\n
    AssignmentFile\n--------------\nC:\\00000000-0000-0000-0000-000000000001.assignment.json\nC:\\Users\\user\\00000000-0000-0000-0000-000000000002.assignment.json\n

    Gets policy assignment sources from any *.assignment.json sources within any folder in the current working directory path.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-inputpath","title":"-InputPath","text":"

    A path or filter to search for assignment files within the path specified by -Path. By default, files with *.assignment.json suffix will be used.

    When searching for assignment files all sub-directories will be scanned. To perform a shallow search, prefix input paths with ./.

    Type: String[]\nParameter Sets: (All)\nAliases: f, AssignmentFile, FullName\nRequired: False\nPosition: Named\nDefault value: '*.assignment.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n
    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#-path","title":"-Path","text":"

    Sets the path to search for assignment files in. By default, this is the current working path.

    Type: String\nParameter Sets: (All)\nAliases: p\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Get-AzPolicyAssignmentDataSource/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#psrulerulesazurepipelinepolicyassignmentsource","title":"PSRule.Rules.Azure.Pipeline.PolicyAssignmentSource","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#notes","title":"Notes","text":""},{"location":"commands/Get-AzPolicyAssignmentDataSource/#related-links","title":"RELATED LINKS","text":""},{"location":"commands/Get-AzRuleTemplateLink/","title":"Get-AzRuleTemplateLink","text":"

    Get a metadata link to a Azure template file.

    "},{"location":"commands/Get-AzRuleTemplateLink/#syntax","title":"SYNTAX","text":"
    Get-AzRuleTemplateLink [[-InputPath] <String[]>] [-SkipUnlinked] [[-Path] <String>] [<CommonParameters>]\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#description","title":"Description","text":"

    Gets a link between an Azure Resource Manager (ARM) parameter file and its referenced template file. Parameter files reference a template file by defining metadata. Alternatively, template files are discovered by naming convention.

    By default, when parameter files without a matching template are discovered an error is raised.

    To reference a template, set the metadata.template property to a file path. Referencing templates outside of the path specified with -Path is not permitted.

    To discover template files by naming convention:

    • Both template and parameter files must be in the same sub-directory.
    • The parameter file must end with .parameters.json.
    • The parameter file must be named <templateName>.parameters.json.
    • The template file must be named <templateName>.json.

    For more information see the about_PSRule_Azure_Metadata_Link topic.

    "},{"location":"commands/Get-AzRuleTemplateLink/#examples","title":"Examples","text":""},{"location":"commands/Get-AzRuleTemplateLink/#example-1","title":"Example 1","text":"
    Get-AzRuleTemplateLink\n

    Get links from any *.parameters.json files within any folder in the current working path.

    "},{"location":"commands/Get-AzRuleTemplateLink/#parameters","title":"PARAMETERS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#-inputpath","title":"-InputPath","text":"

    A path or filter to search for parameter files within the path specified by -Path. By default, files with *.parameters.json suffix will be used.

    When searching for parameter files all sub-directories will be scanned. To perform a shallow search, prefix input paths with ./.

    Type: String[]\nParameter Sets: (All)\nAliases: f, TemplateParameterFile, FullName\nRequired: False\nPosition: 1\nDefault value: '*.parameters.json'\nAccept pipeline input: True (ByPropertyName)\nAccept wildcard characters: True\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#-skipunlinked","title":"-SkipUnlinked","text":"

    Use this option to ignore parameter files that have no matching template. By default, when parameter files without a matching template are discovered an error is raised.

    Type: SwitchParameter\nParameter Sets: (All)\nAliases:\nRequired: False\nPosition: Named\nDefault value: None\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#-path","title":"-Path","text":"

    Sets the path to search for parameter files in. By default, this is the current working path.

    Type: String\nParameter Sets: (All)\nAliases: p\nRequired: False\nPosition: 0\nDefault value: $PWD\nAccept pipeline input: False\nAccept wildcard characters: False\n
    "},{"location":"commands/Get-AzRuleTemplateLink/#commonparameters","title":"CommonParameters","text":"

    This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

    "},{"location":"commands/Get-AzRuleTemplateLink/#inputs","title":"INPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#systemstring","title":"System.String[]","text":""},{"location":"commands/Get-AzRuleTemplateLink/#outputs","title":"OUTPUTS","text":""},{"location":"commands/Get-AzRuleTemplateLink/#psrulerulesazuredatametadataitemplatelink","title":"PSRule.Rules.Azure.Data.Metadata.ITemplateLink","text":""},{"location":"commands/Get-AzRuleTemplateLink/#notes","title":"Notes","text":""},{"location":"commands/Get-AzRuleTemplateLink/#related-links","title":"RELATED LINKS","text":"

    about_PSRule_Azure_Metadata_Link

    "},{"location":"commands/PSRule.Rules.Azure/","title":"PSRule.Rules.Azure Module","text":""},{"location":"commands/PSRule.Rules.Azure/#description","title":"Description","text":"

    Validate Azure resources and infrastructure as code using PSRule.

    "},{"location":"commands/PSRule.Rules.Azure/#psrule-cmdlets","title":"PSRule Cmdlets","text":""},{"location":"commands/PSRule.Rules.Azure/#export-azruledata","title":"Export-AzRuleData","text":"

    Export resource configuration data from one or more Azure subscriptions.

    "},{"location":"commands/PSRule.Rules.Azure/#export-azruletemplatedata","title":"Export-AzRuleTemplateData","text":"

    Export resource configuration data from Azure templates.

    "},{"location":"commands/PSRule.Rules.Azure/#get-azruletemplatelink","title":"Get-AzRuleTemplateLink","text":"

    Get a metadata link to a Azure template file.

    "},{"location":"concepts/about_PSRule_Azure_Configuration/","title":"Configuration options","text":"

    Describes PSRule configuration options specific to PSRule for Azure.

    "},{"location":"concepts/about_PSRule_Azure_Configuration/#description","title":"Description","text":"

    PSRule exposes configuration options that can be used to customize execution of PSRule.Rules.Azure. This topic describes what configuration options are available.

    PSRule configuration options can be specified by setting the configuration option in ps-rule.yaml. Additionally, configuration options can be configured in a baseline or set at runtime. For details of setting configuration options see PSRule options.

    The following configurations options are available for use:

    • AZURE_AKS_CLUSTER_MINIMUM_VERSION
    • Azure_AKSNodeMinimumMaxPods
    • Azure_AllowedRegions
    • Azure_MinimumCertificateLifetime
    • AZURE_PARAMETER_FILE_EXPANSION
    • AZURE_POLICY_WAIVER_MAX_EXPIRY
    • AZURE_RESOURCE_GROUP
    • AZURE_SUBSCRIPTION
    • AZURE_POLICY_IGNORE_LIST
    • AZURE_POLICY_RULE_PREFIX
    • AZURE_APIM_MIN_API_VERSION
    • AZURE_COSMOS_DEFENDER_PER_ACCOUNT
    • AZURE_STORAGE_DEFENDER_PER_ACCOUNT

    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"

    This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.

    Syntax:

    configuration:\nAzure_AKSMinimumVersion: string # A version string\n

    Default:

    # YAML: The default Azure_AKSMinimumVersion configuration option\nconfiguration:\nAzure_AKSMinimumVersion: 1.20.5\n

    Example:

    # YAML: Set the Azure_AKSMinimumVersion configuration option to 1.19.7\nconfiguration:\nAzure_AKSMinimumVersion: 1.19.7\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_aksnodeminimummaxpods","title":"Azure_AKSNodeMinimumMaxPods","text":"

    This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a maxPods option is used to determine the maximum number of pods for each node in the node pool.

    Syntax:

    configuration:\nAzure_AKSNodeMinimumMaxPods: integer\n

    Default:

    # YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 50\n

    Example:

    # YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 30\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_allowedregions","title":"Azure_AllowedRegions","text":"

    This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.

    By default, Azure_AllowedRegions is not configured. The rule Azure.Resource.AllowedRegions is skipped when no allowed locations are configured.

    Syntax:

    configuration:\nAzure_AllowedRegions: array # An array of regions\n

    Default:

    # YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\nAzure_AllowedRegions: []\n

    Example:

    # YAML: Set the Azure_AllowedRegions configuration option to Australia East, Australia South East\nconfiguration:\nAzure_AllowedRegions:\n- 'australiaeast'\n- 'australiasoutheast'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"

    This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.

    Syntax:

    configuration:\nAzure_MinimumCertificateLifetime: integer\n

    Default:

    # YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\nAzure_MinimumCertificateLifetime: 30\n

    Example:

    # YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\nAzure_MinimumCertificateLifetime: 90\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_parameter_file_expansion","title":"AZURE_PARAMETER_FILE_EXPANSION","text":"

    This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded.

    Parameter files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_PARAMETER_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"

    This configuration option determines the maximum number of days in the future for a waiver policy exemption.

    Syntax:

    configuration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n

    Default:

    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n

    Example:

    # YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_resource_group","title":"AZURE_RESOURCE_GROUP","text":"

    This configuration option sets the resource group object used by the resourceGroup() function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option will be ignored when -ResourceGroup is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_RESOURCE_GROUP:\nname: string\nlocation: string\ntags: object\nproperties:\nprovisioningState: string\n

    Default:

    # YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\nAZURE_RESOURCE_GROUP:\nname: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\nprovisioningState: 'Succeeded'\n

    Example:

    # YAML: Override the location of the resource group object.\nconfiguration:\nAZURE_RESOURCE_GROUP:\nlocation: 'australiasoutheast'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_subscription","title":"AZURE_SUBSCRIPTION","text":"

    This configuration option sets the subscription object used by the subscription() function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option will be ignored when -Subscription is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: string\ntenantId: string\ndisplayName: string\nstate: string\n

    Default:

    # YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n

    Example:

    # YAML: Override the display name of the subscription object\nAZURE_SUBSCRIPTION:\ndisplayName: 'My test subscription'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"

    This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.

    Configure this option to ignore policy definitions that:

    • Already have a rule defined.
    • Are not relevant to testing Infrastructure as Code.

    Syntax:

    configuration:\nAZURE_POLICY_IGNORE_LIST: array\n

    Default:

    # YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\nAZURE_POLICY_IGNORE_LIST: []\n

    Example:

    # YAML: Add a custom policy definition to ignore\nAZURE_POLICY_IGNORE_LIST:\n- '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n- '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"

    This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to Azure.

    This configuration option will be ignored when -Prefix is used with Export-AzPolicyAssignmentRuleData.

    Syntax:

    configuration:\nAZURE_POLICY_RULE_PREFIX: string\n

    Default:

    # YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\nAZURE_POLICY_RULE_PREFIX: 'Azure'\n

    Example:

    # YAML: Override the prefix of exported policy rules\nAZURE_POLICY_RULE_PREFIX: 'AzureCustomPrefix'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"

    This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to '2021-08-01'.

    Syntax:

    configuration:\nAZURE_APIM_MIN_API_VERSION: string\n

    Default:

    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-08-01'\n

    Example:

    # YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"

    This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"concepts/about_PSRule_Azure_Configuration/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"

    This configuration option enables validation for that each storage account is associated with a Microsoft Defender for Storage resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"concepts/about_PSRule_Azure_Metadata_Link/","title":"PSRule_Azure_Metadata_Link","text":""},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#about_psrule_azure_metadata_link","title":"about_PSRule_Azure_Metadata_Link","text":"

    Describes how Azure Resource Manager (ARM) parameter files reference a template file.

    "},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#description","title":"Description","text":"

    Azure Resource Manager (ARM) supports storing additional metadata within parameter files. PSRule uses this metadata to link template and parameter files together to improve unit testing of templates.

    To reference a template within a parameter file:

    • Set the metadata.template property to the template.
    • Prefix a template file relative to the parameter file with ./. When ./ is not used, the template with is relative to the -Path parameter.

    For example:

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./Resources.Template.json\"\n},\n\"parameters\": {\n}\n}\n
    "},{"location":"concepts/about_PSRule_Azure_Metadata_Link/#see-also","title":"SEE ALSO","text":"
    • Get-AzRuleTemplateLink
    "},{"location":"concepts/policy-as-rules/","title":"Policy as rules","text":"

    PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:

    • Reuse controls \u2014 that have already deployed with implementation of guardrails in your environment. For example: Azure Cloud Adoption Framework or regulatory compliance standards.
    • Reduce deployment issues \u2014 by identifying Azure Policy controls that could prevent a deployment from succeeding.

    Abstract

    This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.

    Experimental - Learn more

    Policy as rules are a work in progress. As always if you find bugs/ errors or if something just doesn't work as your expect it to, please let us know. You can log a bug on GitHub or provide feedback here.

    "},{"location":"concepts/policy-as-rules/#limitations","title":"Limitations","text":"

    This feature does not support:

    • Resource provider modes \u2014 evaluate data plane information exposed at runtime. Policies that target resource provider modes are automatically ignored.
    • Disabled policies \u2014 Policy definitions with the effect Disabled are ignored.
    • Unassigned policies \u2014 Only policy definitions assigned to a scope are exported.
    • Policies that check for assessment status \u2014 Some policies use additional detection tools to check for compliance. Policies that check for assessment status are ignored.
    • Importing rules \u2014 Rules generated from policy assignments cannot be imported back into Azure Policy.
    "},{"location":"concepts/policy-as-rules/#using-policy-as-rules","title":"Using policy as rules","text":"

    Using policy as rules is a two step process:

    1. Export assignment data from Azure.
    2. Convert assignments to rules.
    "},{"location":"concepts/policy-as-rules/#export-assignment-data","title":"Export assignment data","text":"

    Run Export-AzPolicyAssignmentData to export assignments from Azure to an *.assignment.json file.

    Key points:

    • Before running this command, connect to an Azure subscription by installing the Az PowerShell module and using Connect-AzAccount.
    • This command has no required parameters, and by default will export all assignments from you current Azure subscription. You can change the current Azure subscription by using Set-AzContext.
    "},{"location":"concepts/policy-as-rules/#convert-assignments-to-rules","title":"Convert assignments to rules","text":"

    Run Export-AzPolicyAssignmentRuleData to convert assignments to rules. To run this command an -AssignmentFile parameter with the path to the assignment JSON file generated in the previous step.

    After the command completes a new file *.Rule.jsonc should be generated containing generated rules.

    "},{"location":"concepts/suppression/","title":"Suppression and excluding rules","text":"

    By default, PSRule will attempt to read and test all files. You can configure options to:

    • Control which files PSRule tests.
    • Disable specific rules that don't apply to your environment.
    • Configure exceptions for special cases.

    Abstract

    This topic covers how you can configure PSRule to ignore files, specific rules, or rules for special cases.

    "},{"location":"concepts/suppression/#excluding-a-rule","title":"Excluding a rule","text":"

    Docs

    You can exclude a rule to effectively disable the rule. When excluded, a rule is not used to test any Azure resources.

    To exclude a rule, set the Rule.Exclude option within the ps-rule.yaml file.

    ps-rule.yaml
    rule:\nexclude:\n# Ignore the following rules for all resources\n- Azure.VM.UseHybridUseBenefit\n- Azure.VM.Standalone\n
    "},{"location":"concepts/suppression/#suppress-a-rule-individually","title":"Suppress a rule individually","text":"

    Docs

    You can suppress a rule to effectively skip or ignore a rule for a specific case or exception.

    To suppress a rule, set Suppression option within the ps-rule.yaml file. PSRule allows you to specify the name of the rule and the name of the resources that will be suppressed.

    ps-rule.yaml
    suppression:\nAzure.Storage.SoftDelete:\n# Ignore soft delete on the following non-production storage accounts\n- storagedeveus6jo36t\n- storagedeveus1df278\n

    Tip

    Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.

    "},{"location":"concepts/suppression/#suppressing-common-cases","title":"Suppressing common cases","text":"

    Docs

    If you need to commonly suppress a rule for multiple resources you can use a Suppression Group. A Suppression Group allow you to define a condition for when a rule should be suppressed.

    Example

    For example, suppose you want to suppress the Azure.Storage.SoftDelete rule for Storage Accounts based on a tag.

    A Suppression Group can be defined within a .Rule.yaml file within the .ps-rule/ sub-directory. Create this directory in your repository or current working path if it doesn't already exist.

    .ps-rule/Suppression.Rule.yaml
    ---\n# Synopsis: Ignore soft delete for development storage accounts\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\nname: Local.IgnoreNonProdStorage\nspec:\nrule:\n- Azure.Storage.SoftDelete\nif:\nfield: tags.env\nequals: dev\n

    Learn

    To learn more, see suppression groups and expressions.

    "},{"location":"concepts/suppression/#ignoring-files","title":"Ignoring files","text":"

    Docs

    To exclude or ignore files from being processed, configure the Input.PathIgnore option. This option allows you to ignore files using a path spec.

    To ignore files with common extensions, set the Input.PathIgnore option within the ps-rule.yaml file.

    ps-rule.yaml
    input:\npathIgnore:\n# Exclude files with these extensions\n- '*.md'\n- '*.png'\n# Exclude specific configuration files\n- 'bicepconfig.json'\n

    To ignore all files with some exceptions, set the Input.PathIgnore option within the ps-rule.yaml file.

    ps-rule.yaml
    input:\npathIgnore:\n# Exclude all files\n- '*'\n# Only process deploy.bicep files\n- '!**/deploy.bicep'\n

    Tip

    Some common file exclusions are recommended for working with Azure Bicep source files. See Configuring path exclusions for details.

    "},{"location":"customization/enforce-codeowners/","title":"Enforcing code ownership","text":"

    With PSRule, you can layer on custom rules with to implement organization specific requirements. These custom rules work side-by-side with PSRule for Azure.

    Pull requests are a key concept within common Git workflows used with DevOps to enforce peer review. To support peer review across a team tools such as GitHub and Azure DevOps provide code ownership. Code ownership, allows mix discipline teams to direct peer reviews based the path of a changed file.

    For sensitive changes such as firewall or policy exemptions, peer reviews may form a security control. In these cases, it may be important that specific paths are used for Infrastructure as Code artifacts.

    Info

    Code ownership is implemented through CODEOWNERS in GitHub and required reviewers in Azure Repos.

    Abstract

    The following scenario shows how to create a custom rule to validate the file path of code artifacts. The scenario walks you through the process so that you can apply the same concepts for similar requirements.

    "},{"location":"customization/enforce-codeowners/#creating-a-new-rule","title":"Creating a new rule","text":"

    Within the .ps-rule sub-directory create a new file called Org.Azure.Rule.ps1. Use the following snippet to populate the rule file:

    # Synopsis: Policy exemptions must be stored under designated paths for review.\nRule 'Org.Azure.Policy.Path' -Type 'Microsoft.Authorization/policyExemptions' {\n$Assert.WithinPath($PSRule.Source['Parameter'], '.', @(\n'deployments/policy/'\n));\n}\n

    Some key points to call out with the rule snippet include:

    • The name of the rule is Org.Azure.Policy.Path. Each rule name must be unique.
    • The rule applies to resources with the type of Microsoft.Authorization/policyExemptions. i.e. Policy exemptions.
    • The synopsis comment above the rule is read and used as the default recommendation if the rule fails. The rule recommendation appears in output and is intended as an instruction to remediate the failure.
    • The assertion $Assert.WithinPath ensures the specifies path is within the deployments/policy/ sub-directory.
    • The automatic variable $PSRule.Source exposes the source path for the resource. PSRule for Azure exposes a Template and Parameter source for resources originating from a template.

    Tip

    For recommendations on naming and storing rules see storing custom rules.

    "},{"location":"customization/enforce-codeowners/#binding-type","title":"Binding type","text":"

    Rules packaged within PSRule for Azure will automatically detect Policy Exemptions by their type properties. Standalone rules will get their type binding configuration from ps-rule.yaml instead.

    To configure type binding:

    • Create/ update the ps-rule.yaml file within the root of the repository.
    • Add the following configuration snippet.
    # Configure binding options\nbinding:\ntargetType:\n- 'resourceType'\n- 'type'\n

    Some key points to call out include:

    • Configuring the binding for targetType allows rules to use the -Type parameter. Our custom rule uses -Type 'Microsoft.Authorization/policyExemptions'.
    • The binding configuration will use the resourceType property if it exists, alternative it will use type. If neither property exists, PSRule will use the object type.
    "},{"location":"customization/enforce-codeowners/#testing-locally","title":"Testing locally","text":"

    To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.

    Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File\n
    "},{"location":"customization/enforce-codeowners/#sample-code","title":"Sample code","text":"

    Grab the full sample code for each of these files from:

    • Org.Azure.Rule.ps1
    • ps-rule.yaml
    • policy-exemption.parameters.json
    • template.json
    "},{"location":"customization/enforce-custom-tags/","title":"Enforcing custom tags","text":"

    With PSRule, you can layer on custom rules with to implement organization specific requirements. These custom rules work side-by-side with PSRule for Azure.

    Use of resource and resource group tags is recommended in the WAF, however implementations may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.

    Abstract

    The following scenario shows how to create a custom rule to validate Resource Group tags. The scenario walks you through the process so that you can apply the same concepts for similar requirements.

    "},{"location":"customization/enforce-custom-tags/#creating-a-new-rule","title":"Creating a new rule","text":"

    Within the .ps-rule sub-directory create a new file called Org.Azure.Rule.ps1. Use the following snippet to populate the rule file:

    # Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n$hasTags = $Assert.HasField($TargetObject, 'Tags')\nif (!$hasTags.Result) {\nreturn $hasTags\n}\n# <Code for custom tags goes here>\n}\n

    Some key points to call out with the rule snippet include:

    • The name of the rule is Org.Azure.RG.Tags. Each rule name must be unique.
    • The rule applies to resources with the type of Microsoft.Resources/resourceGroups. i.e. Resource Groups.
    • The synopsis comment above the rule is read and used as the default recommendation if the rule fails. The rule recommendation appears in output and is intended as an instruction to remediate the failure.
    • The assertion $Assert.HasField ensures that Resource Group has a tags property.
    • The automatic variable $TargetObject automatically exposes the current resource being processed.

    Tip

    For recommendations on naming and storing rules see storing custom rules.

    "},{"location":"customization/enforce-custom-tags/#adding-mandatory-tags","title":"Adding mandatory tags","text":"

    To require specific tags to be configured on Resource Groups append this code to the rule.

    # Require tags be case-sensitive\n$Assert.HasField($TargetObject.tags, 'costCentre', <# case-sensitive #> $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n

    Some key points to call out include:

    • The $Assert.HasField assertions are case-sensitive which differs from the previous snippet.
    • A list of supported assertions can be found here.
    • Comments can be added just like normal PowerShell code.
    Updated Rule

    The updated rule should look like:

    # Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n$hasTags = $Assert.HasField($TargetObject, 'Tags')\nif (!$hasTags.Result) {\nreturn $hasTags\n}\n# Require tags be case-sensitive\n$Assert.HasField($TargetObject.tags, 'costCentre', <# case-sensitive #> $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n}\n
    "},{"location":"customization/enforce-custom-tags/#limiting-tags-values","title":"Limiting tags values","text":"

    To require these tags to only accept allowed values, append this code to the rule.

    <#\nThe costCentre tag must:\n- Start with a letter.\n- Be followed by a number between 10000-9999999999.\n#>\n$Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n# Require specific values for environment tag\n$Assert.In($TargetObject, 'tags.env', @(\n'dev',\n'prod',\n'uat'\n), $True)\n

    Some key points to call out include:

    • Each of these assertions for the field value are case-sensitive.
    • Assertions can automatically traverse fields be using the dotted syntax. i.e. tags.costCentre.
    Completed rule

    The completed rule should look like:

    # Synopsis: Resource Groups must have all mandatory tags defined.\nRule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {\n$hasTags = $Assert.HasField($TargetObject, 'Tags')\nif (!$hasTags.Result) {\nreturn $hasTags\n}\n# Require tags be case-sensitive.\n$Assert.HasField($TargetObject.tags, 'costCentre', <# case-sensitive #> $True)\n$Assert.HasField($TargetObject.tags, 'env', $True)\n<#\n    The costCentre tag must:\n    - Start with a letter.\n    - Be followed by a number between 10000-9999999999.\n    #>\n$Assert.Match($TargetObject, 'tags.costCentre', '^([A-Z][1-9][0-9]{4,9})$', $True)\n# Require specific values for environment tag.\n$Assert.In($TargetObject, 'tags.env', @(\n'dev',\n'prod',\n'uat'\n), $True)\n}\n
    "},{"location":"customization/enforce-custom-tags/#binding-type","title":"Binding type","text":"

    Rules packaged within PSRule for Azure will automatically detect Resource Groups by their type properties. Standalone rules will get their type binding configuration from ps-rule.yaml instead.

    To configure type binding:

    • Create/ update the ps-rule.yaml file within the root of the repository.
    • Add the following configuration snippet.
    # Configure binding options\nbinding:\ntargetType:\n- 'resourceType'\n- 'type'\n

    Some key points to call out include:

    • Configuring the binding for targetType allows rules to use the -Type parameter. Our custom rule uses -Type 'Microsoft.Resources/resourceGroups'.
    • The binding configuration will use the resourceType property if it exists, alternative it will use type. If neither property exists, PSRule will use the object type.
    "},{"location":"customization/enforce-custom-tags/#testing-locally","title":"Testing locally","text":"

    To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively you can test the rule manually by running the following from a PowerShell terminal.

    Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File\n
    "},{"location":"customization/enforce-custom-tags/#sample-code","title":"Sample code","text":"

    Grab the full sample code for each of these files from:

    • Org.Azure.Rule.ps1
    • ps-rule.yaml
    "},{"location":"customization/permit-outbound-management/","title":"Permit outbound management","text":"

    As discussed in Azure.NSG.LateralTraversal, outbound management traffic is expected from some subnets. Subnets that are expected allow outbound management traffic may include:

    • Privileged access workstations (PAWs)
    • Bastion hosts
    • Jump boxes

    As a result, you may want to suppress the Azure.NSG.LateralTraversal rule on NSGs for these special cases.

    Abstract

    This topic provides an example you can use to configure PSRule to ignore special case NSGs.

    "},{"location":"customization/permit-outbound-management/#create-a-suppression-group","title":"Create a suppression group","text":"

    Within the .ps-rule sub-directory create a file called Org.Azure.Suppressions.Rule.yaml. If the .ps-rule sub-directory does not exist, create it in the root of your repository.

    Use the following snippet to populate the suppression group:

    ---\n# Synopsis: Ignore NSG lateral movement for management subnet NSGs such as Azure Bastion.\napiVersion: github.com/microsoft/PSRule/v1\nkind: SuppressionGroup\nmetadata:\nname: Org.Azure.PermitOutboundManagement\nspec:\nrule:\n- PSRule.Rules.Azure\\Azure.NSG.LateralTraversal\nif:\nallOf:\n- type: '.'\nin:\n- Microsoft.Network/networkSecurityGroups\n# Suppress NSGs with bastion or management in thier name\n- name: '.'\ncontains:\n- bastion\n- management\n

    Some key points to call out with the suppression group snippet include:

    • The name of the suppression group is Org.Azure.PermitOutboundManagement. Each resource name must be unique.
    • The suppression group applies to:
      • The rule PSRule.Rules.Azure\\Azure.NSG.LateralTraversal.
      • Run against NSGs with the type Microsoft.Network/networkSecurityGroups.
      • When the name of the NSG contains bastion or management. The suppression group uses expressions to determine when a resource is suppressed. Update this condition to match your environment. For example, the following NSGs would be suppressed by this suppression group:
        • nsg-bastion-prod-eus-001
        • nsg-hub-management-prod-001
    • The synopsis comment above the suppression group is included in output as the explaination for the suppression.

    Tip

    Expressions can be combined within a suppression group using allOf or anyOf operators.

    "},{"location":"customization/storing-custom-rules/","title":"Storing custom rules","text":"

    PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework (WAF). In addition to WAF alignment you may have a requirement to enforce organization specific rules.

    For example:

    • Required tags on a resource group.
    • Code ownership for sensitive resource types.

    PSRule allows custom rules to be layered on. These custom rules work side-by-side with PSRule for Azure.

    "},{"location":"customization/storing-custom-rules/#using-a-standard-file-path","title":"Using a standard file path","text":"

    Rules can be standalone or packaged within a module. Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository. To reuse rules across multiple projects consider packaging these as a module.

    The instructions for packaging rules in a module can be found here:

    • Packaging rules in a module

    To store standalone rules we recommend that you:

    • Use .ps-rule/ \u2014 Create a sub-directory called .ps-rule in the root of your repository. Use all lower-case in the sub-directory name. Put any custom rules within this sub-directory.
    • Use files ending with .Rule.ps1 \u2014 PSRule uses a file naming convention to discover rules. We recommend using a file name that ends in .Rule.ps1.

    Note

    Build pipelines are often case-sensitive or run on Linux-based systems. Using the casing rule above reduces confusion latter when you configure continuous integration (CI).

    "},{"location":"customization/storing-custom-rules/#naming-rules","title":"Naming rules","text":"

    When running PSRule, rule names must be unique. PSRule for Azure uses the name prefix of Azure. on all rules and resources included in the module.

    Example

    The following names are examples of rules included within PSRule for Azure:

    • Azure.AKS.Version
    • Azure.AKS.AuthorizedIPs
    • Azure.SQL.MinTLS

    When naming custom rules we recommend that you:

    • Use a standard prefix \u2014 You can use the Local. or Org. prefix for standalone rules.
      • Alternatively choose a short prefix that identifies your organization.
    • Use dotted notation \u2014 Use dots to separate rule name.
    • Use a maximum length of 35 characters \u2014 The default view of Invoke-PSRule truncates longer names. PSRule supports longer rule names however if Invoke-PSRule is called directly consider using Format-List.
    "},{"location":"en/mcsb-v1/","title":"Microsoft cloud security benchmark","text":"

    Microsoft cloud security benchmark (MCSB) is a set of controls and recommendations that help improve the security of workloads on Azure and your multi-cloud environment. Controls from the MCSB are also mapped to industry frameworks, such as CIS, PCI-DSS, and NIST.

    If you are new to MCSB or are looking for guidance on how to use it, please see the Introduction to the Microsoft cloud security benchmark.

    "},{"location":"en/mcsb-v1/#microsoft-cloud-security-benchmark-v1","title":"Microsoft cloud security benchmark v1","text":"

    Is the latest version of the MCSB. Rules included within PSRule for Azure have been mapped to v1 so that you are able to understand the impact of the rules. This is particularly useful when you are looking to understand how to address a compliance requirement specific to your organization.

    The following controls are included in the Microsoft cloud security benchmark v1:

    • Network security (NS)
    • Identity Management (IM)
    • Privileged Access (PA)
    • Data Protection (DP)
    • Asset Management (AM)
    • Logging and Threat Detection (LT)
    • Incident Response (IR)
    • Posture and Vulnerability Management (PV)
    • Endpoint Security (ES)
    • Backup and Recovery (BR)
    • DevOps Security (DS)
    • Governance and Strategy (GS)

    "},{"location":"en/mcsb-v1/#using-the-mcsb-v1-baseline","title":"Using the MCSB v1 baseline","text":"

    Experimental \u00b7 v1.25.0

    To start using the MCSB v1 baseline with PSRule, configure the baseline parameter to use Azure.MCSB.v1. View the list of rules associated with the MCSB v1 baseline.

    Experimental - Learn more

    MCSB baselines are a work in progress and subject to change. We hope to add more rules to the baseline in the future. Join or start a discussion to let us know how we can improve this feature going forward.

    Note

    It's important to note that the MCSB v1 baseline is subset of rules from the Well-Architected Framework. Not all rules for the Well-Architected Framework are included in MCSB. Using the MCSB v1 baseline is useful to understand alignment with the MCSB and other industry frameworks / standards. For a complete set of rules for the Well-Architected Framework, consider using a quarterly baseline.

    "},{"location":"en/mcsb-v1/#recommended-content","title":"Recommended content","text":"
    • Overview of Microsoft cloud security benchmark (v1)
    • Using baselines
    "},{"location":"en/baselines/Azure.All/","title":"Azure.All","text":"

    Includes all Azure rules.

    "},{"location":"en/baselines/Azure.All/#rules","title":"Rules","text":"

    The following rules are included within Azure.All. This baseline includes a total of 401 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. 
Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with node pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and node pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. 
Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. 
Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use an Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.AppInsights.Name Azure Application Insights resource names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. 
Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. 
Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use Azure Files volume mounts to persist container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management plane operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. 
Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when referencing SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. 
Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principle of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. 
Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Based Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. 
Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. 
Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. 
Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. 
Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. 
Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Default/","title":"Azure.Default","text":"

    Default baseline for Azure rules.

    "},{"location":"en/baselines/Azure.Default/#rules","title":"Rules","text":"

    The following rules are included within Azure.Default. This baseline includes a total of 385 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. 
Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. 
Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. 
Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. 
Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. 
Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. 
Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. 
Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. 
Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. 
Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. 
Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. 
Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. 
Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. 
Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. 
Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. 
Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. 
Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2020_06/","title":"Azure.GA_2020_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2020 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2020_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2020_06. This baseline includes a total of 137 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductSubscription Configure products to require a subscription. 
Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. 
Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. 
Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. 
Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. 
Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_09/","title":"Azure.GA_2020_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2020 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2020_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2020_09. This baseline includes a total of 153 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. 
Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. 
Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. 
Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. 
Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. 
Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2020_12/","title":"Azure.GA_2020_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2020 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2020_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2020_12. This baseline includes a total of 177 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. 
Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. 
Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. 
Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. 
Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. 
Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. 
Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. 
Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_03/","title":"Azure.GA_2021_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_03. This baseline includes a total of 192 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. 
Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. 
Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. 
Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. 
Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. 
Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_06/","title":"Azure.GA_2021_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_06. This baseline includes a total of 206 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. 
Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. 
Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. 
Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. 
Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. 
Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. 
Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. 
Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. 
Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. 
Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. 
Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_09/","title":"Azure.GA_2021_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_09. This baseline includes a total of 225 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. 
Awareness Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. 
Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. 
Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. 
Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. 
Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. 
Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. 
Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. 
Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. 
Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important"},{"location":"en/baselines/Azure.GA_2021_12/","title":"Azure.GA_2021_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2021 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2021_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2021_12. This baseline includes a total of 251 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. 
Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. 
Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. 
Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. 
Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. 
Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. 
Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. 
Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. 
Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). 
Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. 
Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. 
Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. 
Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. 
Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness"},{"location":"en/baselines/Azure.GA_2022_03/","title":"Azure.GA_2022_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_03. This baseline includes a total of 267 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. 
Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. 
Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. 
Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. 
Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. 
Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. 
Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. 
Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. 
Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. 
Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. 
Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_06/","title":"Azure.GA_2022_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_06. This baseline includes a total of 271 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. 
Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. 
Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. 
Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. 
Critical Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. 
Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. 
Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. 
Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. 
Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. 
Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. 
Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. 
Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. 
Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. 
Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_09/","title":"Azure.GA_2022_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_09. This baseline includes a total of 303 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. 
Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. 
Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. 
Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. 
Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. 
Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. 
Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. 
Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. 
Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2022_12/","title":"Azure.GA_2022_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2022 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2022_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2022_12. This baseline includes a total of 341 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. 
Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. 
Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. 
Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. 
Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. 
Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. 
Awareness Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. 
Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. 
Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. 
Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. 
Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. 
Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. 
Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. 
Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. 
Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_03/","title":"Azure.GA_2023_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2023 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2023_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2023_03. This baseline includes a total of 361 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.ProductApproval Configure products to require approval. 
Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. 
Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. 
Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. 
Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. 
Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. 
Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. 
Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. 
Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. 
Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. 
Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. 
Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. 
Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. 
Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. 
Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. 
Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. 
Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_06/","title":"Azure.GA_2023_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2023 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2023_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2023_06. This baseline includes a total of 376 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. 
Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. 
Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. 
Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. 
Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. 
Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. 
Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. 
Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. 
Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. 
Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. 
Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. 
Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. 
Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. 
Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. 
Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. 
Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. 
Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. 
Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.GA_2023_09/","title":"Azure.GA_2023_09","text":"

    Include rules released September 2023 or prior for Azure GA features.

    "},{"location":"en/baselines/Azure.GA_2023_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.GA_2023_09. This baseline includes a total of 385 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. 
Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. 
Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. 
Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. 
Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. 
Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. 
Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. 
Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. 
Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. 
Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. 
Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. 
Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. 
Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. 
Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. 
Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. 
Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. 
Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. 
Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. 
Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.MCSB.v1/","title":"Azure.MCSB.v1","text":"

    Experimental

    This baseline is experimental and subject to change.

    Microsoft Cloud Security Benchmark v1.

    "},{"location":"en/baselines/Azure.MCSB.v1/#controls","title":"Controls","text":"

    The following rules are included within Azure.MCSB.v1. This baseline includes a total of 118 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. 
Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. 
Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. 
Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. 
Critical Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. 
Important Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important"},{"location":"en/baselines/Azure.Preview/","title":"Azure.Preview","text":"

    Includes rules for Azure GA and preview features.

    "},{"location":"en/baselines/Azure.Preview/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview. This baseline includes a total of 401 rules.

    Name Synopsis Severity Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Azure.ACR.Name Container registry names should meet naming requirements. Awareness Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. 
Awareness Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. 
Important Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Azure.APIM.Name API Management service names should meet naming requirements. Awareness Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Azure.APIM.ProductApproval Configure products to require approval. Important Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Azure.APIM.ProductSubscription Configure products to require a subscription. Important Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. 
Important Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Azure.AppService.WebProbe Configure and enable instance health probes. Important Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. 
Awareness Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Azure.CDN.HTTP Enforce HTTPS for client connections. Important Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. 
Important Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. 
Critical Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. 
Critical Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Critical Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Azure.LB.Probe Use a specific probe for web protocols. Important Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. 
Important Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
Important Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. 
Important Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Azure.Route.Name Route table names should meet naming requirements. Awareness Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. 
Important Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
Important Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. 
Critical Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Azure.Template.LocationType Location parameters should use a string value. Important Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Azure.Template.TemplateFile Use ARM template files that are valid. Important Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Azure.VM.ASName Availability Set names should meet naming requirements. 
Awareness Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Azure.VM.PublicKey Linux virtual machines should use public keys. Important Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Azure.VM.Updates Ensure automatic updates are enabled at deployment. 
Important Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Azure.VNET.PeerState VNET peering connections must be connected. Important Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. 
Important Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important"},{"location":"en/baselines/Azure.Preview_2021_09/","title":"Azure.Preview_2021_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2021 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2021_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2021_09. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2021_12/","title":"Azure.Preview_2021_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2021 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2021_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2021_12. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2022_03/","title":"Azure.Preview_2022_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_03. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2022_06/","title":"Azure.Preview_2022_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_06. This baseline includes a total of 3 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important"},{"location":"en/baselines/Azure.Preview_2022_09/","title":"Azure.Preview_2022_09","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released September 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_09. This baseline includes a total of 5 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important"},{"location":"en/baselines/Azure.Preview_2022_12/","title":"Azure.Preview_2022_12","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released December 2022 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2022_12/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2022_12. This baseline includes a total of 5 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important"},{"location":"en/baselines/Azure.Preview_2023_03/","title":"Azure.Preview_2023_03","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released March 2023 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2023_03/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2023_03. This baseline includes a total of 5 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important"},{"location":"en/baselines/Azure.Preview_2023_06/","title":"Azure.Preview_2023_06","text":"

    Warning

    This baseline is obsolete. Consider switching to a newer baseline.

    Include rules released June 2023 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2023_06/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2023_06. This baseline includes a total of 15 rules.

    Name Synopsis Severity Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/baselines/Azure.Preview_2023_09/","title":"Azure.Preview_2023_09","text":"

    Include rules released September 2023 or prior for Azure preview only features.

    "},{"location":"en/baselines/Azure.Preview_2023_09/#rules","title":"Rules","text":"

    The following rules are included within Azure.Preview_2023_09. This baseline includes a total of 16 rules.

    Name Synopsis Severity Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important"},{"location":"en/rules/","title":"Reference","text":"

    The following rules and features are included in PSRule for Azure.

    Info

    The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.

    "},{"location":"en/rules/#rules","title":"Rules","text":"

    The following rules are included in PSRule for Azure.

    Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. 
GA AZR-000019 Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Preview AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. 
GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. 
GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Front Door. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. 
GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. 
GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. 
GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). 
GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. 
GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. 
GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.VM.NICAttached Network interfaces (NICs) should be attached. GA AZR-000258 Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. 
GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. GA AZR-000281 Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. GA AZR-000283 Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. 
GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
GA AZR-000312 Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Preview AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. 
GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. Preview AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Preview AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. 
GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000384 Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000385 Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Preview AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. 
GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA"},{"location":"en/rules/Azure.ACR.AdminUser/","title":"Disable ACR admin user","text":"Azure.ACR.AdminUserAZR-000005Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 2020_06

    Use Azure AD identities instead of using the registry admin user.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#description","title":"Description","text":"

    Azure Container Registry (ACR) includes a built-in admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.

    Instead use role-based access control (RBAC). RBAC can be used to delegate registry permissions to an Azure AD (AAD) identity.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#recommendation","title":"Recommendation","text":"

    Consider disabling the admin user account and only use identity-based authentication for registry operations.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#examples","title":"Examples","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.adminUserEnabled to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.adminUserEnabled to false.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az acr update --admin-enabled false -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AdminUser/#links","title":"Links","text":"
    • Use identity-based authentication
    • Authenticate with a private Docker container registry
    • Best practices for Azure Container Registry
    • Use an Azure managed identity to authenticate to an Azure container registry
    • Azure Container Registry roles and permissions
    • What is Azure role-based access control (Azure RBAC)?
    • IM-1: Use centralized identity and authentication system
    • IM-3: Manage application identities securely and automatically
    • PA-1: Separate and limit highly privileged/administrative users
    • Azure Policy Regulatory Compliance controls for Azure Container Registry
    • Azure deployment reference
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/","title":"Anonymous pull access","text":"Azure.ACR.AnonymousAccessAZR-000401Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 Preview \u00b7 2023_09

    Disable anonymous pull access.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#description","title":"Description","text":"

    Azure Container Registry (ACR) allows you to pull or push content from an Azure container registry by being authenticated. However, it is possible to pull content from an Azure container registry by being unauthenticated (anonymous pull access).

    By default, access to pull or push content from an Azure container registry is only available to authenticated users.

    Generally speaking it is not a good practice to allow data-plane operations to unauthenticated users. However, anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#recommendation","title":"Recommendation","text":"

    Consider disabling anonymous pull access in scenarios that require user authentication.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#examples","title":"Examples","text":"","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.anonymousPullEnabled property to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"anonymousPullEnabled\": false\n}\n}\n
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.anonymousPullEnabled property to false.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    anonymousPullEnabled: false\n  }\n}\n
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az acr update --name myregistry --anonymous-pull-enabled false\n
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#notes","title":"Notes","text":"

    The anonymous pull access feature is currently in preview. Anonymous pull access is only available in the Standard and Premium service tiers.

    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.AnonymousAccess/#links","title":"Links","text":"
    • Authentication with Azure AD
    • Make your container registry content publicly available
    • Azure security baseline for Container Registry
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.ACR.AnonymousAccess","AZR-000401"]},{"location":"en/rules/Azure.ACR.ContainerScan/","title":"Scan Container Registry images","text":"Azure.ACR.ContainerScanAZR-000002Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    Enable vulnerability scanning for container images.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#description","title":"Description","text":"

    A potential risk with container-based workloads is un-patched security vulnerabilities in:

    • Operating System base images.
    • Frameworks and runtime dependencies used by application code.

    It is important to adopt a strategy to actively scan images for security vulnerabilities. One option for scanning container images is to use Microsoft Defender for container registries. Microsoft Defender for container registries scans each container image pushed to the registry.

    Microsoft Defender for container registries scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.

    Container image vulnerability scanning with Microsoft Defender for container registries:

    • Is currently only available for Linux-hosted ACR registries.
    • The container registry must be accessible by Microsoft Defender for Container registries. Network access can not be restricted by firewall, Service Endpoints, or Private Endpoints.
    • Is supported in commercial clouds. Is not currently supported in sovereign or national clouds (e.g. US Gov, China Gov, etc.).
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Cloud to scan for security vulnerabilities in container images.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable container image scanning:

    • Set the Standard pricing tier for Microsoft Defender for container registries.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"ContainerRegistry\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable container image scanning:

    • Set the Standard pricing tier for Microsoft Defender for container registries.

    For example:

    Azure Bicep snippet
    resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'ContainerRegistry' --tier 'standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContainerScan/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for container registries
    • Container security in Microsoft Defender for Cloud
    • Secure the images and run time
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"en/rules/Azure.ACR.ContentTrust/","title":"Use trusted container images","text":"Azure.ACR.ContentTrustAZR-000009Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    Use container images signed by a trusted image publisher.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#description","title":"Description","text":"

    Azure Container Registry (ACR) content trust enables pushing and pulling of signed images. Signed images provides additional assurance that they have been built on a trusted source.

    To enable content trust, the container registry must be using a Premium SKU.

    Content trust is currently not supported in a registry that's encrypted with a customer-managed key. When using customer-managed keys, content trust can not be enabled.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#recommendation","title":"Recommendation","text":"

    Consider enabling content trust on registries, clients, and sign container images.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#examples","title":"Examples","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.trustPolicy.status to enabled.
    • Set properties.trustPolicy.type to Notary.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.trustPolicy.status to enabled.
    • Set properties.trustPolicy.type to Notary.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.ContentTrust/#links","title":"Links","text":"
    • Follow best practices for container security
    • Content trust in Azure Container Registry
    • Content trust in Docker
    • Overview of customer-managed keys
    • Azure deployment reference
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"en/rules/Azure.ACR.Firewall/","title":"Restrict network access to container registries","text":"Azure.ACR.FirewallAZR-000402Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 2023_09

    Limit network access of container registries to only trusted clients.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#description","title":"Description","text":"

    Azure Container Registry (ACR) allows you to restrict network access to trusted clients and networks instead of any client.

    Container registries using the Premium SKU can limit network access by setting firewall rules or using private endpoints. Firewall and private endpoints are not supported when using the Basic or Standard SKU.

    In general, network access should be restricted to harden against unauthorized access or exfiltration attempts. However may not be required when publishing and distributing public container images to external parties.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#recommendation","title":"Recommendation","text":"

    Consider restricting network access to trusted clients to harden against unauthorized access or exfiltration attempts.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#examples","title":"Examples","text":"","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled. OR
    • Set the properties.networkRuleSet.defaultAction property to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"properties\": {\n\"publicNetworkAccess\": \"Enabled\",\n\"networkRuleBypassOptions\": \"AzureServices\",\n\"networkRuleSet\": {\n\"defaultAction\": \"Deny\",\n\"ipRules\": [\n{\n\"action\": \"Allow\",\n\"value\": \"_PublicIPv4Address_\"\n}\n]\n}\n}\n}\n
    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Container Registries that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled. OR
    • Set the properties.networkRuleSet.defaultAction property to Deny.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    publicNetworkAccess: 'Enabled'\n    networkRuleBypassOptions: 'AzureServices'\n    networkRuleSet: {\n      defaultAction: 'Deny'\n      ipRules: [\n        {\n          action: 'Allow'\n          value: '_PublicIPv4Address_'\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#notes","title":"Notes","text":"

    Configuring firewall rules or using private endpoints is only available for the Premium SKU.

    When used with Microsoft Defender for Containers, you must enable trusted Microsoft services for the vulnerability assessment feature to be able to scan the registry.

    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.Firewall/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Restrict access using private endpoint
    • Restrict access using firewall rules
    • Allow trusted services to securely access a network-restricted container registry
    • Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
    • Azure security baseline for Container Registry
    • NS-2: Secure cloud services with network controls
    • Azure deployment reference
    ","tags":["Azure.ACR.Firewall","AZR-000402"]},{"location":"en/rules/Azure.ACR.GeoReplica/","title":"Geo-replicate container images","text":"Azure.ACR.GeoReplicaAZR-000004Error

    Reliability \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    Use geo-replicated container registries to compliment a multi-region container deployments.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#description","title":"Description","text":"

    A container registry is stored and maintained by default in a single region. Optionally geo-replication to one or more additional regions can be enabled.

    Geo-replicating container registries provides the following benefits:

    • Single registry/ image/ tag names can be used across multiple regions.
    • Network-close registry access within the region reduces latency.
    • As images are pulled from a local replicated registry, each pull does not incur additional egress costs.
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#recommendation","title":"Recommendation","text":"

    Consider using a geo-replicated container registry for multi-region deployments.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable geo-replication for Container Registries that pass this rule:

    • Set sku.name to Premium (required for geo-replication).
    • Add replications child resource with location set to the region to replicate to.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"_generator\": {\n\"name\": \"bicep\",\n\"version\": \"0.5.6.12127\",\n\"templateHash\": \"12610175857982700190\"\n}\n},\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"acrAdminUserEnabled\": {\n\"type\": \"bool\",\n\"defaultValue\": false,\n\"metadata\": {\n\"description\": \"Enable admin user that has push / pull permission to the registry.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\n\"Premium\"\n],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry. 
Geo-replication requires Premium SKU.\"\n}\n},\n\"acrReplicaLocation\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"Short name for registry replica location.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n},\n\"properties\": {\n\"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n}\n},\n{\n\"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n\"location\": \"[parameters('acrReplicaLocation')]\",\n\"properties\": {},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n]\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set sku.name to Premium (required for geo-replication).
    • Add replications child resource with location set to the region to replicate to.

    For example:

    Azure Bicep snippet
    resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.GeoReplica/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Geo-replicate multi-region deployments
    • Geo-replication in Azure Container Registry
    • Tutorial: Prepare a geo-replicated Azure container registry
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"en/rules/Azure.ACR.ImageHealth/","title":"Remove vulnerable container images","text":"Azure.ACR.ImageHealthAZR-000003Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    Remove container images with known vulnerabilities.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#description","title":"Description","text":"

    When Microsoft Defender for container registries is enabled, Microsoft Defender scans container images. Container images are scanned for known vulnerabilities and marked as healthy or unhealthy. Vulnerable container images should not be used.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#recommendation","title":"Recommendation","text":"

    Consider using removing container images with known vulnerabilities.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.ImageHealth/#links","title":"Links","text":"
    • Review and remediate recommendations
    • Introduction to Azure Defender for container registries
    • Overview of Microsoft Defender for Containers
    • Secure the images and run time
    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"en/rules/Azure.ACR.MinSku/","title":"Use ACR production SKU","text":"Azure.ACR.MinSkuAZR-000006Error

    Reliability \u00b7 Container Registry \u00b7 Rule \u00b7 2020_06

    ACR should use the Premium or Standard SKU for production deployments.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#description","title":"Description","text":"

    Azure Container Registry (ACR) provides a range of different service tiers (also known as SKUs). These service tiers provide different levels of performance and features.

    Three service tiers are available: Basic, Standard, and Premium. Basic container registries are only recommended for non-production deployments. Use a minimum of Standard for production container registries.

    The Premium SKU provides higher image throughput and included storage, and is required for:

    • Geo-replication
    • Availability zones
    • Private Endpoints
    • Firewall restrictions
    • Tokens and scope-maps
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#recommendation","title":"Recommendation","text":"

    Consider using the Premium Container Registry SKU for production deployments.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#examples","title":"Examples","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy registries that pass this rule:

    • Set the sku.name property to Premium or Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy registries that pass this rule:

    • Set the sku.name property to Premium or Standard.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.MinSku/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Container Registry SKUs
    • Geo-replication in Azure Container Registry
    • Best practices for Azure Container Registry
    • Azure deployment reference
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"en/rules/Azure.ACR.Name/","title":"Use valid registry names","text":"Azure.ACR.NameAZR-000007Error

    Operational Excellence \u00b7 Container Registry \u00b7 Rule \u00b7 2020_06

    Container registry names should meet naming requirements.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for container registry names are:

    • Between 5 and 50 characters long.
    • Alphanumerics.
    • Container registry names must be globally unique.
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet container registry naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#examples","title":"Examples","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    You can ensure that the acrName parameter meets naming requirements by using the minLength and maxLength parameter properties. You can also use the uniqueString() function to help ensure the name is globally unique.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\n\"Standard\",\n\"Premium\"\n],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n}\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    You can ensure that the acrName parameter meets naming requirements by using the @minLength and @maxLength parameter decorators. You can also use the uniqueString() function to help ensure the name is globally unique.

    For example:

    Azure Bicep snippet
    @description('Globally unique name of your Azure Container Registry')\n@minLength(5)\n@maxLength(50)\nparam acrName string = 'acr${uniqueString(resourceGroup().id)}'\n\n@description('Location for registry home replica.')\nparam location string = resourceGroup().location\n\n@description('Tier of your Azure Container Registry. Geo-replication requires Premium SKU.')\n@allowed([\n  'Standard'\n  'Premium'\n])\nparam acrSku string = 'Premium'\n\nresource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: acrSku\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n}\n\noutput acrLoginServer string = containerRegistry.properties.loginServer\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#notes","title":"Notes","text":"

    This rule does not check if container registry names are unique.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"en/rules/Azure.ACR.Quarantine/","title":"Use container image quarantine pattern","text":"Azure.ACR.QuarantineAZR-000008Error

    Security \u00b7 Container Registry \u00b7 Rule \u00b7 Preview \u00b7 2020_12

    Enable container image quarantine, scan, and mark images as verified.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#description","title":"Description","text":"

    Image quarantine is a configurable option for Azure Container Registry (ACR). When enabled, images pushed to the container registry are not available by default. Each image must be verified and marked as Passed before it is available to pull.

    To verify container images, integrate with an external security tool that supports this feature.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#recommendation","title":"Recommendation","text":"

    Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#examples","title":"Examples","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.quarantinePolicy.status to enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.quarantinePolicy.status to enabled.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#notes","title":"Notes","text":"

    Image quarantine for Azure Container Registry is currently in preview.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Quarantine/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • How do I enable automatic image quarantine for a registry?
    • Quarantine Pattern
    • Secure the images and run time
    • Azure deployment reference
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"en/rules/Azure.ACR.Retention/","title":"Configure ACR retention policies","text":"Azure.ACR.RetentionAZR-000010Error

    Cost Optimization \u00b7 Container Registry \u00b7 Rule \u00b7 Preview \u00b7 2020_12

    Use a retention policy to cleanup untagged manifests.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#description","title":"Description","text":"

    Retention policy is a configurable option of Premium Azure Container Registry (ACR). When a retention policy is configured, untagged manifests in the registry are automatically deleted. A manifest becomes untagged when a more recent image is pushed using the same tag, for example latest.

    The retention policy (in days) can be set to 0-365. The default is 7 days.

    To configure a retention policy, the container registry must be using a Premium SKU.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#recommendation","title":"Recommendation","text":"

    Consider enabling a retention policy for untagged manifests.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#examples","title":"Examples","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.retentionPolicy.status to enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Registries that pass this rule:

    • Set properties.retentionPolicy.status to enabled.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#notes","title":"Notes","text":"

    Retention policies for Azure Container Registry are currently in preview.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.Retention/#links","title":"Links","text":"
    • Scalable storage
    • Set a retention policy for untagged manifests
    • Lock a container image in an Azure container registry
    • Azure deployment reference
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"en/rules/Azure.ACR.SoftDelete/","title":"Use ACR soft delete policy","text":"Azure.ACR.SoftDeleteAZR-000310Error

    Reliability \u00b7 Container Registry \u00b7 Rule \u00b7 Preview \u00b7 2022_09

    Azure Container Registries should have soft delete policy enabled.

    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#description","title":"Description","text":"

    Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.

    This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.

    Once you enable the soft delete policy, ACR retains deleted artifacts as soft deleted artifacts for the set retention period. You can then list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are automatically purged.

    Current preview limitations:

    • ACR currently doesn't support manually purging soft deleted artifacts.
    • The soft delete policy doesn't support a geo-replicated registry.
    • ACR doesn't allow enabling both the retention policy and the soft delete policy. See retention policy for untagged manifests.
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#recommendation","title":"Recommendation","text":"

    Azure Container Registries should have soft delete enabled to enable recovery of accidentally deleted artifacts.

    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an Azure Container Registry that passes this rule:

    • Set the properties.policies.softDeletePolicy.status property to enabled. Because ACR currently does not allow the retention policy and the soft delete policy to be enabled at the same time (see the preview limitations above), leave properties.policies.retentionPolicy disabled when enabling soft delete; note that the example below enables both policies and must be adjusted accordingly.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2023-01-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"days\": 30,\n\"status\": \"enabled\"\n},\n\"softDeletePolicy\": {\n\"retentionDays\": 90,\n\"status\": \"enabled\"\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an Azure Container Registry that passes this rule:

    • Set the properties.policies.softDeletePolicy.status property to enabled. Because ACR currently does not allow the retention policy and the soft delete policy to be enabled at the same time (see the preview limitations above), leave properties.policies.retentionPolicy disabled when enabling soft delete; note that the example below enables both policies and must be adjusted accordingly.

    For example:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        days: 30\n        status: 'enabled'\n      }\n      softDeletePolicy: {\n        retentionDays: 90\n        status: 'enabled'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az acr config soft-delete update -r '<name>' --days 90 --status enabled\n
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.SoftDelete/#links","title":"Links","text":"
    • Data Management for Reliability
    • Azure Container Registry (ACR) soft delete policy
    • Azure Container Registry service tiers
    • Policy for untagged manifests
    • Azure deployment reference
    ","tags":["Azure.ACR.SoftDelete","AZR-000310"]},{"location":"en/rules/Azure.ACR.Usage/","title":"Container registry storage usage","text":"Azure.ACR.UsageAZR-000001Error

    Cost Optimization \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    Regularly remove deprecated and unneeded images to reduce storage usage.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#description","title":"Description","text":"

    Each ACR SKU has an amount of included storage. When the amount of included storage is exceeded, additional storage costs per GiB are accrued.

    It is good practice to regularly clean up orphaned (or dangling) images. These images are a result of pushing updated images with the same tag.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing deprecated and unneeded images to reduce storage consumption. Also consider upgrading to the Premium SKU for Basic or Standard registries to increase included storage.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ACR.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Azure Container Registry service tiers
    • Scalable storage
    • Manage registry size
    • Delete container images in Azure Container Registry using the Azure CLI
    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"en/rules/Azure.ADX.DiskEncryption/","title":"Use disk encryption for Azure Data Explorer clusters","text":"Azure.ADX.DiskEncryptionAZR-000013Error

    Security \u00b7 Data Explorer \u00b7 Rule \u00b7 2022_03

    Use disk encryption for Azure Data Explorer (ADX) clusters.

    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#description","title":"Description","text":"

    Azure Storage is encrypted at rest by default; however, the compute resources of a cluster can additionally use disk encryption. Disk encryption provides an additional layer of protection for data at rest on the cluster's disks.

    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#recommendation","title":"Recommendation","text":"

    Consider enabling disk encryption on Azure Data Explorer clusters.

    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#examples","title":"Examples","text":"","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set properties.enableDiskEncryption to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Kusto/clusters\",\n\"apiVersion\": \"2021-08-27\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D11_v2\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"enableDiskEncryption\": true\n}\n}\n
    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set properties.enableDiskEncryption to true.

    For example:

    Azure Bicep snippet
    resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n
    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.DiskEncryption/#links","title":"Links","text":"
    • Data encryption in Azure
    • Secure your cluster using Disk Encryption in Azure Data Explorer
    • Azure deployment reference
    ","tags":["Azure.ADX.DiskEncryption","AZR-000013"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/","title":"Use managed identities for Data Explorer clusters","text":"Azure.ADX.ManagedIdentityAZR-000012Error

    Security \u00b7 Data Explorer \u00b7 Rule \u00b7 2022_03

    Configure Data Explorer clusters to use managed identities to access Azure resources securely.

    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#description","title":"Description","text":"

    A managed identity allows your cluster to access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

    Using Azure managed identities has the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Kusto/clusters\",\n\"apiVersion\": \"2021-08-27\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D11_v2\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"enableDiskEncryption\": true\n}\n}\n
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities overview
    • Configure managed identities for your Azure Data Explorer cluster
    • Managed identities for Azure resources
    • Azure deployment reference
    ","tags":["Azure.ADX.ManagedIdentity","AZR-000012"]},{"location":"en/rules/Azure.ADX.SLA/","title":"Use an SLA for Azure Data Explorer clusters","text":"Azure.ADX.SLAAZR-000014Error

    Reliability \u00b7 Data Explorer \u00b7 Rule \u00b7 2022_03

    Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.

    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#description","title":"Description","text":"

    When choosing a SKU for an ADX cluster you should consider the SLA that is included with the SKU. ADX clusters are available in a range of SKUs. Development SKUs are designed for early non-production use and do not include an SLA.

    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#recommendation","title":"Recommendation","text":"

    Consider using a production-ready SKU that includes an SLA.

    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#examples","title":"Examples","text":"","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set sku.tier to Standard.
    • Set sku.name to a non-development SKU such as Standard_D11_v2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Kusto/clusters\",\n\"apiVersion\": \"2021-08-27\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D11_v2\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"enableDiskEncryption\": true\n}\n}\n
    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set sku.tier to Standard.
    • Set sku.name to a non-development SKU such as Standard_D11_v2.

    For example:

    Azure Bicep snippet
    resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_D11_v2'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    enableDiskEncryption: true\n  }\n}\n
    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.SLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Data Explorer pricing
    • Azure deployment reference
    ","tags":["Azure.ADX.SLA","AZR-000014"]},{"location":"en/rules/Azure.ADX.Usage/","title":"Remove unused Data Explorer clusters","text":"Azure.ADX.UsageAZR-000011Error

    Cost Optimization \u00b7 Data Explorer \u00b7 Rule \u00b7 2022_03

    Regularly remove unused resources to reduce costs.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#description","title":"Description","text":"

    Billing starts for an Azure Data Explorer (ADX) cluster after it is provisioned. To store data in an ADX cluster, you must first create a database. Clusters without any databases are considered unused.

    Additionally, ADX clusters can be stopped. Stopping an ADX cluster deallocates and removes compute resources. While in the stopped state, compute charges are not incurred. Any data stored in the cluster is persisted while the cluster is stopped.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing Data Explorer clusters that are not used.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing ADX clusters deployed (in-flight) and running within Azure. If the cluster is stopped, this rule is ignored.

    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.ADX.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Pricing
    • Stop and restart the cluster
    • Automatic stop of inactive Azure Data Explorer clusters
    ","tags":["Azure.ADX.Usage","AZR-000011"]},{"location":"en/rules/Azure.AKS.AuditLogs/","title":"AKS clusters should collect security-based audit logs","text":"Azure.AKS.AuditLogsAZR-000022Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_09

    AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.

    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#description","title":"Description","text":"

    To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled:

    • kube-audit or kube-audit-admin, or both.
      • kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post.
      • kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log. Because read operations are excluded, use kube-audit if read access to sensitive objects (for example, Secrets) must be recorded.
    • guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out.
    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to capture security-based audit logs from AKS clusters.

    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the kube-audit/kube-audit-admin and guard categories.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n},\n\"resources\": [\n{\n\"apiVersion\": \"2016-09-01\",\n\"type\": 
\"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n\"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"kube-audit\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"kube-audit-admin\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"guard\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n],\n\"metrics\": []\n}\n}\n]\n}\n
    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Monitoring AKS data reference
    • Collect resource logs
    • Template reference
    ","tags":["Azure.AKS.AuditLogs","AZR-000022"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/","title":"Restrict access to AKS API server endpoints","text":"Azure.AKS.AuthorizedIPsAZR-000030Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_06

    Restrict access to API server endpoints to authorized IP addresses.

    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#description","title":"Description","text":"

    In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities.

    All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges.

    Restricting authorized IP addresses for the API server as the following limitations:

    • Requires AKS clusters configured with a Standard Load Balancer SKU.
    • This feature is not compatible with clusters that use Public IP per Node.

    When configuring this feature you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32.

    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#recommendation","title":"Recommendation","text":"

    Consider restricting network traffic to the API server endpoints to trusted IP addresses. Include output IP addresses for cluster nodes and any range where administration will occur from.

    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#examples","title":"Examples","text":"","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --api-server-authorized-ip-ranges '0.0.0.0/32'\n
    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AuthorizedIPs/#links","title":"Links","text":"
    • Network security
    • Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)
    • Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.AuthorizedIPs","AZR-000030"]},{"location":"en/rules/Azure.AKS.AutoScaling/","title":"Enable AKS cluster autoscaler","text":"Azure.AKS.AutoScalingAZR-000019Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_09

    Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present.

    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#description","title":"Description","text":"

    In addition to perform manual scaling, AKS clusters support autoscaling. Autoscaling reduces manual intervention required to scale a cluster to keep up with application demands.

    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#recommendation","title":"Recommendation","text":"

    Consider enabling autoscaling for AKS clusters deployed with virtual machine scale sets.

    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set enable autoscaling for an AKS cluster:

    • Set properties.agentPoolProfiles[*].enableAutoScaling to true.
    • Set properties.agentPoolProfiles[*].type to VirtualMachineScaleSets.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-autoscaler","title":"Enable cluster autoscaler","text":"Azure CLI snippet
    az aks update \\\n--name '<name>' \\\n--resource-group '<resource_group>' \\\n--enable-cluster-autoscaler \\\n--min-count '<min_count>' \\\n--max-count '<max_count>'\n
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#enable-cluster-nodepool-autoscaler","title":"Enable cluster nodepool autoscaler","text":"Azure CLI snippet
    az aks nodepool update \\\n--name '<name>' \\\n--resource-group '<resource_group>' \\\n--cluster-name '<cluster_name>' \\\n--enable-cluster-autoscaler \\\n--min-count '<min_count>' \\\n--max-count '<max_count>'\n
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoScaling/#links","title":"Links","text":"
    • Autoscale with Azure compute services
    • Autoscaling
    • Automatically scale a cluster to meet application demands on Azure Kubernetes Service (AKS)
    • Scaling options for applications in Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.AutoScaling","AZR-000019"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/","title":"Set AKS auto-upgrade channel","text":"Azure.AKS.AutoUpgradeAZR-000036Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_12

    Configure AKS to automatically upgrade to newer supported AKS versions as they are made available.

    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#description","title":"Description","text":"

    In additional to performing manual upgrades, AKS supports auto-upgrades. Auto-upgrades reduces manual intervention required to maintain an AKS cluster.

    To configure auto-upgrades select a release channel instead of the default none. The following release channels are available:

    • none - Disables auto-upgrades. The default setting.
    • patch - Automatically upgrade to the latest supported patch version of the current minor version.
    • stable - Automatically upgrade to the latest supported patch release of the recommended minor version. This is N-1 of the current AKS non-preview minor version.
    • rapid - Automatically upgrade to the latest supported patch of the latest support minor version.
    • node-image - Automatically upgrade to the latest node image version. Normally upgraded weekly.
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#recommendation","title":"Recommendation","text":"

    Consider enabling auto-upgrades for AKS clusters by setting an auto-upgrade channel.

    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#examples","title":"Examples","text":"","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to an upgrade channel such as stable.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to an upgrade channel such as stable.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'\n
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AutoUpgrade/#links","title":"Links","text":"
    • Automation overview
    • Supported Kubernetes versions in Azure Kubernetes Service
    • Support policies for Azure Kubernetes Service
    • Set auto-upgrade channel
    • Azure deployment reference
    ","tags":["Azure.AKS.AutoUpgrade","AZR-000036"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/","title":"AKS clusters should use Availability zones in supported regions","text":"Azure.AKS.AvailabilityZoneAZR-000021Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_09

    AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.

    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#description","title":"Description","text":"

    AKS clusters using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.

    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for AKS clusters deployed with virtual machine scale sets.

    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"availabilityZones\" is null, [] or not set when the AKS cluster is deployed to a virtual machine scale set and there are supported availability zones for the given region.

    Configure AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Compute and resource type virtualMachineScaleSets.

    # YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for an AKS cluster:

    • Set properties.agentPoolProfiles[*].availabilityZones to any or all of [\"1\", \"2\", \"3\"].
    • Set properties.agentPoolProfiles[*].type to VirtualMachineScaleSets.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\",\n\"availabilityZones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#create-aks-cluster-in-zone-1-2-and-3","title":"Create AKS Cluster in Zone 1, 2 and 3","text":"Azure CLI snippet
    az aks create \\\n--resource-group '<resource_group>' \\\n--name '<cluster_name>' \\\n--generate-ssh-keys \\\n--vm-set-type VirtualMachineScaleSets \\\n--load-balancer-sku standard \\\n--node-count '<node_count>' \\\n--zones 1 2 3\n
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Create an Azure Kubernetes Service (AKS) cluster that uses availability zones
    • Use zone-aware services
    ","tags":["Azure.AKS.AvailabilityZone","AZR-000021"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/","title":"Use Azure Policy Add-on with AKS clusters","text":"Azure.AKS.AzurePolicyAddOnAZR-000028Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_12

    Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.

    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#description","title":"Description","text":"

    AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints.

    Examples of policies include:

    • Enforce HTTPS ingress in Kubernetes cluster.
    • Do not allow privileged containers in Kubernetes cluster.
    • Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster.
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#recommendation","title":"Recommendation","text":"

    Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.

    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.addonProfiles.azurepolicy.enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.addonProfiles.azurepolicy.enabled to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#notes","title":"Notes","text":"

    Azure Policy for AKS clusters is generally available (GA). Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.

    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzurePolicyAddOn/#links","title":"Links","text":"
    • Governance, risk, and compliance
    • Understand Azure Policy for Kubernetes clusters
    • Secure your cluster with Azure Policy
    • Azure deployment reference
    ","tags":["Azure.AKS.AzurePolicyAddOn","AZR-000028"]},{"location":"en/rules/Azure.AKS.AzureRBAC/","title":"Use Azure RBAC for Kubernetes Authorization","text":"Azure.AKS.AzureRBACAZR-000032Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_06

    Use Azure RBAC for Kubernetes Authorization with AKS clusters.

    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#description","title":"Description","text":"

    Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.

    • Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.
    • Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.

    Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM).

    When Azure RBAC is enabled:

    • Azure AD principals will be validated exclusively by Azure RBAC.
    • Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#recommendation","title":"Recommendation","text":"

    Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.

    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#examples","title":"Examples","text":"","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.aadProfile.enableAzureRBAC to true.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --enable-azure-rbac\n
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.AzureRBAC/#links","title":"Links","text":"
    • Authorization with Azure AD
    • Use Azure RBAC for Kubernetes Authorization
    • Access and identity options for Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.AzureRBAC","AZR-000032"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/","title":"AKS clusters using Azure CNI should use large subnets","text":"Azure.AKS.CNISubnetSizeAZR-000020Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_09

    AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.

    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#description","title":"Description","text":"

    In addition to kubenet, AKS clusters support Azure Container Networking Interface (CNI). This enables every pod to be accessed directly from the subnet via an IP address. Each node supports a maximum number of pods, which are reserved as IP addresses. This approach requires more capacity planning ahead of time, and can result in IP address exhaustion or the need to rebuild AKS clusters into larger subnets as application workloads begin to grow.

    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#recommendation","title":"Recommendation","text":"

    Consider allocating a larger subnet (/23 or bigger) to your AKS cluster.

    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using Export in-flight resource data.

    This rule fails when the CNI subnet size is smaller than /23.

    Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to set the minimum AKS CNI cluster subnet size.

    # YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n
    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.CNISubnetSize/#links","title":"Links","text":"
    • Plan for growth
    • Configure Azure CNI networking in Azure Kubernetes Service (AKS)
    • Use kubenet networking with your own IP address ranges in Azure Kubernetes Service (AKS)
    • Tutorial: Configure Azure CNI networking in Azure Kubernetes Service (AKS) using Ansible
    ","tags":["Azure.AKS.CNISubnetSize","AZR-000020"]},{"location":"en/rules/Azure.AKS.ContainerInsights/","title":"Enable AKS Container insights","text":"Azure.AKS.ContainerInsightsAZR-000041Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_09

    Enable Container insights to monitor AKS cluster workloads.

    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#description","title":"Description","text":"

    With Container insights, you can use performance charts and health status to monitor AKS clusters, nodes and pods. Container insights delivers quick, visual and actionable information: from the CPU and memory pressure of your nodes to the logs of individual Kubernetes pods.

    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#recommendation","title":"Recommendation","text":"

    Consider enabling Container insights for AKS clusters. Monitoring containers is critical, especially when running production AKS clusters at scale with multiple applications.

    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#examples","title":"Examples","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Container insights for an AKS cluster:

    • Set properties.addonProfiles.omsAgent.enabled to true.
    • Set Log Analytics workspace ID with properties.addonProfiles.omsAgent.config.logAnalyticsWorkspaceResourceID.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-default-log-analytics-workspace","title":"Enable for default Log Analytics workspace","text":"Azure CLI snippet
    az aks enable-addons \\\n--addons monitoring \\\n--name '<cluster_name>' \\\n--resource-group '<cluster_resource_group>'\n
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#enable-for-an-existing-log-analytics-workspace","title":"Enable for an existing Log Analytics workspace","text":"Azure CLI snippet
    az aks enable-addons \\\n--addons monitoring \\\n--name '<cluster_name>' \\\n--resource-group '<cluster_resource_group>' \\\n--workspace-resource-id '<workspace_id>'\n
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.ContainerInsights/#links","title":"Links","text":"
    • Container Insights
    • Monitor your Kubernetes cluster performance with Container insights
    • Container insights overview
    • Enable monitoring of a new Azure Kubernetes Service (AKS) cluster
    • Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed
    • Azure deployment reference
    ","tags":["Azure.AKS.ContainerInsights","AZR-000041"]},{"location":"en/rules/Azure.AKS.DNSPrefix/","title":"Use valid AKS cluster DNS prefix","text":"Azure.AKS.DNSPrefixAZR-000040Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.

    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#description","title":"Description","text":"

    The DNS prefix for AKS clusters has different requirements then the cluster name. The requirements for DNS prefixes are:

    • Between 1 and 54 characters long.
    • Alphanumerics and hyphens.
    • Start and end with alphanumeric.
    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#recommendation","title":"Recommendation","text":"

    Consider using a DNS prefix that meets naming requirements.

    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DNSPrefix/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.AKS.DNSPrefix","AZR-000040"]},{"location":"en/rules/Azure.AKS.DefenderProfile/","title":"Enable Defender profile","text":"Azure.AKS.DefenderProfileAZR-000370Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2023_03

    Enable the Defender profile with Azure Kubernetes Service (AKS) cluster.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#description","title":"Description","text":"

    To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters.

    These components are installed when the Defender profile is enabled on the cluster.

    The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#recommendation","title":"Recommendation","text":"

    Consider enabling the Defender profile with Azure Kubernetes Service (AKS) cluster.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#examples","title":"Examples","text":"","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable the Defender profile with Azure Kubernetes Service clusters:

    • Set the properties.securityProfile.defender.securityMonitoring.enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-01-02-preview\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityProfile\": {\n\"defender\": {\n\"logAnalyticsWorkspaceResourceId\": \"[parameters('logAnalyticsWorkspaceResourceId')]\",\n\"securityMonitoring\": {\n\"enabled\": true\n}\n}\n}\n}\n}\n
    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable the Defender profile with Azure Kubernetes Service clusters:

    • Set the properties.securityProfile.defender.securityMonitoring.enabled to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2023-01-02-preview' = {\n  location: location\n  name: clusterName\n  properties: {\n    securityProfile: {\n      defender: {\n        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId\n        securityMonitoring: {\n          enabled: true\n        }\n      }\n    }\n  } \n}\n
    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#notes","title":"Notes","text":"

    Outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events is required.

    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.DefenderProfile/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for Containers
    • Defender for Containers architecture
    • Deploy the Defender profile
    • Required FQDN / application rules
    • Azure deployment reference
    ","tags":["Azure.AKS.DefenderProfile","AZR-000370"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/","title":"Use AKS Ephemeral OS disk","text":"Azure.AKS.EphemeralOSDiskAZR-000287Warning

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2022_09

    AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.

    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#description","title":"Description","text":"

    By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss if the VM needs to be relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency.

    By contrast, ephemeral OS disks are stored only on the host machine, just like a temporary disk. This provides lower read/write latency, along with faster node scaling and cluster upgrades.

    Like the temporary disk, an ephemeral OS disk is included in the price of the virtual machine, so you incur no additional storage costs.

    NB: When a user does not explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given node pool configuration. The rule is therefore configured with -Level Warning as it can give inaccurate information.

    When using ephemeral OS, the OS disk must fit in the VM cache. The sizes for VM cache are available in the Azure documentation in parentheses next to IO throughput (\"cache size in GiB\").

    Examples:

    • Using the AKS default VM size Standard_DS2_v2 with the default OS disk size of 100GB as an example, this VM size supports ephemeral OS but only has 86GB of cache size. This configuration would default to managed disks if the user does not specify explicitly. If a user explicitly requested ephemeral OS, they would receive a validation error.
    • If a user requests the same Standard_DS2_v2 with a 60GB OS disk, this configuration would default to ephemeral OS: the requested size of 60GB is smaller than the maximum cache size of 86GB.
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#recommendation","title":"Recommendation","text":"

    AKS clusters should use ephemeral OS disks.

    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#examples","title":"Examples","text":"","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an AKS cluster that pass this rule:

    • Set properties.agentPoolProfiles.osDiskType to Ephemeral.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2022-06-02-preview\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Basic\",\n\"tier\": \"Paid\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"agentpool\",\n\"osDiskSizeGB\": 60,\n\"count\": \"[parameters('agentCount')]\",\n\"vmSize\": \"[parameters('agentVMSize')]\",\n\"osDiskType\": \"Ephemeral\",\n\"osType\": \"Linux\",\n\"mode\": \"System\"\n}\n],\n\"linuxProfile\": {\n\"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n\"ssh\": {\n\"publicKeys\": [\n{\n\"keyData\": \"[parameters('sshRSAPublicKey')]\"\n}\n]\n}\n}\n}\n}\n

    To deploy an AKS agent pool that pass this rule:

    • Set properties.osDiskType to Ephemeral.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters/agentPools\",\n\"apiVersion\": \"2022-07-01\",\n\"name\": \"[format('{0}/{1}', parameters('clusterName'), variables('poolName'))]\",\n\"properties\": {\n\"count\": \"[variables('minCount')]\",\n\"vmSize\": \"[variables('vmSize')]\",\n\"osDiskSizeGB\": 60,\n\"osType\": \"Linux\",\n\"osDiskType\": \"Ephemeral\",\n\"maxPods\": 50,\n\"mode\": \"User\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an AKS cluster that pass this rule:

    • Set properties.agentPoolProfiles.osDiskType to Ephemeral.

    For example:

    Azure Bicep snippet
    resource aks 'Microsoft.ContainerService/managedClusters@2022-06-02-preview' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Paid'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: 60\n        count: agentCount\n        vmSize: agentVMSize\n        osDiskType: 'Ephemeral'\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n

    To deploy an AKS agent pool that pass this rule:

    • Set properties.osDiskType to Ephemeral.

    For example:

    Azure Bicep snippet
    resource userPool 'Microsoft.ContainerService/managedClusters/agentPools@2022-07-01' = {\n  parent: cluster\n  name: poolName\n  properties: {\n    count: minCount\n    vmSize: vmSize\n    osDiskSizeGB: 60\n    osType: 'Linux'\n    osDiskType: 'Ephemeral'\n    maxPods: 50\n    mode: 'User'\n  }\n}\n
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.EphemeralOSDisk/#links","title":"Links","text":"
    • Performance efficiency checklist
    • Azure Kubernetes Service (AKS) Ephemeral OS
    • Azure deployment reference (managedclusters)
    • Azure deployment reference (agentpools)
    ","tags":["Azure.AKS.EphemeralOSDisk","AZR-000287"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/","title":"Disable HTTP application routing add-on","text":"Azure.AKS.HttpAppRoutingAZR-000035Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_12

    Disable HTTP application routing add-on in AKS clusters.

    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#description","title":"Description","text":"

    The HTTP application routing add-on is designed to quickly expose HTTP endpoints to the public internet. This may be helpful in some limited scenarios, but should not be used in production.

    When exposing application endpoints consider using an ingress controller that supports:

    • Security filtering behind web application firewall (WAF).
    • Encyption in transit over TLS.
    • Multiple replicas.

    Azure provides a production ready ingress controller Application Gateway Ingress Controller (AGIC).

    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#recommendation","title":"Recommendation","text":"

    Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.

    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#examples","title":"Examples","text":"","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.httpApplicationRouting.enabled to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.httpApplicationRouting.enabled to false.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.HttpAppRouting/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • HTTP application routing
    • Enable Application Gateway Ingress Controller add-on for an existing AKS cluster
    • Azure deployment reference
    ","tags":["Azure.AKS.HttpAppRouting","AZR-000035"]},{"location":"en/rules/Azure.AKS.LocalAccounts/","title":"Disable AKS local accounts","text":"Azure.AKS.LocalAccountsAZR-000031Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 Preview \u00b7 2021_06

    Enforce named user accounts with RBAC assigned permissions.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#description","title":"Description","text":"

    AKS clusters support Role-based Access Control (RBAC). RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.

    Additionally some default cluster local account credentials are enabled by default. When enabled, an identity with permissions can perform cluster actions using local account credentials. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts.

    In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '<resource-group>' -n '<cluster-name>' --admin will fail.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#recommendation","title":"Recommendation","text":"

    Consider enforcing usage of named accounts by disabling local Kubernetes account credentials.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#examples","title":"Examples","text":"","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.disableLocalAccounts to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.disableLocalAccounts to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-object-ids '<aad-group-id>' --disable-local\n
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#notes","title":"Notes","text":"

    This Azure feature is currently in preview. To use this feature you must first opt-in by registering the feature on a per-subscription basis.

    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.LocalAccounts/#links","title":"Links","text":"
    • Authorization with Azure AD
    • Security design principles
    • Disable local accounts (preview)
    • Access and identity options for Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.LocalAccounts","AZR-000031"]},{"location":"en/rules/Azure.AKS.ManagedAAD/","title":"Enable AKS-managed Azure AD","text":"Azure.AKS.ManagedAADAZR-000029Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_06

    Use AKS-managed Azure AD to simplify authorization and improve security.

    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#description","title":"Description","text":"

    AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD.

    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#recommendation","title":"Recommendation","text":"

    Consider configuring AKS-managed Azure AD integration for AKS clusters.

    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#examples","title":"Examples","text":"","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.aadProfile.managed to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.aadProfile.managed to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-object-ids '<group_id>'\n
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedAAD/#links","title":"Links","text":"
    • Authorization with Azure AD
    • Security design principles
    • Access and identity options for Azure Kubernetes Service (AKS)
    • AKS-managed Azure Active Directory integration
    • Azure deployment reference
    ","tags":["Azure.AKS.ManagedAAD","AZR-000029"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/","title":"Use managed identities for AKS cluster authentication","text":"Azure.AKS.ManagedIdentityAZR-000025Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Configure AKS clusters to use managed identities for managing cluster infrastructure.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#description","title":"Description","text":"

    During the lifecycle of an AKS cluster, the control plane configures a number of Azure resources. This includes node pools, networking, storage and other supporting services.

    When making calls against the Azure REST APIs, an identity must be used to authenticate requests. The type of identity the control plane will use is configurable at cluster creation. Either a service principal or system-assigned managed identity can be used.

    By default, service principal credentials are valid for one year. They must be rotated before expiry to prevent outages, and you can update or rotate the service principal credentials at any time.

    Using a system-assigned managed identity abstracts the process of managing a service principal. The managed identity is automatically created/removed with the cluster. Managed identities also reduce maintenance (and improve security) by automatically rotating credentials, so there is no client secret to store, distribute or leak.

    Separately, applications within an AKS cluster may use managed identities with AAD Pod Identity (since deprecated in favor of Azure AD Workload Identity).

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider using managed identities during AKS cluster creation. Additionally, consider redeploying the AKS cluster with managed identities instead of service principals.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#notes","title":"Notes","text":"

    AKS clusters cannot be updated to use managed identities for cluster infrastructure after deployment.

    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Use managed identities in Azure Kubernetes Service
    • What are managed identities for Azure resources?
    • Azure deployment reference
    ","tags":["Azure.AKS.ManagedIdentity","AZR-000025"]},{"location":"en/rules/Azure.AKS.MinNodeCount/","title":"Azure.AKS.MinNodeCount","text":"Azure.AKS.MinNodeCountAZR-000024Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    AKS clusters should have a minimum number of nodes for failover and updates.

    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#description","title":"Description","text":"

    Kubernetes clusters should have a minimum of three (3) nodes for high availability and planned maintenance.

    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#recommendation","title":"Recommendation","text":"

    Use at least three (3) agent nodes. Consider deploying additional nodes as required to provide enough resiliency during node failures or planned maintenance.

    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.MinNodeCount/#links","title":"Links","text":"
    • Baseline architecture for an Azure Kubernetes Service (AKS) cluster
    • Create an AKS cluster
    • Azure deployment reference
    ","tags":["Azure.AKS.MinNodeCount","AZR-000024"]},{"location":"en/rules/Azure.AKS.Name/","title":"Use valid AKS cluster names","text":"Azure.AKS.NameAZR-000039Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Azure Kubernetes Service (AKS) cluster names should meet naming requirements.

    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for AKS cluster names are:

    • Between 1 and 63 characters long.
    • Alphanumerics, underscores, and hyphens.
    • Start and end with alphanumeric.
    • Cluster names must be unique within a resource group.
    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#notes","title":"Notes","text":"

    This rule does not check if cluster names are unique.

    The cluster DNS prefix has different naming requirements than the cluster name. The requirements for DNS prefixes are:

    • Between 1 and 54 characters long.
    • Alphanumerics and hyphens.
    • Start and end with alphanumeric.
    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.AKS.Name","AZR-000039"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/","title":"AKS clusters use Network Policies","text":"Azure.AKS.NetworkPolicyAZR-000027Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Deploy AKS clusters with Network Policies enabled.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#description","title":"Description","text":"

    AKS clusters provide a platform to host containerized workloads. The running of these applications or services is orchestrated by Kubernetes. Workloads may elastically scale or change network addressing.

    By default, all pods in an AKS cluster can send and receive traffic without limitations, so a compromised pod can reach any other pod in the cluster. Network Policy defines access policies for limiting network communication of pods. Using Network Policies allows network controls to be applied with the context of the workload.

    For improved security, define network policy rules to control the flow of traffic. For example, only permit backend components to receive traffic from frontend components.

    To use Network Policy it must be enabled at cluster deployment time. AKS supports two implementations of network policies, Azure Network Policies and Calico Network Policies. Azure Network Policies are supported by Azure support and engineering teams.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#recommendation","title":"Recommendation","text":"

    Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#examples","title":"Examples","text":"","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.networkProfile.networkPolicy to azure or calico.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"[parameters('upgradeChannel')]\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"[string(parameters('useSecretRotation'))]\"\n}\n},\n\"openServiceMesh\": {\n\"enabled\": \"[parameters('useOpenServiceMesh')]\"\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.networkProfile.networkPolicy to azure or calico.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: upgradeChannel\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: string(useSecretRotation)\n        }\n      }\n      openServiceMesh: {\n        enabled: useOpenServiceMesh\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#notes","title":"Notes","text":"

    Network Policy is a deployment time configuration. AKS clusters must be redeployed to enable Network Policy.

    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NetworkPolicy/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)
    • Best practices for network connectivity and security in Azure Kubernetes Service (AKS)
    • Network Policies
    • Azure deployment reference
    ","tags":["Azure.AKS.NetworkPolicy","AZR-000027"]},{"location":"en/rules/Azure.AKS.NodeMinPods/","title":"Nodes use a minimum number of pods","text":"Azure.AKS.NodeMinPodsAZR-000018Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Azure Kubernetes Service (AKS) nodes should use a minimum number of pods.

    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#description","title":"Description","text":"

    Node pools within an Azure Kubernetes Service (AKS) cluster support between 30 and 250 pods per node. The maximum number of pods for nodes within a node pool is set at deployment time.

    When deploying AKS clusters with kubenet networking the default maximum number of pods is 110. For Azure CNI AKS clusters, the default maximum number of pods is 30.

    In many environments, deploying DaemonSets for monitoring and management tools can exhaust the CNI default.

    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#recommendation","title":"Recommendation","text":"

    Consider deploying node pools with maxPods set to at least the configured minimum (50 by default), so the per-node pod limit is not exhausted by DaemonSets for monitoring and management tools.

    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#examples","title":"Examples","text":"","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].maxPods property to at least 50 by default.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 5,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\"\n},\n{\n\"name\": \"user\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 20,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"User\",\n\"osDiskType\": \"Ephemeral\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"oidcIssuerProfile\": {\n\"enabled\": true\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": 
true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"dependsOn\": [\n\"identity\"\n]\n}\n
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].maxPods property to at least 50 by default.

    For example:

    Azure Bicep snippet
    resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#notes","title":"Notes","text":"

    By default, this rule fails when node pools have maxPods set to less than 50.

    To configure this rule:

    • Override the Azure_AKSNodeMinimumMaxPods configuration value with the minimum maxPods.
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.NodeMinPods/#links","title":"Links","text":"
    • Plan for growth
    • Plan IP addressing for your cluster
    • Azure deployment reference
    ","tags":["Azure.AKS.NodeMinPods","AZR-000018"]},{"location":"en/rules/Azure.AKS.PlatformLogs/","title":"AKS clusters should collect platform diagnostic logs","text":"Azure.AKS.PlatformLogsAZR-000023Error

    Operational Excellence \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_09

    AKS clusters should collect platform diagnostic logs to monitor the state of workloads.

    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#description","title":"Description","text":"

    To capture platform logs from AKS clusters, the following diagnostic log/metric categories should be enabled:

    • cluster-autoscaler
      • Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster.
    • kube-apiserver
      • Logs from the Kubernetes API server.
    • kube-controller-manager
      • Gain deeper visibility of issues that may arise between Kubernetes and the Azure control plane. A typical example is the AKS cluster lacking permissions to interact with Azure.
    • kube-scheduler
      • Logs from the Kubernetes scheduler.
    • AllMetrics
      • Includes all platform metrics. Sends these values to Log Analytics workspace where it can be evaluated with other data using log queries.
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to capture platform logs from AKS clusters.

    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#notes","title":"Notes","text":"

    Configure AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST to enable selective log categories. By default all log categories are selected, as shown below.

    # YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['cluster-autoscaler', 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', 'AllMetrics']\n
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the cluster-autoscaler, kube-apiserver, kube-controller-manager, kube-scheduler and AllMetrics categories.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Azure Kubernetes Cluster\",\n\"apiVersion\": \"2020-12-01\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n],\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"location\": \"[parameters('location')]\",\n\"name\": \"[parameters('clusterName')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 32,\n\"count\": 3,\n\"minCount\": 3,\n\"maxCount\": 10,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D2s_v3\",\n\"osType\": \"Linux\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[variables('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\",\n\"scaleSetPriority\": \"Regular\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"Standard\",\n\"serviceCidr\": \"192.168.0.0/16\",\n\"dnsServiceIP\": \"192.168.0.4\",\n\"dockerBridgeCidr\": \"172.17.0.1/16\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n}\n}\n},\n\"resources\": [\n{\n\"apiVersion\": \"2016-09-01\",\n\"type\": 
\"Microsoft.ContainerService/managedClusters/providers/diagnosticSettings\",\n\"name\": \"[concat(parameters('clusterName'), '/Microsoft.Insights/service')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"kube-apiserver\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"kube-controller-manager\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"kube-scheduler\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"cluster-autoscaler\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n],\n\"metrics\": [\n{\n\"category\": \"AllMetrics\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PlatformLogs/#links","title":"Links","text":"
    • Platform Monitoring
    • Monitoring AKS data reference
    • Collect resource logs
    • Template reference
    ","tags":["Azure.AKS.PlatformLogs","AZR-000023"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/","title":"AKS clusters use VM scale sets","text":"Azure.AKS.PoolScaleSetAZR-000017Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Deploy AKS clusters with node pools based on VM scale sets.

    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#description","title":"Description","text":"

    When deploying AKS clusters, Azure node pool VMs can be deployed using Availability Sets or VM Scale Sets. New AKS clusters default to VM scale set node pools.

    Deploying AKS clusters with scale set node pools is required for some cluster features such as multiple node pools and cluster autoscaler.

    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#recommendation","title":"Recommendation","text":"

    Multiple node pools and the cluster autoscaler can be used to improve the scalability and performance of a cluster while minimizing cost.

    Using VM scale sets is a deployment time configuration. Consider redeploying the AKS cluster with VM Scale Sets instead of Availability Sets.

    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#examples","title":"Examples","text":"","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].type property to VirtualMachineScaleSets for each node pool.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"system\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 5,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"System\",\n\"osDiskType\": \"Ephemeral\"\n},\n{\n\"name\": \"user\",\n\"osDiskSizeGB\": 0,\n\"minCount\": 3,\n\"maxCount\": 20,\n\"enableAutoScaling\": true,\n\"maxPods\": 50,\n\"vmSize\": \"Standard_D4s_v5\",\n\"type\": \"VirtualMachineScaleSets\",\n\"vnetSubnetID\": \"[parameters('clusterSubnetId')]\",\n\"mode\": \"User\",\n\"osDiskType\": \"Ephemeral\"\n}\n],\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"oidcIssuerProfile\": {\n\"enabled\": true\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": 
true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"dependsOn\": [\n\"identity\"\n]\n}\n
    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the properties.agentPoolProfiles[].type property to VirtualMachineScaleSets for each node pool.

    For example:

    Azure Bicep snippet
    resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'system'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 5\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'System'\n        osDiskType: 'Ephemeral'\n      }\n      {\n        name: 'user'\n        osDiskSizeGB: 0\n        minCount: 3\n        maxCount: 20\n        enableAutoScaling: true\n        maxPods: 50\n        vmSize: 'Standard_D4s_v5'\n        type: 'VirtualMachineScaleSets'\n        vnetSubnetID: clusterSubnetId\n        mode: 'User'\n        osDiskType: 'Ephemeral'\n      }\n    ]\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolScaleSet/#links","title":"Links","text":"
    • Plan for growth
    • Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)
    • Scaling options for applications in Azure Kubernetes Service (AKS)
    • Azure deployment reference
    ","tags":["Azure.AKS.PoolScaleSet","AZR-000017"]},{"location":"en/rules/Azure.AKS.PoolVersion/","title":"Upgrade AKS node pool version","text":"Azure.AKS.PoolVersionAZR-000016Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    AKS node pools should match Kubernetes control plane version.

    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#description","title":"Description","text":"

    AKS supports multiple node pools. In a multi-node pool configuration, it is possible that the control plane and node pools could be running a different version of Kubernetes.

    Different versions of Kubernetes between the control plane and node pools is intended as a short term option to allow rolling upgrades. For general operation, the control plane and node pool Kubernetes versions should match.

    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#recommendation","title":"Recommendation","text":"

    Consider upgrading node pools to match AKS control plan version.

    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.PoolVersion/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Upgrade a cluster control plane with multiple node pools
    • Supported Kubernetes versions in Azure Kubernetes Service
    • Azure deployment reference
    ","tags":["Azure.AKS.PoolVersion","AZR-000016"]},{"location":"en/rules/Azure.AKS.SecretStore/","title":"AKS clusters use Key Vault to store secrets","text":"Azure.AKS.SecretStoreAZR-000033Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_12

    Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.

    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#description","title":"Description","text":"

    AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.

    The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation.

    Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal.

    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#recommendation","title":"Recommendation","text":"

    Consider deploying AKS clusters with the Secrets Store CSI Driver and store Secrets in Key Vault.

    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.enabled to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks enable-addons --addons azure-keyvault-secrets-provider -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStore/#links","title":"Links","text":"
    • Key and secret management considerations in Azure
    • Operational considerations
    • Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster
    • Automate the rotation of a secret for resources that use one set of authentication credentials
    • Automate the rotation of a secret for resources that have two sets of authentication credentials
    • Azure deployment reference
    ","tags":["Azure.AKS.SecretStore","AZR-000033"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/","title":"AKS clusters refresh secrets from Key Vault","text":"Azure.AKS.SecretStoreRotationAZR-000034Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2021_12

    Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.

    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#description","title":"Description","text":"

    AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod.

    When secrets are updated in Key Vault, pods may need to be restarted to pick up the new secrets. Enabling autorotation with the Secrets Store CSI Driver, automatically refreshed pods with new secrets. It does this by periodically polling for updates to the secrets in Key Vault. The default interval is every 2 minutes.

    The Secrets Store CSI Driver does not automatically change secrets in Key Vault. Updating the secrets in Key Vault must be done by an external process, such as an Azure Function.

    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#recommendation","title":"Recommendation","text":"

    Consider enabling autorotation of Secrets Store CSI Driver secrets for AKS clusters.

    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#examples","title":"Examples","text":"","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set Properties.addonProfiles.azureKeyvaultSecretsProvider.config.enableSecretRotation to true.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update --enable-secret-rotation -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.SecretStoreRotation/#links","title":"Links","text":"
    • Key and secret management considerations in Azure
    • Operational considerations
    • Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster
    • Automate the rotation of a secret for resources that use one set of authentication credentials
    • Automate the rotation of a secret for resources that have two sets of authentication credentials
    • Azure deployment reference
    ","tags":["Azure.AKS.SecretStoreRotation","AZR-000034"]},{"location":"en/rules/Azure.AKS.StandardLB/","title":"Use the Standard load balancer SKU","text":"Azure.AKS.StandardLBAZR-000026Error

    Performance Efficiency \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.

    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#description","title":"Description","text":"

    When deploying an AKS cluster, either a Standard or Basic load balancer SKU can be configured. A Standard load balancer SKU is required for several AKS features including:

    • Multiple node pools
    • Availability zones
    • Authorized IP ranges

    These features improve the scalability and reliability of the cluster.

    AKS clusters can not be updated to use a Standard load balancer SKU after deployment. For switch to an Standard load balancer SKU, the cluster must be redeployed.

    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#recommendation","title":"Recommendation","text":"

    Consider using Standard load balancer SKU during AKS cluster creation. Additionally, consider redeploying the AKS clusters with a Standard load balancer SKU configured.

    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#examples","title":"Examples","text":"","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy clusters that pass this rule:

    • Set the properties.networkProfile.loadBalancerSku property to standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"[parameters('kubernetesVersion')]\",\n\"disableLocalAccounts\": true,\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"oidcIssuerProfile\": {\n\"enabled\": true\n},\n\"addonProfiles\": {\n\"azurepolicy\": {\n\"enabled\": true\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n}\n},\n\"dependsOn\": [\n\"identity\"\n]\n}\n
    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy clusters that pass this rule:

    • Set the properties.networkProfile.loadBalancerSku property to standard.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2023-04-01' = {\n  location: location\n  name: name\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: kubernetesVersion\n    disableLocalAccounts: true\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    oidcIssuerProfile: {\n      enabled: true\n    }\n    addonProfiles: {\n      azurepolicy: {\n        enabled: true\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.StandardLB/#links","title":"Links","text":"
    • Plan for growth
    • Use a Standard SKU load balancer in Azure Kubernetes Service (AKS)
    • LoadBalancer annotations
    • Azure deployment reference
    ","tags":["Azure.AKS.StandardLB","AZR-000026"]},{"location":"en/rules/Azure.AKS.UptimeSLA/","title":"Azure.AKS.UptimeSLA","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#online-version-httpsazuregithubiopsrulerulesazureenrulesazureaksuptimesla","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UptimeSLA/","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#use-aks-uptime-sla","title":"Use AKS Uptime SLA","text":"

    AKS clusters should have Uptime SLA enabled for a financially backed SLA.

    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#description","title":"Description","text":"

    Azure Kubernetes Service (AKS) offers two pricing tiers for cluster management.

    The Standard tier is suitable for financially backed SLA scenarios as it enables Uptime SLA by default on the cluster.

    Benefits:

    • The Free tier SKU imposes in-flight request limits of 50 mutating and 100 read-only calls. The Standard tier SKU automatically scales out based on the load.
    • The Free tier SKU is recommended only for cost-sensitive non-production workloads with 10 or fewer agent nodes. The Standard tier SKU configures more resources for the control plane and will dynamically scale to handle the request load from more nodes.
    • AKS recommends the use of the Standard tier for production workloads to ensure availability of control plane components. Clusters on the Free tier, by contrast come with limited resources for the control plane and are not suitable for production workloads.
    • Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use Availability Zones.
    • Uptime SLA guarantees 99.9% of availability for clusters that don't use Availability Zones.
    • AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.
    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#recommendation","title":"Recommendation","text":"

    Consider enabling Uptime SLA for a financially backed SLA.

    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an AKS cluster that pass this rule:

    • Set sku.tier to Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Basic\",\n\"tier\": \"Standard\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": [\n{\n\"name\": \"agentpool\",\n\"osDiskSizeGB\": \"[parameters('osDiskSizeGB')]\",\n\"count\": \"[parameters('agentCount')]\",\n\"vmSize\": \"[parameters('agentVMSize')]\",\n\"osType\": \"Linux\",\n\"mode\": \"System\"\n}\n],\n\"linuxProfile\": {\n\"adminUsername\": \"[parameters('linuxAdminUsername')]\",\n\"ssh\": {\n\"publicKeys\": [\n{\n\"keyData\": \"[parameters('sshRSAPublicKey')]\"\n}\n]\n}\n}\n}\n}\n
    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an AKS cluster that pass this rule:

    • Set sku.tier to Standard.

    For example:

    Azure Bicep snippet
    resource aks 'Microsoft.ContainerService/managedClusters@2023-02-01' = {\n  name: clusterName\n  location: location\n  sku: {\n    name: 'Basic'\n    tier: 'Standard'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: [\n      {\n        name: 'agentpool'\n        osDiskSizeGB: osDiskSizeGB\n        count: agentCount\n        vmSize: agentVMSize\n        osType: 'Linux'\n        mode: 'System'\n      }\n    ]\n    linuxProfile: {\n      adminUsername: linuxAdminUsername\n      ssh: {\n        publicKeys: [\n          {\n            keyData: sshRSAPublicKey\n          }\n        ]\n      }\n    }\n  }\n}\n
    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#notes","title":"Notes","text":"

    Basic and Paid are removed in the 2023-02-01 and 2023-02-02 Preview API version, and this will be a breaking change in API versions 2023-02-01 and 2023-02-02 Preview or newer.

    "},{"location":"en/rules/Azure.AKS.UptimeSLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Kubernetes Service (AKS) Uptime SLA
    • Free and Standard pricing tiers for Azure Kubernetes Service (AKS) cluster management
    • Azure deployment reference
    "},{"location":"en/rules/Azure.AKS.UseRBAC/","title":"AKS clusters use RBAC","text":"Azure.AKS.UseRBACAZR-000038Error

    Security \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    Deploy AKS cluster with role-based access control (RBAC) enabled.

    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#description","title":"Description","text":"

    AKS supports granting access to cluster resources using role-based access control (RBAC). Additionally Azure Active Directory (AAD) integration with AKS allows, RBAC to be granted based on AAD user or group.

    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#recommendation","title":"Recommendation","text":"

    Azure AD integration with AKS provides granular access control for Kubernetes resources using RBAC.

    RBAC is a deployment time configuration. Consider redeploying the AKS cluster with RBAC enabled.

    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.UseRBAC/#links","title":"Links","text":"
    • Access and identity options for Azure Kubernetes Service (AKS)
    • Authorization with Azure AD
    • Best practices for authentication and authorization in Azure Kubernetes Service (AKS)
    • Using RBAC Authorization
    • Azure deployment reference
    • Use role-based access control (RBAC)
    ","tags":["Azure.AKS.UseRBAC","AZR-000038"]},{"location":"en/rules/Azure.AKS.Version/","title":"Upgrade Kubernetes version","text":"Azure.AKS.VersionAZR-000015Error

    Reliability \u00b7 Azure Kubernetes Service \u00b7 Rule \u00b7 2020_06

    AKS control plane and nodes pools should use a current stable release.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#description","title":"Description","text":"

    The AKS Kubernetes support policy provides support for the latest generally available (GA) three minor versions (N-2). This version support policy is based on the Kubernetes community support policy, who maintain the Kubernetes project. As the Kubernetes releases new minor versions, the old minor versions are deprecated and eventually removed from support.

    When your cluster or cluster nodes are running a version that is no longer supported, you may:

    • Encounter issues that may adversely affect the reliability of your cluster and cause down time.
    • Have bugs or security vulnerabilities that have already been mitigated by the Kubernetes community.
    • Introduce additional risk to your cluster and applications when you upgrade to a supported version.

    Additionally, AKS provides Platform Support for subset of components following an N-3.

    AKS supports a feature called cluster auto-upgrade, which can be used to reduce operational overhead of upgrading your cluster. This feature allows you to configure your cluster to automatically upgrade to the latest supported minor version of Kubernetes. When you enable cluster auto-upgrade, the control plane and node pools are upgraded to the latest supported minor version. Two channels are available for cluster auto-upgrade that maintain Kubernetes minor versions stable and rapid. For details on the differences between the two channels, see the references below.

    You are able to define a planned maintenance window to schedule and control upgrades to your cluster. Use the Planned Maintenance window to schedule upgrades to your cluster during times of low business impact. Alternatively, consider using blue / green clusters.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#recommendation","title":"Recommendation","text":"

    Consider upgrading AKS control plane and nodes pools to the latest stable version of Kubernetes. Also consider enabling cluster auto-upgrade within a maintenance window to minimize operational overhead of cluster upgrades.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#examples","title":"Examples","text":"","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to rapid or stable. OR
    • Set properties.kubernetesVersion to a newer stable version.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerService/managedClusters\",\n\"apiVersion\": \"2023-07-01\",\n\"name\": \"[parameters('clusterName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"UserAssigned\",\n\"userAssignedIdentities\": {\n\"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]\": {}\n}\n},\n\"properties\": {\n\"kubernetesVersion\": \"1.26.6\",\n\"enableRBAC\": true,\n\"dnsPrefix\": \"[parameters('dnsPrefix')]\",\n\"agentPoolProfiles\": \"[variables('allPools')]\",\n\"aadProfile\": {\n\"managed\": true,\n\"enableAzureRBAC\": true,\n\"adminGroupObjectIDs\": \"[parameters('clusterAdmins')]\",\n\"tenantID\": \"[subscription().tenantId]\"\n},\n\"networkProfile\": {\n\"networkPlugin\": \"azure\",\n\"networkPolicy\": \"azure\",\n\"loadBalancerSku\": \"standard\",\n\"serviceCidr\": \"[variables('serviceCidr')]\",\n\"dnsServiceIP\": \"[variables('dnsServiceIP')]\",\n\"dockerBridgeCidr\": \"[variables('dockerBridgeCidr')]\"\n},\n\"autoUpgradeProfile\": {\n\"upgradeChannel\": \"stable\"\n},\n\"addonProfiles\": {\n\"httpApplicationRouting\": {\n\"enabled\": false\n},\n\"azurepolicy\": {\n\"enabled\": true,\n\"config\": {\n\"version\": \"v2\"\n}\n},\n\"omsagent\": {\n\"enabled\": true,\n\"config\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('workspaceId')]\"\n}\n},\n\"kubeDashboard\": {\n\"enabled\": false\n},\n\"azureKeyvaultSecretsProvider\": {\n\"enabled\": true,\n\"config\": {\n\"enableSecretRotation\": \"true\"\n}\n}\n},\n\"podIdentityProfile\": {\n\"enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]\"\n]\n}\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy AKS clusters that pass this rule:

    • Set properties.autoUpgradeProfile.upgradeChannel to rapid or stable. OR
    • Set properties.kubernetesVersion to a newer stable version.

    For example:

    Azure Bicep snippet
    resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {\n  location: location\n  name: clusterName\n  identity: {\n    type: 'UserAssigned'\n    userAssignedIdentities: {\n      '${identity.id}': {}\n    }\n  }\n  properties: {\n    kubernetesVersion: '1.26.6'\n    enableRBAC: true\n    dnsPrefix: dnsPrefix\n    agentPoolProfiles: allPools\n    aadProfile: {\n      managed: true\n      enableAzureRBAC: true\n      adminGroupObjectIDs: clusterAdmins\n      tenantID: subscription().tenantId\n    }\n    networkProfile: {\n      networkPlugin: 'azure'\n      networkPolicy: 'azure'\n      loadBalancerSku: 'standard'\n      serviceCidr: serviceCidr\n      dnsServiceIP: dnsServiceIP\n      dockerBridgeCidr: dockerBridgeCidr\n    }\n    autoUpgradeProfile: {\n      upgradeChannel: 'stable'\n    }\n    addonProfiles: {\n      httpApplicationRouting: {\n        enabled: false\n      }\n      azurepolicy: {\n        enabled: true\n        config: {\n          version: 'v2'\n        }\n      }\n      omsagent: {\n        enabled: true\n        config: {\n          logAnalyticsWorkspaceResourceID: workspaceId\n        }\n      }\n      kubeDashboard: {\n        enabled: false\n      }\n      azureKeyvaultSecretsProvider: {\n        enabled: true\n        config: {\n          enableSecretRotation: 'true'\n        }\n      }\n    }\n    podIdentityProfile: {\n      enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'\n
    Azure CLI snippet
    az aks upgrade -n '<name>' -g '<resource_group>' --kubernetes-version '1.26.6'\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzAksCluster -Name '<name>' -ResourceGroupName '<resource_group>' -KubernetesVersion '1.26.6'\n
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#notes","title":"Notes","text":"

    A list of available Kubernetes versions can be found using the az aks get-versions -o table --location <location> CLI command. To configure this rule:

    • Override the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration value with the minimum Kubernetes version.

    If you must maintain AKS clusters for longer then the community support period, consider switch to Long Term Support (LTS). AKS LTS provides support for a specific Kubernetes version for a longer period of time. The first LTS release is 1.27.

    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.AKS.Version/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Automatically upgrade an Azure Kubernetes Service cluster
    • Supported Kubernetes versions in Azure Kubernetes Service
    • Support policies for Azure Kubernetes Service
    • Platform support policy
    • Blue-green deployment of AKS clusters
    • Long Term Support (LTS)
    • Azure deployment reference
    ","tags":["Azure.AKS.Version","AZR-000015"]},{"location":"en/rules/Azure.APIM.APIDescriptors/","title":"Use API descriptors","text":"Azure.APIM.APIDescriptorsAZR-000043Warning

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2020_09

    API Management APIs should have a display name and description.

    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#description","title":"Description","text":"

    Each API created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assist identification for management and usage.

    During monitoring from service provider and consumer perspectives:

    • Having a clear understanding of the purpose of an API is often important to during analysis.
    • Allows for accurate management and clean up of unused APIs.

    This information is visible within the developer portal and exported OpenAPI definitions.

    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#recommendation","title":"Recommendation","text":"

    Consider using display name and description fields on APIs to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.

    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#examples","title":"Examples","text":"","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management APIs that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with an description of the APIs purpose.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/apis\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n\"properties\": {\n\"displayName\": \"Echo API\",\n\"description\": \"An echo API service.\",\n\"type\": \"http\",\n\"path\": \"echo\",\n\"serviceUrl\": \"https://echo.contoso.com\",\n\"protocols\": [\n\"https\"\n],\n\"apiVersion\": \"v1\",\n\"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n\"subscriptionRequired\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n\"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n]\n}\n
    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management APIs that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with an description of the APIs purpose.

    For example:

    Azure Bicep snippet
    resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    type: 'http'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n
    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.APIDescriptors/#links","title":"Links","text":"
    • Human-readable data
    • Import and publish your first API
    • Azure deployment reference
    ","tags":["Azure.APIM.APIDescriptors","AZR-000043"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/","title":"API management services should use Availability zones in supported regions","text":"Azure.APIM.AvailabilityZoneAZR-000052Error

    Reliability \u00b7 API Management \u00b7 Rule \u00b7 2021_12

    API management services deployed with Premium SKU should use availability zones in supported regions for high availability.

    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#description","title":"Description","text":"

    API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.

    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for API management services deployed with Premium SKU.

    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is null, [] or less than two zones when API management service is deployed with Premium SKU and there are supported availability zones for the given region.

    Configure AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.ApiManagement and resource type services.

    # YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for a API management service

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match sku.capacity.
    • Set properties.additionalLocations[*].zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match properties.additionalLocations[*].sku.capacity.
    • Set sku.name and/or properties.additionalLocations[*].sku.name to Premium.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-01-01-preview\",\n\"name\": \"[parameters('service_api_mgmt_test2_name')]\",\n\"location\": \"Australia East\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 3\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"properties\": {\n\"publisherEmail\": \"john.doe@contoso.com\",\n\"publisherName\": \"contoso\",\n\"notificationSenderEmail\": \"apimgmt-noreply@mail.windowsazure.com\",\n\"hostnameConfigurations\": [\n{\n\"type\": \"Proxy\",\n\"hostName\": \"[concat(parameters('service_api_mgmt_test2_name'), '.azure-api.net')]\",\n\"negotiateClientCertificate\": false,\n\"defaultSslBinding\": true,\n\"certificateSource\": \"BuiltIn\"\n}\n],\n\"additionalLocations\": [\n{\n\"location\": \"East US\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 3\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"disableGateway\": false\n}\n],\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"false\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"false\"\n},\n\"virtualNetworkType\": \"None\",\n\"disableGateway\": false,\n\"apiVersionConstraint\": {}\n}\n}\n
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for a API management service

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match sku.capacity.
    • Set properties.additionalLocations[*].zones to a minimum of two zones from [\"1\", \"2\", \"3\"], ensuring the number of zones match properties.additionalLocations[*].sku.capacity.
    • Set sku.name and/or properties.additionalLocations[*].sku.name to Premium.

    For example:

    Azure Bicep snippet
    resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2021-01-01-preview' = {\n  name: service_api_mgmt_test2_name\n  location: 'Australia East'\n  sku: {\n    name: 'Premium'\n    capacity: 3\n  }\n  zones: [\n    '1',\n    '2',\n    '3'\n  ]\n  properties: {\n    publisherEmail: 'john.doe@contoso.com'\n    publisherName: 'contoso'\n    notificationSenderEmail: 'apimgmt-noreply@mail.windowsazure.com'\n    hostnameConfigurations: [\n      {\n        type: 'Proxy'\n        hostName: '${service_api_mgmt_test2_name}.azure-api.net'\n        negotiateClientCertificate: false\n        defaultSslBinding: true\n        certificateSource: 'BuiltIn'\n      }\n    ]\n    additionalLocations: [\n      {\n        location: 'East US'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        zones: [\n          '1'\n        ]\n        disableGateway: false\n      }\n    ]\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'false'\n    }\n    virtualNetworkType: 'None'\n    disableGateway: false\n    apiVersionConstraint: {}\n  }\n}\n
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Availability zone support for Azure API Management
    • Use zone-aware services
    ","tags":["Azure.APIM.AvailabilityZone","AZR-000052"]},{"location":"en/rules/Azure.APIM.CORSPolicy/","title":"Avoid wildcards in APIM CORS policies","text":"Azure.APIM.CORSPolicyAZR-000365Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2023_03

    Avoid using wildcard for any configuration option in CORS policies.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#description","title":"Description","text":"

    The API Management cors policy adds cross-origin resource sharing (CORS) support to an operation or APIs.

    CORS is not a security feature. CORS is a W3C standard that allows a server to relax the same-origin policy enforced by modern browsers. CORS uses HTTP headers that allows API Management (and other HTTP servers) to indicate any allowed origins.

    Using wildcard (*) in any policy is overly permissive and may reduce the effectiveness of browser same-origin policy enforcement.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#recommendation","title":"Recommendation","text":"

    Consider configuring the CORS policy by specifying explicit values for each property.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#examples","title":"Examples","text":"","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-api-management-policy","title":"Configure API Management policy","text":"

    To deploy API Management CORS policies that pass this rule:

    • When configuring cors policies provide the exact values for all propeties.
    • Avoid using wildcards for any property of the cors policy including:
      • allowed-origins
      • allowed-methods
      • allowed-headers
      • expose-headers

    For example a global scoped policy:

    API Management policy
    <policies>\n<inbound>\n<cors allow-credentials=\"true\">\n<allowed-origins>\n<origin>https://contoso.developer.azure-api.net</origin>\n<origin>https://developer.contoso.com</origin>\n</allowed-origins>\n<allowed-methods preflight-result-max-age=\"300\">\n<method>GET</method>\n<method>PUT</method>\n<method>POST</method>\n<method>PATCH</method>\n<method>HEAD</method>\n<method>DELETE</method>\n<method>OPTIONS</method>\n</allowed-methods>\n<allowed-headers>\n<header>Content-Type</header>\n<header>Cache-Control</header>\n<header>Authorization</header>\n</allowed-headers>\n</cors>\n</inbound>\n<backend>\n<forward-request />\n</backend>\n<outbound />\n<on-error />\n</policies>\n
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management CORS policies that pass this rule:

    • Configure an policy sub-resource.
    • Avoid using wildcards * for any CORS policy element in properties.value property. Instead provide exact values.

    For example a global scoped policy:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/policies\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n\"properties\": {\n\"value\": \"<policies><inbound><cors allow-credentials=\\\"true\\\"><allowed-origins><origin>https://contoso.developer.azure-api.net</origin><origin>https://developer.contoso.com</origin></allowed-origins><allowed-methods preflight-result-max-age=\\\"300\\\"><method>GET</method><method>PUT</method><method>POST</method><method>PATCH</method><method>HEAD</method><method>DELETE</method><method>OPTIONS</method></allowed-methods><allowed-headers><header>Content-Type</header><header>Cache-Control</header><header>Authorization</header></allowed-headers></cors></inbound><backend><forward-request /></backend><outbound /><on-error /></policies>\",\n\"format\": \"xml\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management CORS policies that pass this rule:

    • Configure an policy sub-resource.
    • Avoid using wildcards * for any CORS policy element in properties.value property. Instead provide exact values.

    For example a global scoped policy:

    Azure Bicep snippet
    resource globalPolicy 'Microsoft.ApiManagement/service/policies@2022-08-01' = {\n  parent: service\n  name: 'policy'\n  properties: {\n    value: '<policies><inbound><cors allow-credentials=\"true\"><allowed-origins><origin>https://contoso.developer.azure-api.net</origin><origin>https://developer.contoso.com</origin></allowed-origins><allowed-methods preflight-result-max-age=\"300\"><method>GET</method><method>PUT</method><method>POST</method><method>PATCH</method><method>HEAD</method><method>DELETE</method><method>OPTIONS</method></allowed-methods><allowed-headers><header>Content-Type</header><header>Cache-Control</header><header>Authorization</header></allowed-headers></cors></inbound><backend><forward-request /></backend><outbound /><on-error /></policies>'\n    format: 'xml'\n  }\n}\n
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#notes","title":"Notes","text":"

    The rule only checks against rawxml and xml policy formatted content.

    When using Azure Bicep, the policy XML can be loaded from an external file by using the loadTextContent function.

    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CORSPolicy/#links","title":"Links","text":"
    • Application threat analysis
    • CORS policy
    • Mitigate OWASP API threats
    • How CORS works
    • Policies in Azure API Management
    • File functions for Bicep
    • Azure deployment reference
    ","tags":["Azure.APIM.CORSPolicy","AZR-000365"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/","title":"API Management uses current certificates","text":"Azure.APIM.CertificateExpiryAZR-000051Error

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Renew certificates used for custom domain bindings.

    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#description","title":"Description","text":"

    When custom domains are configured within an API Management service. A certificate must be assigned to allow traffic to be transmitted using TLS.

    Each certificate has an expiry date, after which the certificate is not valid. After expiry, client connections to the API Management service will reject the certificate.

    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#recommendation","title":"Recommendation","text":"

    Consider renewing certificates before expiry to prevent service issues.

    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#notes","title":"Notes","text":"

    By default, this rule fails when certificates have less than 30 days remaining before expiry.

    To configure this rule:

    • Override the Azure_MinimumCertificateLifetime configuration value with the minimum number of days until expiry.
    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.CertificateExpiry/#links","title":"Links","text":"
    • Configure a custom domain name
    • Azure deployment reference
    ","tags":["Azure.APIM.CertificateExpiry","AZR-000051"]},{"location":"en/rules/Azure.APIM.Ciphers/","title":"Use secure ciphers for API Management","text":"Azure.APIM.CiphersAZR-000055Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2022_03

    API Management should not accept weak or deprecated ciphers for client or backend communication.

    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#description","title":"Description","text":"

    API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to 'False'.

    The following ciphers are considered weak or deprecated:

    • TripleDes168
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#recommendation","title":"Recommendation","text":"

    Consider disabling weak or deprecated ciphers from API Management Services. Also consider disabling weak or deprecated protocols.

    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#examples","title":"Examples","text":"","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to \"False\" (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to 'False' (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.Ciphers/#links","title":"Links","text":"
    • Data encryption in Azure
    • Manage protocols and ciphers in Azure API Management
    • Cryptographic Recommendations
    • Azure deployment reference
    ","tags":["Azure.APIM.Ciphers","AZR-000055"]},{"location":"en/rules/Azure.APIM.DefenderCloud/","title":"Onboard Defender for APIs","text":"Azure.APIM.DefenderCloudAZR-000387Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2023_06

    APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.

    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#description","title":"Description","text":"

    Microsoft Defender for APIs provides additional security for APIs published in Azure API Management. Protection is provided by analyzing onboarded APIs.

    Which allows Microsoft Defender for Cloud to produce security findings. These security findings includes API recommendations and runtime threats.

    The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard. Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.

    To use Microsoft Defender for APIs:

    1. Enable the plan at the subscription level.
    2. Onboard each API to Microsoft Defender for APIs.
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider onboarding APIs published in Azure API Management to Microsoft Defender for APIs.

    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management APIs that pass this rule:

    • Deploy a Microsoft.Security/apiCollections sub-resource (extension resource).
    • Set the name property to the name as the API.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/apiCollections\",\n\"apiVersion\": \"2022-11-20-preview\",\n\"scope\": \"[format('Microsoft.ApiManagement/service/{0}', parameters('apiManagementServiceName'))]\",\n\"name\": \"[parameters('apiName')]\"\n}\n
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management APIs that pass this rule:

    • Deploy a Microsoft.Security/apiCollections sub-resource (extension resource).
    • Set the name property to the name as the API.

    For example:

    Azure Bicep snippet
    resource apiManagementService 'Microsoft.ApiManagement/service@2022-08-01' existing = {\n  name: apiManagementServiceName\n}\n\nresource onboardDefender 'Microsoft.Security/apiCollections@2022-11-20-preview' = {\n  name: apiName\n  scope: apiManagementService\n}\n
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#notes","title":"Notes","text":"

    Microsoft Defender for APIs is a preview feature and has the following limitations:

    • Not all regions are supported.
    • Only REST APIs published through Azure API Management are supported.
    • APIs published through a self-hosted gateway are not supported.
    • APIs defined within an API Management workspace are not supported.

    This rule may currently generate false positive results for APIs only hosted on self-hosted gateways or managed using workspaces.

    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.DefenderCloud/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for APIs
    • Support and prerequisites for Defender for APIs
    • Onboard Defender for APIs
    • Quickstart: Enable enhanced security features
    • Azure security baseline for API Management
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.APIM.DefenderCloud","AZR-000387"]},{"location":"en/rules/Azure.APIM.EncryptValues/","title":"Use encrypted named values","text":"Azure.APIM.EncryptValuesAZR-000045Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2023_06

    Encrypt all API Management named values with Key Vault secrets.

    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#description","title":"Description","text":"

    Named values can be used to manage constant string values and secrets across all API configurations and policies.

    Named values are a global collection of name/value pairs in each API Management instance, which may contain sensitive information.

    Secret values can be stored either as encrypted strings in API Management (custom secrets) or by referencing secrets in Azure Key Vault.

    All secrets in Key Vault are stored encrypted.

    Using Key Vault secrets is recommended because it helps improve API Management security by:

    • Granular access policies and audit logs can be used with secrets.
    • Making it easier to rotate secrets within Key Vault.
    • Secrets that are rotated in Key Vault are automatically refreshed within API Management within 4 hours. You can also manually refresh the secret using the Azure portal or via the management REST API.
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#recommendation","title":"Recommendation","text":"

    Consider encrypting all API Management named values with Key Vault secrets.

    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management named values that pass this rule:

    • Configure a named value sub-resource.
    • Configure the properties.keyVault.secretIdentifier property.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/namedValues\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('namedValue'))]\",\n\"properties\": {\n\"displayName\": \"[parameters('namedValue')]\",\n\"keyVault\": {\n\"identityClientId\": null,\n\"secretIdentifier\": \"[format('https://myVault.vault.azure.net/secrets/{0}', parameters('namedValue'))]\"\n},\n\"tags\": []\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management named values that pass this rule:

    • Configure a named value sub-resource.
    • Configure the properties.keyVault.secretIdentifier property.

    For example:

    Azure Bicep snippet
    resource apimNamedValue 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {\n  name: namedValue\n  parent: apim\n  properties: {\n    displayName: namedValue\n    keyVault: {\n      identityClientId: null\n      secretIdentifier: 'https://myVault.vault.azure.net/secrets/${namedValue}'\n    }\n    tags: []\n  }\n}\n
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#notes","title":"Notes","text":"

    Using Key Vault secrets requires a system-assigned or user-assigned managed identity assigned to the API Management instance. The identity needs permissions to get and list secrets from the Key Vault. Also make sure to read the Prerequisites for key vault integration section in links.

    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.EncryptValues/#links","title":"Links","text":"
    • Key storage
    • Prerequisites for key vault integration
    • Azure deployment reference
    ","tags":["Azure.APIM.EncryptValues","AZR-000045"]},{"location":"en/rules/Azure.APIM.HTTPBackend/","title":"Use HTTPS backend connections","text":"Azure.APIM.HTTPBackendAZR-000044Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Use HTTPS for communication to backend services.

    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#description","title":"Description","text":"

    When API Management connects to the backend API it can use HTTP or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.

    Additionally, when configuring backends:

    • Use a newer version of TLS such as TLS 1.2.
    • Use client certificate authentication from API Management to authenticate to the backend.
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#recommendation","title":"Recommendation","text":"

    Consider configuring only backend services configured with HTTPS-based URLs.

    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#examples","title":"Examples","text":"","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy APIs that pass this rule:

    • Set the properties.serviceUrl property to a URL that starts with https://.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/apis\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo-v1')]\",\n\"properties\": {\n\"displayName\": \"Echo API\",\n\"description\": \"An echo API service.\",\n\"path\": \"echo\",\n\"serviceUrl\": \"https://echo.contoso.com\",\n\"protocols\": [\n\"https\"\n],\n\"apiVersion\": \"v1\",\n\"apiVersionSetId\": \"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\",\n\"subscriptionRequired\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\",\n\"[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]\"\n]\n}\n

    To deploy API backends that pass this rule:

    • Set the properties.url property to a URL that starts with https://.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/backends\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n\"properties\": {\n\"title\": \"echo\",\n\"description\": \"A backend service for the Each API.\",\n\"protocol\": \"http\",\n\"url\": \"https://echo.contoso.com\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy APIs that pass this rule:

    • Set the properties.serviceUrl property to a URL that starts with https://.

    For example:

    Azure Bicep snippet
    resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {\n  parent: service\n  name: 'echo-v1'\n  properties: {\n    displayName: 'Echo API'\n    description: 'An echo API service.'\n    path: 'echo'\n    serviceUrl: 'https://echo.contoso.com'\n    protocols: [\n      'https'\n    ]\n    apiVersion: 'v1'\n    apiVersionSetId: version.id\n    subscriptionRequired: true\n  }\n}\n

    To deploy API backends that pass this rule:

    • Set the properties.url property to a URL that starts with https://.

    For example:

    Azure Bicep snippet
    resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    title: 'echo'\n    description: 'A backend service for the Each API.'\n    protocol: 'http'\n    url: 'https://echo.contoso.com'\n  }\n}\n
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPBackend/#links","title":"Links","text":"
    • Data encryption in Azure
    • Manage protocols and ciphers in Azure API Management
    • Secure backend services using client certificate authentication in Azure API Management
    • Azure deployment reference for APIs
    • Azure deployment reference for backends
    ","tags":["Azure.APIM.HTTPBackend","AZR-000044"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/","title":"Publish APIs through HTTPS connections","text":"Azure.APIM.HTTPEndpointAZR-000042Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Enforce HTTPS for communication to API clients.

    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#description","title":"Description","text":"

    When an client connects to API Management it can use HTTP or HTTPS. Each API can be configured to accept connection for HTTP and/ or HTTPS. When using HTTP, sensitive information may be exposed to an untrusted party.

    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#recommendation","title":"Recommendation","text":"

    Consider setting the each API to only accept HTTPS connections. In the portal, this is done by configuring the HTTPS URL scheme.

    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.HTTPEndpoint/#links","title":"Links","text":"
    • Data encryption in Azure
    • Import and publish a back-end API
    ","tags":["Azure.APIM.HTTPEndpoint","AZR-000042"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/","title":"API Management uses a managed identity","text":"Azure.APIM.ManagedIdentityAZR-000053Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Configure managed identities to access Azure resources.

    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#description","title":"Description","text":"

    API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management.

    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each API Management instance. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Use managed identities in Azure API Management
    • Authenticate with managed identity
    • Azure deployment reference
    ","tags":["Azure.APIM.ManagedIdentity","AZR-000053"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/","title":"API Management API versions prior to 2021-08-01 will be retired","text":"Azure.APIM.MinAPIVersionAZR-000321Error

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2022_12

    API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.

    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#description","title":"Description","text":"

    On 30 September 2023, all API versions prior to 2021-08-01 will be retired and API calls using those API versions will fail. This means you'll no longer be able to create or manage your API Management services using your existing templates, tools, scripts, and programs until they've been updated. Data operations (such as accessing the APIs or Products configured on Azure API Management) will be unaffected by this update, including after 30 September 2023.

    From now through 30 September 2023, you can continue to use the templates, tools, and programs without impact. You can transition to API version 2021-08-01 or later at any point prior to 30 September 2023.

    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#recommendation","title":"Recommendation","text":"

    Limit control plane API calls to API Management with version '2021-08-01' or newer.

    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management services that pass this rule:

    • Set the apiVersion property to '2021-08-01' or newer.
    • Set the properties.apiVersionConstraint.minApiVersion property to '2021-08-01' or newer.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management services that pass this rule:

    • Use the API Version Microsoft.ApiManagement/service@2021-08-01 or newer.
    • Set the properties.apiVersionConstraint.minApiVersion property to '2021-08-01' or newer.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#notes","title":"Notes","text":"

    This rule fails:

    • When the properties.apiVersionConstraint.minApiVersion property is not configured.
    • When the properties.apiVersionConstraint.minApiVersion property value is less than the default value 2021-08-01 and no configuration option property value is set to overwrite the default value.
    • When the properties.apiVersionConstraint.minApiVersion property value is less than the configuration option property value specified.

    Important Currently, depending on how you delete an API Management instance, the instance is either soft-deleted and recoverable during a retention period, or it's permanently deleted:

    • When you use the Azure portal or REST API version 2020-06-01-preview or later to delete an API Management instance, it's soft-deleted.
    • An API Management instance deleted using a REST API version before 2020-06-01-preview is permanently deleted.

    Configure AZURE_APIM_MIN_API_VERSION to set the minimum API version used for control plane API calls to the API Management instance.

    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-08-01'\n
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MinAPIVersion/#links","title":"Links","text":"
    • Repeatable Infrastructure
    • Azure API Management API version retirements
    • Azure API Management soft-delete API versions
    • Azure deployment reference
    ","tags":["Azure.APIM.MinAPIVersion","AZR-000321"]},{"location":"en/rules/Azure.APIM.MultiRegion/","title":"Multi-region deployment","text":"Azure.APIM.MultiRegionAZR-000340Error

    Reliability \u00b7 API Management \u00b7 Rule \u00b7 2022_12

    API Management instances should use multi-region deployment to improve service availability.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#description","title":"Description","text":"

    Azure API Management supports multi-region deployment. Multi-region deployment provides availability of the API gateway in more than one region and provides service availability if one region goes offline.

    This feature is currently only available for the Premium tier of API Management.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#recommendation","title":"Recommendation","text":"

    Consider deploying an API Management service across multiple regions to improve service availability.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management instances that pass this rule:

    • Configure the properties.additionalLocations property.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-12-01-preview\",\n\"name\": \"[parameters('apiManagementServiceName')]\",\n\"location\": \"eastus\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"properties\": {\n\"additionalLocations\": [\n{\n\"location\": \"westeurope\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"disableGateway\": false\n}\n]\n}\n}\n
    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management instances that pass this rule:

    • Configure the properties.additionalLocations property.

    For example:

    Azure Bicep snippet
    resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#notes","title":"Notes","text":"

    This rule is only applicable for API Management instances configured with a Premium tier.

    It is recommended to configure zone redundancy if the region supports it.

    Virtual network settings must be configured in the added region, if networking is configured in the existing region or regions. The rule does not take this into consideration.

    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegion/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Azure API Management instance multi-region
    • Azure deployment reference
    ","tags":["Azure.APIM.MultiRegion","AZR-000340"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/","title":"Multi-region deployment gateways","text":"Azure.APIM.MultiRegionGatewayAZR-000341Error

    Reliability \u00b7 API Management \u00b7 Rule \u00b7 2022_12

    API Management instances should have multi-region deployment gateways enabled.

    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#description","title":"Description","text":"

    Azure API Management supports multi-region deployment. Deploy API Management in multiple locations to:

    • Provide active-active redundancy for API gateway requests across Azure regions.
    • Serve the request from the closest API gateway region to the original request.

    API gateways can be disabled to enabled you to test failover of your API workloads to another region. When disabled, an API gateway will not route API traffic. You should reenable API gateways after you have concluded failover testing to ensure that the API gateway is available for failover if another region becomes unavailable.

    If a region goes offline, API requests are automatically routed around the failed region to the next closest gateway.

    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#recommendation","title":"Recommendation","text":"

    Consider enabling each regional API gateway location for multi-region redundancy.

    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#examples","title":"Examples","text":"","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management instances that pass this rule:

    • Set the properties.additionalLocations.disableGateway property to false for each additional location.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-12-01-preview\",\n\"name\": \"[parameters('apiManagementServiceName')]\",\n\"location\": \"eastus\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"properties\": {\n\"additionalLocations\": [\n{\n\"location\": \"westeurope\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"disableGateway\": false\n}\n]\n}\n}\n
    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management instances that pass this rule:

    • Set the properties.additionalLocations.disableGateway property to false for each additional location.

    For example:

    Azure Bicep snippet
    resource apiManagementService 'Microsoft.ApiManagement/service@2021-12-01-preview' = {\n  name: apiManagementServiceName\n  location: 'eastus'\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  properties: {\n    additionalLocations: [\n      {\n        location: 'westeurope'\n        sku: {\n          name: 'Premium'\n          capacity: 1\n        }\n        disableGateway: false\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.MultiRegionGateway/#links","title":"Links","text":"
    • Resiliency and dependencies
    • About multi-region deployment
    • Azure deployment reference
    ","tags":["Azure.APIM.MultiRegionGateway","AZR-000341"]},{"location":"en/rules/Azure.APIM.Name/","title":"Use valid API Management service names","text":"Azure.APIM.NameAZR-000056Error

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2020_09

    API Management service names should meet naming requirements.

    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for API Management service names are:

    • Between 1 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start with letter.
    • End with letter or number.
    • API Management service names must be globally unique.
    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet API Management naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#notes","title":"Notes","text":"

    This rule does not check if API Management service names are unique.

    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.APIM.Name","AZR-000056"]},{"location":"en/rules/Azure.APIM.PolicyBase/","title":"Base element","text":"Azure.APIM.PolicyBaseAZR-000371Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2023_06

    The base element should be included in each section of a policy definition so that policies from parent scopes are applied.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#description","title":"Description","text":"

    Determine the policy evaluation order by placement of the base (<base />) element in each section in the policy definition at each scope.

    API Management supports the following scopes: Global (all APIs), Workspace, Product, API, and Operation.

    The base element inherits the policies configured in that section at the next broader (parent) scope. If it is omitted, the inherited policies, including any security controls defined at the parent scope, are not applied at that scope. The base element can be placed before or after any policy element in a section, depending on the wanted evaluation order. However, placing other elements before the base element means they run before the inherited controls, which can reduce the effectiveness of security controls defined at broader scopes. For most cases, unless otherwise specified in the policy reference (such as cors), the base element should be specified as the first element in each section.

    A specific exception is the Global scope. A Global policy does not need the base element because it is the root scope from which all others inherit.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#recommendation","title":"Recommendation","text":"

    Consider including the base element in each section of every policy definition below the Global scope.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#examples","title":"Examples","text":"","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management policies that pass this rule:

    • Configure a policy sub-resource.
    • Include the base element in each section (inbound, backend, outbound, and on-error) of the policy XML in the properties.value property, placing it first unless the policy reference specifies otherwise.

    For example an API policy:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/apis/policies\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'policy')]\",\n\"properties\": {\n\"value\": \"<policies><inbound><base /><ip-filter action=\\\"allow\\\"><address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>\",\n\"format\": \"xml\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service/apis', parameters('name'))]\"\n],\n}\n
    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management policies that pass this rule:

    • Configure a policy sub-resource.
    • Include the base element in each section (inbound, backend, outbound, and on-error) of the policy XML in the properties.value property, placing it first unless the policy reference specifies otherwise.

    For example an API policy:

    Azure Bicep snippet
    resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {\n  parent: api\n  name: 'policy'\n  properties: {\n    value: '<policies><inbound><base /><ip-filter action=\\\"allow\\\"><address-range from=\\\"10.1.0.1\\\" to=\\\"10.1.0.255\\\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>'\n    format: 'xml'\n  }\n}\n
    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#notes","title":"Notes","text":"

    This rule only checks policy content in the rawxml and xml formats. Global policies are excluded because they do not benefit from the base element.

    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.PolicyBase/#links","title":"Links","text":"
    • Secure application configuration and dependencies
    • Things to know
    • Mitigate OWASP API threats
    • Apply policies specified at different scopes
    • Azure deployment reference
    • Azure deployment reference
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.APIM.PolicyBase","AZR-000371"]},{"location":"en/rules/Azure.APIM.ProductApproval/","title":"Require approval for products","text":"Azure.APIM.ProductApprovalAZR-000047Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Configure products to require approval.

    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#description","title":"Description","text":"

    When publishing APIs through Azure API Management (APIM), APIs are assigned to products. Access to use an API is delegated through a product.

    When a product does not require approval, developers can subscribe to it and obtain subscription keys without an administrator reviewing the request.

    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#recommendation","title":"Recommendation","text":"

    Consider configuring all API Management products to require approval.

    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductApproval/#links","title":"Links","text":"
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductApproval","AZR-000047"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/","title":"Use product descriptors","text":"Azure.APIM.ProductDescriptorsAZR-000049Warning

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2020_09

    API Management products should have a display name and description.

    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#description","title":"Description","text":"

    Each product created in API Management can have a display name and description set. Using easy to understand descriptions and metadata greatly assist identification for management and usage.

    During monitoring from service provider perspective:

    • Having a clear understanding of the purpose of a product is often important during analysis.
    • Allows for accurate management and clean up of unused or old products.
    • Allows for accurate access control decisions.

    This information is visible within the developer portal.

    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#recommendation","title":"Recommendation","text":"

    Consider using display name and description fields on products to convey intended purpose and usage. Display name and description fields should be human readable and easy to understand.

    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#examples","title":"Examples","text":"","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management Products that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with a description of the API's purpose.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service/products\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'echo')]\",\n\"properties\": {\n\"displayName\": \"Echo\",\n\"description\": \"Echo API services for Contoso.\",\n\"approvalRequired\": true,\n\"subscriptionRequired\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ApiManagement/service', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management Products that pass this rule:

    • Set the properties.displayName with a human readable name.
    • Set the properties.description with a description of the API's purpose.

    For example:

    Azure Bicep snippet
    resource product 'Microsoft.ApiManagement/service/products@2021-08-01' = {\n  parent: service\n  name: 'echo'\n  properties: {\n    displayName: 'Echo'\n    description: 'Echo API services for Contoso.'\n    approvalRequired: true\n    subscriptionRequired: true\n  }\n}\n
    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductDescriptors/#links","title":"Links","text":"
    • Human-readable data
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductDescriptors","AZR-000049"]},{"location":"en/rules/Azure.APIM.ProductSubscription/","title":"Require a subscription for products","text":"Azure.APIM.ProductSubscriptionAZR-000046Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Configure products to require a subscription.

    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#description","title":"Description","text":"

    When publishing APIs through Azure API Management (APIM), APIs can be secured using subscription keys. Client applications that consume published APIs must subscribe before making calls to those APIs. Subscription keys are shared secrets that identify the calling application; protect them accordingly and combine them with additional authentication policies where an API handles sensitive data.

    When combined with policies, subscriptions allow controls such as throttling to be implemented.

    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#recommendation","title":"Recommendation","text":"

    Consider configuring all API Management products to require a subscription.

    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductSubscription/#links","title":"Links","text":"
    • Subscriptions in Azure API Management
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductSubscription","AZR-000046"]},{"location":"en/rules/Azure.APIM.ProductTerms/","title":"Use API product legal terms","text":"Azure.APIM.ProductTermsAZR-000050Error

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2020_09

    Set legal terms for each product registered in API Management.

    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#description","title":"Description","text":"

    Within API Management a product is created to publish one or more APIs. For each product legal terms can be specified. When set, developers using the developer portal are required to accept the terms to subscribe to a product. Use these terms to set expectations on acceptable use of the included APIs.

    Acceptance of legal terms is bypassed when an administrator creates a subscription.

    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#recommendation","title":"Recommendation","text":"

    Consider configuring legal terms for all products to declare acceptable use of included APIs.

    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.ProductTerms/#links","title":"Links","text":"
    • Create and publish a product
    • Azure deployment reference
    ","tags":["Azure.APIM.ProductTerms","AZR-000050"]},{"location":"en/rules/Azure.APIM.Protocols/","title":"Use secure TLS versions for API Management","text":"Azure.APIM.ProtocolsAZR-000054Error

    Security \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    API Management should accept only TLS 1.2 or later for client and backend communication.

    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#description","title":"Description","text":"

    API Management provides support for older TLS/SSL protocols, which are disabled by default. These older versions are available for compatibility but are not considered secure.

    The following protocols are considered weak or deprecated:

    • SSL 3.0
    • TLS 1.0
    • TLS 1.1
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2 for both client and backend connections. Also disable weak or deprecated ciphers, such as 3DES and the CBC-mode and RSA key-exchange cipher suites (which lack forward secrecy) shown in the examples below.

    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#examples","title":"Examples","text":"","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to \"False\" (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ApiManagement/service\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\",\n\"capacity\": 1\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"publisherEmail\": \"[parameters('publisherEmail')]\",\n\"publisherName\": \"[parameters('publisherName')]\",\n\"customProperties\": {\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2\": \"True\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\": \"False\",\n\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256\": \"False\"\n},\n\"apiVersionConstraint\": {\n\"minApiVersion\": 
\"2021-08-01\"\n}\n}\n}\n
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy API Management Services that pass this rule:

    • Set the following keys to 'False' (as a string) within the properties.customProperties property:
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11
      • Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.ApiManagement/service@2021-08-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Premium'\n    capacity: 1\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publisherEmail: publisherEmail\n    publisherName: publisherName\n    customProperties: {\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'\n      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'\n    }\n    apiVersionConstraint: {\n      minApiVersion: '2021-08-01'\n    }\n  }\n}\n
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.Protocols/#links","title":"Links","text":"
    • Data encryption in Azure
    • Manage protocols and ciphers in Azure API Management
    • Cryptographic Recommendations
    • Azure deployment reference
    ","tags":["Azure.APIM.Protocols","AZR-000054"]},{"location":"en/rules/Azure.APIM.SampleProducts/","title":"Remove default products","text":"Azure.APIM.SampleProductsAZR-000048Error

    Operational Excellence \u00b7 API Management \u00b7 Rule \u00b7 2020_06

    Remove starter and unlimited sample products.

    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#description","title":"Description","text":"

    API Management includes two sample products, Starter and Unlimited, by default. Accidentally adding APIs to these sample products may expose those APIs more broadly than intended.

    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#recommendation","title":"Recommendation","text":"

    Consider removing starter and unlimited sample products from API Management.

    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.APIM.SampleProducts/#links","title":"Links","text":"
    • Create and publish a product
    ","tags":["Azure.APIM.SampleProducts","AZR-000048"]},{"location":"en/rules/Azure.ASE.MigrateV3/","title":"Migrate to App Service Environment v3","text":"Azure.ASE.MigrateV3AZR-000319Error

    Operational Excellence \u00b7 App Service Environment \u00b7 Rule \u00b7 2022_12

    Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2.

    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#description","title":"Description","text":"

    The classic App Service Environment version 1 (ASEv1) and version 2 (ASEv2) will be retired on August 31, 2024. To avoid service disruption, migrate to App Service Environment version 3 (ASEv3). App Service Environment v3 has advantages and feature differences that provide enhanced support for your workloads and can reduce overall costs.

    App Service Environment v3 differs from earlier versions in the following ways:

    • There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.
    • You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. In this case, each App Service Plan on the App Service Environment will need to have a minimum of three instances so that they can be spread across zones. For more information, see Migrate App Service Environment to availability zone support.
    • You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant.
    • Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multi-tenant service, it's a lot faster.
    • Front-end scaling adjustments are no longer required. App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts.
    • Scaling no longer blocks other scale operations within the App Service Environment v3. Only one scale operation can be in effect for a combination of OS and size. For example, while your Windows small App Service plan is scaling, you could kick off a scale operation to run at the same time on a Windows medium or anything else other than Windows small.
    • You can reach apps in an internal-VIP App Service Environment v3 across global peering. Such access wasn't possible in earlier versions.

    A few features that were available in earlier versions of App Service Environment aren't available in App Service Environment v3. For example, you can no longer do the following:

    • Monitor your traffic with Network Watcher or network security group (NSG) flow logs.
    • Perform a backup and restore operation on a storage account behind a firewall.
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#recommendation","title":"Recommendation","text":"

    Classic App Service Environments should migrate to App Service Environment v3.

    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#examples","title":"Examples","text":"","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Service Environments that pass this rule:

    • Set kind to 'ASEV3'.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"_generator\": {\n\"name\": \"bicep\",\n\"version\": \"0.11.1.770\",\n\"templateHash\": \"13381170219553357893\"\n}\n},\n\"parameters\": {\n\"aseName\": {\n\"type\": \"string\",\n\"defaultValue\": \"001-ase\",\n\"metadata\": {\n\"description\": \"Name of the App Service Environment\"\n}\n},\n\"virtualNetworkName\": {\n\"type\": \"string\",\n\"defaultValue\": \"ase-001-vnet\",\n\"metadata\": {\n\"description\": \"The name of the vnet\"\n}\n},\n\"vnetResourceGroupName\": {\n\"type\": \"string\",\n\"defaultValue\": \"ase-001-rg\",\n\"metadata\": {\n\"description\": \"The resource group name that contains the vnet\"\n}\n},\n\"subnetName\": {\n\"type\": \"string\",\n\"defaultValue\": \"ase-001-sn\",\n\"metadata\": {\n\"description\": \"Subnet name that will contain the App Service Environment\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for the resources\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Web/hostingEnvironments\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('aseName')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"ASEV3\",\n\"tags\": {\n\"displayName\": \"App Service Environment\",\n\"usage\": \"Hosting awesome applications\",\n\"owner\": \"Platform\"\n},\n\"properties\": {\n\"virtualNetwork\": {\n\"id\": \"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('vnetResourceGroupName')), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]\"\n}\n}\n}\n]\n}\n
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Service Environments that pass this rule:

    • Set kind to 'ASEV3'.

    For example:

    Azure Bicep snippet
    @description('Name of the App Service Environment')\nparam aseName string = '001-ase'\n\n@description('The name of the vnet')\nparam virtualNetworkName string = 'ase-001-vnet'\n\n@description('The resource group name that contains the vnet')\nparam vnetResourceGroupName string = 'ase-001-rg'\n\n@description('Subnet name that will contain the App Service Environment')\nparam subnetName string = 'ase-001-sn'\n\n@description('Location for the resources')\nparam location string = resourceGroup().location\n\nresource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-05-01' existing = {\n  scope: resourceGroup(vnetResourceGroupName)\n  name: virtualNetworkName\n}\n\nresource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' existing = {\n  parent: virtualNetwork\n  name: subnetName\n}\n\nresource hostingEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' = {\n  name: aseName\n  location: location\n  kind: 'ASEV3'\n  tags: {\n    displayName: 'App Service Environment'\n    usage: 'Hosting awesome applications'\n    owner: 'Platform'\n  }\n  properties: {\n    virtualNetwork: {\n      id: subnet.id\n    }\n  }\n}\n
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASE.MigrateV3/#links","title":"Links","text":"
    • Infrastructure provisioning
    • App Service Environment version 1 and version 2 will be retired on 31 August 2024
    • Migrate to App Service Environment v3
    • Azure deployment reference
    ","tags":["Azure.ASE.MigrateV3","AZR-000319"]},{"location":"en/rules/Azure.ASG.Name/","title":"Use valid ASG names","text":"Azure.ASG.NameAZR-000085Error

    Operational Excellence \u00b7 Application Security Group \u00b7 Rule \u00b7 2021_12

    Application Security Group (ASG) names should meet naming requirements.

    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for ASG names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End with alphanumeric or underscore.
    • ASG names must be unique within a resource group.
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Application Security Group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#examples","title":"Examples","text":"","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Security Groups that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('asgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Security Groups that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Bicep snippet
    resource asg 'Microsoft.Network/applicationSecurityGroups@2022-01-01' = {\n  name: asgName\n  location:location\n  properties: {}\n}\n
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#notes","title":"Notes","text":"

    This rule does not check if ASG names are unique.

    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.ASG.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.ASG.Name","AZR-000085"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/","title":"Audit App Configuration Store","text":"Azure.AppConfig.AuditLogsAZR-000311Error

    Security \u00b7 App Configuration \u00b7 Rule \u00b7 2022_09

    Ensure app configuration store audit diagnostic logs are enabled.

    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#description","title":"Description","text":"

    To capture logs that record interactions with data or the settings of the app configuration store, diagnostic settings must be configured.

    When configuring diagnostic settings, enable one of the following:

    • Audit category.
    • audit category group.
    • allLogs category group.

    Management operations for App Configuration Store are captured automatically within Azure Activity Logs.

    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to record interactions with data or the settings of the App Configuration Store.

    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an App Configuration Store that passes this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable Audit category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"name\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The name of the App Configuration Store.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n},\n\"workspaceId\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The resource id of the Log Analytics workspace to send diagnostic logs to.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true\n}\n},\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"scope\": \"[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]\",\n\"name\": \"[format('{0}-diagnostic', parameters('name'))]\",\n\"properties\": {\n\"logs\": [\n{\n\"categoryGroup\": \"audit\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 90,\n\"enabled\": true\n}\n}\n],\n\"workspaceId\": \"[parameters('workspaceId')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an App Configuration Store that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable Audit category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n\nresource diagnostic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  scope: store\n  name: '${name}-diagnostic'\n  properties: {\n    logs: [\n      {\n        categoryGroup: 'audit'\n        enabled: true\n        retentionPolicy: {\n          days: 90\n          enabled: true\n        }\n      }\n    ]\n    workspaceId: workspaceId\n  }\n}\n
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy an App Configuration Store that pass this rule:

    • Configure the diagnosticSettingsProperties.logs parameter.
    • Enable Audit category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n    diagnosticSettingsProperties: {\n      diagnosticReceivers: {\n        workspaceId: workspaceId\n      }\n      logs: [\n        {\n          categoryGroup: 'audit'\n          enabled: true\n          retentionPolicy: {\n            days: 90\n            enabled: true\n          }\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.AuditLogs","AZR-000311"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/","title":"Use identity-based authentication for App Configuration","text":"Azure.AppConfig.DisableLocalAuthAZR-000291Error

    Security \u00b7 App Configuration \u00b7 Rule \u00b7 2022_09

    Authenticate App Configuration clients with Azure AD identities.

    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#description","title":"Description","text":"

    Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials, or by using an access key. Of these two types of authentication schemes, Azure AD provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Azure AD to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.

    When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Azure AD will succeed.

    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy configuration stores that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2023-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true,\n\"publicNetworkAccess\": \"Disabled\"\n}\n}\n
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy configuration stores that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the params.disableLocalAuth parameter to true.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.DisableLocalAuth/#links","title":"Links","text":"
    • Centralize all identity systems
    • IM-1: Use centralized identity and authentication system
    • Authorize access to Azure App Configuration using Azure Active Directory
    • Disable access key authentication
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.DisableLocalAuth","AZR-000291"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/","title":"Geo-replicate app configuration store","text":"Azure.AppConfig.GeoReplicaAZR-000312Error

    Reliability \u00b7 App Configuration \u00b7 Rule \u00b7 2022_09

    Consider replication for app configuration store to ensure resiliency to region outages.

    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#description","title":"Description","text":"

    A app configuration store is stored and maintained by default in a single region.

    The app configuration geo-replication feature allows you to replicate your configuration store at-will to the regions of your choice. Each new replica will be in a different region and creates a new endpoint for your applications to send requests to. The original endpoint of your configuration store is called the Origin. The origin can't be removed, but otherwise behaves like any replica.

    Replicating your configuration store adds the following benefits:

    • Added resiliency for Azure outages.
    • Redistribution of request limits.
    • Regional compartmentalization.

    Geo-replication is currently a preview feature. During the preview geo-replication has additional limitations including support and regional availability.

    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#recommendation","title":"Recommendation","text":"

    Consider replication for app configuration store to ensure resiliency to region outages.

    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set sku.name to Standard (required for geo-replication).
    • Deploy a replica sub-resource (child resource).
    • Set location on replica sub-resource to a different location than the app configuration store.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"appConfigName\": {\n\"type\": \"string\",\n\"defaultValue\": \"configstore01\",\n\"metadata\": {\n\"description\": \"The name of the app configuration store.\"\n}\n},\n\"replicaName\": {\n\"type\": \"string\",\n\"defaultValue\": \"replica01\",\n\"metadata\": {\n\"description\": \"The name of the replica.\"\n}\n},\n\"appConfigLocation\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n},\n\"replicaLocation\": {\n\"type\": \"string\",\n\"defaultValue\": \"northeurope\",\n\"metadata\": {\n\"description\": \"The location where the replica will be deployed.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('appConfigName')]\",\n\"location\": \"[parameters('appConfigLocation')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true\n}\n},\n{\n\"type\": \"Microsoft.AppConfiguration/configurationStores/replicas\",\n\"apiVersion\": \"2022-03-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('appConfigName'), parameters('replicaName'))]\",\n\"location\": \"[parameters('replicaLocation')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('appConfigName'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set sku.name to Standard (required for geo-replication).
    • Deploy a replica sub-resource (child resource).
    • Set location on replica sub-resource to a different location than the app configuration store.

    For example:

    Azure Bicep snippet
    @description('The name of the app configuration store.')\nparam appConfigName string = 'configstore01'\n\n@description('The name of the replica.')\nparam replicaName string = 'replica01'\n\n@description('The location resources will be deployed.')\nparam appConfigLocation string = resourceGroup().location\n\n@description('The location where the replica will be deployed.')\nparam replicaLocation string = 'northeurope'\n\nresource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {\n  name: appConfigName\n  location: appConfigLocation\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n  }\n}\n\nresource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2022-03-01-preview' = {\n  name: replicaName\n  location: replicaLocation\n  parent: store\n}\n
    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.GeoReplica/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Resiliency and diaster recovery
    • Geo-replication overview
    • Enable geo-replication
    • Azure deployment reference
    ","tags":["Azure.AppConfig.GeoReplica","AZR-000312"]},{"location":"en/rules/Azure.AppConfig.Name/","title":"Use valid App Configuration store names","text":"Azure.AppConfig.NameAZR-000058Error

    Operational Excellence \u00b7 App Configuration \u00b7 Rule \u00b7 2020_12

    App Configuration store names should meet naming requirements.

    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for App Configuration store names are:

    • Between 5 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start and end with a letter or number.
    • App Configuration store names must be unique within a resource group.
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet App Configuration store naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy configuration stores that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true\n}\n}\n
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy configuration stores that pass this rule:

    • Set name to a value that meets the requirements.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n  }\n}\n
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#notes","title":"Notes","text":"

    This rule does not check if App Configuration store names are unique.

    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.AppConfig.Name","AZR-000058"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/","title":"Purge Protect App Configuration Stores","text":"Azure.AppConfig.PurgeProtectAZR-000313Error

    Reliability \u00b7 App Configuration \u00b7 Rule \u00b7 2022_12

    Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.

    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#description","title":"Description","text":"

    With purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.

    Purge protection is only available for configuration stores that use the standard SKU.

    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#recommendation","title":"Recommendation","text":"

    Consider enabling purge protection for app configuration stores.

    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2023-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true,\n\"publicNetworkAccess\": \"Disabled\"\n}\n}\n
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the params.enablePurgeProtection parameter to true.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.PurgeProtect/#links","title":"Links","text":"
    • Data management for reliability
    • Purge protection
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.PurgeProtect","AZR-000313"]},{"location":"en/rules/Azure.AppConfig.SKU/","title":"Use production App Configuration SKU","text":"Azure.AppConfig.SKUAZR-000057Error

    Reliability \u00b7 App Configuration \u00b7 Rule \u00b7 2020_12

    App Configuration should use a minimum size of Standard.

    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#description","title":"Description","text":"

    App Configuration is offered in two different SKUs; Free, and Standard. Standard includes additional features, increases scalability, and 99.9% SLA. The Free SKU does not include a SLA.

    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#recommendation","title":"Recommendation","text":"

    Consider upgrading App Configuration instances to Standard. Free instances are intended only for early development and testing scenarios.

    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#examples","title":"Examples","text":"","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy configuration stores that pass this rule:

    • Set the sku.name property to standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.AppConfiguration/configurationStores\",\n\"apiVersion\": \"2023-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"enablePurgeProtection\": true,\n\"publicNetworkAccess\": \"Disabled\"\n}\n}\n
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy configuration stores that pass this rule:

    • Set the sku.name property to standard.

    For example:

    Azure Bicep snippet
    resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#configure-with-bicep-public-registry","title":"Configure with Bicep Public Registry","text":"

    To deploy App Configuration Stores that pass this rule:

    • Set the params.skuName parameter to Standard.

    For example:

    Azure Bicep snippet
    module store 'br/public:app/app-configuration:1.1.1' = {\n  name: 'store'\n  params: {\n    skuName: 'Standard'\n    disableLocalAuth: true\n    enablePurgeProtection: true\n    publicNetworkAccess: 'Disabled'\n  }\n}\n
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppConfig.SKU/#links","title":"Links","text":"
    • Meet application platform requirements
    • App Configuration pricing
    • Which App Configuration tier should I use?
    • Public registry
    • Azure deployment reference
    ","tags":["Azure.AppConfig.SKU","AZR-000057"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/","title":"Application gateways should use Availability zones in supported regions","text":"Azure.AppGw.AvailabilityZoneAZR-000060Error

    Reliability \u00b7 Application Gateway \u00b7 Rule \u00b7 2021_09

    Application gateways should use availability zones in supported regions for high availability.

    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#description","title":"Description","text":"

    Application gateways using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Application gateway or Web Application Firewall (WAF) deployment can spread across multiple availability zones, which ensures the application gateway will continue running even if another zone has gone down. Backend pools for applications can be similarly distributed across availability zones.

    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for Application gateways deployed with V2 SKU (Standard_v2, WAF_v2).

    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is null, [] or not set when the Application gateway is deployed with V2 SKU (Standard_v2, WAF_v2) and there are supported availability zones for the given region.

    Configure AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Network and resource type applicationGateways.

    # YAML: The default AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for an Application gateway

    • Set zones to any or all of [\"1\", \"2\", \"3\"].
    • Set properties.sku.name and properties.sku.tier to Standard_v2 or WAF_v2.

    For example:

    Azure Template snippet
      {\n\"name\": \"appGw-001\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2019-09-01\",\n\"location\": \"[resourceGroup().location]\",\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"tags\": {},\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"autoscaleConfiguration\": {\n\"minCapacity\": 2,\n\"maxCapacity\": 3\n}\n}\n}\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for an Application gateway

    • Set zones to any or all of [\"1\", \"2\", \"3\"].
    • Set properties.sku.name and properties.sku.tier to Standard_v2 or WAF_v2.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: {\n      minCapacity: 2\n      maxCapacity: 3\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#create-wafv2-application-gateway-in-zone-1-2-and-3","title":"Create WAFv2 Application Gateway in Zone 1, 2 and 3","text":"Azure CLI snippet
    az network application-gateway create \\\n--name '<application_gateway_name>' \\\n--location '<location>' \\\n--resource-group '<resource_group>' \\\n--capacity '<capacity>' \\\n--sku WAF_v2 \\\n--public-ip-address '<public_ip_address>' \\\n--vnet-name '<virtual_network_name>' \\\n--subnet '<subnet_name>' \\\n--zones 1 2 3 \\\n--servers '<address_1>' '<address_2>'\n
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Autoscaling and Zone-redundant Application Gateway v2
    • Use zone-aware services
    • Azure Well-Architected Framework - Reliability
    ","tags":["Azure.AppGw.AvailabilityZone","AZR-000060"]},{"location":"en/rules/Azure.AppGw.MigrateV2/","title":"Migrate to Application Gateway v2","text":"Azure.AppGw.MigrateV2AZR-000376Error

    Operational Excellence \u00b7 Application Gateway \u00b7 Rule \u00b7 2023_06

    Use a Application Gateway v2 SKU.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#description","title":"Description","text":"

    The Application Gateway v1 SKUs (Standard and WAF) will be retired on April 28, 2026. To avoid service disruption, migrate to Application Gateway v2 SKUs.

    The v2 SKUs offers performance enhancements, security controls and adds support for critical new features like autoscaling, zone redundancy, support for static VIPs, header rewrite, key vault integration, mutual authentication (mTLS), Azure Kubernetes Service ingress controller and private link.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#recommendation","title":"Recommendation","text":"

    Migrate deprecated v1 Application Gateways to a v2 SKU before retirement to avoid service disruption.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set properties.sku.tier or properties.sku.name to Standard_v2 (Application Gateway) or WAF_v2 (Web Application Firewall).

    For example:

    Azure Template snippet
    {\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2022-07-01\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"capacity\": 2,\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n}\n}\n}\n
    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set properties.sku.tier or properties.sku.name to Standard_v2 (Application Gateway) or WAF_v2 (Web Application Firewall).

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {\n  name: \n  location: location\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#notes","title":"Notes","text":"

    This rule is applicable for both Application Gateways and Application Gateways with Web Application Firewall (WAF).

    Not all existing features under the v1 SKUs are supported in the v2 SKUs. The v2 SKUs are not currently available in all regions.

    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MigrateV2/#links","title":"Links","text":"
    • Infrastructure provisioning
    • Migrate your Application Gateways
    • What is Azure Application Gateway v2?
    • Azure deployment reference
    ","tags":["Azure.AppGw.MigrateV2","AZR-000376"]},{"location":"en/rules/Azure.AppGw.MinInstance/","title":"Use two or more Application Gateway instances","text":"Azure.AppGw.MinInstanceAZR-000061Error

    Reliability \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Application Gateways should use a minimum of two instances.

    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#description","title":"Description","text":"

    Application Gateways should use two or more instances to be covered by the Service Level Agreement (SLA). By having two or more instances this allows the App Gateway to meet high availability requirements and reduce downtime.

    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#recommendation","title":"Recommendation","text":"

    When using Application Gateway v1 or v2 with auto-scaling disabled, specify the number of instances to be two or more. When auto-scaling is enabled with Application Gateway v2, configure the minimum number of instances to be two or more.

    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set capacity for an Application gateway

    Autoscaling:

    • Set autoscaleConfiguration.minCapacity to any or all of 2.

    Manual Scaling:

    • Set sku.capacitiy to 2 or more.

    For example:

    Azure Template snippet
    {\n\"name\": \"appGw-001\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2019-09-01\",\n\"location\": \"[resourceGroup().location]\",\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"properties\": {\n\"sku\": {\n\"capacity\": 2, // Manual Scale\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"autoscaleConfiguration\": { //Autoscale\n\"minCapacity\": 2,\n\"maxCapacity\": 3\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Detection\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.0\"\n}\n}\n}\n
    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set capacity for an Application gateway

    Autoscaling:

    • Set autoscaleConfiguration.minCapacity to any or all of 2.

    Manual Scaling:

    • Set sku.capacitiy to 2 or more.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  properties: {\n    sku: {\n      capacity: 2 // Manual scale\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    autoscaleConfiguration: { // Autoscale\n      minCapacity: 1\n      maxCapacity: 2\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Detection'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.0'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinInstance/#links","title":"Links","text":"
    • Azure Application Gateway SLA
    • Azure deployment reference
    • Azure Well-Architected Framework - Reliability
    ","tags":["Azure.AppGw.MinInstance","AZR-000061"]},{"location":"en/rules/Azure.AppGw.MinSku/","title":"Use production Application Gateway SKU","text":"Azure.AppGw.MinSkuAZR-000062Error

    Operational Excellence \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Application Gateway should use a minimum instance size of Medium.

    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#description","title":"Description","text":"

    An Application Gateway is offered in different versions v1 and v2. When deploying an Application Gateway v1, three different instance sizes are available: Small, Medium and Large.

    Application Gateway v2, Standard_v2 and WAF_v2 SKUs don't offer different instance sizes.

    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#recommendation","title":"Recommendation","text":"

    Application Gateways using v1 SKUs should be deployed with an instance size of Medium or Large. Small instance sizes are intended for development and testing scenarios.

    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#examples","title":"Examples","text":"","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set the instance size for an Application Gateway V1:

    • Set properties.sku.name to Standard_Medium or Standard_Large.

    For example:

    Azure Template snippet
    {\n\"name\": \"appGw-001\",\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2019-09-01\",\n\"location\": \"[resourceGroup().location]\",\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"tags\": {},\n\"properties\": {\n\"sku\": {\n\"capacity\": 2,\n\"name\": \"Standard_Large\",\n\"tier\": \"Standard\"\n},\n\"enableHttp2\": false\n}\n}\n
    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set the instance size for an Application Gateway V1:

    • Set properties.sku.name to Standard_Medium or Standard_Large.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  properties: {\n    sku: {\n      capacity: 2\n      name: 'Standard_Large'\n      tier: 'Standard'\n    }\n    enableHttp2: false\n  }\n}\n
    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.MinSku/#links","title":"Links","text":"
    • Azure Application Gateway sizing
    • Azure Application Gateway SLA
    • Azure deployment reference
    • Azure Well-Architected Framework - Reliability
    ","tags":["Azure.AppGw.MinSku","AZR-000062"]},{"location":"en/rules/Azure.AppGw.Name/","title":"Use valid names","text":"Azure.AppGw.NameAZR-000348Error

    Operational Excellence \u00b7 Application Gateway \u00b7 Rule \u00b7 2022_12

    Application Gateways should meet naming requirements.

    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Application Gateway names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods and hyphens.
    • Start with alphanumeric.
    • End with alphanumeric or underscore.
    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Application Gateway naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#notes","title":"Notes","text":"

    This rule does not check if Application Gateways names are unique.

    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Application Gateway
    • Template reference
    ","tags":["Azure.AppGw.Name","AZR-000348"]},{"location":"en/rules/Azure.AppGw.OWASP/","title":"Use OWASP 3.x rules","text":"Azure.AppGw.OWASPAZR-000067Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules.

    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#description","title":"Description","text":"

    Application Gateways deployed with WAF features support configuration of OWASP rule sets for detection and / or prevention of malicious attacks. Two rule set versions are available; OWASP 2.x and OWASP 3.x.

    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateways to use OWASP 3.x rules instead of 2.x rule set versions.

    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#examples","title":"Examples","text":"","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.ruleSetType property to OWASP.
    • Set the properties.webApplicationFirewallConfiguration.ruleSetVersion property to a minimum of 3.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.ruleSetType property to OWASP.
    • Set the properties.webApplicationFirewallConfiguration.ruleSetVersion property to a minimum of 3.2.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true --rule-set-type OWASP --rule-set-version '3.2' -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.2'\n
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.OWASP/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • OWASP ModSecurity Core Rule Set
    • Azure deployment reference
    ","tags":["Azure.AppGw.OWASP","AZR-000067"]},{"location":"en/rules/Azure.AppGw.Prevention/","title":"Use WAF prevention mode","text":"Azure.AppGw.PreventionAZR-000065Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Internet exposed Application Gateways should use prevention mode to protect backend resources.

    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#description","title":"Description","text":"

    Application Gateways with Web Application Firewall (WAF) enabled support two modes of operation:

    • Detection - Monitors and logs all threat alerts. In this mode, the WAF doesn't block incoming requests that are potentially malicious.
    • Protection - Blocks potentially malicious attack patterns that the rules detect.
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#recommendation","title":"Recommendation","text":"

    Consider switching Internet exposed Application Gateways to use prevention mode to protect backend resources.

    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#examples","title":"Examples","text":"","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.firewallMode property to Prevention.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.firewallMode property to Prevention.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: []\n      requestBodyCheck: true\n      maxRequestBodySizeInKb: 128\n      fileUploadLimitInMb: 100\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true --firewall-mode Prevention -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.Prevention/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Application Gateway WAF modes
    • Azure deployment reference
    ","tags":["Azure.AppGw.Prevention","AZR-000065"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/","title":"Application Gateways use a minimum TLS 1.2","text":"Azure.AppGw.SSLPolicyAZR-000064Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Application Gateway should only accept a minimum of TLS 1.2.

    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#description","title":"Description","text":"

    Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.

    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateway to accept a minimum of TLS 1.2.

    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule use a predefined or custom policy:

    • Custom \u2014 Set the properties.sslPolicy.policyType property to Custom.
      • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
      • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • Predefined \u2014 Set the properties.sslPolicy.policyType property to Predefined.
      • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"sslPolicy\": {\n\"policyType\": \"Custom\",\n\"minProtocolVersion\": \"TLSv1_2\",\n\"cipherSuites\": [\n\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\"\n]\n}\n}\n}\n
    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule use a predefined or custom policy:

    • Custom \u2014 Set the properties.sslPolicy.policyType property to Custom.
      • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
      • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • Predefined \u2014 Set the properties.sslPolicy.policyType property to Predefined.
      • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      policyType: 'Custom'\n      minProtocolVersion: 'TLSv1_2'\n      cipherSuites: [\n        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'\n        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'\n        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.SSLPolicy/#links","title":"Links","text":"
    • Data encryption in Azure
    • Application Gateway SSL policy overview
    • Configure SSL policy versions and cipher suites on Application Gateway
    • Overview of TLS termination and end to end TLS with Application Gateway
    • Azure deployment reference
    • Predefined TLS policy
    • Cipher suites
    • Limitations
    ","tags":["Azure.AppGw.SSLPolicy","AZR-000064"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/","title":"Expose frontend HTTP endpoints over HTTPS","text":"Azure.AppGw.UseHTTPSAZR-000059Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2021_09

    Application Gateways should only expose frontend HTTP endpoints over HTTPS.

    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#description","title":"Description","text":"

    Application Gateways support HTTP and HTTPS endpoints for backend and frontend traffic. When using frontend HTTP (80) endpoints, traffic between client and Application Gateway is not encrypted.

    Unencrypted communication could allow disclosure of information to an un-trusted party.

    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateways to only expose HTTPS endpoints. For client applications such as progressive web apps, consider redirecting HTTP traffic to HTTPS.

    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.frontendPorts.properties.port property to 443.

    Fors example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"sslPolicy\": {\n\"minProtocolVersion\": \"TLSv1_2\"\n},\n\"frontendPorts\": [\n{\n\"name\": \"https\",\n\"properties\": {\n\"Port\": 443\n}\n}\n]\n}\n}\n
    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.frontendPorts.properties.port property to 443.

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    sslPolicy: {\n      minProtocolVersion: 'TLSv1_2'\n    }\n    frontendPorts: [\n      {\n        name: 'https'\n        properties: {\n          Port: 443\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseHTTPS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Create an application gateway with HTTP to HTTPS redirection using the Azure portal
    • Azure deployment reference
    ","tags":["Azure.AppGw.UseHTTPS","AZR-000059"]},{"location":"en/rules/Azure.AppGw.UseWAF/","title":"Application Gateway uses WAF SKU","text":"Azure.AppGw.UseWAFAZR-000063Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Internet accessible Application Gateways should use protect endpoints with WAF.

    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#description","title":"Description","text":"

    Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.

    To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.

    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#recommendation","title":"Recommendation","text":"

    Consider deploying Application Gateways with a WAF SKU to protect against common attacks.

    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#examples","title":"Examples","text":"","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Deploy an Application Gateway with the WAF or WAF_v2 SKU.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Deploy an Application Gateway with the WAF or WAF_v2 SKU.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway update --sku WAF_v2 -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\n$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'\n
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.UseWAF/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Azure deployment reference
    ","tags":["Azure.AppGw.UseWAF","AZR-000063"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGw.WAFEnabledAZR-000066Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#description","title":"Description","text":"

    Security features of Application Gateways deployed with WAF may be toggled on or off.

    When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.

    To protect backend resources from potentially malicious network traffic, WAF must be enabled.

    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.

    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFEnabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Azure deployment reference
    ","tags":["Azure.AppGw.WAFEnabled","AZR-000066"]},{"location":"en/rules/Azure.AppGw.WAFRules/","title":"Application Gateway rules are enabled","text":"Azure.AppGw.WAFRulesAZR-000068Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2020_06

    Application Gateway Web Application Firewall (WAF) should have all rules enabled.

    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#description","title":"Description","text":"

    Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.

    When OWASP rules are turned off, the protection they provide is disabled.

    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#recommendation","title":"Recommendation","text":"

    Consider enabling all OWASP rules within Application Gateway instances.

    Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.

    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#examples","title":"Examples","text":"","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.disabledRuleGroups.ruleGroupName property to $ruleName.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationGateways\",\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"appGw-001\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"WAF_v2\",\n\"tier\": \"WAF_v2\"\n},\n\"webApplicationFirewallConfiguration\": {\n\"enabled\": true,\n\"firewallMode\": \"Prevention\",\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\",\n\"disabledRuleGroups\": [\n{\n\"ruleGroupName\": \"exampleRule\",\n\"rules\": []\n}\n],\n\"requestBodyCheck\": true,\n\"maxRequestBodySizeInKb\": 128,\n\"fileUploadLimitInMb\": 100\n}\n}\n}\n
    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.webApplicationFirewallConfiguration.enabled property to true.

    For example:

    Azure Bicep snippet
    resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {\n  name: 'appGw-001'\n  location: location\n  properties: {\n    sku: {\n      name: 'WAF_v2'\n      tier: 'WAF_v2'\n    }\n    webApplicationFirewallConfiguration: {\n      enabled: true\n      firewallMode: 'Prevention'\n      ruleSetType: 'OWASP'\n      ruleSetVersion: '3.2'\n      disabledRuleGroups: [\n        {\n          ruleGroupName: 'exampleRule',\n          rules: []\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGw.WAFRules/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Web Application Firewall CRS rule groups and rules
    • Azure deployment reference
    ","tags":["Azure.AppGw.WAFRules","AZR-000068"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/","title":"Application Gateway WAF is enabled","text":"Azure.AppGwWAF.EnabledAZR-000309Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2022_09

    Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.

    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#description","title":"Description","text":"

    Security features of Application Gateways deployed with WAF may be toggled on or off.

    When WAF is disabled network traffic is still processed by the Application Gateway however detection and/ or prevention of malicious attacks does not occur.

    To protect backend resources from potentially malicious network traffic, WAF must be enabled.

    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF for Application Gateway instances connected to un-trusted or low-trust networks such as the Internet.

    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.policySettings.state property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"agwwaf\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"OWASP\",\n\"ruleSetVersion\": \"3.2\"\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"0.1\"\n}\n]\n},\n\"policySettings\": {\n\"state\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Gateways that pass this rule:

    • Set the properties.policySettings.state property to Enabled.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-01-01' = {\n  name: 'agwwaf'\n  location: location\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'OWASP'\n          ruleSetVersion: '3.2'\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '0.1'\n        }\n      ]\n    }\n    policySettings: {\n      state: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network application-gateway waf-config set --enabled true -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'\nSet-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $AppGw -Enabled $True -FirewallMode 'Prevention'\n
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Enabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Azure deployment reference
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.Enabled","AZR-000309"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/","title":"Application Gateway rules are enabled","text":"Azure.AppGwWAF.ExclusionsAZR-000303Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2022_09

    Application Gateway Web Application Firewall (WAF) should have all rules enabled.

    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#description","title":"Description","text":"

    Application Gateway instances with WAF allow OWASP detection/ prevention rules to be toggled on or off. All OWASP rules are turned on by default.

    When OWASP rules are turned off, the protection they provide is disabled.

    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#recommendation","title":"Recommendation","text":"

    Consider enabling all OWASP rules within Application Gateway instances.

    Before disabling OWASP rules, ensure that the backend workload has alternative protections in-place. Alternatively consider updating application code to use safe web standards.

    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.Exclusions/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • What is Azure Web Application Firewall on Azure Application Gateway?
    • Web Application Firewall CRS rule groups and rules
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.Exclusions","AZR-000303"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/","title":"Use Application Gateway WAF policy in prevention mode","text":"Azure.AppGwWAF.PreventionModeAZR-000302Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2022_09

    Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#description","title":"Description","text":"

    Application Gateway WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

    • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Application Gateway instance must be configured.
    • Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#recommendation","title":"Recommendation","text":"

    Consider setting Application Gateway WAF policy to use protection mode.

    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.PreventionMode/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.PreventionMode","AZR-000302"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/","title":"Use Recommended Application Gateway WAF policy rule groups","text":"Azure.AppGwWAF.RuleGroupsAZR-000304Error

    Security \u00b7 Application Gateway \u00b7 Rule \u00b7 2022_09

    Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#description","title":"Description","text":"

    Application Gateway WAF policies support two main Rule Groups.

    • OWASP - Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0. It is recommended to use the latest rule set.
    • Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.
    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#recommendation","title":"Recommendation","text":"

    Consider configuring Application Gateway WAF policy to use the recommended rule sets.

    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppGwWAF.RuleGroups/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Web Application Firewall CRS rule groups and rules
    • Bot protection overview
    • Web Application Firewall best practices
    ","tags":["Azure.AppGwWAF.RuleGroups","AZR-000304"]},{"location":"en/rules/Azure.AppInsights.Name/","title":"Use valid Application Insights resource names","text":"Azure.AppInsights.NameAZR-000070Error

    Operational Excellence \u00b7 Application Insights \u00b7 Rule \u00b7 2021_06

    Azure Application Insights resources names should meet naming requirements.

    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Application Insights resource names are:

    • Between 1 and 255 characters long.
    • Letters, numbers, hyphens, periods, underscores, and parenthesis.
    • Must not end in a period.
    • Resource names must be unique within a resource group.
    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Application Insights resource naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#notes","title":"Notes","text":"

    This rule does not check if Application Insights resource names are unique.

    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Define your naming convention
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.AppInsights.Name","AZR-000070"]},{"location":"en/rules/Azure.AppInsights.Workspace/","title":"Use workspace-based App Insights resources","text":"Azure.AppInsights.WorkspaceAZR-000069Error

    Operational Excellence \u00b7 Application Insights \u00b7 Rule \u00b7 2021_06

    Configure Application Insights resources to store data in workspaces.

    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#description","title":"Description","text":"

    Application Insights (App Insights) can be deployed as either classic or workspace-based resources. When configured as workspace-based, telemetry is sent from App Insights to a common Log Analytics workspace.

    Using a Log Analytics workspace for App Insights:

    • Makes it easier to query across applications.
    • Adds support for additional features of Log Analytics workspaces including:
      • Customer-Managed Keys (CMK).
      • Support for Azure Private Link.
      • Capacity Reservation tiers.
      • Faster data ingestion.

    App Insights resources can be configured as workspace-based either during or after initial deployment.

    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#recommendation","title":"Recommendation","text":"

    Consider using workspace-based Application Insights resources to collect telemetry in shared storage.

    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#examples","title":"Examples","text":"","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Application Insights resources that pass this rule:

    • Set the properties.WorkspaceResourceId property to a valid Log Analytics workspace.

    For example:

    Azure Template snippet
    {\n\"type\": \"microsoft.insights/components\",\n\"apiVersion\": \"2020-02-02\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"Application_Type\": \"web\",\n\"Flow_Type\": \"Redfield\",\n\"Request_Source\": \"IbizaAIExtension\",\n\"WorkspaceResourceId\": \"[parameters('workspaceId')]\"\n}\n}\n
    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Application Insights resources that pass this rule:

    • Set the properties.WorkspaceResourceId property to a valid Log Analytics workspace.

    For example:

    Azure Bicep snippet
    resource appInsights 'Microsoft.Insights/components@2020-02-02' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    Application_Type: 'web'\n    Flow_Type: 'Redfield'\n    Request_Source: 'IbizaAIExtension'\n    WorkspaceResourceId: workspaceId\n  }\n}\n
    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppInsights.Workspace/#links","title":"Links","text":"
    • Collection and storage
    • Migrate to workspace-based Application Insights resources
    • Azure resource template
    ","tags":["Azure.AppInsights.Workspace","AZR-000069"]},{"location":"en/rules/Azure.AppService.ARRAffinity/","title":"Disable Application Request Routing","text":"Azure.AppService.ARRAffinityAZR-000083Error

    Performance Efficiency \u00b7 App Service \u00b7 Rule \u00b7 2020_06

    Disable client affinity for stateless services.

    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#description","title":"Description","text":"

    Azure App Service apps use Application Request Routing (ARR) by default. ARR uses a cookie to route subsequent client requests back to the same instance when an app is scaled to two or more instances. This benefits stateful applications, which may hold session information in instance memory.

    For stateless applications, disabling ARR allows Azure App Service more evenly distribute load.

    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#recommendation","title":"Recommendation","text":"

    Azure App Service sites make use of Application Request Routing (ARR) by default. Consider disabling ARR affinity for stateless applications.

    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.ARRAffinity/#links","title":"Links","text":"
    • Design for performance efficiency
    • Configure an App Service app
    • Azure deployment reference
    ","tags":["Azure.AppService.ARRAffinity","AZR-000083"]},{"location":"en/rules/Azure.AppService.AlwaysOn/","title":"Use App Service Always On","text":"Azure.AppService.AlwaysOnAZR-000077Error

    Reliability \u00b7 App Service \u00b7 Rule \u00b7 2020_12

    Configure Always On for App Service apps.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#description","title":"Description","text":"

    Azure App Service apps are automatically unloaded when there's no traffic. Unloading apps reduces resource consumption when apps share a single App Services Plan. After an app have been unloaded, the next web request will trigger a cold start of the app. A cold start of the app can cause request timeouts.

    Web apps using continuous WebJobs or WebJobs triggered with a CRON expression must use always on to start.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#recommendation","title":"Recommendation","text":"

    Consider enabling Always On for each App Services app.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#examples","title":"Examples","text":"","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.alwaysOn to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.alwaysOn to true.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#notes","title":"Notes","text":"

    The Always On feature of App Service is not applicable to Azure Functions and Standard Logic Apps under most circumstances. To reduce false positives, this rule ignores apps based on Azure Functions and Standard Logic Apps.

    When running in a Consumption Plan or Premium Plan you should not enable Always On. On a Consumption plan the platform activates function apps automatically. On a Premium plan the platform keeps your desired number of pre-warmed instances always on automatically.

    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.AlwaysOn/#links","title":"Links","text":"
    • Azure App Service and reliability
    • Configure an App Service app
    • The Ultimate Guide to Running Healthy Apps in the Cloud
    • Always on with Azure Functions
    • Dedicated hosting plans for Azure Functions
    • Azure deployment reference
    ","tags":["Azure.AppService.AlwaysOn","AZR-000077"]},{"location":"en/rules/Azure.AppService.HTTP2/","title":"Use HTTP/2 connections for App Service apps","text":"Azure.AppService.HTTP2AZR-000078Error

    Performance Efficiency \u00b7 App Service \u00b7 Rule \u00b7 2020_12

    Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency.

    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#description","title":"Description","text":"

    Azure App Service has native support for HTTP/2, but by default it is disabled. HTTP/2 offers a number of improvements over HTTP/1.1, including:

    • Connections are fully multiplexed, instead of ordered and blocking.
    • Connections are reused, reducing connection establishment overhead.
    • Headers are compressed to reduce overhead.
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#recommendation","title":"Recommendation","text":"

    Consider using HTTP/2 for Azure Services apps to improve protocol efficiency.

    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#examples","title":"Examples","text":"","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.http20Enabled to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.http20Enabled to true.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.HTTP2/#links","title":"Links","text":"
    • Performance efficiency checklist
    • Configure an App Service app
    • Azure deployment reference
    ","tags":["Azure.AppService.HTTP2","AZR-000078"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/","title":"App Service apps uses a managed identity","text":"Azure.AppService.ManagedIdentityAZR-000082Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2020_12

    Configure managed identities to access Azure resources.

    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#description","title":"Description","text":"

    Azure App Service apps must authenticate to Azure resources such as Azure SQL Databases. App Service can use managed identities to authenticate to Azure resource without storing credentials.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • What are managed identities for Azure resources?
    • Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
    • How to use managed identities for App Service and Azure Functions
    • Azure deployment reference
    ","tags":["Azure.AppService.ManagedIdentity","AZR-000082"]},{"location":"en/rules/Azure.AppService.MinPlan/","title":"Use App Service production SKU","text":"Azure.AppService.MinPlanAZR-000072Error

    Performance Efficiency \u00b7 App Service \u00b7 Rule \u00b7 2020_06

    Use at least a Standard App Service Plan.

    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#description","title":"Description","text":"

    Azure App Services provide a range of different plans that can be used to scale your application. Each plan provides different levels of performance and features.

    To get you started a number of entry level plans are available. The Free, Shared, and Basic plans can be used for limited testing and development. However these plans are not suitable for production use. Production workloads are best suited to standard and premium plans with PremiumV3 the newest plan.

    This rule does not apply to consumption or elastic App Services Plans used for Azure Functions.

    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#recommendation","title":"Recommendation","text":"

    Consider using a standard or premium plan for hosting apps on Azure App Service.

    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.tier to a plan equal to or greater than Standard. For example: PremiumV3, PremiumV2, Premium, Standard

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/serverfarms\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('planName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"S1\",\n\"tier\": \"Standard\",\n\"capacity\": 2\n}\n}\n
    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.tier to a plan equal to or greater than Standard. For example: PremiumV3, PremiumV2, Premium, Standard

    For example:

    Azure Bicep snippet
    resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n
    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinPlan/#links","title":"Links","text":"
    • Choose the right resources
    • Azure App Service plan overview
    • Manage an App Service plan in Azure
    • Configure PremiumV3 tier for Azure App Service
    • App Service pricing
    • Azure deployment reference
    ","tags":["Azure.AppService.MinPlan","AZR-000072"]},{"location":"en/rules/Azure.AppService.MinTLS/","title":"App Service minimum TLS version","text":"Azure.AppService.MinTLSAZR-000073Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2020_06

    App Service should reject TLS versions older than 1.2.

    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure App Service accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    App Service lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.

    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.minTlsVersion to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.minTlsVersion to 1.2.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Enforce TLS versions
    • Preparing for TLS 1.2 in Microsoft Azure
    • Insecure protocols
    • Azure Policy built-in definitions for Azure App Service
    • Azure deployment reference
    ","tags":["Azure.AppService.MinTLS","AZR-000073"]},{"location":"en/rules/Azure.AppService.NETVersion/","title":"Use a newer .NET version","text":"Azure.AppService.NETVersionAZR-000075Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2020_12

    Configure applications to use newer .NET versions.

    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#description","title":"Description","text":"

    Within a App Service app, the version of .NET used to run application/ site code is configurable. Older versions of .NET may not use the latest security features.

    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#recommendation","title":"Recommendation","text":"

    Consider updating the site to use a newer .NET version such as v6.0.

    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.netFrameworkVersion to a minimum of v4.0.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.netFrameworkVersion to a minimum of v4.0.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.NETVersion/#links","title":"Links","text":"
    • Security design principles
    • Set .NET Framework runtime version
    • Azure deployment reference
    ","tags":["Azure.AppService.NETVersion","AZR-000075"]},{"location":"en/rules/Azure.AppService.PHPVersion/","title":"Use a newer PHP runtime version","text":"Azure.AppService.PHPVersionAZR-000076Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2020_12

    Configure applications to use newer PHP runtime versions.

    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#description","title":"Description","text":"

    Within a App Service app, the version of PHP runtime used to run application/ site code is configurable. Older versions of PHP may not use the latest security features.

    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#recommendation","title":"Recommendation","text":"

    Consider updating the site to use a newer PHP runtime version such as 7.4.

    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#examples","title":"Examples","text":"","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.phpVersion to a minimum of 7.0.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"OFF\",\n\"phpVersion\": \"7.4\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.phpVersion to a minimum of 7.0.

    For example:

    Azure Bicep snippet
    resource webAppPHP 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'OFF'\n      phpVersion: '7.4'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PHPVersion/#links","title":"Links","text":"
    • Security design principles
    • Set PHP Version
    • Azure deployment reference
    ","tags":["Azure.AppService.PHPVersion","AZR-000076"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/","title":"Use two or more App Service Plan instances","text":"Azure.AppService.PlanInstanceCountAZR-000071Error

    Reliability \u00b7 App Service \u00b7 Rule \u00b7 2020_06

    App Service Plan should use a minimum number of instances for failover.

    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#description","title":"Description","text":"

    App Services Plans provides a configurable number of instances that will run apps. When a single instance is configured your app may be temporarily unavailable during unplanned interruptions. In most circumstances, Azure will self heal faulty app service instances automatically. However during this time there may interruptions to your workload.

    This rule does not apply to consumption or elastic App Services Plans.

    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#recommendation","title":"Recommendation","text":"

    Consider using an App Service Plan with at least two (2) instances.

    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#examples","title":"Examples","text":"","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.capacity to 2 or more.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/serverfarms\",\n\"apiVersion\": \"2021-01-15\",\n\"name\": \"[parameters('planName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"S1\",\n\"tier\": \"Standard\",\n\"capacity\": 2\n}\n}\n
    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services Plans that pass this rule:

    • Set sku.capacity to 2 or more.

    For example:

    Azure Bicep snippet
    resource appPlan 'Microsoft.Web/serverfarms@2021-01-15' = {\n  name: planName\n  location: location\n  sku: {\n    name: 'S1'\n    tier: 'Standard'\n    capacity: 2\n  }\n}\n
    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.PlanInstanceCount/#links","title":"Links","text":"
    • Resiliency and dependencies
    • Get started with Autoscale in Azure
    • Azure deployment reference
    ","tags":["Azure.AppService.PlanInstanceCount","AZR-000071"]},{"location":"en/rules/Azure.AppService.RemoteDebug/","title":"Disable App Service remote debugging","text":"Azure.AppService.RemoteDebugAZR-000074Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2020_12

    Disable remote debugging on App Service apps when not in use.

    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#description","title":"Description","text":"

    Remote debugging can be enabled on apps running within Azure App Services.

    To enable remote debugging, App Service allows connectivity to additional ports. While access to remote debugging ports is authenticated, the attack service for an app is increased.

    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#recommendation","title":"Recommendation","text":"

    Consider disabling remote debugging when not in use.

    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#examples","title":"Examples","text":"","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.remoteDebuggingEnabled to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.siteConfig.remoteDebuggingEnabled to false.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.RemoteDebug/#links","title":"Links","text":"
    • Configure general settings
    • Azure deployment reference
    ","tags":["Azure.AppService.RemoteDebug","AZR-000074"]},{"location":"en/rules/Azure.AppService.UseHTTPS/","title":"Enforce encrypted App Service connections","text":"Azure.AppService.UseHTTPSAZR-000084Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2020_06

    Azure App Service apps should only accept encrypted connections.

    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#description","title":"Description","text":"

    Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.

    Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.

    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#recommendation","title":"Recommendation","text":"

    When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#examples","title":"Examples","text":"","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy App Services that pass this rule:

    • Set properties.httpsOnly to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy App Services that pass this rule:

    • Set properties.httpsOnly to true.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {\n  name: name\n  location: location\n  kind: 'web'\n  properties: {\n    serverFarmId: appPlan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.UseHTTPS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Enforce HTTPS
    • Azure Policy built-in definitions for Azure App Service
    • Azure deployment reference
    ","tags":["Azure.AppService.UseHTTPS","AZR-000084"]},{"location":"en/rules/Azure.AppService.WebProbe/","title":"Web apps use health probes","text":"Azure.AppService.WebProbeAZR-000079Error

    Reliability \u00b7 App Service \u00b7 Rule \u00b7 2022_06

    Configure and enable instance health probes.

    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#description","title":"Description","text":"

    Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.

    Regular checks of the monitored path allow Azure App Service to route traffic based on availability.

    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#recommendation","title":"Recommendation","text":"

    Consider configuring a health probe to monitor instance availability.

    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a valid application path such as /healthz.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\",\n\"healthCheckPath\": \"/healthz\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a valid application path such as /healthz.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n      healthCheckPath: '/healthz'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbe/#links","title":"Links","text":"
    • Creating good health probes
    • Route traffic to healthy instances (App Service)
    • Health Check is now Generally Available
    • Azure deployment reference
    ","tags":["Azure.AppService.WebProbe","AZR-000079"]},{"location":"en/rules/Azure.AppService.WebProbePath/","title":"Web apps use a dedicated health probe path","text":"Azure.AppService.WebProbePathAZR-000080Error

    Reliability \u00b7 App Service \u00b7 Rule \u00b7 2022_06

    Configure a dedicated path for health probe requests.

    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#description","title":"Description","text":"

    Azure App Service monitors a specific path for each web app instance to determine health status. The monitored path should implement functional checks to determine if the app is performing correctly. The checks should include dependencies including those that may not be regularly called.

    Regular checks of the monitored path allow Azure App Service to route traffic based on availability.

    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#recommendation","title":"Recommendation","text":"

    Consider using a dedicated health probe endpoint that implements functional checks.

    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a dedicated application path such as /healthz.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\",\n\"healthCheckPath\": \"/healthz\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.healthCheckPath to a dedicated application path such as /healthz.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n      healthCheckPath: '/healthz'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebProbePath/#links","title":"Links","text":"
    • Creating good health probes
    • Health check path
    • Health Check is now Generally Available
    • Azure deployment reference
    ","tags":["Azure.AppService.WebProbePath","AZR-000080"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/","title":"Web apps disable insecure FTP","text":"Azure.AppService.WebSecureFtpAZR-000081Error

    Security \u00b7 App Service \u00b7 Rule \u00b7 2022_06

    Web apps should disable insecure FTP and configure SFTP when required.

    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#description","title":"Description","text":"

    Azure App Service supports configuration of FTP and SFTP for uploading site content. By default, both FTP and SFTP are enabled. In many circumstances, use of FTP or SFTP is not required for automated deployments.

    When interactive deployments are required consider using SFTP instead of FTP. Use of FTP alone is not sufficient to prevent disclosure of sensitive information that may be transferred.

    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#recommendation","title":"Recommendation","text":"

    Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#examples","title":"Examples","text":"","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.ftpsState to FtpsOnly or Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Web/sites\",\n\"apiVersion\": \"2021-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"kind\": \"web\",\n\"properties\": {\n\"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\",\n\"httpsOnly\": true,\n\"siteConfig\": {\n\"alwaysOn\": true,\n\"minTlsVersion\": \"1.2\",\n\"ftpsState\": \"FtpsOnly\",\n\"remoteDebuggingEnabled\": false,\n\"http20Enabled\": true,\n\"netFrameworkVersion\": \"v6.0\",\n\"healthCheckPath\": \"/healthz\"\n}\n},\n\"tags\": \"[parameters('tags')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]\"\n]\n}\n
    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Web Apps that pass this rule:

    • Set properties.siteConfig.ftpsState to FtpsOnly or Disabled.

    For example:

    Azure Bicep snippet
    resource webApp 'Microsoft.Web/sites@2021-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  kind: 'web'\n  properties: {\n    serverFarmId: plan.id\n    httpsOnly: true\n    siteConfig: {\n      alwaysOn: true\n      minTlsVersion: '1.2'\n      ftpsState: 'FtpsOnly'\n      remoteDebuggingEnabled: false\n      http20Enabled: true\n      netFrameworkVersion: 'v6.0'\n      healthCheckPath: '/healthz'\n    }\n  }\n  tags: tags\n}\n
    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.AppService.WebSecureFtp/#links","title":"Links","text":"
    • Data encryption in Azure
    • Deploy your app to Azure App Service using FTP/S
    • Azure deployment reference
    ","tags":["Azure.AppService.WebSecureFtp","AZR-000081"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/","title":"Use Microsoft Defender","text":"Azure.Arc.Kubernetes.DefenderAZR-000373Error

    Security \u00b7 Arc \u00b7 Rule \u00b7 2023_06

    Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.

    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#description","title":"Description","text":"

    Defender for Containers relies on the Defender extension for several features.

    To collect and provide data plane protections of Microsoft Defender for Containers, the extension must be deployed to the Arc connected Kubernetes cluster. The extension will deploy some additional daemon set and deployments to the cluster.

    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#recommendation","title":"Recommendation","text":"

    Consider deploying the Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters.

    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#examples","title":"Examples","text":"","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Arc-enabled Kubernetes clusters that pass this rule:

    • Deploy a Microsoft.KubernetesConfiguration/extensions sub-resource (extension resource).
    • Set the properties.extensionType property to microsoft.azuredefender.kubernetes.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KubernetesConfiguration/extensions\",\n\"apiVersion\": \"2022-11-01\",\n\"scope\": \"[format('Microsoft.Kubernetes/connectedClusters/{0}', parameters('name'))]\",\n\"name\": \"microsoft.azuredefender.kubernetes\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"extensionType\": \"microsoft.azuredefender.kubernetes\",\n\"configurationSettings\": {\n\"logAnalyticsWorkspaceResourceID\": \"[parameters('logAnalyticsWorkspaceResourceID')]\",\n\"auditLogPath\": \"/var/log/kube-apiserver/audit.log\"\n},\n\"configurationProtectedSettings\": {\n\"omsagent.secret.wsid\": \"[parameters('wsid')]\",\n\"omsagent.secret.key\": \"[parameters('key')]\"\n},\n\"autoUpgradeMinorVersion\": true,\n\"releaseTrain\": \"Stable\",\n\"scope\": {\n\"cluster\": {\n\"releaseNamespace\": \"azuredefender\"\n}\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Kubernetes/connectedClusters', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Arc-enabled Kubernetes clusters that pass this rule:

    • Deploy a Microsoft.KubernetesConfiguration/extensions sub-resource (extension resource).
    • Set the properties.extensionType property to microsoft.azuredefender.kubernetes.

    For example:

    Azure Bicep snippet
    resource defenderExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = {\n  name: 'microsoft.azuredefender.kubernetes'\n  scope: arcKubernetesCluster\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    extensionType: 'microsoft.azuredefender.kubernetes'\n    configurationSettings: {\n      logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceResourceID\n      auditLogPath: '/var/log/kube-apiserver/audit.log'\n    }\n    configurationProtectedSettings: {\n      'omsagent.secret.wsid': wsid\n      'omsagent.secret.key': key\n    }\n    autoUpgradeMinorVersion: true\n    releaseTrain: 'Stable'\n    scope: {\n      cluster: {\n        releaseNamespace: 'azuredefender'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Kubernetes.Defender/#links","title":"Links","text":"
    • Security operations
    • Defender for Containers architecture
    • Enable Microsoft Defender for Containers
    • LT-1: Enable threat detection capabilities
    • Azure deployment reference
    ","tags":["Azure.Arc.Kubernetes.Defender","AZR-000373"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.Arc.Server.MaintenanceConfigAZR-000374Error

    Operational Excellence \u00b7 Arc \u00b7 Rule \u00b7 2023_06

    Use a maintenance configuration for Arc-enabled servers.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#description","title":"Description","text":"

    Arc-enabled servers can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#recommendation","title":"Recommendation","text":"

    Consider automatically managing and applying operating system updates with a maintenance configuration.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Arc-enabled servers that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Maintenance/configurationAssignments\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('assignmentName')]\",\n\"location\": \"[parameters('location')]\",\n\"scope\": \"[format('Microsoft.HybridCompute/machines/{0}', parameters('name'))]\",\n\"properties\": {\n\"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.HybridCompute/machines', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Arc-enabled servers that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Bicep snippet
    resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: arcServer\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n
    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#notes","title":"Notes","text":"

    Operating system updates with Update Management center is a preview feature. Not all regions or operating systems are supported; check the LINKS section for supported regions and operating systems. Update Management center does not support driver updates.

    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Arc.Server.MaintenanceConfig/#links","title":"Links","text":"
    • Repeatable infrastructure
    • About Update management center
    • How to programmatically manage updates for Azure Arc-enabled servers
    • Manage Update configuration settings
    • Supported regions
    • Supported operating systems
    • Azure deployment reference
    ","tags":["Azure.Arc.Server.MaintenanceConfig","AZR-000374"]},{"location":"en/rules/Azure.Automation.AuditLogs/","title":"Audit Automation Account data access","text":"Azure.Automation.AuditLogsAZR-000088Error

    Security \u00b7 Automation Account \u00b7 Rule \u00b7 2021_12

    Ensure automation account audit diagnostic logs are enabled.

    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#description","title":"Description","text":"

    To capture logs that record interactions with data or the settings of the automation account, diagnostic settings must be configured.

    When configuring diagnostic settings, enable at least one of the following:

    • AuditEvent category.
    • audit category group.
    • allLogs category group.

    Management (control-plane) operations on the Automation Account are captured automatically in the Azure Activity Log; the diagnostic setting above is needed to capture data-plane access and configuration changes.

    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to record interactions with data or the settings of the Automation Account.

    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"automationAccountName\": {\n\"defaultValue\": \"automation-account1\",\n\"type\": \"String\"\n},\n\"location\": {\n\"type\": \"String\"\n},\n\"workspaceId\": {\n\"type\": \"String\"\n}\n},\n\"variables\": {},\n\"resources\": [\n{\n\"type\": \"Microsoft.Automation/automationAccounts\",\n\"apiVersion\": \"2021-06-22\",\n\"name\": \"[parameters('automationAccountName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": false,\n\"sku\": {\n\"name\": \"Basic\"\n},\n\"encryption\": {\n\"keySource\": \"Microsoft.Automation\",\n\"identity\": {}\n}\n}\n},\n{\n\"comments\": \"Enable monitoring of Automation Account operations.\",\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"dependsOn\": [\n\"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n],\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"AuditEvent\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n
    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Template Reference
    ","tags":["Azure.Automation.AuditLogs","AZR-000088"]},{"location":"en/rules/Azure.Automation.EncryptVariables/","title":"Encrypt automation variables","text":"Azure.Automation.EncryptVariablesAZR-000086Error

    Security \u00b7 Automation Account \u00b7 Rule \u00b7 2020_06

    Azure Automation variables should be encrypted.

    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#description","title":"Description","text":"

    Azure Automation allows configuration properties to be saved as variables. Variables are a key/ value pairs, which may contain sensitive information.

    When variables are encrypted they can only be accessed from within the runbook context. Variables that are not encrypted are visible in plain text to anyone with read permission on the Automation Account.

    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#recommendation","title":"Recommendation","text":"

    Consider encrypting all automation account variables.

    Additionally, consider using Key Vault to store secrets. Key Vault improves security by tightly controlling access to secrets and improving management controls.

    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.EncryptVariables/#links","title":"Links","text":"
    • Variable assets in Azure Automation
    ","tags":["Azure.Automation.EncryptVariables","AZR-000086"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.Automation.ManagedIdentityAZR-000090Error

    Security \u00b7 Automation Account \u00b7 Rule \u00b7 2021_12

    Ensure Managed Identity is used for authentication.

    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#description","title":"Description","text":"

    Azure automation can use Managed Identities to authenticate to Azure resources without storing credentials.

    Using managed identities has the following benefits:

    • Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
    • Managed Identities can be used without any additional cost.
    • You don't have to specify the Run As connection object in your runbook code. You can access resources using your Automation Account's Managed Identity from a runbook.
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Automation Account.

    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Automation Accounts that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Automation/automationAccounts\",\n\"apiVersion\": \"2021-06-22\",\n\"name\": \"[parameters('automation_account_name')]\",\n\"location\": \"australiaeast\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": false,\n\"sku\": {\n\"name\": \"Basic\"\n},\n\"encryption\": {\n\"keySource\": \"Microsoft.Automation\",\n\"identity\": {}\n}\n}\n}\n
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Automation Accounts that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automation_account_name\n  location: 'australiaeast'\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities
    • Using a system-assigned managed identity for an Azure Automation account
    • Using a user-assigned managed identity for an Azure Automation account
    • Azure deployment reference
    ","tags":["Azure.Automation.ManagedIdentity","AZR-000090"]},{"location":"en/rules/Azure.Automation.PlatformLogs/","title":"Automation accounts should collect platform diagnostic logs","text":"Azure.Automation.PlatformLogsAZR-000089Error

    Operational Excellence \u00b7 Automation Account \u00b7 Rule \u00b7 2021_12

    Ensure automation account platform diagnostic logs are enabled.

    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#description","title":"Description","text":"

    To capture platform logs from Automation Accounts, the following diagnostic log categories should be enabled:

    • JobLogs
    • JobStreams
    • DSCNodeStatus

    We can also enable all the above with the allLogs category group.

    To capture metric categories, the following must be enabled as well:

    • AllMetrics - Total Jobs, Total Update Deployment Machine Runs, Total Update Deployment Runs
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to capture platform logs from Automation accounts.

    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#notes","title":"Notes","text":"

    Configure AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST to enable selective log categories. By default all log categories are selected, as shown below.

    # YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AllMetrics']\n
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#examples","title":"Examples","text":"","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the JobLogs, JobStreams, DSCNodeStatus and AllMetrics categories.

    For example:

    Azure Template snippet
    {\n\"parameters\": {\n\"automationAccountName\": {\n\"defaultValue\": \"automation-account1\",\n\"type\": \"String\"\n},\n\"location\": {\n\"type\": \"String\"\n},\n\"workspaceId\": {\n\"type\": \"String\"\n}\n},\n\"variables\": {},\n\"resources\": [\n{\n\"type\": \"Microsoft.Automation/automationAccounts\",\n\"apiVersion\": \"2021-06-22\",\n\"name\": \"[parameters('automationAccountName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": false,\n\"sku\": {\n\"name\": \"Basic\"\n},\n\"encryption\": {\n\"keySource\": \"Microsoft.Automation\",\n\"identity\": {}\n}\n}\n},\n{\n\"comments\": \"Enable monitoring of Automation Account operations.\",\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"name\": \"[concat(parameters('automationAccountName'), '/Microsoft.Insights/service')]\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"dependsOn\": [\n\"[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]\"\n],\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"JobLogs\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"JobStreams\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n},\n{\n\"category\": \"DSCNodeStatus\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n],\n\"metrics\": [\n{\n\"category\": \"AllMetrics\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Automation accounts that pass this rule:

    • Deploy a diagnostic settings sub-resource.
    • Enable logging for the JobLogs, JobStreams, DSCNodeStatus and AllMetrics categories.

    For example:

    Azure Bicep snippet
    param automationAccountName string = 'automation-account1'\nparam location string\nparam workspaceId string\n\nresource automationAccountResource 'Microsoft.Automation/automationAccounts@2021-06-22' = {\n  name: automationAccountName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: false\n    sku: {\n      name: 'Basic'\n    }\n    encryption: {\n      keySource: 'Microsoft.Automation'\n      identity: {}\n    }\n  }\n}\n\nresource automationAccountName_Microsoft_Insights_service 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'diagnosticSettings'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'JobLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'JobStreams'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      },\n      {\n        category: 'DSCNodeStatus'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n    metrics: [\n      {\n        category: 'AllMetrics'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  dependsOn: [\n    automationAccountResource\n  ]\n}\n
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.PlatformLogs/#links","title":"Links","text":"
    • Platform Monitoring
    • Forward Azure Automation job data to Azure Monitor logs
    • Template Reference
    ","tags":["Azure.Automation.PlatformLogs","AZR-000089"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/","title":"Use short lived web hooks","text":"Azure.Automation.WebHookExpiryAZR-000087Error

    Security \u00b7 Automation Account \u00b7 Rule \u00b7 2020_06

    Do not create webhooks with an expiry time greater than 1 year (default).

    ","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#description","title":"Description","text":"

    Do not create webhooks with an expiry time greater than 1 year (default).

    ","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.Automation.WebHookExpiry/#recommendation","title":"Recommendation","text":"

    An expiry time of 1 year is the default for webhook creation. Webhooks should be programmatically rotated at regular intervals; Microsoft recommends setting a shorter expiry than the default of 1 year. If callers of a webhook must be authenticated, consider validating a pre-shared key passed in a request header, or fronting the webhook with an Azure Function.

    ","tags":["Azure.Automation.WebHookExpiry","AZR-000087"]},{"location":"en/rules/Azure.BV.Immutable/","title":"Immutability","text":"Azure.BV.ImmutableAZR-000398Error

    Security \u00b7 Backup Vault \u00b7 Rule \u00b7 2023_09

    Ensure immutability is configured to protect backup data.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#description","title":"Description","text":"

    Immutability is supported for Backup vaults by configuring the Immutable vault setting.

    Immutable vault helps protect backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible, preventing a malicious actor from disabling immutability and deleting backups.

    For example, a malicious actor (such as ransomware) may attempt to remove data or delete vaults to prevent recovery to a known good state.

    The Immutable vault setting is not enabled by default.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#recommendation","title":"Recommendation","text":"

    Consider configuring immutability to protect backup data from accidental or malicious deletion.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Backup vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DataProtection/backupVaults\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('vaultName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securitySettings\": {\n\"immutabilitySettings\": {\n\"state\": \"Locked\"\n}\n}\n}\n}\n
    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Backup vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Bicep snippet
    resource backupVault 'Microsoft.DataProtection/backupVaults@2022-11-01-preview' = {\n  name: vaultName\n  location: location\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#notes","title":"Notes","text":"

    Note that the Locked immutability state is irreversible, so make a well-informed decision before opting to lock. For example, for vaults containing production workloads consider using Locked. For cases where you are creating and destroying backups and vaults on a regular basis, such as temporary environments, consider Unlocked.

    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.BV.Immutable/#links","title":"Links","text":"
    • Security design principles
    • Immutable vault for Azure Backup
    • Restricted operations
    • Manage Azure Backup Immutable vault operations
    • Azure security baseline for Azure Backup
    • Backup and restore plan to protect against ransomware
    • BR-2: Protect backup and recovery data
    • Azure deployment reference
    ","tags":["Azure.BV.Immutable","AZR-000398"]},{"location":"en/rules/Azure.Bastion.Name/","title":"Use valid names","text":"Azure.Bastion.NameAZR-000349Error

    Operational Excellence \u00b7 Bastion \u00b7 Rule \u00b7 2022_12

    Bastion hosts should meet naming requirements.

    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Bastion host names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods and hyphens.
    • Start with alphanumeric.
    • End with alphanumeric or underscore.
    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Bastion host naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#notes","title":"Notes","text":"

    This rule does not check if Bastion host names are unique.

    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.Bastion.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Bastion host
    • Azure deployment reference
    ","tags":["Azure.Bastion.Name","AZR-000349"]},{"location":"en/rules/Azure.CDN.EndpointName/","title":"Use valid CDN endpoint names","text":"Azure.CDN.EndpointNameAZR-000091Error

    Operational Excellence \u00b7 Content Delivery Network \u00b7 Rule \u00b7 2020_09

    Azure CDN Endpoint names should meet naming requirements.

    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for CDN endpoint names are:

    • Between 1 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start and end with a letter or number.
    • CDN endpoint names must be globally unique.
    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet CDN endpoint naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#notes","title":"Notes","text":"

    This rule does not check if CDN endpoint names are unique.

    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.EndpointName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.CDN.EndpointName","AZR-000091"]},{"location":"en/rules/Azure.CDN.HTTP/","title":"Use HTTPS client connections","text":"Azure.CDN.HTTPAZR-000093Error

    Security \u00b7 Content Delivery Network \u00b7 Rule \u00b7 2020_06

    Enforce HTTPS for client connections.

    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#description","title":"Description","text":"

    When a client connects to CDN content it can use HTTP or HTTPS. Support for both HTTP and HTTPS is enabled by default. When using HTTP, sensitive information may be exposed to an untrusted party in transit.

    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#recommendation","title":"Recommendation","text":"

    Consider disabling HTTP support on the CDN endpoint origin.

    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.HTTP/#links","title":"Links","text":"
    • Data encryption in Azure
    • Configure HTTPS on an Azure CDN custom domain
    ","tags":["Azure.CDN.HTTP","AZR-000093"]},{"location":"en/rules/Azure.CDN.MinTLS/","title":"Azure CDN endpoint minimum TLS version","text":"Azure.CDN.MinTLSAZR-000092Error

    Security \u00b7 Content Delivery Network \u00b7 Rule \u00b7 2020_09

    Azure CDN endpoints should reject TLS versions older than 1.2.

    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure CDN endpoints accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.

    To configure the minimum TLS version, a custom domain must be configured.

    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring a custom domain and setting the minimum supported TLS version to be 1.2.

    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Preparing for TLS 1.2 in Microsoft Azure
    • REST API Custom Domains - Enable Custom Https
    • Azure deployment reference
    ","tags":["Azure.CDN.MinTLS","AZR-000092"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/","title":"Use Front Door Standard Or Premium SKU","text":"Azure.CDN.UseFrontDoorAZR-000286Error

    Performance Efficiency \u00b7 Front Door \u00b7 Rule \u00b7 2022_09

    Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.

    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#description","title":"Description","text":"

    Using a CDN is a good way to minimize the load on your application, and maximize availability and performance.

    Standard content delivery network (CDN) capability includes the ability to cache files closer to end users to speed up delivery of static files. However, with dynamic web applications, caching that content in edge locations isn't possible because the server generates the content in response to user behavior. Speeding up the delivery of such content is more complex than traditional edge caching and requires an end-to-end solution that finely tunes each element along the entire data path from inception to delivery. With Azure CDN dynamic site acceleration (DSA) optimization, the performance of web pages with dynamic content is measurably improved.

    Azure Front Door Standard or Premium SKU offers a modern cloud Content Delivery Network (CDN). These SKUs in particular provide fast, reliable, and secure access between users and dynamic web content across the globe.

    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#recommendation","title":"Recommendation","text":"

    Consider using Front Door Standard or Premium SKU to improve performance.

    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#examples","title":"Examples","text":"","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door profile that passes this rule:

    • Set sku.name to Standard_AzureFrontDoor or Premium_AzureFrontDoor.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"myFrontDoor\",\n\"location\": \"global\",\n\"sku\": {\n\"name\": \"Standard_AzureFrontDoor\"\n}\n}\n
    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door profile that passes this rule:

    • Set sku.name to Standard_AzureFrontDoor or Premium_AzureFrontDoor.

    For example:

    Azure Bicep snippet
    resource frontDoorProfile 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n}\n
    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.CDN.UseFrontDoor/#links","title":"Links","text":"
    • Performance efficiency checklist
    • Azure Front Door tiers
    • What are the comparisons between Azure CDN product features?
    • Azure deployment reference
    ","tags":["Azure.CDN.UseFrontDoor","AZR-000286"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/","title":"Use identity-based authentication for Cognitive Services accounts","text":"Azure.Cognitive.DisableLocalAuthAZR-000282Error

    Security \u00b7 Cognitive Services \u00b7 Rule \u00b7 2022_09

    Authenticate requests to Cognitive Services with Azure AD identities.

    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#description","title":"Description","text":"

    To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints support authentication with keys or tokens. Using an Azure AD token instead of a long-lived cryptographic key has additional security benefits: tokens are short-lived and bound to an identity, whereas a leaked access key grants full access until it is rotated.

    With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys.

    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to authenticate requests to Cogitive Services accounts. Once configured, disable authentication based on access keys.

    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • Authenticate with Azure Active Directory
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.DisableLocalAuth","AZR-000282"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/","title":"Use Managed Identity for Cognitive Services accounts","text":"Azure.Cognitive.ManagedIdentityAZR-000281Error

    Security \u00b7 Cognitive Services \u00b7 Rule \u00b7 2022_09

    Configure managed identities to access Azure resources.

    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#description","title":"Description","text":"

    Cognitive Services must authenticate to Azure resources such storage accounts. To authenticate to Azure resources, Cognitive Services can use managed identities.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Cognitive Services account.

    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.ManagedIdentity","AZR-000281"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/","title":"Use Cognitive Service Private Endpoints","text":"Azure.Cognitive.PrivateEndpointsAZR-000283Error

    Security \u00b7 Cognitive Services \u00b7 Rule \u00b7 2022_09

    Use Private Endpoints to access Cognitive Services accounts.

    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#description","title":"Description","text":"

    By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.

    Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required.

    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#recommendation","title":"Recommendation","text":"

    Consider accessing Cognitive Services accounts by Private Endpoints and disabling public endpoints.

    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PrivateEndpoints/#links","title":"Links","text":"
    • Traffic flow security in Azure
    • Configure Azure Cognitive Services virtual networks
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.PrivateEndpoints","AZR-000283"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/","title":"Restrict Cognitive Service endpoints","text":"Azure.Cognitive.PublicAccessAZR-000280Error

    Security \u00b7 Cognitive Services \u00b7 Rule \u00b7 2022_09

    Restrict access of Cognitive Services accounts to authorized virtual networks.

    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#description","title":"Description","text":"

    By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated.

    Configure service endpoints and private links where appropriate.

    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#recommendation","title":"Recommendation","text":"

    Consider configuring network access restrictions for Cognitive Services accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.

    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny, or
    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.CognitiveServices/accounts\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"S0\"\n},\n\"kind\": \"CognitiveServices\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n},\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny, or
    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'S0'\n  }\n  kind: 'CognitiveServices'\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.Cognitive.PublicAccess/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Configure Azure Cognitive Services virtual networks
    • Azure Policy built-in policy definitions for Azure Cognitive Services
    • Azure deployment reference
    ","tags":["Azure.Cognitive.PublicAccess","AZR-000280"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/","title":"Retired API version","text":"Azure.ContainerApp.APIVersionAZR-000400Error

    Operational Excellence \u00b7 Container App \u00b7 Rule \u00b7 2023_09

    Migrate from retired API version to a supported version.

    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#description","title":"Description","text":"

    The API Azure Container Apps control plane API versions 2022-06-01-preview and 2022-11-01-preview are on the retirement path and will be retired on the November 16, 2023.

    This means you'll no longer be able to create or manage your Azure Container Apps using your existing templates, tools, scripts and programs until they've been updated to a supported API version.

    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#recommendation","title":"Recommendation","text":"

    Consider migrating from retired API version to a supported version.

    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set apiVersion to a supported version.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\"\n}\n
    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set apiVersion to a supported version.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {\n  name: appName\n  location: location\n}\n
    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.APIVersion/#links","title":"Links","text":"
    • Repeatable Infrastructure
    • Azure Container Apps API versions retirements
    • Azure Container Apps latest API versions
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.APIVersion","AZR-000400"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/","title":"Disable session affinity","text":"Azure.ContainerApp.DisableAffinityAZR-000378Error

    Performance Efficiency \u00b7 Container App \u00b7 Rule \u00b7 2023_06

    Disable session affinity to prevent unbalanced distribution.

    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#description","title":"Description","text":"

    Container apps allows you to configure session affinity (sticky sessions). When enabled, this feature route requests from the same client to the same replica.

    This feature might be useful for stateful applications that require a consistent connection to the same replica. However, if your application does not store large amounts of state or cached data in memory (stateless application design pattern), session affinity might decrease your throughput because one replica could get overloaded with requests, while others are dormant.

    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#recommendation","title":"Recommendation","text":"

    Consider disabling session affinity to evenly distribute requests across each replica.

    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.stickySessions.affinity to none or don't specify the property at all.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"external\": false,\n\"stickySessions\": {\n\"affinity\": \"None\"\n}\n}\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.stickySessions.affinity to none or don't specify the property at all.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n        stickySessions: {\n          affinity: 'none'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.DisableAffinity/#links","title":"Links","text":"
    • Avoid a requirement to store server-side session state
    • Session affinity
    • Session Affinity in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.DisableAffinity","AZR-000378"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/","title":"Disable external ingress","text":"Azure.ContainerApp.ExternalIngressAZR-000362Error

    Security \u00b7 Container App \u00b7 Rule \u00b7 2023_03

    Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.

    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#description","title":"Description","text":"

    Container apps allows you to expose your container app to the Internet, your VNET, or to other container apps within the same environment by enabling ingress.

    When inbound access to the app is required, configure the ingress. Applications that do batch processing or consume events may not require ingress to be enabled.

    When external ingress is configured, communication outside the container apps environment is enabled from your private VNET or the Internet. To restrict communication to a private VNET your Container App Environment must be deployed on a custom VNET with an Internal load balancer.

    If communication outside your Container Apps Environment is not required, disable external ingress.

    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#recommendation","title":"Recommendation","text":"

    Consider disabling external ingress.

    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.external to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"external\": false\n}\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set properties.configuration.ingress.external to false.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#notes","title":"Notes","text":"

    This rule is skipped by default because there are common cases where external ingress is required. If you don't need external ingress, enable this rule by:

    • Setting the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to true.
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.ExternalIngress/#links","title":"Links","text":"
    • Networking architecture in Azure Container Apps
    • Set up HTTPS or TCP ingress in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.ExternalIngress","AZR-000362"]},{"location":"en/rules/Azure.ContainerApp.Insecure/","title":"Disable insecure container app ingress","text":"Azure.ContainerApp.InsecureAZR-000094Error

    Security \u00b7 Container App \u00b7 Rule \u00b7 2023_06

    Ensure insecure inbound traffic is not permitted to the container app.

    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#description","title":"Description","text":"

    Container Apps by default will automatically redirect any HTTP requests to HTTPS. In this default configuration any inbound requests will occur over a minimum of TLS 1.2. This secure by default behavior can be overridden by allowing insecure HTTP traffic.

    Unencrypted communication to Container Apps could allow disclosure of information to an untrusted party.

    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#recommendation","title":"Recommendation","text":"

    Consider disabling insecure traffic and require all inbound traffic to be over TLS 1.2.

    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resource that pass this rule:

    • Set properties.configuration.ingress.allowInsecure to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"managedEnvironmentId\": \"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"allowInsecure\": false\n}\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]\"\n]\n}\n
    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resource that pass this rule:

    • Set properties.configuration.ingress.allowInsecure to false.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  properties: {\n    managedEnvironmentId: containerEnv.id\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        allowInsecure: false\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.Insecure/#links","title":"Links","text":"
    • Data encryption in Azure
    • Ingress in Azure Container Apps
    • Container Apps ARM template API specification
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.Insecure","AZR-000094"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/","title":"Use managed identity for authentication","text":"Azure.ContainerApp.ManagedIdentityAZR-000361Error

    Security \u00b7 Container App \u00b7 Rule \u00b7 2023_03

    Ensure managed identity is used for authentication.

    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#description","title":"Description","text":"

    Using managed identities have the following benefits:

    • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
    • You can use role-based access control to grant specific permissions to a managed identity.
    • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
    • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
    • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
    • You can use managed identity to create connections for Dapr-enabled applications via Dapr components.
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity for each container app.

    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {}\n}\n
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {}\n}\n
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#notes","title":"Notes","text":"

    Using managed identities in scale rules isn't supported.

    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.ManagedIdentity","AZR-000361"]},{"location":"en/rules/Azure.ContainerApp.Name/","title":"Use valid container app names","text":"Azure.ContainerApp.NameAZR-000360Error

    Operational Excellence \u00b7 Container App \u00b7 Rule \u00b7 2023_03

    Container Apps should meet naming requirements.

    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for container app names are:

    • Between 2 and 32 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Start with letter and end with alphanumeric.
    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#recommendation","title":"Recommendation","text":"

    Consider using container app names thas meets naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#notes","title":"Notes","text":"

    This rule does not check if container app names are unique.

    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for container app resource
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.Name","AZR-000360"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/","title":"Disable public access","text":"Azure.ContainerApp.PublicAccessAZR-000363Error

    Security \u00b7 Container App \u00b7 Rule \u00b7 2023_03

    Ensure public network access for Container Apps environment is disabled.

    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#description","title":"Description","text":"

    Container apps environments allows you to expose your container app to the Internet.

    Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.

    Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.

    This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.

    To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#recommendation","title":"Recommendation","text":"

    Consider disabling public network access.

    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps environments that pass this rule:

    • Set a custom VNET by configuring properties.vnetConfiguration.infrastructureSubnetId with the resource Id of a subnet.
    • Set properties.vnetConfiguration.internal to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/managedEnvironments\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('envName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"vnetConfiguration\": {\n\"dockerBridgeCidr\": \"[parameters('dockerBridgeCidr')]\",\n\"infrastructureSubnetId\": \"[parameters('infrastructureSubnetId')]\",\n\"internal\": true,\n\"outboundSettings\": {},\n\"platformReservedCidr\": \"[parameters('platformReservedCidr')]\",\n\"platformReservedDnsIP\": \"[parameters('platformReservedDnsIP')]\"\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps environments that pass this rule:

    • Set a custom VNET by configuring properties.vnetConfiguration.infrastructureSubnetId with the resource Id of a subnet.
    • Set properties.vnetConfiguration.internal to true.

    For example:

    Azure Bicep snippet
    resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {\n  name: envName\n  location: location\n  properties: {\n    vnetConfiguration: {\n      dockerBridgeCidr: dockerBridgeCidr\n      infrastructureSubnetId: infrastructureSubnetId\n      internal: true\n      outboundSettings: {}\n      platformReservedCidr: platformReservedCidr\n      platformReservedDnsIP: platformReservedDnsIP\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.PublicAccess/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Networking architecture in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.PublicAccess","AZR-000363"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/","title":"IP ingress restrictions mode","text":"Azure.ContainerApp.RestrictIngressAZR-000380Error

    Security \u00b7 Container App \u00b7 Rule \u00b7 2023_06

    IP ingress restrictions mode should be set to allow action for all rules defined.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#description","title":"Description","text":"

    Container Apps supports restricting inbound traffic by IP address.

    This allows container apps to restrict inbound HTTP or TCP traffic by allowing or denying access to a specific list of IP address ranges.

    However, a rule with the Deny action only blocks traffic from the listed IPv4 address or range and allows all other traffic, so a deny list is easily bypassed by any source you did not anticipate.

    Instead, configure one or more rules with the Allow action: traffic is then allowed only from the listed IPv4 addresses or ranges, and all other traffic is denied by default.

    When no IP restriction rules are defined, all inbound traffic is allowed.

    IP ingress restrictions can be used for container apps in both external and internal environments. Internal environments are limited to private addresses only, whereas external environments support both public and private addresses.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#recommendation","title":"Recommendation","text":"

    Consider configuring IP restrictions to limit ingress traffic to allowed IP addresses.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Create one or more rules to allow traffic by configuring properties.configuration.ingress.ipSecurityRestrictions.
    • Set the action of each rule defined in properties.configuration.ingress.ipSecurityRestrictions to Allow.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": \"[variables('containers')]\"\n},\n\"configuration\": {\n\"ingress\": {\n\"external\": false,\n\"ipSecurityRestrictions\": [\n{\n\"action\": \"Allow\",\n\"description\": \"ClientIPAddress_1\",\n\"ipAddressRange\": \"10.1.1.1/32\",\n\"name\": \"ClientIPAddress_1\"\n},\n{\n\"action\": \"Allow\",\n\"description\": \"ClientIPAddress_2\",\n\"ipAddressRange\": \"10.1.2.1/32\",\n\"name\": \"ClientIPAddress_2\"\n}\n]\n}\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Create one or more rules to allow traffic by configuring properties.configuration.ingress.ipSecurityRestrictions.
    • Set the action of each rule defined in properties.configuration.ingress.ipSecurityRestrictions to Allow.

    For example:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n   properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: containers\n    }\n    configuration: {\n      ingress: {\n        external: false\n        ipSecurityRestrictions: [\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_1'\n            ipAddressRange: '10.1.1.1/32'\n            name: 'ClientIPAddress_1'\n          }\n          {\n            action: 'Allow'\n            description: 'ClientIPAddress_2'\n            ipAddressRange: '10.1.2.1/32'\n            name: 'ClientIPAddress_2'\n          }\n        ]\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#notes","title":"Notes","text":"

    All rules must be the same type. It is not supported to combine allow rules and deny rules. If no rules are defined at all, the rule will not pass as it expects at least one allow rule to be configured.

    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.RestrictIngress/#links","title":"Links","text":"
    • Network security and containment
    • Networking architecture in Azure Container Apps
    • IP restrictions
    • Set up IP ingress restrictions in Azure Container Apps
    • Azure security baseline for Azure Container Apps
    • NS-2: Secure cloud services with network controls
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.RestrictIngress","AZR-000380"]},{"location":"en/rules/Azure.ContainerApp.Storage/","title":"Persistant storage","text":"Azure.ContainerApp.StorageAZR-000364Error

    Reliability \u00b7 Container App \u00b7 Rule \u00b7 2023_03

    Use Azure Files volume mounts to persist container data.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#description","title":"Description","text":"

    Container Apps allow you to use different types of storage. This is achieved by using volume mounts.

    Consider whether persistent storage or non-persistent storage is suitable for your app. Some apps may require no storage at all.

    By default all files created inside a container are stored on a writable container layer.

    Some considerations when using container file system storage:

    • The data doesn\u2019t persist when that container no longer exists, and it can be difficult to get the data out of the container if another process needs it.
    • There are no capacity guarantees. The available storage depends on the amount of disk space available in the container.

    Usage examples for this can be a stateless web API or a single page application (that just calls APIs).

    Some considerations when using storage volume mounts:

    • Ephemeral volume
      • Files are persisted for the lifetime of the replica.
        • If a container in a replica restarts, the files in the volume remain.
      • Any containers in the replica can mount the same volume.
      • A container can mount multiple ephemeral volumes.
    • Azure Files volume
      • Files written under the mount location are persisted to the file share.
      • Files in the share are available via the mount location.
      • Multiple containers can mount the same file share, including ones that are in another replica, revision, or container app.
      • All containers that mount the share can access files written by any other container or method.
      • More than one Azure Files volume can be mounted in a single container.

    Usage examples include a main app container that writes log files that are processed by a sidecar container, or writing files to a file share to make data accessible to other systems.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#recommendation","title":"Recommendation","text":"

    Consider using Azure Files volume mounts to persist storage across containers and replicas.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#examples","title":"Examples","text":"","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Container Apps that pass this rule:

    • Configure the properties.template.volumes array to define a volume or several volumes.
    • For each volume use the storageType of AzureFile.
    • For each container in the template that you want to mount storage, define a volume mount in the properties.template.containers.volumeMounts array.

    For example with an Azure Files volume:

    Azure Template snippet
    {\n\"type\": \"Microsoft.App/containerApps\",\n\"apiVersion\": \"2022-10-01\",\n\"name\": \"[parameters('appName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"environmentId\": \"[parameters('environmentId')]\",\n\"template\": {\n\"revisionSuffix\": \"\",\n\"containers\": [\n{\n\"image\": \"mcr.microsoft.com/azuredocs/containerapps-helloworld:latest\",\n\"name\": \"simple-hello-world-container\",\n\"resources\": {\n\"cpu\": \"[json('.25')]\",\n\"memory\": \".5Gi\"\n},\n\"volumeMounts\": [\n{\n\"mountPath\": \"/myfiles\",\n\"volumeName\": \"azure-files-volume\"\n}\n]\n}\n],\n\"scale\": {\n\"minReplicas\": 1,\n\"maxReplicas\": 3\n},\n\"volumes\": [\n{\n\"name\": \"azure-files-volume\",\n\"storageType\": \"AzureFile\",\n\"storageName\": \"myazurefiles\"\n}\n]\n}\n}\n}\n
    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Container Apps that pass this rule:

    • Configure the properties.template.volumes array to define a volume or several volumes.
    • For each volume use the storageType of AzureFile.
    • For each container in the template that you want to mount storage, define a volume mount in the properties.template.containers.volumeMounts array.

    For example with an Azure Files volume:

    Azure Bicep snippet
    resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {\n  name: appName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    environmentId: environmentId\n    template: {\n      revisionSuffix: ''\n      containers: [\n        {\n          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'\n          name: 'simple-hello-world-container'\n          resources: {\n            cpu: json('.25')\n            memory: '.5Gi'\n          }\n          volumeMounts: [\n            {\n              mountPath: '/myfiles'\n              volumeName: 'azure-files-volume'\n            }\n          ]\n        }\n      ]\n      scale: {\n        minReplicas: 1\n        maxReplicas: 3\n      }\n      volumes: [\n        {\n          name: 'azure-files-volume'\n          storageType: 'AzureFile'\n          storageName: 'myazurefiles'\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#notes","title":"Notes","text":"

    To enable Azure Files storage, a storage definition must be defined in the Container Apps Environment.

    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.ContainerApp.Storage/#links","title":"Links","text":"
    • Reliability design principles
    • Use storage mounts in Azure Container Apps
    • Azure deployment reference
    ","tags":["Azure.ContainerApp.Storage","AZR-000364"]},{"location":"en/rules/Azure.Cosmos.AccountName/","title":"Use valid Cosmos DB account names","text":"Azure.Cosmos.AccountNameAZR-000096Error

    Operational Excellence \u00b7 Cosmos DB \u00b7 Rule \u00b7 2021_09

    Cosmos DB account names should meet naming requirements.

    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Cosmos DB account names are:

    • Between 3 and 44 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Start and end with letters and numbers.
    • Cosmos DB account names must be globally unique.
    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#notes","title":"Notes","text":"

    This rule does not check if Cosmos DB account names are unique.

    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.AccountName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Cosmos.AccountName","AZR-000096"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Cosmos.DefenderCloudAZR-000382Error

    Security \u00b7 Cosmos DB \u00b7 Rule \u00b7 2023_06

    Enable Microsoft Defender for Azure Cosmos DB.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#description","title":"Description","text":"

    Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.

    Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. This allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

    Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

    Microsoft Defender for Cosmos DB can be enabled at the resource level, but the general recommendation is to enable it at the subscription level. Doing so ensures that all Cosmos DB accounts in the subscription are protected, including ones created in the future. Enabling it at the resource level can still be done to protect a specific Azure Cosmos DB account.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Deploy a Microsoft.Security/advancedThreatProtectionSettings extension resource named current, scoped to the Microsoft.DocumentDB/databaseAccounts resource.
    • Set the properties.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/advancedThreatProtectionSettings\",\n\"apiVersion\": \"2019-01-01\",\n\"scope\": \"[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('accountName'))]\",\n\"name\": \"current\",\n\"properties\": {\n\"isEnabled\": true\n},\n\"dependsOn\": [\n\"cosmosDbAccount\"\n]\n}\n
    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Deploy a Microsoft.Security/advancedThreatProtectionSettings extension resource named current, scoped to the Microsoft.DocumentDB/databaseAccounts resource.
    • Set the properties.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForCosmosDb 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {\n  scope: cosmosDbAccount\n  name: 'current'\n  properties: {\n    isEnabled: true\n  }\n}\n
    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#notes","title":"Notes","text":"

    Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API. When Microsoft Defender for Cosmos DB is enabled at the subscription level, the resource level enablement has no effect as it will be handled by the plan at the subscription level.

    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DefenderCloud/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Azure Cosmos DB
    • Enable Microsoft Defender for Azure Cosmos DB
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Cosmos DB
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Cosmos.DefenderCloud","AZR-000382"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/","title":"Restrict user access to data operations in Azure Cosmos DB","text":"Azure.Cosmos.DisableMetadataWriteAZR-000095Error

    Security \u00b7 Cosmos DB \u00b7 Rule \u00b7 2021_09

    Use Azure AD identities for management plane operations in Azure Cosmos DB.

    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#description","title":"Description","text":"

    Cosmos DB provides two authorization options for interacting with the database:

    • Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations.
    • Keys and resource tokens. Can be used to authorize resource management and data operations.

    Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only, so that a leaked or over-shared account key cannot be used to change the account's structure, and management changes are made through Azure AD identities that are subject to RBAC.

    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#recommendation","title":"Recommendation","text":"

    Consider limiting key and resource tokens to data plane operations only. Use Azure AD identities for authorizing account and resource management operations.

    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#examples","title":"Examples","text":"","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cosmos DB accounts that pass this rule:

    • Set the properties.disableKeyBasedMetadataWriteAccess property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DocumentDB/databaseAccounts\",\n\"apiVersion\": \"2021-06-15\",\n\"name\": \"[parameters('dbAccountName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"consistencyPolicy\": {\n\"defaultConsistencyLevel\": \"Session\"\n},\n\"databaseAccountOfferType\": \"Standard\",\n\"locations\": [\n{\n\"locationName\": \"[parameters('location')]\",\n\"failoverPriority\": 0,\n\"isZoneRedundant\": false\n}\n],\n\"disableKeyBasedMetadataWriteAccess\": true\n}\n}\n
    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cosmos DB accounts that pass this rule:

    • Set the properties.disableKeyBasedMetadataWriteAccess property to true.

    For example:

    Azure Bicep snippet
    resource dbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' = {\n  name: dbAccountName\n  location: location\n  properties: {\n    consistencyPolicy: {\n      defaultConsistencyLevel: 'Session'\n    }\n    databaseAccountOfferType: 'Standard'\n    locations: [\n      {\n        locationName: location\n        failoverPriority: 0\n        isZoneRedundant: false\n      }\n    ]\n    disableKeyBasedMetadataWriteAccess: true\n  }\n}\n
    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.Cosmos.DisableMetadataWrite/#links","title":"Links","text":"
    • Use identity-based authentication
    • Restrict user access to data operations in Azure Cosmos DB
    • Secure access to data in Azure Cosmos DB
    • How does Azure Cosmos DB secure my database?
    • Access control in the Azure Cosmos DB SQL API
    • Azure resource template
    ","tags":["Azure.Cosmos.DisableMetadataWrite","AZR-000095"]},{"location":"en/rules/Azure.DataFactory.Version/","title":"Use Data Factory v2","text":"Azure.DataFactory.VersionAZR-000097Error

    Operational Excellence \u00b7 Data Factory \u00b7 Rule \u00b7 2020_06

    Consider migrating to DataFactory v2.

    ","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#description","title":"Description","text":"

    Consider migrating to DataFactory v2.

    ","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.DataFactory.Version/#recommendation","title":"Recommendation","text":"

    Consider migrating to DataFactory v2.

    ","tags":["Azure.DataFactory.Version","AZR-000097"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/","title":"Enable secure connectivity for Databricks workspaces","text":"Azure.Databricks.SecureConnectivityAZR-000393Error

    Security \u00b7 Databricks \u00b7 Rule \u00b7 2023_09

    Use Databricks workspaces configured for secure cluster connectivity.

    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#description","title":"Description","text":"

    An Azure Databricks workspace uses one or more runtime clusters to execute data processing workloads.

    When configuring Databricks workspaces, runtime clusters can be configured with or without public IP addresses. Secure cluster connectivity is used when a Databricks workspace is deployed without public IP addresses. Use secure cluster connectivity to simplify security and administration of Databricks networking within Azure.

    With secure cluster connectivity enabled:

    • An outbound connection over HTTPS from the runtime cluster is used to communicate to the control plane.
    • No open inbound ports or public IP addressing are required.
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#recommendation","title":"Recommendation","text":"

    Consider configuring Databricks workspaces to use secure cluster connectivity.

    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#examples","title":"Examples","text":"","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy workspaces that pass this rule:

    • Set the properties.parameters.enableNoPublicIp.value property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Databricks/workspaces\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"managedResourceGroupId\": \"[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]\",\n\"parameters\": {\n\"enableNoPublicIp\": {\n\"value\": true\n}\n}\n}\n}\n
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy workspaces that pass this rule:

    • Set the properties.parameters.enableNoPublicIp.value property to true.

    For example:

    Azure Bicep snippet
    resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    managedResourceGroupId: managedRg.id\n    parameters: {\n      enableNoPublicIp: {\n        value: true\n      }\n    }\n  }\n}\n
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Databricks.SecureConnectivity/#links","title":"Links","text":"
    • Public endpoints
    • Secure cluster connectivity (No Public IP / NPIP)
    • Network access
    • Azure Databricks architecture overview
    • Azure resource deployment
    ","tags":["Azure.Databricks.SecureConnectivity","AZR-000393"]},{"location":"en/rules/Azure.Defender.Api/","title":"Set Microsoft Defender for APIs to the Standard tier","text":"Azure.Defender.ApiAZR-000377Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_06

    Enable Microsoft Defender for APIs.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#description","title":"Description","text":"

    Microsoft Defender for APIs provides additional security for APIs published in Azure API Management.

    Protection is provided by analyzing onboarded APIs, which allows Microsoft Defender for Cloud to produce security findings.

    The inventory and security findings for onboarded APIs is reviewed in the Defender for Cloud API Security dashboard.

    These security findings include API recommendations and runtime threats.

    Defender for APIs can be enabled together with the Defender CSPM plan, offering further capabilities.

    Microsoft Defender for APIs can be enabled at the subscription level.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for APIs to provide additional security for APIs published in Azure API Management.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#examples","title":"Examples","text":"","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Api\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure Bicep snippet
    resource defenderForApi 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Api'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Api' --tier 'standard'\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for APIs:

    • Set the Standard pricing tier for Microsoft Defender for APIs.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Api' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#notes","title":"Notes","text":"

    Microsoft Defender for APIs is a preview feature. Currently only REST APIs published in Azure API Management are supported. Not all regions are supported.

    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.Api/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for APIs
    • Support and prerequisites for Defender for APIs
    • Onboard Defender for APIs
    • Quickstart: Enable enhanced security features
    • Azure security baseline for API Management
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Api","AZR-000377"]},{"location":"en/rules/Azure.Defender.AppServices/","title":"Configure Microsoft Defender for App Services to the Standard tier","text":"Azure.Defender.AppServicesAZR-000295Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2022_09

    Enable Microsoft Defender for App Service.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#description","title":"Description","text":"

    Many attacks are performed first by probing web applications to find and exploit weaknesses. It is crucial to secure your applications, even while running in PaaS services like App Service.

    Microsoft Defender for App Service identifies attacks over App Service thanks to cloud scale data analysis. It offers:

    • Hardening capabilities for your App Services through assessments and security recommendations.
    • Detection of threats at different levels such as underlying VMs, internal logs, I/O to your App Service, etc.
    • Protection against common attack patterns like MITRE ATT&CK or even dangling DNS.

    The solution is particularly efficient as it can can identify attack methodologies applying to multiple targets. The log data and the infrastructure together are used to enhance Defender for App Service globally.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for App Service to protect your web apps and APIs.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#examples","title":"Examples","text":"","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for App Service:

    • Set the Standard pricing tier for Microsoft Defender for App Service.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"AppServices\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for App Service:

    • Set the Standard pricing tier for Microsoft Defender for App Service.

    For example:

    Azure Bicep snippet
    resource defenderForAppService 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'AppServices'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'AppServices' --tier 'standard'\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.AppServices/#links","title":"Links","text":"
    • Securing applications and PaaS deployments
    • Introduction to Microsoft Defender for App Service
    • App Service security best practices
    ","tags":["Azure.Defender.AppServices","AZR-000295"]},{"location":"en/rules/Azure.Defender.Arm/","title":"Set Microsoft Defender for ARM to the Standard tier","text":"Azure.Defender.ArmAZR-000354Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_03

    Enable Microsoft Defender for Azure Resource Manager (ARM).

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#description","title":"Description","text":"

    Microsoft Defender for ARM provides additional protection for control plane activities. It does this by detecting suspicious activities such as disabling security features or attempts at lateral movement.

    Protection is provided by analyzing telemetry from Azure Resource Manager operations. Which allows Microsoft Defender for Cloud to detect anomalous activities regardless of the tool used to perform the operation. For example: Azure CLI, Azure Portal, PowerShell, REST API, Terraform, etc.

    When anomalous activities occur, Microsoft Defender for ARM shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

    Microsoft Defender for ARM can be enabled at the subscription level.

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Arm\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure Bicep snippet
    resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Arm'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Arm' --tier 'standard'\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Resource Manager:

    • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Arm/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Resource Manager
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Resource Manager
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Arm","AZR-000354"]},{"location":"en/rules/Azure.Defender.Containers/","title":"Set Microsoft Defender for Containers to the Standard tier","text":"Azure.Defender.ContainersAZR-000290Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2022_09

    Enable Microsoft Defender for Containers.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#description","title":"Description","text":"

    Container-based workloads should be carefully monitored the following three core security aspects:

    • Environment hardening : continuously assess your clusters to provide visibility into misconfigurations and threats.
    • Runtime threat protection : to generate security alerts for suspicious activities.
    • Vulnerability assessment : for images stored in ACR registries and running in Azure Kubernetes Service.

    It is important to adopt a strategy to actively perform those three aspects. One option for doing so is to use Microsoft Defender for Containers.

    Defender for Cloud continuously assesses the configurations of your clusters. If any misconfigurations is found, it generates security recommendations. The recommendations available in the Recommendations page allow you to investigate and remediate issues.

    Defender for Containers also provides real-time threat protection for your containerized environments. If any suspicious activities is detected, Defender for Container generates an alert. Threat protection at the cluster level is provided by the Defender agent and analysis of the Kubernetes audit logs.

    Defender for Containers scans images on push, import, and recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanned, the container image is pulled and executed in an isolated sandbox for scanning. Any detected vulnerabilities are reported to Microsoft Defender for Cloud.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Containers to protect your container-based workloads.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Containers\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure Bicep snippet
    resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Containers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Containers' --tier 'standard'\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Containers:

    • Set the Standard pricing tier for Microsoft Defender for Containers.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.Containers/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for Containers
    • Secure the images and run time
    • Azure security baseline for Container Registry
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Containers","AZR-000290"]},{"location":"en/rules/Azure.Defender.CosmosDb/","title":"Set Microsoft Defender for Cosmos DB to the Standard tier","text":"Azure.Defender.CosmosDbAZR-000379Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_06

    Enable Microsoft Defender for Azure Cosmos DB.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#description","title":"Description","text":"

    Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.

    Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

    Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

    Microsoft Defender for Cosmos DB can be enabled at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#examples","title":"Examples","text":"","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"CosmosDbs\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure Bicep snippet
    resource defenderForCosmosDb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CosmosDbs'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure CLI snippet
    az security pricing create -n 'CosmosDbs' --tier 'standard'\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Azure Cosmos DB accounts:

    • Set the Standard pricing tier for Microsoft Defender for Azure Cosmos DB.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#notes","title":"Notes","text":"

    Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API.

    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.CosmosDb/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Azure Cosmos DB
    • Enable Microsoft Defender for Azure Cosmos DB
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Cosmos DB
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.CosmosDb","AZR-000379"]},{"location":"en/rules/Azure.Defender.Cspm/","title":"Set Microsoft Defender Cloud Security Posture Management to the Standard plan","text":"Azure.Defender.CspmAZR-000372Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_06

    Enable Microsoft Defender Cloud Security Posture Management Standard plan.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#description","title":"Description","text":"

    Microsoft Defender Cloud Security Posture Management (CSPM) provides additional visibility across cloud environments to quickly detect configuration errors and remediate them through automation. It does this by keeping constant eye on the security state of your cloud resources in different environments.

    By enabling the Defender Cloud CSPM Standard plan, Microsoft Defender provides advanced posture management capabilities such as:

    • Attack path analysis
    • Cloud security explorer
    • Advanced threat hunting
    • Security governance capabilities
    • Tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region

    Microsoft Defender Cloud Security Posture Management (CSPM) can be enabled at the subscription level.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender Cloud Security Posture Management (CSPM) Standard plan to provide additional visibility across cloud environments.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#examples","title":"Examples","text":"","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"CloudPosture\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure Bicep snippet
    resource defenderCspm 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'CloudPosture'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    TTo enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure CLI snippet
    az security pricing create -n 'CloudPosture' --tier 'standard'\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender Cloud Security Posture Management Standard plan:

    • Set the Standard pricing tier for Microsoft Defender Cloud Security Posture Management.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'CloudPosture' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#notes","title":"Notes","text":"

    This rule applies when analyzing resources before deployed (pre-flight) and deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Cspm/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Cloud Security Posture Management (CSPM)
    • Quickstart: Enable enhanced security features
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Cspm","AZR-000372"]},{"location":"en/rules/Azure.Defender.Dns/","title":"Set Microsoft Defender for DNS to the Standard tier","text":"Azure.Defender.DnsAZR-000353Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_03

    Enable Microsoft Defender for DNS.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#description","title":"Description","text":"

    Microsoft Defender for DNS provides additional protection for virtual networks and resources. It does this by monitoring Azure-provided DNS for suspicious and anomalous activity. By analyzing telemetry for DNS, Microsoft Defender for DNS can detect and alert on persistent threats such as:

    • Data exfiltration from your Azure resources using DNS tunneling.
    • Malware communicating with command and control servers.
    • DNS attacks - communication with malicious DNS resolvers.
    • Communication with domains used for malicious activities such as phishing and crypto mining.

    Microsoft Defender for DNS can be enabled at the subscription level.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for DNS to provide additional protection to virtual network and resources.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#examples","title":"Examples","text":"","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"Dns\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure Bicep snippet
    resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'Dns'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure CLI snippet
    az security pricing create -n 'Dns' --tier 'standard'\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for DNS:

    • Set the Standard pricing tier for Microsoft Defender for DNS.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.Dns/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for DNS
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure DNS
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Dns","AZR-000353"]},{"location":"en/rules/Azure.Defender.KeyVault/","title":"Set Microsoft Defender for Key Vault to the Standard tier","text":"Azure.Defender.KeyVaultAZR-000352Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_03

    Enable Microsoft Defender for Key Vault.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#description","title":"Description","text":"

    Microsoft Defender for Key Vault provides additional protection for keys and secrets stored in Key Vaults. It does this by detecting unusual and potentially harmful attempts to access or exploit Key Vault accounts. This protection is provided by analyzing telemetry from Key Vault and Microsoft Defender for Cloud.

    When anomalous activities occur, Defender for Key Vault shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

    Microsoft Defender for Key Vault can be enabled at the subscription level for all Key Vaults in the subscription. Azure Policy can be used to automatically enable Microsoft Defender for Key Vault a subscription.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Key Vault to provide additional protection to Key Vaults.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#examples","title":"Examples","text":"","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"KeyVaults\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure Bicep snippet
    resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'KeyVaults'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure CLI snippet
    az security pricing create -n 'KeyVaults' --tier 'standard'\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for Key Vault:

    • Set the Standard pricing tier for Microsoft Defender for Key Vault.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.KeyVault/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Key Vault
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Key Vault
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.KeyVault","AZR-000352"]},{"location":"en/rules/Azure.Defender.OssRdb/","title":"Set Microsoft Defender for open-source relational databases to the Standard tier","text":"Azure.Defender.OssRdbAZR-000381Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_06

    Enable Microsoft Defender for open-source relational databases.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#description","title":"Description","text":"

    Microsoft Defender for open-source relational databases provides additional security for open-source relational databases.

    The following open-source relational databases are supported:

    • Azure Database for PostgreSQL
    • Azure Database for MySQL
    • Azure Database for MariaDB

    Protection is provided by analyzing onboarded databases for unusual and potentially harmful attempts to access or exploit databases. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

    Security alerts for onboarded databases shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

    Microsoft Defender for open-source relational databases can be enabled at the subscription level and by doing so ensures all supported databases in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for for open-source relational databases to provide additional security for open-source relational databases.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#examples","title":"Examples","text":"","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"OpenSourceRelationalDatabases\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure Bicep snippet
    resource defenderForOssRdb 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'OpenSourceRelationalDatabases'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure CLI snippet
    az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard'\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for open-source relational databases:

    • Set the Standard pricing tier for Microsoft Defender for open-source relational databases.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#notes","title":"Notes","text":"

    Microsoft Defender for open-source relational databases is currently available only for the single server deployment model for PostgreSQL and the single server deployment model for MySQL. For PostgreSQL, MySQL and MariaDB General Purpose and Memory Optimized tiers are required in order to be protected.

    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.OssRdb/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for open-source relational databases
    • Enable Defender for OSS RDBs
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Azure Database for PostgreSQL - Single Server
    • Azure security baseline for Azure Database for MySQL - Single Server
    • Azure security baseline for Azure Database for MariaDB
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.OssRdb","AZR-000381"]},{"location":"en/rules/Azure.Defender.SQL/","title":"Configure Microsoft Defender for SQL to the Standard tier","text":"Azure.Defender.SQLAZR-000294Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2022_09

    Enable Microsoft Defender for SQL servers.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#description","title":"Description","text":"

    SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL represents a single go-to location to manage security capabilities.

    Enabling Defender for SQL automatically enables the following advanced SQL security capabilities:

    • Vulnerability Assessment: discover, track, and provide guidance to remediate potential database vulnerabilities.
    • Advanced Threat Protection: continuous monitoring of your databases, detection of suspect activities and more.

    When enable at subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for SQL to protect your SQL databases.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"SqlServers\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure Bicep snippet
    resource defenderForSQL 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServers'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure CLI snippet
    az security pricing create -n 'SqlServers' --tier 'standard'\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To enable Microsoft Defender for SQL:

    • Set the Standard pricing tier for Microsoft Defender for SQL.

    For example:

    Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQL/#links","title":"Links","text":"
    • Security operations in Azure
    • Azure SQL Database and security
    • Introduction to Microsoft Defender for SQL
    • Azure security baseline for Azure SQL
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.SQL","AZR-000294"]},{"location":"en/rules/Azure.Defender.SQLOnVM/","title":"Configure Microsoft Defender for SQL Servers on machines to the Standard tier","text":"Azure.Defender.SQLOnVMAZR-000297Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2022_09

    Enable Microsoft Defender for SQL servers on machines.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#description","title":"Description","text":"

    SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL Servers on machines represents a single go-to location to manage security capabilities.

    Enabling Defender for SQL automatically enables vulnerability Assessment for your SQL databases hosted in a VM. It discovers, tracks, and provides guidance to remediate potential database vulnerabilities.

    Enabling at subscription level doesn't protect all your SQL servers. A Log Analytics agent must be deployed on the machine and the Log Analytics workspace must have Defender for SQL enabled.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#examples","title":"Examples","text":"","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for SQL servers on machines:

    • Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"SqlServerVirtualMachines\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for SQL servers on machines:

    • Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.

    For example:

    Azure Bicep snippet
    resource defenderForSQLOnVM 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'SqlServerVirtualMachines'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'SqlServerVirtualMachines' --tier 'standard'\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.SQLOnVM/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for SQL Servers on machines
    • Security considerations for SQL Server on Azure Virtual Machines
    • Azure Security Benchmark - Data protection
    ","tags":["Azure.Defender.SQLOnVM","AZR-000297"]},{"location":"en/rules/Azure.Defender.Servers/","title":"Configure Microsoft Defender for Servers to the Standard tier and P2","text":"Azure.Defender.ServersAZR-000293Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2022_09

    Enable Microsoft Defender for Servers.

    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#description","title":"Description","text":"

    Microsoft Defender for Servers automatically deploys an agent into your Windows and Linux machines to protect them.

    With the unified integration of Microsoft Defender for Endpoint (MDE) you benefit from features like:

    • Threat and vulnerability management : to discover vulnerabilities and misconfigurations in real time
    • Security Policy and Regulatory Compliance integration
    • Qualys integration for real time identification of vulnerabilities without any license needed
    • Threat detection at OS level, network layer and control plane
    • Just-in-time (JIT) access : to reduce your machine's surface attack
    • And more.
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Servers P2 to protect your virtual machines.

    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#examples","title":"Examples","text":"","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for Servers:

    • Set the Standard pricing tier for Microsoft Defender for Servers and set the P2 sub plan.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"VirtualMachines\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"P2\"\n}\n}\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for Servers:

    • Set the Standard pricing tier for Microsoft Defender for Servers and set the P2 sub plan.

    For example:

    Azure Bicep snippet
    resource defenderForServers 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'VirtualMachines'\n  properties: {\n    pricingTier: 'Standard',\n    subPlan: 'P2'\n  }\n}\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'VirtualMachines' --tier 'standard'\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'\n
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Servers/#links","title":"Links","text":"
    • Monitor Azure resources in Microsoft Defender for Cloud
    • Introduction to Microsoft Defender for Containers
    • Azure Monitor agent auto-provisioning
    ","tags":["Azure.Defender.Servers","AZR-000293"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/","title":"Malware Scanning","text":"Azure.Defender.Storage.MalwareScanAZR-000383Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_06

    Enable Malware Scanning in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#description","title":"Description","text":"

    Microsoft Defender for Storage provides additional security for storage accounts.

    One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

    Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

    Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

    This can be helpful when:

    • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)
    • To comply with compliance standards that require on-upload malware scanning for noncompute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.

    When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.

    Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#recommendation","title":"Recommendation","text":"

    Consider using Malware Scanning in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Malware Scanning in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an OnUploadMalwareScanning extension.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"StorageAccounts\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"DefenderForStorageV2\",\n\"extensions\": [\n{\n\"name\": \"OnUploadMalwareScanning\",\n\"isEnabled\": \"True\",\n\"additionalExtensionProperties\": {\n\"CapGBPerMonthPerStorageAccount\": \"5000\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Malware Scanning in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an OnUploadMalwareScanning extension.

    For example:

    Azure Bicep snippet
    resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'OnUploadMalwareScanning'\n        isEnabled: 'True'\n        additionalExtensionProperties: {\n          CapGBPerMonthPerStorageAccount: '5000'\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#notes","title":"Notes","text":"

    This feature is currently in preview.

    The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan, such as Malware Scanning.

    Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.MalwareScan/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Malware Scanning in Defender for Storage
    • Limitations
    • Setting up response to Malware Scanning
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Storage.MalwareScan","AZR-000383"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/","title":"Sensitive data threat detection","text":"Azure.Defender.Storage.SensitiveDataAZR-000385Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2023_06

    Enable sensitive data threat detection in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#description","title":"Description","text":"

    Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled Defender for Storage provides alerts when sensitive data is discovered.

    The sensitive data threat detection capability helps teams:

    • Identity where sensitive data is stored.
    • Detect possible security incidents resulting is data exposure.

    When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).

    Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#recommendation","title":"Recommendation","text":"

    Consider using sensitive data threat detection in Microsoft Defender for Storage.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#examples","title":"Examples","text":"","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable sensitive data threat detection in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an SensitiveDataDiscovery extension.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"StorageAccounts\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"DefenderForStorageV2\",\n\"extensions\": [\n{\n\"name\": \"SensitiveDataDiscovery\",\n\"isEnabled\": \"True\",\n}\n]\n}\n}\n
    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable sensitive data threat detection in Microsoft Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
    • Configure an SensitiveDataDiscovery extension.

    For example:

    Azure Bicep snippet
    resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n    extensions: [\n      {\n        name: 'SensitiveDataDiscovery'\n        isEnabled: 'True'\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#notes","title":"Notes","text":"

    This feature is currently in preview.

    The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan, such as sensitive data threat detection.

    Sensitive data threat detection is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage.SensitiveData/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Sensitive data threat detection in Defender for Storage
    • Support and prerequisites for data-aware security posture
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    ","tags":["Azure.Defender.Storage.SensitiveData","AZR-000385"]},{"location":"en/rules/Azure.Defender.Storage/","title":"Azure.Defender.Storage","text":""},{"location":"en/rules/Azure.Defender.Storage/#online-version-httpsazuregithubiopsrulerulesazureenrulesazuredefenderstorage","title":"online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage/","text":""},{"location":"en/rules/Azure.Defender.Storage/#configure-microsoft-defender-for-storage-to-the-standard-tier","title":"Configure Microsoft Defender for Storage to the Standard tier","text":"

    Enable Microsoft Defender for Storage.

    "},{"location":"en/rules/Azure.Defender.Storage/#description","title":"Description","text":"

    Microsoft Defender for Storage provides additional security for storage accounts.

    Protection is provided by:

    • Continuously analyzing data and control plane logs from protected storage accounts.
    • Malicious scanning by performing a full malware scan on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
    • Sensitive data threat detection by a smart sampling method to find resources with sensitive data.

    Which allows Microsoft Defender for Cloud to discover and mitigate potential threats.

    Security findings for onboarded storage accounts shows up in Defender for Cloud with details of the security threats with contextual information.

    Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    "},{"location":"en/rules/Azure.Defender.Storage/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.

    "},{"location":"en/rules/Azure.Defender.Storage/#examples","title":"Examples","text":""},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To enable Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"StorageAccounts\",\n\"properties\": {\n\"pricingTier\": \"Standard\",\n\"subPlan\": \"DefenderForStorageV2\"\n}\n}\n
    "},{"location":"en/rules/Azure.Defender.Storage/#configure-with-bicep","title":"Configure with Bicep","text":"

    To enable Defender for Storage:

    • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.

    For example:

    Azure Bicep snippet
    resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {\n  name: 'StorageAccounts'\n  properties: {\n    pricingTier: 'Standard'\n    subPlan: 'DefenderForStorageV2'\n  }\n}\n
    "},{"location":"en/rules/Azure.Defender.Storage/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'\n
    "},{"location":"en/rules/Azure.Defender.Storage/#notes","title":"Notes","text":"

    The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption. Some features within the new plan is still in preview, but these are configurable.

    Currently only the Blob Storage, Azure Files and Azure Data Lake Storage Gen2 service is supported by Defender for Storage.

    "},{"location":"en/rules/Azure.Defender.Storage/#links","title":"Links","text":"
    • Storage security guide
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Storage
    • Migrate from Defender for Storage (classic) to the new plan
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    • Azure deployment reference
    "},{"location":"en/rules/Azure.DefenderCloud.Contact/","title":"Set Security Center contact details","text":"Azure.DefenderCloud.ContactAZR-000209Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2020_06

    Microsoft Defender for Cloud email and phone contact details should be set.

    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#description","title":"Description","text":"

    Security contact details configured in Microsoft Defender for Cloud are used by Microsoft to notify you in response to certain security events.

    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#recommendation","title":"Recommendation","text":"

    Consider configuring Microsoft Defender for Cloud email and phone contact details.

    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Contact/#link","title":"LINK","text":"
    • Quickstart: Configure email notifications for security alerts
    ","tags":["Azure.DefenderCloud.Contact","AZR-000209"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/","title":"Enable Microsoft Defender for Cloud auto-provisioning","text":"Azure.DefenderCloud.ProvisioningAZR-000210Error

    Security \u00b7 Microsoft Defender for Cloud \u00b7 Rule \u00b7 2020_06

    Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.

    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#description","title":"Description","text":"

    Select resources such as virtual machines (VMs) and VM scale sets require an agent to be installed to collect additional information from the operating system (OS). This information is used to identify missing security updates and additional threats.

    By turning auto-provisioning on, Microsoft Defender for Cloud automatically deploys an Azure Monitor agent to VMs on a regular basis.

    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#recommendation","title":"Recommendation","text":"

    Consider enabling auto-provisioning to improve Azure Microsoft Defender for Cloud VM insights.

    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.DefenderCloud.Provisioning/#links","title":"Links","text":"
    • Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
    ","tags":["Azure.DefenderCloud.Provisioning","AZR-000210"]},{"location":"en/rules/Azure.Deployment.AdminUsername/","title":"Administrator Username Types","text":"Azure.Deployment.AdminUsernameAZR-000284Error

    Security \u00b7 Deployment \u00b7 Rule \u00b7 2022_09

    Use secure parameters for sensitive resource properties.

    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#description","title":"Description","text":"

    Resource properties can be configured using a hardcoded value or Azure Bicep/ template expressions. When specifing sensitive values use secure parameters such as secureString or secureObject.

    Sensitive values that use deterministic expressions such as hardcodes string literals or variables are not secure.

    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#recommendation","title":"Recommendation","text":"

    Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.

    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#examples","title":"Examples","text":"","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resources that pass this rule:

    • Use parameters to specify sensitive properties.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"zones\": [\n\"1\"\n],\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"Standard_D2s_v3\"\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('name')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\"\n},\n\"storageProfile\": {\n\"imageReference\": {\n\"publisher\": \"MicrosoftWindowsServer\",\n\"offer\": \"WindowsServer\",\n\"sku\": \"[parameters('sku')]\",\n\"version\": \"latest\"\n},\n\"osDisk\": {\n\"name\": \"[format('{0}-disk0', parameters('name'))]\",\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\",\n\"managedDisk\": {\n\"storageAccountType\": \"Premium_LRS\"\n}\n}\n},\n\"licenseType\": \"Windows_Server\",\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n}\n]\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n]\n}\n
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resources that pass this rule:

    • steps

    For example:

    Azure Bicep snippet
    @secure()\n@description('The name of the local administrator account.')\nparam adminUsername string\n\n@secure()\n@description('A password for the local administrator account.')\nparam adminPassword string\n\nresource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#notes","title":"Notes","text":"

    Configure AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES to specify sensitive property names. By default the following values are used:

    • adminUsername
    • administratorLogin
    • administratorLoginPassword
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.AdminUsername/#links","title":"Links","text":"
    • Infrastructure provisioning considerations in Azure
    • Use Azure Key Vault to pass secure parameter value during Bicep deployment
    • Integrate Azure Key Vault in your ARM template deployment
    ","tags":["Azure.Deployment.AdminUsername","AZR-000284"]},{"location":"en/rules/Azure.Deployment.Name/","title":"Use valid nested deployments names","text":"Azure.Deployment.NameAZR-000359Error

    Operational Excellence \u00b7 Deployment \u00b7 Rule \u00b7 2023_03

    Nested deployments should meet naming requirements of deployments.

    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure deployments names are:

    • Between 1 and 64 characters long.
    • Alphanumerics, underscores, parentheses, hyphens, and periods.
    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#recommendation","title":"Recommendation","text":"

    Consider using nested deployment names thas meets naming requirements of deployments. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#notes","title":"Notes","text":"

    This rule does not check if nested deployment names are unique.

    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions deployments resource
    • Using linked and nested templates when deploying Azure resources
    • Template reference
    ","tags":["Azure.Deployment.Name","AZR-000359"]},{"location":"en/rules/Azure.Deployment.OuterSecret/","title":"Secret value in deployment output","text":"Azure.Deployment.OuterSecretAZR-000331Error

    Security \u00b7 Deployment \u00b7 Rule \u00b7 2022_12

    Do not use Outer deployments when references SecureString or SecureObject parameters.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#description","title":"Description","text":"

    Template child deployments can be scoped as either outer or inner. When using outer scope evaluated deployments, parameters from the parent template are used directly within nested templates instead of enforcing secureString and secureObject types.

    When passing secure values to nested deployments always use inner scope deployments to ensure secure values are not logging. Bicep modules always use inner scope evaluated deployments.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#recommendation","title":"Recommendation","text":"

    Consider using inner deployments to prevent secure values from being exposed.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-azure-template","title":"Configure with Azure template","text":"

    Nested Deployments within an ARM template need the property expressionEvaluationOptions.Scope to be set to inner.

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminUsername\": {\n\"type\": \"securestring\",\n\"defaultValue\": \"admin\"\n}\n},\n\"resources\": [\n{\n\"name\": \"nestedDeployment-A\",\n\"type\": \"Microsoft.Resources/deployments\",\n\"apiVersion\": \"2020-10-01\",\n\"properties\": {\n\"expressionEvaluationOptions\": {\n\"scope\": \"inner\"\n},\n\"mode\": \"Incremental\",\n\"template\": {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminUsername\": {\n\"type\": \"securestring\",\n\"defaultValue\": \"password\"\n}\n},\n\"variables\": {},\n\"resources\": [\n{\n\"apiVersion\": \"2019-12-01\",\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"name\": \"vm-example\",\n\"location\": \"australiaeast\",\n\"properties\": {\n\"osProfile\": {\n\"computerName\": \"vm-example\",\n\"adminUsername\": \"[parameters('adminUsername')]\"\n}\n}\n}\n]\n}\n}\n}\n]\n}\n
    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#configure-with-bicep","title":"Configure with Bicep","text":"

    Bicep templates will do this by default when performing nested deployments.

    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OuterSecret/#links","title":"Links","text":"
    • Azure deployment reference
    • Deployment Function Scopes
    ","tags":["Azure.Deployment.OuterSecret","AZR-000331"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/","title":"Secret value in deployment output","text":"Azure.Deployment.OutputSecretValueAZR-000279Error

    Security \u00b7 Deployment \u00b7 Rule \u00b7 2022_06

    Avoid outputting sensitive deployment values.

    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#description","title":"Description","text":"

    Don't include any values in an ARM template or Bicep output that could potentially expose secrets. The output from a template is stored in the deployment history, so a malicious user could find that information.

    Examples of secrets are:

    • Parameters using the secureString or secureObject type.
    • Output from list* functions such as listKeys.
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#recommendation","title":"Recommendation","text":"

    Consider removing any output values that return secret values in code.

    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy securely pass secrets within Infrastructure as Code:

    • Define parameters with the secureString or secureObject type.
    • Avoid returning a secret in output values.

    Example using secureString type:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminPassword\": {\n\"type\": \"secureString\",\n\"metadata\": {\n\"description\": \"Local administrator password for virtual machine.\"\n}\n}\n},\n\"resources\": []\n}\n

    The following example fails because it returns a secret:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"adminPassword\": {\n\"type\": \"secureString\",\n\"metadata\": {\n\"description\": \"Local administrator password for virtual machine.\"\n}\n}\n},\n\"resources\": [],\n\"outputs\": {\n\"accountPassword\": {\n\"type\": \"string\",\n\"value\": \"[parameters('adminPassword')]\"\n}\n}\n}\n
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy securely pass secrets within Infrastructure as Code:

    • Mark secrets with the @secure() annotation.
    • Avoid returning a secret in output values.

    Example using @secure() annotation:

    Azure Bicep snippet
    @secure()\n@description('Local administrator password for virtual machine.')\nparam adminPassword string\n

    The following example fails because it returns a secret:

    Azure Bicep snippet
    output accountPassword string = adminPassword\n
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.OutputSecretValue/#links","title":"Links","text":"
    • Pipeline secret management
    • Test cases for ARM templates
    • Outputs should not contain secrets
    • List function
    ","tags":["Azure.Deployment.OutputSecretValue","AZR-000279"]},{"location":"en/rules/Azure.Deployment.SecureValue/","title":"Use secure resource values","text":"Azure.Deployment.SecureValueAZR-000316Error

    Security \u00b7 Deployment \u00b7 Rule \u00b7 2022_12

    Use secure parameters for setting properties of resources that contain sensitive information.

    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#description","title":"Description","text":"

    Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type.

    Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#recommendation","title":"Recommendation","text":"

    Consider using secure parameters for sensitive resource properties.

    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#examples","title":"Examples","text":"","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure deployments that pass this rule:

    • Set the type of parameters used set sensitive resource properties to secureString or secureObject.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"secret\": {\n\"type\": \"secureString\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.KeyVault/vaults/secrets\",\n\"apiVersion\": \"2022-07-01\",\n\"name\": \"keyvault/good\",\n\"properties\": {\n\"value\": \"[parameters('secret')]\"\n}\n}\n]\n}\n
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure deployments that pass this rule:

    • Add the @secure() attribute on parameters used to set sensitive resource properties.

    For example:

    Azure Bicep snippet
    @secure()\nparam secret string\n\nresource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {\n  name: 'keyvault/good'\n  properties: {\n    value: secret\n  }\n}\n
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#notes","title":"Notes","text":"

    This rule checks the following resource type properties:

    • Microsoft.KeyVault/vaults/secrets:
      • properties.value
    • Microsoft.Compute/virtualMachineScaleSets:
      • properties.virtualMachineProfile.osProfile.adminPassword
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.Deployment.SecureValue/#links","title":"Links","text":"
    • Infrastructure provisioning considerations in Azure
    • Use Azure Key Vault to pass secure parameter value during Bicep deployment
    • Integrate Azure Key Vault in your ARM template deployment
    ","tags":["Azure.Deployment.SecureValue","AZR-000316"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/","title":"Use identity-based authentication for Event Grid topics","text":"Azure.EventGrid.DisableLocalAuthAZR-000100Error

    Security \u00b7 Event Grid \u00b7 Rule \u00b7 2022_09

    Authenticate publishing clients with Azure AD identities.

    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#description","title":"Description","text":"

    To publish events to Event Grid access keys, SAS tokens, or Azure AD identities can be used. With Azure AD authentication, the identity is validated against the Microsoft Identity Platform. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.

    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to publish events to Event Grid. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventGrid/topics\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('topicName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"publicNetworkAccess\": \"Disabled\",\n\"inputSchema\": \"CloudEventSchemaV1_0\"\n}\n}\n
    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {\n  name: topicName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n
    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • IM-1: Use centralized identity and authentication system
    • Authentication and authorization with Azure Active Directory
    • Disable key and shared access signature authentication
    • Azure deployment reference
    ","tags":["Azure.EventGrid.DisableLocalAuth","AZR-000100"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/","title":"Use Managed Identity for Event Grid Topics","text":"Azure.EventGrid.ManagedIdentityAZR-000099Error

    Security \u00b7 Event Grid \u00b7 Rule \u00b7 2021_12

    Use managed identities to deliver Event Grid Topic events.

    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#description","title":"Description","text":"

    When delivering events you can use Managed Identities to authenticate event delivery. You can enable either system-assigned identity or user-assigned identity but not both. You can have at most two user-assigned identities assigned to a topic or domain.

    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Event Grid Topic.

    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventGrid/topics\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('topicName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"publicNetworkAccess\": \"Disabled\",\n\"inputSchema\": \"CloudEventSchemaV1_0\"\n}\n}\n
    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {\n  name: topicName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n
    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Assign a managed identity to an Event Grid custom topic or domain
    • Authenticate event delivery to event handlers
    • Azure deployment reference
    ","tags":["Azure.EventGrid.ManagedIdentity","AZR-000099"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/","title":"Use Event Grid Private Endpoints","text":"Azure.EventGrid.TopicPublicAccessAZR-000098Error

    Security \u00b7 Event Grid \u00b7 Rule \u00b7 2021_12

    Use Private Endpoints to access Event Grid topics and domains.

    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#description","title":"Description","text":"

    By default, public network access is enabled for an Event Grid topic or domain. To allow access via private endpoints only, disable public network access.

    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#recommendation","title":"Recommendation","text":"

    Consider using Private Endpoints to access Event Grid topics and domains. To limit access to Event Grid topics and domains, disable public access.

    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventGrid/topics\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('topicName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"publicNetworkAccess\": \"Disabled\",\n\"inputSchema\": \"CloudEventSchemaV1_0\"\n}\n}\n
    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Grid Topics that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource eventGrid 'Microsoft.EventGrid/topics@2021-06-01-preview' = {\n  name: topicName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    publicNetworkAccess: 'Disabled'\n    inputSchema: 'CloudEventSchemaV1_0'\n  }\n}\n
    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventGrid.TopicPublicAccess/#links","title":"Links","text":"
    • Traffic flow security in Azure
    • Private Endpoints
    • Azure deployment reference
    ","tags":["Azure.EventGrid.TopicPublicAccess","AZR-000098"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/","title":"Use identity-based authentication for Event Hub namespaces","text":"Azure.EventHub.DisableLocalAuthAZR-000102Error

    Security \u00b7 Event Hub \u00b7 Rule \u00b7 2022_03

    Authenticate Event Hub publishers and consumers with Azure AD identities.

    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#description","title":"Description","text":"

    To publish or consume events from Event Hubs cryptographic keys, or Azure AD identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Azure AD authentication, the identity is validated against Azure AD. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.

    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to publish or consume events from Event Hub. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventHub/namespaces\",\n\"apiVersion\": \"2021-11-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"isAutoInflateEnabled\": true,\n\"maximumThroughputUnits\": 10,\n\"zoneRedundant\": true\n}\n}\n
    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource ns 'Microsoft.EventHub/namespaces@2021-11-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    isAutoInflateEnabled: true\n    maximumThroughputUnits: 10\n    zoneRedundant: true\n  }\n}\n
    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • Authorize access to Event Hubs resources using Azure Active Directory
    • Disabling Local/SAS Key authentication
    • Azure deployment reference
    ","tags":["Azure.EventHub.DisableLocalAuth","AZR-000102"]},{"location":"en/rules/Azure.EventHub.MinTLS/","title":"Minimum TLS version","text":"Azure.EventHub.MinTLSAZR-000356Error

    Security \u00b7 Event Hub \u00b7 Rule \u00b7 2023_03

    Event Hub namespaces should reject TLS versions older than 1.2.

    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#recommendation","title":"Recommendation","text":"

    Configure the minimum supported TLS version to be 1.2.

    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.minimumlTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.EventHub/namespaces\",\n\"apiVersion\": \"2022-01-01-preview\",\n\"name\": \"[parameters('eventHubNamespaceName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('eventHubSku')]\",\n\"tier\": \"[parameters('eventHubSku')]\",\n\"capacity\": 1,\n},\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n}\n}\n
    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Event Hub namespaces that pass this rule:

    • Set the properties.minimumlTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' = {\n  name: eventHubNamespaceName\n  location: location\n  sku: {\n    name: eventHubSku\n    tier: eventHubSku\n    capacity: 1\n  }\n  properties: {\n    minimumTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.EventHub.MinTLS","AZR-000356"]},{"location":"en/rules/Azure.EventHub.Usage/","title":"Remove unused Event Hub namespaces","text":"Azure.EventHub.UsageAZR-000101Error

    Cost Optimization \u00b7 Event Hub \u00b7 Rule \u00b7 2022_03

    Regularly remove unused resources to reduce costs.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#description","title":"Description","text":"

    Billing starts for an Event Hub namespace after it is provisioned. To receive events in a Event Hub namespace, you must first create an Event Hub. Namespaces without any Event Hubs are considered unused.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing Event Hub namespaces that are not used.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.EventHub.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Pricing
    ","tags":["Azure.EventHub.Usage","AZR-000101"]},{"location":"en/rules/Azure.Firewall.Mode/","title":"Configure deny on threat intel for classic managed Azure Firewalls","text":"Azure.Firewall.ModeAZR-000105Error

    Security \u00b7 Firewall \u00b7 Rule \u00b7 2020_06

    Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls.

    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#description","title":"Description","text":"

    Threat intelligence-based filtering can optionally be enabled on Azure Firewall. When enabled, Azure Firewall alerts and deny traffic to/ from known malicious IP addresses and domains.

    By default, Azure Firewall alerts on triggered threat intelligence rules.

    Specifically, this rule only applies using an Azure Firewall in classic management mode. If the Azure Firewall is connected to a Secured Virtual Hub this rule will not apply.

    Classic managed Azure Firewalls are standalone. Alternatively you can manage Azure Firewalls at scale through Firewall Manager by using policy. When using firewall policies, threat intelligence is configured centrally instead of on each firewall.

    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#recommendation","title":"Recommendation","text":"

    Consider configuring Azure Firewall to alert and deny IP addresses and domains detected as malicious. Alternatively, consider using firewall policies to manage Azure Firewalls at scale.

    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Firewalls that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/azureFirewalls\",\n\"apiVersion\": \"2021-05-01\",\n\"name\": \"[format('{0}_classic', parameters('name'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"AZFW_VNet\"\n},\n\"threatIntelMode\": \"Deny\"\n}\n}\n
    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Firewalls that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Bicep snippet
    resource firewall_classic 'Microsoft.Network/azureFirewalls@2021-05-01' = {\n  name: '${name}_classic'\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n
    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Mode/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Azure Firewall threat intelligence-based filtering
    • Azure network security overview
    • Azure deployment reference
    ","tags":["Azure.Firewall.Mode","AZR-000105"]},{"location":"en/rules/Azure.Firewall.Name/","title":"Use valid Firewall names","text":"Azure.Firewall.NameAZR-000103Error

    Operational Excellence \u00b7 Firewall \u00b7 Rule \u00b7 2021_12

    Firewall names should meet naming requirements.

    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Firewall names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Firewall names must be unique within a resource group.
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Firewall naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#examples","title":"Examples","text":"","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy firewalls that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/azureFirewalls\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"name\": \"AZFW_VNet\",\n\"tier\": \"Premium\"\n},\n\"firewallPolicy\": {\n\"id\": \"[resourceId('Microsoft.Network/firewallPolicies', format('{0}_policy', parameters('name')))]\"\n}\n},\n\"dependsOn\": [\n\"firewall_policy\"\n]\n}\n
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy firewalls that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Bicep snippet
    resource firewall 'Microsoft.Network/azureFirewalls@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      name: 'AZFW_VNet'\n      tier: 'Premium'\n    }\n    firewallPolicy: {\n      id: firewall_policy.id\n    }\n  }\n}\n
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#notes","title":"Notes","text":"

    This rule does not check if Firewall names are unique.

    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.Firewall.Name","AZR-000103"]},{"location":"en/rules/Azure.Firewall.PolicyMode/","title":"Threat intelligence-based filtering","text":"Azure.Firewall.PolicyModeAZR-000399Error

    Security \u00b7 Firewall \u00b7 Rule \u00b7 2023_09

    Deny high confidence malicious IP addresses, domains and URLs.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#description","title":"Description","text":"

    Threat intelligence-based filtering can optionally be enabled on Azure Firewall, by associating one or more policies with threat intelligence-based filtering configured.

    When configured, Azure Firewall alerts and deny traffic to/from known malicious IP addresses, domains and URLs.

    By default, threat intelligence-based filtering is enabled and in alert mode on each policy unless otherwise is specified.

    By configuring threat intelligence-based filtering in alert and deny mode, threat intelligence-based filtering may deny traffic before any configured rules are processed.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#recommendation","title":"Recommendation","text":"

    Consider configuring Azure Firewall to alert and deny IP addresses, domains and URLs detected as malicious.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Firewall polices that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/firewallPolicies\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"tier\": \"Premium\"\n},\n\"threatIntelMode\": \"Deny\"\n}\n}\n
    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Firewall polices that pass this rule:

    • Set the properties.threatIntelMode to Deny.

    For example:

    Azure Bicep snippet
    resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      tier: 'Premium'\n    }\n    threatIntelMode: 'Deny'\n  }\n}\n
    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#notes","title":"Notes","text":"

    Azure Firewall Premium SKU is required for associating standalone resource firewall policies. Only Standard and Premium firewall policies supports threat intelligence-based filtering in alert and deny mode.

    In order to take advantage of URL filtering with HTTPS traffic included in threat intelligence-based filtering, TLS inspection must be configured first.

    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyMode/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Azure Firewall threat intelligence-based filtering
    • Rule processing logic
    • Azure security baseline for Azure Firewall
    • NS-1: Establish network segmentation boundaries
    • Azure network security overview
    • Azure deployment reference
    ","tags":["Azure.Firewall.PolicyMode","AZR-000399"]},{"location":"en/rules/Azure.Firewall.PolicyName/","title":"Use valid Firewall policy names","text":"Azure.Firewall.PolicyNameAZR-000104Error

    Operational Excellence \u00b7 Firewall \u00b7 Rule \u00b7 2021_12

    Firewall policy names should meet naming requirements.

    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Firewall policy names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Firewall policy names must be unique within a resource group.
    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Firewall policy naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#notes","title":"Notes","text":"

    This rule does not check if Firewall policy names are unique.

    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.Firewall.PolicyName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Firewall.PolicyName","AZR-000104"]},{"location":"en/rules/Azure.FrontDoor.Logs/","title":"Audit Front Door Access","text":"Azure.FrontDoor.LogsAZR-000107Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Audit and monitor access through Front Door.

    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#description","title":"Description","text":"

    To capture network activity through Front Door, diagnostic settings must be configured. When configuring diagnostics settings enable FrontdoorAccessLog logs.

    Enable FrontdoorWebApplicationFirewallLog when web application firewall (WAF) policy is configured.

    Management operations for Front Door is captured automatically within Azure Activity Logs.

    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostics setting to log network activity through Front Door.

    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door resource that passes this rule:

    • Deploy a diagnostic settings sub-resource.
      • Enable logging for the FrontdoorAccessLog category.
      • Enable logging for the FrontdoorWebApplicationFirewallLog category.

    For example:

    Azure Template snippet
    {\n\"resources\": [\n{\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('frontDoorName')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Standard_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2020-05-01-preview\",\n\"scope\": \"[format('Microsoft.Cdn/profiles/{0}', parameters('frontDoorName'))]\",\n\"name\": \"service\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workSpaceId')]\",\n\"logs\": [\n{\n\"category\": \"FrontdoorAccessLog\",\n\"enabled\": true\n},\n{\n\"category\": \"FrontdoorWebApplicationFirewallLog\",\n\"enabled\": true\n}\n]\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door resource that passes this rule:

    • Deploy a diagnostic settings sub-resource.
      • Enable logging for the FrontdoorAccessLog category.
      • Enable logging for the FrontdoorWebApplicationFirewallLog category.

    For example:

    Azure Bicep snippet
    targetScope = 'resourceGroup'\nresource frontDoorResource 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: frontDoorName\n  location: 'Global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n}\n\nresource frontDoorInsightsResource 'Microsoft.Insights/diagnosticSettings@2020-05-01-preview' = {\n  name: 'frontDoorInsights'\n  scope: frontDoorResource\n  location: 'Global'\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'FrontdoorAccessLog'\n        enabled: true\n      }\n      {\n        category: 'FrontdoorWebApplicationFirewallLog'\n        enabled: true\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.Logs/#links","title":"Links","text":"
    • Monitoring metrics and logs in Azure Front Door Service
    • Create a Front Door Standard/Premium using Bicep
    • Security logs and alerts using Azure services
    ","tags":["Azure.FrontDoor.Logs","AZR-000107"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/","title":"Managed identity","text":"Azure.FrontDoor.ManagedIdentityAZR-000396Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2023_09

    Ensure Front Door uses a managed identity to authorize access to Azure resources.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#description","title":"Description","text":"

    When configuring a Standard or Premium SKU with a custom domain using bring your own certificate (BYOC) access to a Key Vault is required. Standard and Premium Front Door profiles support two methods for authorizing access to Azure resources:

    1. Using the Microsoft managed multi-tenant app registration.
      • Standard SKU profiles use the client ID 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8.
      • Premium SKU profiles use the client ID d4631ece-daab-479b-be77-ccb713491fc0.
    2. With a system or user assigned managed identity.

    The multi-tenant app registration has a number of challenges:

    • Only a single client ID is used for each SKU for all Azure Front Door profiles. If multiple Front Door profiles are deployed into a single subscription, it is not possible to restrict access so that each profile has access to it's own Key Vault.
    • A Entra ID (Azure AD) Global Administrator of must register the multi-tenant application for each tenant once before it can be used.

    Using an managed identity allows access to Key Vault to be granted using RBAC on an individual basis.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity to allow support for Azure AD authentication.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Front Door instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"myFrontDoor\",\n\"location\": \"global\",\n\"sku\": {\n\"name\": \"Standard_AzureFrontDoor\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n}\n}\n
    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Front Door instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource frontDoorProfile 'Microsoft.Cdn/profiles@2022-11-01-preview' = {\n  name: 'myFrontDoor'\n  location: 'global'\n  sku: {\n    name: 'Standard_AzureFrontDoor'\n  }\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n}\n
    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#notes","title":"Notes","text":"

    Currently Azure Front Door only supports authentication using an Entra ID (Azure AD) to Key Vault. To use a managed identity, the Standard or Premium SKU is required. Managed identities are not supported with the Classic SKU.

    If you only use Azure Front Door (AFD) managed certificates for custom domains, a managed identity is not required.

    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities for Azure Front Door
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.ManagedIdentity","AZR-000396"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/","title":"Front Door Minimum TLS","text":"Azure.FrontDoor.MinTLSAZR-000106Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Front Door Classic instances should reject TLS versions older than 1.2.

    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure Front Door accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Front Door lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.

    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.

    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door resource that passes this rule:

    • Set each properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": [\n{\n\"name\": \"[variables('frontEndEndpointName')]\",\n\"properties\": {\n\"hostName\": \"[format('{0}.azurefd.net', parameters('name'))]\",\n\"sessionAffinityEnabledState\": \"Disabled\",\n\"customHttpsConfiguration\": {\n\"minimumTlsVersion\": \"1.2\"\n}\n}\n}\n],\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door resource that passes this rule:

    • Set each properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${name}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n          customHttpsConfiguration: {\n            minimumTlsVersion: '1.2'\n          }\n        }\n      }\n    ]\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Preparing for TLS 1.2 in Microsoft Azure
    • Supported TLS versions
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.MinTLS","AZR-000106"]},{"location":"en/rules/Azure.FrontDoor.Name/","title":"Use valid Front Door names","text":"Azure.FrontDoor.NameAZR-000113Error

    Operational Excellence \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Front Door names should meet naming requirements.

    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Front Door names are:

    • Between 5 and 64 characters long.
    • Alphanumerics and hyphens.
    • Start and end with alphanumeric.
    • Front Door names must be globally unique.
    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Front Door naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#notes","title":"Notes","text":"

    This rule does not check if Front Door names are unique.

    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.Name","AZR-000113"]},{"location":"en/rules/Azure.FrontDoor.Probe/","title":"Use Health Probes for Front Door backends","text":"Azure.FrontDoor.ProbeAZR-000108Error

    Reliability \u00b7 Front Door \u00b7 Rule \u00b7 2021_03

    Use health probes to check the health of each backend.

    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#description","title":"Description","text":"

    The health and performance of an application can degrade over time. Degradation might not be noticeable until the application fails.

    Azure Front Door can use periodic health probes against backend endpoints to determine health status. When one or more backend in a pool is healthy traffic is routed to healthy endpoints only. If all endpoints in a pool is unhealthy Front Door sends the request to any enabled endpoint.

    Health probes allow Front Door to select a backend endpoint able to respond to the request.

    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#recommendation","title":"Recommendation","text":"

    Consider configuring and enabling a health probe for each Front Door backend.

    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Configure the properties.healthProbeSettings property of the originGroups sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Cdn/profiles/originGroups\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n\"properties\": {\n\"loadBalancingSettings\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 3\n},\n\"healthProbeSettings\": {\n\"probePath\": \"/healthz\",\n\"probeRequestType\": \"HEAD\",\n\"probeProtocol\": \"Http\",\n\"probeIntervalInSeconds\": 100\n}\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.enabledState property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"path\": \"/healthz\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120,\n\"healthProbeMethod\": \"HEAD\"\n}\n}\n],\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Configure the properties.healthProbeSettings property of the originGroups sub-resource.

    For example:

    Azure Bicep snippet
    resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.enabledState property to Enabled.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network front-door probe update --front-door-name '<front_door>' -n '<probe_name>' -g '<resource_group>' --enabled 'Enabled' --path '/healthz'\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '<probe_name>' -EnabledState 'Enabled' -Path '/healthz'\nSet-AzFrontDoor -Name '<front_door>' -ResourceGroupName '<resource_group>' -HealthProbeSetting $probeSetting\n
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.Probe/#links","title":"Links","text":"
    • Creating good health probes
    • Health probes
    • Supported HTTP methods for health probes
    • How Front Door determines backend health
    • Health Endpoint Monitoring pattern
    • Azure deployment reference (Premium / Standard)
    • Azure deployment reference (Classic)
    ","tags":["Azure.FrontDoor.Probe","AZR-000108"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/","title":"Use HEAD health probes for Front Door backends","text":"Azure.FrontDoor.ProbeMethodAZR-000109Error

    Reliability \u00b7 Front Door \u00b7 Rule \u00b7 2021_03

    Configure health probes to use HEAD requests to reduce performance overhead.

    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#description","title":"Description","text":"

    Azure Front Door supports sending HEAD or GET requests for health probes to backend endpoints. HTTP HEAD requests are identical to GET requests except that the server does not send a response body. As a result, HEAD request typically have a lower performance impact then GET request.

    By eliminating a response body:

    • The server has a smaller payload to return.
    • May be able to further optimize the request by reducing calls to APIs or databases.
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#recommendation","title":"Recommendation","text":"

    Consider configuring health probes to query backend health endpoints using HEAD requests to reduce performance overhead.

    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probeRequestType property to HEAD of the originGroups sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Cdn/profiles/originGroups\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n\"properties\": {\n\"loadBalancingSettings\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 3\n},\n\"healthProbeSettings\": {\n\"probePath\": \"/healthz\",\n\"probeRequestType\": \"HEAD\",\n\"probeProtocol\": \"Http\",\n\"probeIntervalInSeconds\": 100\n}\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.healthProbeMethod property to HEAD.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"path\": \"/healthz\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120,\n\"healthProbeMethod\": \"HEAD\"\n}\n}\n],\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probeRequestType property to HEAD of the originGroups sub-resource.

    For example:

    Azure Bicep snippet
    resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.healthProbeMethod property to HEAD.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network front-door probe update --front-door-name '<front_door>' -n '<probe_name>' -g '<resource_group>' --probeMethod 'HEAD' --path '/healthz'\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '<probe_name>' -HealthProbeMethod 'HEAD' -Path '/healthz'\nSet-AzFrontDoor -Name '<front_door>' -ResourceGroupName '<resource_group>' -HealthProbeSetting $probeSetting\n
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbeMethod/#links","title":"Links","text":"
    • Creating good health probes
    • Health probes
    • Supported HTTP methods for health probes
    • How Front Door determines backend health
    • Health Endpoint Monitoring pattern
    • Azure deployment reference (Premium / Standard)
    • Azure deployment reference (Classic)
    ","tags":["Azure.FrontDoor.ProbeMethod","AZR-000109"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/","title":"Use a Dedicated Health Endpoint for Front Door backends","text":"Azure.FrontDoor.ProbePathAZR-000110Error

    Reliability \u00b7 Front Door \u00b7 Rule \u00b7 2021_03

    Configure a dedicated path for health probe requests.

    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#description","title":"Description","text":"

    Azure Front Door monitors a specific path for each backend to determine health status. The monitored path should implement functional checks to determine if the backend is performing correctly. The checks should include dependencies including those that may not be regularly called.

    Regular checks of the monitored path allow Front Door to make load balancing decisions based on status.

    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#recommendation","title":"Recommendation","text":"

    Consider using a dedicated health probe endpoint that implements functional checks.

    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-template","title":"Configure with Azure template","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probePath property to a dedicated path of the originGroups sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cdn/profiles\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n}\n},\n{\n\"type\": \"Microsoft.Cdn/profiles/originGroups\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), parameters('name'))]\",\n\"properties\": {\n\"loadBalancingSettings\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 3\n},\n\"healthProbeSettings\": {\n\"probePath\": \"/healthz\",\n\"probeRequestType\": \"HEAD\",\n\"probeProtocol\": \"Http\",\n\"probeIntervalInSeconds\": 100\n}\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.path property to a dedicated path.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"path\": \"/healthz\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120,\n\"healthProbeMethod\": \"HEAD\"\n}\n}\n],\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-bicep","title":"Configure with Bicep","text":"Premium / StandardClassic

    To deploy a Front Door resource that passes this rule:

    • Set the properties.healthProbeSettings.probePath property to a dedicated path of the originGroups sub-resource.

    For example:

    Azure Bicep snippet
    resource afd_premium 'Microsoft.Cdn/profiles@2021-06-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n}\n\nresource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {\n  name: name\n  parent: afd_premium\n  properties: {\n    loadBalancingSettings: {\n      sampleSize: 4\n      successfulSamplesRequired: 3\n    }\n    healthProbeSettings: {\n      probePath: '/healthz'\n      probeRequestType: 'HEAD'\n      probeProtocol: 'Http'\n      probeIntervalInSeconds: 100\n    }\n  }\n}\n

    To deploy a Front Door resource that passes this rule:

    • Set each properties.healthProbeSettings[*].properties.path property to a dedicated path.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          enabledState: 'Enabled'\n          path: '/healthz'\n          protocol: 'Http'\n          intervalInSeconds: 120\n          healthProbeMethod: 'HEAD'\n        }\n      }\n    ]\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network front-door probe update --front-door-name '<front_door>' -n '<probe_name>' -g '<resource_group>' --path '/healthz'\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $probeSetting = New-AzFrontDoorHealthProbeSettingObject -Name '<probe_name>' -Path '/healthz'\nSet-AzFrontDoor -Name '<front_door>' -ResourceGroupName '<resource_group>' -HealthProbeSetting $probeSetting\n
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.ProbePath/#links","title":"Links","text":"
    • Creating good health probes
    • Health probes
    • Supported HTTP methods for health probes
    • How Front Door determines backend health
    • Health Endpoint Monitoring pattern
    • Azure deployment reference (Premium / Standard)
    • Azure deployment reference (Classic)
    ","tags":["Azure.FrontDoor.ProbePath","AZR-000110"]},{"location":"en/rules/Azure.FrontDoor.State/","title":"Enable Front Door Classic instance","text":"Azure.FrontDoor.StateAZR-000112Error

    Cost Optimization \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Enable Azure Front Door Classic instance.

    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#description","title":"Description","text":"

    The operational state of a Front Door Classic instance is configurable, either enabled or disabled. By default, a Front Door is enabled.

    Optionally, a Front Door Classic instance may be disabled to temporarily prevent traffic being processed.

    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#recommendation","title":"Recommendation","text":"

    Consider enabling the Front Door service or remove the instance if it is no longer required. This applies to Azure Front Door Classic instances only.

    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy a Front Door resource that passes this rule:

    • Set the properties.enabledState property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": \"[variables('frontendEndpoints')]\",\n\"loadBalancingSettings\": \"[variables('loadBalancingSettings')]\",\n\"backendPools\": \"[variables('backendPools')]\",\n\"healthProbeSettings\": \"[variables('healthProbeSettings')]\",\n\"routingRules\": \"[variables('routingRules')]\"\n}\n}\n
    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy a Front Door resource that passes this rule:

    • Set the properties.enabledState property to Enabled.

    For example:

    Azure Bicep snippet
    resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: name\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n    frontendEndpoints: frontendEndpoints\n    loadBalancingSettings: loadBalancingSettings\n    backendPools: backendPools\n    healthProbeSettings: healthProbeSettings\n    routingRules: routingRules\n  }\n}\n
    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.State/#links","title":"Links","text":"
    • Checklist - Optimize cost
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.State","AZR-000112"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/","title":"Use caching","text":"Azure.FrontDoor.UseCachingAZR-000320Error

    Performance Efficiency \u00b7 Front Door \u00b7 Rule \u00b7 2022_12

    Use caching to reduce retrieving contents from origins.

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#description","title":"Description","text":"

    Azure Front Door delivers large files without a cap on file size. Front Door uses a technique called object chunking. When a large file is requested, Front Door retrieves smaller pieces of the file from the backend. After receiving a full or byte-range file request, the Front Door environment requests the file from the backend in chunks of 8 MB.

    After the chunk arrives at the Front Door environment, it's cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. This process continues until the entire file gets downloaded (if requested) or the client closes the connection.

    For more information on the byte-range request, read RFC 7233. Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache. Ensuing requests for the file or byte ranges are served from the cache. If the chunks aren't all cached, pre-fetching is used to request chunks from the backend. This optimization relies on the backend's ability to support byte-range requests. If the backend doesn't support byte-range requests, this optimization isn't effective.

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#recommendation","title":"Recommendation","text":"

    Use caching to reduce retrieving contents from origins and improve overall performance.

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#examples","title":"Examples","text":"","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy front door instances pass this rule:

    • Configure properties.routingRules.properties.routeConfiguration.cacheConfiguration.

    Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link Routing architecture overview for more information around this.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/frontDoors\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[parameters('frontDoorName')]\",\n\"location\": \"global\",\n\"properties\": {\n\"enabledState\": \"Enabled\",\n\"frontendEndpoints\": [\n{\n\"name\": \"[variables('frontEndEndpointName')]\",\n\"properties\": {\n\"hostName\": \"[format('{0}.azurefd.net', parameters('frontDoorName'))]\",\n\"sessionAffinityEnabledState\": \"Disabled\"\n}\n}\n],\n\"loadBalancingSettings\": [\n{\n\"name\": \"[variables('loadBalancingSettingsName')]\",\n\"properties\": {\n\"sampleSize\": 4,\n\"successfulSamplesRequired\": 2\n}\n}\n],\n\"healthProbeSettings\": [\n{\n\"name\": \"[variables('healthProbeSettingsName')]\",\n\"properties\": {\n\"path\": \"/\",\n\"protocol\": \"Http\",\n\"intervalInSeconds\": 120\n}\n}\n],\n\"backendPools\": [\n{\n\"name\": \"[variables('backendPoolName')]\",\n\"properties\": {\n\"backends\": [\n{\n\"address\": \"[parameters('backendAddress')]\",\n\"backendHostHeader\": \"[parameters('backendAddress')]\",\n\"httpPort\": 80,\n\"httpsPort\": 443,\n\"weight\": 50,\n\"priority\": 1,\n\"enabledState\": \"Enabled\"\n}\n],\n\"loadBalancingSettings\": {\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', parameters('frontDoorName'), variables('loadBalancingSettingsName'))]\"\n},\n\"healthProbeSettings\": {\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/healthProbeSettings', parameters('frontDoorName'), variables('healthProbeSettingsName'))]\"\n}\n}\n}\n],\n\"routingRules\": [\n{\n\"name\": \"[variables('routingRuleName')]\",\n\"properties\": {\n\"frontendEndpoints\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', parameters('frontDoorName'), variables('frontEndEndpointName'))]\"\n}\n],\n\"acceptedProtocols\": [\n\"Http\",\n\"Https\"\n],\n\"patternsToMatch\": [\n\"/*\"\n],\n\"routeConfiguration\": {\n\"@odata.type\": \"#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration\",\n\"cacheConfiguration\": 
{\n\"cacheDuration\": \"P12DT1H\",\n\"dynamicCompression\": \"Disabled\",\n\"queryParameters\": \"customerId\",\n\"queryParameterStripDirective\": \"StripAll\"\n},\n\"forwardingProtocol\": \"MatchRequest\",\n\"backendPool\": {\n\"id\": \"[resourceId('Microsoft.Network/frontDoors/backEndPools', parameters('frontDoorName'), variables('backendPoolName'))]\"\n}\n},\n\"enabledState\": \"Enabled\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy front door instances pass this rule:

    • Configure properties.routingRules.properties.routeConfiguration.cacheConfiguration.

    Important The rule checks also for rule sets (child resources) that are overwriting the cache configuration from routing rules. Check the link Routing architecture overview for more information around this.

    For example:

    Azure Bicep snippet
    @description('The name of the frontdoor resource.')\nparam frontDoorName string\n\n@description('The hostname of the backend. Must be an IP address or FQDN.')\nparam backendAddress string\n\nvar frontEndEndpointName = 'frontEndEndpoint'\nvar loadBalancingSettingsName = 'loadBalancingSettings'\nvar healthProbeSettingsName = 'healthProbeSettings'\nvar routingRuleName = 'routingRule'\nvar backendPoolName = 'backendPool'\n\nresource frontDoor 'Microsoft.Network/frontDoors@2021-06-01' = {\n  name: frontDoorName\n  location: 'global'\n  properties: {\n    enabledState: 'Enabled'\n\n    frontendEndpoints: [\n      {\n        name: frontEndEndpointName\n        properties: {\n          hostName: '${frontDoorName}.azurefd.net'\n          sessionAffinityEnabledState: 'Disabled'\n        }\n      }\n    ]\n\n    loadBalancingSettings: [\n      {\n        name: loadBalancingSettingsName\n        properties: {\n          sampleSize: 4\n          successfulSamplesRequired: 2\n        }\n      }\n    ]\n\n    healthProbeSettings: [\n      {\n        name: healthProbeSettingsName\n        properties: {\n          path: '/'\n          protocol: 'Http'\n          intervalInSeconds: 120\n        }\n      }\n    ]\n\n    backendPools: [\n      {\n        name: backendPoolName\n        properties: {\n          backends: [\n            {\n              address: backendAddress\n              backendHostHeader: backendAddress\n              httpPort: 80\n              httpsPort: 443\n              weight: 50\n              priority: 1\n              enabledState: 'Enabled'\n            }\n          ]\n          loadBalancingSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/loadBalancingSettings', frontDoorName, loadBalancingSettingsName)\n          }\n          healthProbeSettings: {\n            id: resourceId('Microsoft.Network/frontDoors/healthProbeSettings', frontDoorName, healthProbeSettingsName)\n          }\n        }\n      }\n    ]\n\n    routingRules: [\n 
     {\n        name: routingRuleName\n        properties: {\n          frontendEndpoints: [\n            {\n              id: resourceId('Microsoft.Network/frontDoors/frontEndEndpoints', frontDoorName, frontEndEndpointName)\n            }\n          ]\n          acceptedProtocols: [\n            'Http'\n            'Https'\n          ]\n          patternsToMatch: [\n            '/*'\n          ]\n          routeConfiguration: {\n            '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration'\n            cacheConfiguration: {\n              cacheDuration: 'P12DT1H'\n              dynamicCompression: 'Disabled'\n              queryParameters: 'customerId'\n              queryParameterStripDirective: 'StripAll'\n            }\n            forwardingProtocol: 'MatchRequest'\n            backendPool: {\n              id: resourceId('Microsoft.Network/frontDoors/backEndPools', frontDoorName, backendPoolName)\n            }\n          }\n          enabledState: 'Enabled'\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#notes","title":"Notes","text":"

    This rule only applies to Front Door Classic (Microsoft.Network/frontDoors).

    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseCaching/#links","title":"Links","text":"
    • Performance patterns
    • Caching with Azure Front Door
    • Routing architecture overview
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.UseCaching","AZR-000320"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/","title":"Front Door endpoints should use WAF","text":"Azure.FrontDoor.UseWAFAZR-000111Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Enable Web Application Firewall (WAF) policies on each Front Door endpoint.

    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#description","title":"Description","text":"

    Front Door endpoints can optionally be configured with a WAF policy. When configured, every incoming request through Front Door is filtered by the WAF policy.

    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#recommendation","title":"Recommendation","text":"

    Consider enabling a WAF policy on each Front Door endpoint.

    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.UseWAF/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Azure Web Application Firewall on Azure Front Door
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.UseWAF","AZR-000111"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoor.WAF.EnabledAZR-000115Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#description","title":"Description","text":"

    The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.

    When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.

    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF policy.

    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Enabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Azure deployment reference
    ","tags":["Azure.FrontDoor.WAF.Enabled","AZR-000115"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoor.WAF.ModeAZR-000114Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2020_06

    Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#description","title":"Description","text":"

    Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

    • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests. To log requests, diagnostics on the Front Door instance must be configured.
    • Protection - log and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#recommendation","title":"Recommendation","text":"

    Consider setting Front Door WAF policy to use protection mode.

    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Mode/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    ","tags":["Azure.FrontDoor.WAF.Mode","AZR-000114"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/","title":"Use valid Front Door WAF policy names","text":"Azure.FrontDoor.WAF.NameAZR-000116Error

    Operational Excellence \u00b7 Front Door \u00b7 Rule \u00b7 2020_12

    Front Door WAF policy names should meet naming requirements.

    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Front Door Web Application Firewall (WAF) policy names are:

    • Between 1 and 128 characters long.
    • Letters or numbers.
    • Start with a letter.
    • Unique within a resource group.
    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Front Door WAF policy naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#notes","title":"Notes","text":"

    This rule does not check if Front Door WAF policy names are unique.

    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoor.WAF.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.FrontDoor.WAF.Name","AZR-000116"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/","title":"Enable Front Door WAF policy","text":"Azure.FrontDoorWAF.EnabledAZR-000305Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2022_09

    Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources.

    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#description","title":"Description","text":"

    The operational state of a Front Door WAF policy instance is configurable, either enabled or disabled. By default, a WAF policy is enabled.

    When disabled, incoming requests bypass the WAF policy and are sent to back ends based on routing rules.

    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#recommendation","title":"Recommendation","text":"

    Consider enabling WAF policy.

    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.enabledState property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.enabledState property to Enabled.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Enabled/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.Enabled","AZR-000305"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/","title":"Avoid configuring Front Door WAF rule exclusions","text":"Azure.FrontDoorWAF.ExclusionsAZR-000307Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2022_09

    Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.

    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#description","title":"Description","text":"

    Front Door WAF supports exclusions lists.

    Sometimes a Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists let you omit certain request attributes from WAF evaluation. However, each exclusion reduces the protection the WAF provides, so exclusions should be narrowly scoped and used only as a last resort.

    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#recommendation","title":"Recommendation","text":"

    Avoid configuring Front Door WAF rule exclusions.

    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Remove any rule exclusions by:
      • Set the exclusions property for each managed rule group to an empty array. OR
      • Remove the exclusions property for each managed rule group.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Remove any rule exclusions by:
      • Set the exclusions property for each managed rule group to an empty array. OR
      • Remove the exclusions property for each managed rule group.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.Exclusions/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall CRS rule groups and rules
    • Bot protection overview
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.Exclusions","AZR-000307"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/","title":"Use Front Door WAF policy in prevention mode","text":"Azure.FrontDoorWAF.PreventionModeAZR-000306Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2022_09

    Use prevention mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#description","title":"Description","text":"

    Front Door WAF policies support two modes of operation, detection and prevention. By default, prevention is configured.

    • Detection - monitors and logs all requests which match a WAF rule. In this mode, the WAF doesn't take action against incoming requests, so matching requests still reach back ends. To log requests, diagnostics on the Front Door instance must be configured.
    • Prevention - logs and takes action against requests which match a WAF rule. The action to perform is configurable for each WAF rule.
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#recommendation","title":"Recommendation","text":"

    Consider setting Front Door WAF policy to use prevention mode.

    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.mode property to Prevention.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Set the properties.policySettings.mode property to Prevention.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.PreventionMode/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.PreventionMode","AZR-000306"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/","title":"Use Recommended Front Door WAF policy rule groups","text":"Azure.FrontDoorWAF.RuleGroupsAZR-000308Error

    Security \u00b7 Front Door \u00b7 Rule \u00b7 2022_09

    Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.

    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#description","title":"Description","text":"

    Front Door WAF policies support two main Rule Groups.

    • OWASP - Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through managed rules derived from the OWASP core rule sets (3.2, 3.1, 3.0); on Front Door these are delivered as the Microsoft_DefaultRuleSet. It is recommended to use the latest rule set version.
    • Bot protection - Enable a managed bot protection rule set to block or log requests from known malicious IP addresses.
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#recommendation","title":"Recommendation","text":"

    Consider configuring Front Door WAF policy to use the recommended rule sets.

    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#examples","title":"Examples","text":"","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy WAF policies that pass this rule:

    • Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 2.0 or greater.
    • Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 1.0 or greater.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/FrontDoorWebApplicationFirewallPolicies\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"Global\",\n\"sku\": {\n\"name\": \"Premium_AzureFrontDoor\"\n},\n\"properties\": {\n\"managedRules\": {\n\"managedRuleSets\": [\n{\n\"ruleSetType\": \"Microsoft_DefaultRuleSet\",\n\"ruleSetVersion\": \"2.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n},\n{\n\"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\n\"ruleSetVersion\": \"1.0\",\n\"ruleSetAction\": \"Block\",\n\"exclusions\": [],\n\"ruleGroupOverrides\": []\n}\n]\n},\n\"policySettings\": {\n\"enabledState\": \"Enabled\",\n\"mode\": \"Prevention\"\n}\n}\n}\n
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy WAF policies that pass this rule:

    • Add the Microsoft_DefaultRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 2.0 or greater.
    • Add the Microsoft_BotManagerRuleSet rule set to the properties.managedRules.managedRuleSets property.
      • Use the rule set version 1.0 or greater.

    For example:

    Azure Bicep snippet
    resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {\n  name: name\n  location: 'Global'\n  sku: {\n    name: 'Premium_AzureFrontDoor'\n  }\n  properties: {\n    managedRules: {\n      managedRuleSets: [\n        {\n          ruleSetType: 'Microsoft_DefaultRuleSet'\n          ruleSetVersion: '2.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n        {\n          ruleSetType: 'Microsoft_BotManagerRuleSet'\n          ruleSetVersion: '1.0'\n          ruleSetAction: 'Block'\n          exclusions: []\n          ruleGroupOverrides: []\n        }\n      ]\n    }\n    policySettings: {\n      enabledState: 'Enabled'\n      mode: 'Prevention'\n    }\n  }\n}\n
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.FrontDoorWAF.RuleGroups/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Securing PaaS deployments
    • Policy settings for Web Application Firewall on Azure Front Door
    • Web Application Firewall CRS rule groups and rules
    • Bot protection overview
    • Web Application Firewall best practices
    • Azure deployment reference
    ","tags":["Azure.FrontDoorWAF.RuleGroups","AZR-000308"]},{"location":"en/rules/Azure.Identity.UserAssignedName/","title":"Use valid Managed Identity names","text":"Azure.Identity.UserAssignedNameAZR-000117Error

    Operational Excellence \u00b7 User Assigned Managed Identity \u00b7 Rule \u00b7 2021_12

    Managed Identity names should meet naming requirements.

    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Managed Identity names are:

    • Between 3 and 128 characters long.
    • Letters, numbers, underscores, and hyphens.
    • Start with a letter or number.
    • Managed Identity names must be unique within a resource group.
    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Managed Identity naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#notes","title":"Notes","text":"

    This rule does not check if Managed Identity names are unique.

    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.Identity.UserAssignedName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Identity.UserAssignedName","AZR-000117"]},{"location":"en/rules/Azure.IoTHub.MinTLS/","title":"Minimum TLS version","text":"Azure.IoTHub.MinTLSAZR-000357Error

    Security \u00b7 IoT Hub \u00b7 Rule \u00b7 2023_03

    IoT Hubs should reject TLS versions older than 1.2.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#recommendation","title":"Recommendation","text":"

    Configure the minimum supported TLS version to be 1.2.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy IoT Hubs that pass this rule:

    • Set the properties.minTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Devices/IotHubs\",\n\"apiVersion\": \"2022-04-30-preview\",\n\"name\": \"[parameters('iotHubName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"S1\",\n\"capacity\": 1,\n},\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n}\n}\n
    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy IoT Hubs that pass this rule:

    • Set the properties.minTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {\n  name: iotHubName\n  location: location\n  sku: {\n    name: 'S1'\n    capacity: 1\n  }\n  properties: {\n    minTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#notes","title":"Notes","text":"

    The minimum TLS version feature is currently only supported in these regions: East US, South Central US, West US 2, US Gov Arizona, and US Gov Virginia.

    The minTlsVersion property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to test and validate in advance that all IoT devices and services are compatible with TLS 1.2 and the recommended ciphers.

    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.IoTHub.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Transport Layer Security (TLS) support in IoT Hub
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.IoTHub.MinTLS","AZR-000357"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/","title":"Limit access to Key Vault data","text":"Azure.KeyVault.AccessPolicyAZR-000118Error

    Security \u00b7 Key Vault \u00b7 Rule \u00b7 2020_06

    Use the principle of least privilege when assigning access to Key Vault.

    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#description","title":"Description","text":"

    Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access policies determine the permissions that user accounts, groups or applications have to Key Vault items.

    The ability for applications and administrators to get, set and list items within a Key Vault is commonly required. However, these permissions should only be assigned to security principals that require them. The purge permission should rarely be assigned, as it permits permanent deletion of soft-deleted items.

    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#recommendation","title":"Recommendation","text":"

    Consider assigning access to Key Vault data based on the principle of least privilege.

    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#azure-templates","title":"Azure templates","text":"

    To deploy Key Vaults that pass this rule:

    • Avoid assigning the purge permission or the all (wildcard) permission for Key Vault objects. Use specific permissions such as get and set.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2022-07-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"accessPolicies\": [\n{\n\"objectId\": \"[parameters('objectId')]\",\n\"permissions\": {\n\"secrets\": [\n\"get\",\n\"list\",\n\"set\"\n]\n},\n\"tenantId\": \"[tenant().tenantId]\"\n}\n]\n}\n}\n
    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Avoid assigning the purge permission or the all (wildcard) permission for Key Vault objects. Use specific permissions such as get and set.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    accessPolicies: [\n      {\n        objectId: objectId\n        permissions: {\n          secrets: [\n            'get'\n            'list'\n            'set'\n          ]\n        }\n        tenantId: tenant().tenantId\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AccessPolicy/#links","title":"Links","text":"
    • Automate and use least privilege
    • Best practices to use Key Vault
    • Azure deployment reference
    ","tags":["Azure.KeyVault.AccessPolicy","AZR-000118"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/","title":"Enable Key Vault key auto-rotation","text":"Azure.KeyVault.AutoRotationPolicyAZR-000123Error

    Security \u00b7 Key Vault \u00b7 Rule \u00b7 2022_09

    Key Vault keys should have auto-rotation enabled.

    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#description","title":"Description","text":"

    Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.

    Key rotation is a common cause of application outages. Scheduling and automating rotation makes it predictable and ensures it actually happens.

    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#recommendation","title":"Recommendation","text":"

    Consider enabling auto-rotation on Key Vault keys.

    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set auto-rotation for a key:

    • Set properties.rotationPolicy.lifetimeActions[*].action.type to Rotate.
    • Set properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate to the ISO 8601 duration after key creation at which the key should be rotated (for example, P18D).

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults/keys\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[concat(parameters('vaultName'), '/', 'key1')]\",\n\"properties\": {\n\"keyOps\": [\n\"sign\",\n\"verify\",\n\"wrapKey\",\n\"unwrapKey\",\n\"encrypt\",\n\"decrypt\"\n],\n\"keySize\": 2048,\n\"kty\": \"RSA\",\n\"rotationPolicy\": {\n\"lifetimeActions\": [\n{\n\"action\": {\n\"type\": \"Rotate\"\n},\n\"trigger\": {\n\"timeAfterCreate\": \"P18D\"\n}\n},\n{\n\"action\": {\n\"type\": \"Notify\"\n},\n\"trigger\": {\n\"timeAfterCreate\": \"P30D\"\n}\n}\n]\n}\n}\n}\n
    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set auto-rotation for a key:

    • Set properties.rotationPolicy.lifetimeActions[*].action.type to Rotate.
    • Set properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate to the ISO 8601 duration after key creation at which the key should be rotated (for example, P18D).

    For example:

    Azure Bicep snippet
    resource vaultName_key1 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = {\n  parent: vaultName_resource\n  name: 'key1'\n  properties: {\n    keyOps: [\n      'sign'\n      'verify'\n      'wrapKey'\n      'unwrapKey'\n      'encrypt'\n      'decrypt'\n    ]\n    keySize: 2048\n    kty: 'RSA'\n    rotationPolicy: {\n      lifetimeActions: [\n        {\n          action: {\n            type: 'rotate'\n          }\n          trigger: {\n            timeAfterCreate: 'P18D'\n          }\n        }\n        {\n          action: {\n            type: 'notify'\n          }\n          trigger: {\n            timeAfterCreate: 'P30D'\n          }\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.AutoRotationPolicy/#links","title":"Links","text":"
    • Operational considerations
    • IM-3: Manage application identities securely and automatically
    • Configure cryptographic key auto-rotation in Azure Key Vault
    • Azure deployment reference
    ","tags":["Azure.KeyVault.AutoRotationPolicy","AZR-000123"]},{"location":"en/rules/Azure.KeyVault.Firewall/","title":"Configure Azure Key Vault firewall","text":"Azure.KeyVault.FirewallAZR-000355Error

    Security \u00b7 Key Vault \u00b7 Rule \u00b7 2023_03

    Key Vault should only accept explicitly allowed traffic.

    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#description","title":"Description","text":"

    By default, Key Vault accepts connections from clients on any network. To limit access to selected networks, you must first change the default action.

    After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

    • Azure services on the trusted service list.
    • IP address or CIDR range.
    • Private endpoint connections.
    • Azure virtual network subnets with a Service Endpoint.

    If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:

    • enabledForDeployment - Azure Virtual Machines for deployment.
    • enabledForDiskEncryption - Azure Disk Encryption for volume encryption.
    • enabledForTemplateDeployment - Azure Resource Manager for template deployment.
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#recommendation","title":"Recommendation","text":"

    Consider configuring Key Vault firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"enableRbacAuthorization\": true,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\",\n\"bypass\": \"AzureServices\"\n}\n}\n}\n
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.Firewall/#links","title":"Links","text":"
    • Public endpoints
    • Configure Azure Key Vault firewalls and virtual networks
    • Azure security baseline for Key Vault - Disable Public Network Access
    • Azure Policies - Azure Key Vault should have firewall enabled
    • Azure Key Vault should have firewall enabled
    • Trusted services
    • Azure deployment reference
    ","tags":["Azure.KeyVault.Firewall","AZR-000355"]},{"location":"en/rules/Azure.KeyVault.KeyName/","title":"Use valid Key Vault Key names","text":"Azure.KeyVault.KeyNameAZR-000122Error

    Operational Excellence \u00b7 Key Vault \u00b7 Rule \u00b7 2021_03

    Key Vault Key names should meet naming requirements.

    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Key names are:

    • Between 1 and 127 characters long.
    • Alphanumerics and hyphens (dash).
    • Keys must be unique within a Key Vault.
    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#recommendation","title":"Recommendation","text":"

    Consider using key names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#notes","title":"Notes","text":"

    This rule does not check if Key names are unique.

    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.KeyName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.KeyVault.KeyName","AZR-000122"]},{"location":"en/rules/Azure.KeyVault.Logs/","title":"Audit Key Vault Data Access","text":"Azure.KeyVault.LogsAZR-000119Error

    Security \u00b7 Key Vault \u00b7 Rule \u00b7 2020_06

    Ensure audit diagnostics logs are enabled to audit Key Vault access.

    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#description","title":"Description","text":"

    To capture logs that record interactions with the data or settings of a Key Vault, diagnostic settings must be configured.

    When configuring diagnostics settings, enable one of the following:

    • AuditEvent category.
    • audit category group.
    • allLogs category group.

    Management operations for Key Vault is captured automatically within Azure Activity Logs.

    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#recommendation","title":"Recommendation","text":"

    Configure audit diagnostics logs to audit Key Vault access.

    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy key vaults that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"enableRbacAuthorization\": true,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\",\n\"bypass\": \"AzureServices\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"scope\": \"[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]\",\n\"name\": \"logs\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"AuditEvent\",\n\"enabled\": true\n}\n]\n},\n\"dependsOn\": [\n\"[parameters('name')]\"\n]\n}\n]\n}\n
    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy key vaults that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable AuditEvent category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: 'logs'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Logs/#links","title":"Links","text":"
    • Security logs and alerts using Azure services
    • Best practices to use Key Vault
    • Azure Key Vault logging
    • Azure Key Vault security
    • Monitoring your Key Vault service with Key Vault insights
    • Azure deployment reference
    ","tags":["Azure.KeyVault.Logs","AZR-000119"]},{"location":"en/rules/Azure.KeyVault.Name/","title":"Use valid Key Vault names","text":"Azure.KeyVault.NameAZR-000120Error

    Operational Excellence \u00b7 Key Vault \u00b7 Rule \u00b7 2021_03

    Key Vault names should meet naming requirements.

    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault names are:

    • Between 3 and 24 characters long.
    • Alphanumerics and hyphens (dash).
    • Start with a letter.
    • End with a letter or digit.
    • Can not contain consecutive hyphens.
    • Key Vault names must be globally unique.
    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#notes","title":"Notes","text":"

    This rule does not check if Key Vault names are unique.

    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.KeyVault.Name","AZR-000120"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/","title":"Use Key Vault Purge Protection","text":"Azure.KeyVault.PurgeProtectAZR-000125Error

    Reliability \u00b7 Key Vault \u00b7 Rule \u00b7 2020_06

    Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.

    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#description","title":"Description","text":"

    Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/ or vault items immediately, and is irreversible.

    When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items will be recoverable until the configured retention period. By default, the retention period is 90 days.

    Purge protection is not enabled by default.

    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#recommendation","title":"Recommendation","text":"

    Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.

    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[subscription().tenantId]\",\n\"enableSoftDelete\": true,\n\"softDeleteRetentionInDays\": 90,\n\"enablePurgeProtection\": true\n}\n}\n
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enablePurgeProtection property to true.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: subscription().tenantId\n    enableSoftDelete: true\n    softDeleteRetentionInDays: 90\n    enablePurgeProtection: true\n  }\n}\n
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az keyvault update -n '<name>' -g '<resource_group>' --enable-purge-protection\n
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.PurgeProtect/#links","title":"Links","text":"
    • Azure Key Vault soft-delete overview
    • Azure Key Vault security
    • Azure deployment reference
    ","tags":["Azure.KeyVault.PurgeProtect","AZR-000125"]},{"location":"en/rules/Azure.KeyVault.RBAC/","title":"Use Azure role-based access control","text":"Azure.KeyVault.RBACAZR-000388Warning

    Security \u00b7 Key Vault \u00b7 Rule \u00b7 2023_06

    Key Vaults should use Azure RBAC as the authorization system for the data plane.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#description","title":"Description","text":"

    Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.

    Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults.

    Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.

    The Azure RBAC permission model is not enabled by default.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#recommendation","title":"Recommendation","text":"

    Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableRbacAuthorization property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[tenant().tenantId]\",\n\"softDeleteRetentionInDays\": 90,\n\"enableSoftDelete\": true,\n\"enablePurgeProtection\": true,\n\"enableRbacAuthorization\": true,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\",\n\"bypass\": \"AzureServices\"\n}\n}\n}\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableRbacAuthorization property to true.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: tenant().tenantId\n    softDeleteRetentionInDays: 90\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: 'Deny'\n      bypass: 'AzureServices'\n    }\n  }\n}\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az keyvault update -n '<name>' -g '<resource_group>' --enable-rbac-authorization\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization\n
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#notes","title":"Notes","text":"

    The RBAC permission model may not be suitable for all use cases. If this rule is not suitable for your use case, you can exclude or suppress the rule. For information about limitations see Azure role-based access control vs. access policies in the LINKS section.

    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.RBAC/#links","title":"Links","text":"
    • Role-based authorization
    • What is Azure role-based access control?
    • Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
    • Azure role-based access control vs. access policies
    • Migrate from vault access policy to an Azure role-based access control permission model
    • Azure security baseline for Key Vault
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.KeyVault.RBAC","AZR-000388"]},{"location":"en/rules/Azure.KeyVault.SecretName/","title":"Use valid Key Vault Secret names","text":"Azure.KeyVault.SecretNameAZR-000121Error

    Operational Excellence \u00b7 Key Vault \u00b7 Rule \u00b7 2021_03

    Key Vault Secret names should meet naming requirements.

    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Key Vault Secret names are:

    • Between 1 and 127 characters long.
    • Alphanumerics and hyphens (dash).
    • Secrets must be unique within a Key Vault.
    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#recommendation","title":"Recommendation","text":"

    Consider using secret names that meet Key Vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#notes","title":"Notes","text":"

    This rule does not check if Secret names are unique.

    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SecretName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Tagging and resource naming
    ","tags":["Azure.KeyVault.SecretName","AZR-000121"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/","title":"Use Key Vault Soft Delete","text":"Azure.KeyVault.SoftDeleteAZR-000124Error

    Reliability \u00b7 Key Vault \u00b7 Rule \u00b7 2020_06

    Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.

    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#description","title":"Description","text":"

    Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.

    By default, new Key Vaults created through the portal will have soft delete for 90 days configured.

    Once enabled, soft delete can not be disabled. When soft delete is enabled, it is possible to purge soft deleted vaults and vault items.

    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.

    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableSoftDelete property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.KeyVault/vaults\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"sku\": {\n\"family\": \"A\",\n\"name\": \"premium\"\n},\n\"tenantId\": \"[subscription().tenantId]\",\n\"enableSoftDelete\": true,\n\"softDeleteRetentionInDays\": 90,\n\"enablePurgeProtection\": true\n}\n}\n
    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Key Vaults that pass this rule:

    • Set the properties.enableSoftDelete property to true.

    For example:

    Azure Bicep snippet
    resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'premium'\n    }\n    tenantId: subscription().tenantId\n    enableSoftDelete: true\n    softDeleteRetentionInDays: 90\n    enablePurgeProtection: true\n  }\n}\n
    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.KeyVault.SoftDelete/#links","title":"Links","text":"
    • Azure Key Vault soft-delete overview
    • Azure Key Vault security
    • Azure deployment reference
    ","tags":["Azure.KeyVault.SoftDelete","AZR-000124"]},{"location":"en/rules/Azure.LB.AvailabilityZone/","title":"Load balancers should be zone-redundant","text":"Azure.LB.AvailabilityZoneAZR-000127Error

    Reliability \u00b7 Load Balancer \u00b7 Rule \u00b7 2021_09

    Load balancers deployed with Standard SKU should be zone-redundant for high availability.

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#description","title":"Description","text":"

    Load balancers using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A single zone redundant frontend IP address will survive zone failure. The frontend IP may be used to reach all (non-impacted) backend pool members no matter the zone. One or more availability zones can fail and the data path survives as long as one zone in the region remains healthy.

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using zone-redundant load balancers deployed with Standard SKU.

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is constrained to a single(zonal) zone, and passes when set to null, [] or [\"1\", \"2\", \"3\"].

    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure zone-redundancy for a load balancer.

    • Set sku.name to Standard.
    • Set properties.frontendIPConfigurations[*].zones to [\"1\", \"2\", \"3\"].

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-07-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/loadBalancers\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [],\n\"tags\": {},\n\"properties\": {\n\"frontendIPConfigurations\": [\n{\n\"name\": \"frontend-ip-config\",\n\"properties\": {\n\"privateIPAddress\": null,\n\"privateIPAddressVersion\": \"IPv4\",\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n}\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n],\n\"backendAddressPools\": [],\n\"probes\": [],\n\"loadBalancingRules\": [],\n\"inboundNatRules\": [],\n\"outboundRules\": []\n},\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"[parameters('tier')]\"\n}\n}\n
    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure zone-redundancy for a load balancer.

    • Set sku.name to Standard.
    • Set properties.frontendIPConfigurations[*].zones to ['1', '2', '3'].

    For example:

    Azure Bicep snippet
    resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.AvailabilityZone/#links","title":"Links","text":"
    • Azure deployment reference
    • Load Balancer and Availability Zones
    • Use zone-aware services
    ","tags":["Azure.LB.AvailabilityZone","AZR-000127"]},{"location":"en/rules/Azure.LB.Name/","title":"Use valid Load Balancer names","text":"Azure.LB.NameAZR-000129Error

    Operational Excellence \u00b7 Load Balancer \u00b7 Rule \u00b7 2020_06

    Load Balancer names should meet naming requirements.

    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Load Balancer names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Load Balancer names must be unique within a resource group.
    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Load Balancer naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#notes","title":"Notes","text":"

    This rule does not check if Load Balancer names are unique.

    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.LB.Name","AZR-000129"]},{"location":"en/rules/Azure.LB.Probe/","title":"Use specific load balancer probe","text":"Azure.LB.ProbeAZR-000126Error

    Reliability \u00b7 Load Balancer \u00b7 Rule \u00b7 2020_06

    Use a specific probe for web protocols.

    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#description","title":"Description","text":"

    A load balancer probe can be configured as TCP/ HTTP or HTTPS.

    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#recommendation","title":"Recommendation","text":"

    Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.

    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.Probe/#links","title":"Links","text":"
    • Load Balancer health probes
    • Creating good health probes
    • Health Endpoint Monitoring pattern
    ","tags":["Azure.LB.Probe","AZR-000126"]},{"location":"en/rules/Azure.LB.StandardSKU/","title":"Load balancers should use Standard SKU","text":"Azure.LB.StandardSKUAZR-000128Error

    Reliability \u00b7 Load Balancer \u00b7 Rule \u00b7 2021_09

    Load balancers should be deployed with Standard SKU for production workloads.

    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#description","title":"Description","text":"

    Standard Load Balancer enables you to scale your applications and create high availability for small scale deployments to large and complex multi-zone architectures. It supports inbound as well as outbound connections, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. It enables Availability Zones with zone-redundant and zonal front ends as well as cross-zone load balancing for public and internal scenarios. You can scale Network Virtual Appliance scenarios and make them more resilient by using internal HA Ports load balancing rules. It also provides new diagnostics insights with multi-dimensional metrics in Azure Monitor.

    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#recommendation","title":"Recommendation","text":"

    Consider using Standard SKU for load balancers deployed in production.

    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure Standard SKU for a load balancer.

    • Set sku.name to Standard.

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-07-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/loadBalancers\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [],\n\"tags\": {},\n\"properties\": {\n\"frontendIPConfigurations\": [\n{\n\"name\": \"frontend-ip-config\",\n\"properties\": {\n\"privateIPAddress\": null,\n\"privateIPAddressVersion\": \"IPv4\",\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/lb-rg/providers/Microsoft.Network/virtualNetworks/lb-vnet/subnets/default\"\n}\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n],\n\"backendAddressPools\": [],\n\"probes\": [],\n\"loadBalancingRules\": [],\n\"inboundNatRules\": [],\n\"outboundRules\": []\n},\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"[parameters('tier')]\"\n}\n}\n
    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure Standard SKU for a load balancer.

    • Set sku.name to Standard.

    For example:

    Azure Bicep snippet
    resource lb_001 'Microsoft.Network/loadBalancers@2021-02-01' = {\n  name: lbName\n  location: location\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    frontendIPConfigurations: [\n      {\n        name: 'frontendIPConfig'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: vnet.properties.subnets[1].id\n          }\n        }\n        zones: [\n          '1'\n          '2'\n          '3'\n        ]\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LB.StandardSKU/#links","title":"Links","text":"
    • Azure deployment reference
    • Why use Azure Load Balancer?
    • Azure Load Balancer SKUs
    • Meet application platform requirements
    ","tags":["Azure.LB.StandardSKU","AZR-000128"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/","title":"Limit Logic App HTTP request triggers","text":"Azure.LogicApp.LimitHTTPTriggerAZR-000130Error

    Security \u00b7 Logic App \u00b7 Rule \u00b7 2020_12

    Limit HTTP request trigger access to trusted IP addresses.

    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#description","title":"Description","text":"

    When a Logic App uses a HTTP request trigger by default any source IP address can trigger the workflow. Logic Apps can be configured to limit the IP addresses that are accepted to trigger the workflow.

    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#recommendation","title":"Recommendation","text":"

    Consider limiting Logic Apps with HTTP request triggers to trusted IP addresses.

    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.LogicApp.LimitHTTPTrigger/#links","title":"Links","text":"
    • Secure access and data in Azure Logic Apps
    • Azure security baseline for Logic Apps
    ","tags":["Azure.LogicApp.LimitHTTPTrigger","AZR-000130"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/","title":"Disable MariaDB Allow access to Azure services firewall rule","text":"Azure.MariaDB.AllowAzureAccessAZR-000342Error

    Security \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Determine if access from Azure services is required.

    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#description","title":"Description","text":"

    Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same Azure Database for MariaDB server instance. If network based access is permitted, authentication is still required.

    Enabling access from Azure services is useful in certain cases where fixed outgoing IP addresses isn't available for the services.

    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Where fixed outgoing IP addresses are available for the Azure services, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.

    Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Deploy a Microsoft.DBforMariaDB servers/firewallRules sub-resource (child resource).
    • Set the properties.startIpAddress and properties.endIpAddress property to a valid IPv4 address format.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"[parameters('skuTier')]\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mariadbVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": \"[parameters('backupRetentionDays')]\",\n\"geoRedundantBackup\": \"[parameters('geoRedundantBackup')]\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforMariaDB/servers/firewallRules\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"MariaDbServer001/FunctionApp\",\n\"properties\": {\n\"startIpAddress\": \"20.67.176.40\",\n\"endIpAddress\": \"20.67.176.40\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.DBforMariaDB/servers', parameters('serverName'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#configure-with-bicep","title":"Configure with Bicep","text":"
    • Deploy a Microsoft.DBforMariaDB servers/firewallRules sub-resource (child resource).
    • Set the properties.startIpAddress and properties.endIpAddress properties to the specific IPv4 address (or narrow range) of the client that requires access, as in the single-address example below.

    For example:

    Azure Bicep snippet
    resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: backupRetentionDays\n      geoRedundantBackup: geoRedundantBackup\n    }\n  }\n}\n\nresource mariaDbServerFirewallRule 'Microsoft.DBforMariaDB/servers/firewallRules@2018-06-01' = {\n  name: 'MariaDbServer001/FunctionApp'\n  parent: mariaDbServer\n  properties: {\n    startIpAddress: '20.67.176.40'\n    endIpAddress: '20.67.176.40'\n  }\n}\n
    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.AllowAzureAccess/#links","title":"Links","text":"
    • Network security and containment
    • Azure Database for MariaDB firewall rules
    • Template reference
    ","tags":["Azure.MariaDB.AllowAzureAccess","AZR-000342"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/","title":"Use valid database names","text":"Azure.MariaDB.DatabaseNameAZR-000337Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB databases should meet naming requirements.

    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB database names are:

    • Between 1 and 63 characters long.
    • Alphanumerics and hyphens.
    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB database naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB database names are unique.

    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DatabaseName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.MariaDB.DatabaseName","AZR-000337"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MariaDB.DefenderCloudAZR-000330Error

    Security \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for MariaDB.

    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#description","title":"Description","text":"

    Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Enable Microsoft Defender for Cloud for Azure Database for MariaDB.

    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Deploy a Microsoft.DBforMariaDB/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled. If properties.storageAccountAccessKey is also set, pass it as a secure parameter rather than embedding the key as a literal in the template (the example uses a placeholder).

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('SkuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mariadbVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforMariaDB/servers/securityAlertPolicies\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"Default\",\n\"dependsOn\": [\"[parameters('serverName')]\"],\n\"properties\": {\n\"emailAccountAdmins\": true,\n\"emailAddresses\": [\"soc@contoso.com\"],\n\"retentionDays\": 14,\n\"state\": \"Enabled\",\n\"storageAccountAccessKey\": \"account-key\",\n\"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n}\n}\n]\n}\n
    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Deploy a Microsoft.DBforMariaDB/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled. If properties.storageAccountAccessKey is also set, supply it via a @secure() parameter rather than embedding the key as a literal (the example uses a placeholder).

    For example:

    Azure Bicep snippet
    resource mariaDbServer 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}' \n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mariadbVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mariaDbDefender 'Microsoft.DBforMariaDB/servers/securityAlertPolicies@2018-06-01' = {\n  name: 'Default'\n  parent: MariaDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n
    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.DefenderCloud/#links","title":"Links","text":"
    • Security operations
    • Enable Microsoft Defender for open-source relational databases
    • Azure deployment reference
    ","tags":["Azure.MariaDB.DefenderCloud","AZR-000330"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/","title":"Review Azure MariaDB server firewall permitted public IP addresses","text":"Azure.MariaDB.FirewallIPRangeAZR-000344Error

    Security \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Determine if there is an excessive number of permitted IP addresses.

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity.

    Server-level firewall permitted IP addresses apply to all databases on the Azure Database for MariaDB server.

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    Review the number of Azure Database for MariaDB server firewall permitted public IP addresses configured. Consider removing IP addresses that are no longer needed.

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#notes","title":"Notes","text":"

    This rule fails when the number of configured public IP addresses exceeds ten (10).

    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallIPRange/#links","title":"Links","text":"
    • Network security and containment
    • Azure Database for MariaDB server firewall rules
    • Create and manage Azure Database for MariaDB firewall rules by using the Azure portal
    • Azure deployment reference
    ","tags":["Azure.MariaDB.FirewallIPRange","AZR-000344"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/","title":"Review Azure MariaDB server firewall rules","text":"Azure.MariaDB.FirewallRuleCountAZR-000343Error

    Security \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity.

    Server-level firewall rules apply to all databases on the Azure Database for MariaDB server.

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    Review the number of Azure Database for MariaDB server firewall rules configured. Consider removing rules that are no longer needed.

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#notes","title":"Notes","text":"

    This rule fails when the number of configured firewall rules exceeds ten (10).

    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleCount/#links","title":"Links","text":"
    • Network security and containment
    • Azure Database for MariaDB server firewall rules
    • Create and manage Azure Database for MariaDB firewall rules by using the Azure portal
    • Azure deployment reference
    ","tags":["Azure.MariaDB.FirewallRuleCount","AZR-000343"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/","title":"Use valid firewall rule names","text":"Azure.MariaDB.FirewallRuleNameAZR-000338Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB firewall rules should meet naming requirements.

    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB firewall rule names are:

    • Between 1 and 128 characters long.
    • Alphanumerics, hyphens, and underscores.
    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB firewall rule naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB firewall rule names are unique.

    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.FirewallRuleName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Template reference
    ","tags":["Azure.MariaDB.FirewallRuleName","AZR-000338"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MariaDB.GeoRedundantBackupAZR-000329Error

    Reliability \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB should store backups in a geo-redundant storage.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#description","title":"Description","text":"

    Geo-redundant backup helps to protect your Azure Database for MariaDB Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.

    When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center.

    Check out the NOTES and the LINKS section for more details about geo-redundant backup.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"

    Configure geo-redundant backup for Azure Database for MariaDB.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to Enabled.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#notes","title":"Notes","text":"

    This rule is only applicable for Azure Database for Maria DB Servers with General Purpose and Memory Optimized tiers. The Basic tier does not support geo-redundant backup storage.

    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.GeoRedundantBackup/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Backup and restore in Azure Database for MariaDB
    • Azure deployment reference
    ","tags":["Azure.MariaDB.GeoRedundantBackup","AZR-000329"]},{"location":"en/rules/Azure.MariaDB.MinTLS/","title":"Minimum TLS version","text":"Azure.MariaDB.MinTLSAZR-000335Error

    Security \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB servers should reject TLS versions older than 1.2.

    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure Database for MariaDB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.

    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#recommendation","title":"Recommendation","text":"

    Configure the minimum supported TLS version to be 1.2.

    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.minimalTlsVersion property to TLS1_2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.minimalTlsVersion property to TLS1_2.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS enforcement in Azure Database for MariaDB
    • Set TLS configurations for Azure Database for MariaDB
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.MariaDB.MinTLS","AZR-000335"]},{"location":"en/rules/Azure.MariaDB.ServerName/","title":"Use valid server names","text":"Azure.MariaDB.ServerNameAZR-000336Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB servers should meet naming requirements.

    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB server names are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • MariaDB server names must be globally unique.
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy servers that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy servers that pass this rule:

    • Set the name property to align to resource naming requirements.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB server names are unique.

    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.MariaDB.ServerName","AZR-000336"]},{"location":"en/rules/Azure.MariaDB.UseSSL/","title":"Encrypted connections","text":"Azure.MariaDB.UseSSLAZR-000334Error

    Security \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB servers should only accept encrypted connections.

    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#description","title":"Description","text":"

    Azure Database for MariaDB is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

    Unencrypted communication to MariaDB server instances could allow disclosure of information to an untrusted party.

    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#recommendation","title":"Recommendation","text":"

    Azure Database for MariaDB should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

    Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#examples","title":"Examples","text":"","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.sslEnforcement property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMariaDB/servers\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"Gen5\"\n},\n\"properties\": {\n\"sslEnforcement\": \"Enabled\",\n\"minimalTlsVersion\": \"TLS1_2\",\n\"createMode\": \"Default\",\n\"version\": \"10.3\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"publicNetworkAccess\": \"Disabled\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MariaDB Servers that pass this rule:

    • Set the properties.sslEnforcement property to Enabled.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.DBforMariaDB/servers@2018-06-01' = {\n  name: name\n  location: location\n  sku: {\n    name: sku\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: 'Gen5'\n  }\n  properties: {\n    sslEnforcement: 'Enabled'\n    minimalTlsVersion: 'TLS1_2'\n    createMode: 'Default'\n    version: '10.3'\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    publicNetworkAccess: 'Disabled'\n    storageProfile: {\n      storageMB: skuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.UseSSL/#links","title":"Links","text":"
    • Data encryption in Azure
    • SSL connectivity in Azure Database for MariaDB
    • Template reference
    ","tags":["Azure.MariaDB.UseSSL","AZR-000334"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/","title":"Use valid VNET rule names","text":"Azure.MariaDB.VNETRuleNameAZR-000339Error

    Operational Excellence \u00b7 Azure Database for MariaDB \u00b7 Rule \u00b7 2022_12

    Azure Database for MariaDB VNET rules should meet naming requirements.

    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Azure Database for MariaDB VNET rule names are:

    • Between 1 and 128 characters long.
    • Alphanumerics and hyphens.
    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Database for MariaDB VNET rule naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#notes","title":"Notes","text":"

    This rule does not check if Azure Database for MariaDB VNET rule names are unique.

    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.MariaDB.VNETRuleName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions Azure Database for MariaDB resources
    • Define your naming convention
    • Resource naming and tagging decision guide
    • Abbreviation examples for Azure resources
    • Azure deployment reference
    ","tags":["Azure.MariaDB.VNETRuleName","AZR-000339"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/","title":"Alert on service events","text":"Azure.Monitor.ServiceHealthAZR-000211Error

    Operational Excellence \u00b7 Monitor \u00b7 Rule \u00b7 2020_06

    Configure Service Health alerts to notify administrators.

    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#description","title":"Description","text":"

    Azure provides events and can alert administrators when one of the following occurs in your subscriptions:

    • Service issue
    • Planned maintenance
    • Health advisories
    • Security advisory
    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#recommendation","title":"Recommendation","text":"

    Consider configuring an alert to notify administrators when services you are using are potentially impacted.

    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.Monitor.ServiceHealth/#links","title":"Links","text":"
    • Service Health overview
    • Create activity log alerts on service notifications
    ","tags":["Azure.Monitor.ServiceHealth","AZR-000211"]},{"location":"en/rules/Azure.MySQL.AAD/","title":"Use AAD authentication with MySQL databases","text":"Azure.MySQL.AADAZR-000392Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2023_06

    Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#description","title":"Description","text":"

    Azure Database for MySQL offers two authentication models, Azure Active Directory (AAD) and MySQL logins. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over MySQL authentication include:

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional-based access with Conditional Access.

    It is also possible to disable MySQL authentication entirely for the flexible server deployment model.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.identityResourceId to the resource ID of the user-assigned identity used for AAD authentication.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/flexibleServers/administrators\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"identityResourceId\": \"[parameters('identityResourceId')]\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"mySqlFlexibleServer\"\n]\n}\n

    To deploy Azure Database for MySQL single servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/servers/administrators\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"mySqlSingleServer\"\n]\n}\n
    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.identityResourceId to the resource ID of the user-assigned identity used for AAD authentication.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview' = {\n  name: 'activeDirectory'\n  parent: mySqlFlexibleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    identityResourceId: identityResourceId\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n

    To deploy Azure Database for MySQL single servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforMySQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: mySqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n
    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#notes","title":"Notes","text":"

    For the flexible server deployment model a user-assigned identity is required in order to use AAD-authentication. The single server deployment model does not support enforcing AAD-authentication only.

    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Use Azure Active Directory for authenticating with MySQL - Flexible Server
    • Use Azure Active Directory for authenticating with MySQL - Single Server
    • Azure security baseline for Azure Database for MySQL - Flexible Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference Flexible Server
    • Azure deployment reference Single Server
    ","tags":["Azure.MySQL.AAD","AZR-000392"]},{"location":"en/rules/Azure.MySQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.MySQL.AADOnlyAZR-000394Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2023_09

    Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#description","title":"Description","text":"

    Azure Database for MySQL supports authentication with MySQL logins and Azure AD authentication.

    By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    Once you decide to use Azure AD authentication, you can disable authentication with MySQL logins.

    Azure AD-only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
    • Set the name to aad_auth_only.
    • Set the properties.value to ON.
    • Set the properties.source to user-override.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/flexibleServers/configurations\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]\",\n\"properties\": {\n\"value\": \"ON\",\n\"source\": \"user-override\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]\"\n]\n}\n
    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
    • Set the name to aad_auth_only.
    • Set the properties.value to ON.
    • Set the properties.source to user-override.

    For example:

    Azure Bicep snippet
    resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {\n  name: 'aad_auth_only'\n  parent: mySqlFlexibleServer\n  properties: {\n    value: 'ON'\n    source: 'user-override'\n  }\n}\n
    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only suppored for the flexible server deployment model.

    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Active Directory authentication for Azure Database for MySQL - Flexible Server
    • Azure security baseline for Azure Database for MySQL - Flexible Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.MySQL.AADOnly","AZR-000394"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/","title":"Disable MySQL Allow Azure access firewall rule","text":"Azure.MySQL.AllowAzureAccessAZR-000134Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2020_06

    Determine if access from Azure services is required.

    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#description","title":"Description","text":"

    Allow access to Azure services, permits any Azure service including other Azure customers, network based-access to databases on the same MySQL server instance. If network based access is permitted, authentication is still required.

    Enabling access from Azure Services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.

    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Where a stable IP addresses are able to be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.

    Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.AllowAzureAccess/#links","title":"Links","text":"
    • Azure Database for MySQL server firewall rules
    ","tags":["Azure.MySQL.AllowAzureAccess","AZR-000134"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.MySQL.DefenderCloudAZR-000328Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for MySQL.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#description","title":"Description","text":"

    Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Enable Microsoft Defender for Cloud for Azure Database for MySQL.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mysqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('SkuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforMySQL/servers/securityAlertPolicies\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"Default\",\n\"dependsOn\": [\"[parameters('serverName')]\"],\n\"properties\": {\n\"emailAccountAdmins\": true,\n\"emailAddresses\": [\"soc@contoso.com\"],\n\"retentionDays\": 14,\n\"state\": \"Enabled\",\n\"storageAccountAccessKey\": \"account-key\",\n\"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n}\n}\n]\n}\n
    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled.

    For example:

    Azure Bicep snippet
    resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource mysqlDefender 'Microsoft.DBforMySQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: mysqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n
    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#notes","title":"Notes","text":"

    This rule is only applicable for the Azure Database for MySQL Single Server deployment model.

    Azure Database for MySQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.

    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.DefenderCloud/#links","title":"Links","text":"
    • Security operations
    • Enable Microsoft Defender for open-source relational databases
    • Azure deployment reference
    ","tags":["Azure.MySQL.DefenderCloud","AZR-000328"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/","title":"Limit MySQL server firewall rule range","text":"Azure.MySQL.FirewallIPRangeAZR-000135Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2020_06

    Determine if there is an excessive number of permitted IP addresses.

    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    The MySQL server has greater then ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.

    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallIPRange/#links","title":"Links","text":"
    • Create and manage Azure Database for MySQL firewall rules by using the Azure portal
    • Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal
    ","tags":["Azure.MySQL.FirewallIPRange","AZR-000135"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/","title":"Cleanup MySQL server firewall rules","text":"Azure.MySQL.FirewallRuleCountAZR-000133Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2020_06

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The MySQL server has greater then ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.FirewallRuleCount/#links","title":"Links","text":"
    • Create and manage Azure Database for MySQL firewall rules by using the Azure portal
    • Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal
    ","tags":["Azure.MySQL.FirewallRuleCount","AZR-000133"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.MySQL.GeoRedundantBackupAZR-000323Error

    Reliability \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2022_12

    Azure Database for MySQL should store backups in a geo-redundant storage.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#description","title":"Description","text":"

    Geo-redundant backup helps to protect your Azure Database for MySQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.

    When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for MySQL Flexible Server and the Azure Database for MySQL Single Server deployment model supports geo-redundant backup.

    For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either General Purpose or Memory Optimized tier is required.

    Check out the NOTES section for more details about geo-redundant backup for each of the deployment models.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"

    Configure geo-redundant backup for Azure Database for MySQL.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for MySQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/flexibleServers\",\n\"apiVersion\": \"2021-12-01-preview\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D16as\",\n\"tier\": \"GeneralPurpose\"\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storage\": {\n\"autoGrow\": \"Enabled\",\n\"iops\": \"[parameters('StorageIops')]\",\n\"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n},\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mysqlVersion')]\",\n\"backup\": {\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n},\n\"highAvailability\": {\n\"mode\": \"Disabled\"\n}\n}\n}\n

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforMySQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('skuCapacity')]\",\n\"size\": \"[format('{0}', parameters('SkuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('mysqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('SkuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for MySQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource mysqlDbServer 'Microsoft.DBforMySQL/flexibleServers@2021-12-01-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      autoGrow: 'Enabled'\n      iops: StorageIops\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: mysqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n

    To deploy Azure Database for MySQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource mysqlDbServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${SkuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: mysqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#notes","title":"Notes","text":"

    This rule is applicable for both the Azure Database for MySQL Flexible Server deployment model and the Azure Database for MySQL Single Server deployment model.

    For the Single Server deployment model, it runs only against 'General Purpose' and 'Memory Optimized' tiers. The 'Basic' tier does not support geo-redundant backup storage.

    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.GeoRedundantBackup/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Backup and restore in Azure Database for MySQL flexible servers
    • Backup and restore in Azure Database for MySQL single servers
    • Azure deployment reference flexible servers
    • Azure deployment reference single servers
    ","tags":["Azure.MySQL.GeoRedundantBackup","AZR-000323"]},{"location":"en/rules/Azure.MySQL.MinTLS/","title":"MySQL DB server minimum TLS version","text":"Azure.MySQL.MinTLSAZR-000132Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2020_09

    MySQL DB servers should reject TLS versions older than 1.2.

    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that MySQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2.

    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS enforcement in Azure Database for MySQL
    • Set TLS configurations for Azure Database for MySQL
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.MySQL.MinTLS","AZR-000132"]},{"location":"en/rules/Azure.MySQL.ServerName/","title":"Use valid MySQL DB server names","text":"Azure.MySQL.ServerNameAZR-000136Error

    Operational Excellence \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2020_12

    Azure MySQL DB server names should meet naming requirements.

    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for MySQL DB server names are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • MySQL DB server names must be globally unique.
    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure MySQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure MySQL DB server names are unique.

    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.MySQL.ServerName","AZR-000136"]},{"location":"en/rules/Azure.MySQL.UseFlexible/","title":"Use Azure Database for MySQL Flexible Server","text":"Azure.MySQL.UseFlexibleAZR-000325Warning

    Operational Excellence \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2022_12

    Use Azure Database for MySQL Flexible Server deployment model.

    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#description","title":"Description","text":"

    Azure Database for MySQL Single Server is on the retirement path. Upgrade to Azure Database for MySQL Flexible Server.

    Azure Database for MySQL Flexible Server provides additional options for resilience and scalability above the Single Server deployment model.

    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#recommendation","title":"Recommendation","text":"

    Migrate to Azure Database for MySQL Flexible Server deployment model.

    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseFlexible/#links","title":"Links","text":"
    • Infrastructure provisioning
    • Azure Database for MySQL Single Server deployment model retirement
    • Migrate from Single Server to Flexible Server
    • Comparing the MySQL deployment options in Azure
    • Azure deployment reference flexible servers
    ","tags":["Azure.MySQL.UseFlexible","AZR-000325"]},{"location":"en/rules/Azure.MySQL.UseSSL/","title":"Enforce encrypted MySQL connections","text":"Azure.MySQL.UseSSLAZR-000131Error

    Security \u00b7 Azure Database for MySQL \u00b7 Rule \u00b7 2020_06

    Enforce encrypted MySQL connections.

    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#description","title":"Description","text":"

    Azure Database for MySQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

    Unencrypted communication to MySQL server instances could allow disclosure of information to an untrusted party.

    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#recommendation","title":"Recommendation","text":"

    Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

    Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.MySQL.UseSSL/#links","title":"Links","text":"
    • Data encryption in Azure
    • SSL connectivity in Azure Database for MySQL
    ","tags":["Azure.MySQL.UseSSL","AZR-000131"]},{"location":"en/rules/Azure.NSG.AKSRules/","title":"No custom NSG rules for AKS managed NSGs","text":"Azure.NSG.AKSRulesAZR-000292Error

    Operational Excellence \u00b7 Network Security Group \u00b7 Rule \u00b7 2022_09

    AKS Network Security Group (NSG) should not have custom rules.

    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#description","title":"Description","text":"

    AKS manages the Network Security Group (NSG) allocated to the cluster. There should be no custom rules added as it may cause conflicts, break the AKS cluster or have an unexpected result.

    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#recommendation","title":"Recommendation","text":"

    Do not create custom Network Security Group (NSG) rules for an AKS managed NSG.

    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AKSRules/#links","title":"Links","text":"
    • AKS Network Security
    • Azure deployment reference
    ","tags":["Azure.NSG.AKSRules","AZR-000292"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/","title":"Avoid rules that allow any as an inbound source","text":"Azure.NSG.AnyInboundSourceAZR-000137Error

    Security \u00b7 Network Security Group \u00b7 Rule \u00b7 2020_06

    Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source.

    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#description","title":"Description","text":"

    NSGs filter network traffic for Azure services connected to a virtual network subnet. In addition to the built-in security rules, a number of custom rules may be defined. Custom security rules can be defined that allow or deny inbound or outbound communication.

    When defining custom rules, avoid using rules that allow any as the inbound source. The intent of custom rules that allow any inbound source may not be clearly understood by support teams. Additionally, custom rules with any inbound source may expose services if a public IP address is attached.

    When inbound network traffic from the Internet is intended also consider the following:

    • Use Application Gateway in-front of any web application workloads.
    • Use DDoS Protection Standard to protect public IP addresses.
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#recommendation","title":"Recommendation","text":"

    Consider updating inbound rules to use a specified source such as an IP range, application security group, or service tag. If inbound access from Internet-based sources is intended, consider using the service tag Internet.

    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#examples","title":"Examples","text":"","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the sourceAddressPrefix or sourceAddressPrefixes to a value other then * for inbound allow rules.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('nsgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"AllowLoadBalancerHealthInbound\",\n\"properties\": {\n\"description\": \"Allow inbound Azure Load Balancer health check.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 100,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"AzureLoadBalancer\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"AllowApplicationInbound\",\n\"properties\": {\n\"description\": \"Allow internal web traffic into application.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 300,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"10.0.0.0/8\",\n\"destinationPortRange\": \"443\",\n\"destinationAddressPrefix\": \"VirtualNetwork\"\n}\n},\n{\n\"name\": \"DenyAllInbound\",\n\"properties\": {\n\"description\": \"Deny all other inbound traffic.\",\n\"access\": \"Deny\",\n\"direction\": \"Inbound\",\n\"priority\": 4000,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"*\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"DenyTraversalOutbound\",\n\"properties\": {\n\"description\": \"Deny outbound double hop traversal.\",\n\"access\": \"Deny\",\n\"direction\": \"Outbound\",\n\"priority\": 200,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n

    To create an Application Security Group, use the Microsoft.Network/applicationSecurityGroups resource. For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/applicationSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('asgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the sourceAddressPrefix or sourceAddressPrefixes to a value other then * for inbound allow rules.

    For example:

    Azure Bicep snippet
    resource nsg 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {\n  name: nsgName\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n

    To create an Application Security Group, use the Microsoft.Network/applicationSecurityGroups resource. For example:

    resource asg 'Microsoft.Network/applicationSecurityGroups@2022-01-01' = {\n  name: asgName\n  location:location\n  properties: {}\n}\n
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.AnyInboundSource/#links","title":"Links","text":"
    • Best practices for endpoint security on Azure
    • Service Tags Overview
    • Network Security Groups
    • Logically segment subnets
    • What is Azure Application Gateway?
    • Azure DDoS Protection Standard overview
    • Azure deployment reference
    ","tags":["Azure.NSG.AnyInboundSource","AZR-000137"]},{"location":"en/rules/Azure.NSG.Associated/","title":"Associate NSGs or clean them up","text":"Azure.NSG.AssociatedAZR-000140Error

    Operational Excellence \u00b7 Network Security Group \u00b7 Rule \u00b7 2020_06

    Network Security Groups (NSGs) should be associated to a subnet or network interface.

    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#description","title":"Description","text":"

    NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.

    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#recommendation","title":"Recommendation","text":"

    Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads

    To find orphaned NSG's run the following Azure CLI command

    Azure CLI snippet
    az network nsg list -g $rgName --query \"[?(subnets==null) && (networkInterfaces==null)].id\" -o tsv\n
    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.Associated/#links","title":"Links","text":"
    • Operational excellence principles
    • Orphaned Resources Workbook
    • Modify, create and delete NSG's using the CLI
    • Azure deployment reference
    • Network security groups
    ","tags":["Azure.NSG.Associated","AZR-000140"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/","title":"Avoid denying all inbound traffic","text":"Azure.NSG.DenyAllInboundAZR-000138Error

    Operational Excellence \u00b7 Network Security Group \u00b7 Rule \u00b7 2020_06

    Avoid denying all inbound traffic.

    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#description","title":"Description","text":"

    Network Security Groups (NSGs) are configured to block all inbound network traffic by default. Blocking all inbound traffic will fail load balancer health probes and other required traffic.

    When using a custom deny all inbound rule, also add rules to allow permitted traffic. To permit network traffic, add a custom allow rule with a lower priority number then the deny all rule. Rules with a lower priority number will be processed first. 100 is the lowest priority number.

    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#recommendation","title":"Recommendation","text":"

    Consider using a higher priority number for deny all rules to allow permitted traffic rules to be added. Consider enabling Flow Logs on all critical subnets in your subscription as an auditability and security best practice.

    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#examples","title":"Examples","text":"","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the priority of rules to a number less than a deny all rule.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('nsgName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"AllowLoadBalancerHealthInbound\",\n\"properties\": {\n\"description\": \"Allow inbound Azure Load Balancer health check.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 100,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"AzureLoadBalancer\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"AllowApplicationInbound\",\n\"properties\": {\n\"description\": \"Allow internal web traffic into application.\",\n\"access\": \"Allow\",\n\"direction\": \"Inbound\",\n\"priority\": 300,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"10.0.0.0/8\",\n\"destinationPortRange\": \"443\",\n\"destinationAddressPrefix\": \"VirtualNetwork\"\n}\n},\n{\n\"name\": \"DenyAllInbound\",\n\"properties\": {\n\"description\": \"Deny all other inbound traffic.\",\n\"access\": \"Deny\",\n\"direction\": \"Inbound\",\n\"priority\": 4000,\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"*\",\n\"destinationPortRange\": \"*\",\n\"destinationAddressPrefix\": \"*\"\n}\n},\n{\n\"name\": \"DenyTraversalOutbound\",\n\"properties\": {\n\"description\": \"Deny outbound double hop traversal.\",\n\"access\": \"Deny\",\n\"direction\": \"Outbound\",\n\"priority\": 200,\n\"protocol\": \"Tcp\",\n\"sourcePortRange\": \"*\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n
    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Network Security Groups that pass this rule:

    • Set the priority of rules to a number less than a deny all rule.

    For example:

    Azure Bicep snippet
    resource nsg 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {\n  name: nsgName\n  location: location\n  properties: {\n    securityRules: [\n      {\n        name: 'AllowLoadBalancerHealthInbound'\n        properties: {\n          description: 'Allow inbound Azure Load Balancer health check.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 100\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'AzureLoadBalancer'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'AllowApplicationInbound'\n        properties: {\n          description: 'Allow internal web traffic into application.'\n          access: 'Allow'\n          direction: 'Inbound'\n          priority: 300\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '10.0.0.0/8'\n          destinationPortRange: '443'\n          destinationAddressPrefix: 'VirtualNetwork'\n        }\n      }\n      {\n        name: 'DenyAllInbound'\n        properties: {\n          description: 'Deny all other inbound traffic.'\n          access: 'Deny'\n          direction: 'Inbound'\n          priority: 4000\n          protocol: '*'\n          sourcePortRange: '*'\n          sourceAddressPrefix: '*'\n          destinationPortRange: '*'\n          destinationAddressPrefix: '*'\n        }\n      }\n      {\n        name: 'DenyTraversalOutbound'\n        properties: {\n          description: 'Deny outbound double hop traversal.'\n          access: 'Deny'\n          direction: 'Outbound'\n          priority: 200\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.DenyAllInbound/#links","title":"Links","text":"
    • Network security groups
    • Introduction to flow logging for network security groups
    • Virtual network service tags
    • Azure deployment reference
    ","tags":["Azure.NSG.DenyAllInbound","AZR-000138"]},{"location":"en/rules/Azure.NSG.LateralTraversal/","title":"Limit lateral traversal within subnets","text":"Azure.NSG.LateralTraversalAZR-000139Error

    Security \u00b7 Network Security Group \u00b7 Rule \u00b7 2020_06

    Deny outbound management connections from non-management hosts.

    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#description","title":"Description","text":"

    Network Security Groups (NSGs) are basic stateful firewalls that provide network isolation and security. NSGs allow or deny network traffic to and from Azure resources in an Azure virtual network. i.e. Traffic between VMs on the same or different subnet can be restricted. NSGs do this by enforcing ordered access rules for all traffic in or out services attached to a subnet.

    This micro-segmentation approach provides a control to reduce lateral movement between services.

    Typically, a subset of trusted hosts such as privileged access workstations (PAWs), bastion hosts, or jump boxes will be used for management. Management protocols originating from application workload hosts should be blocked.

    For example:

    • An SQL Server should not be used as a management host to manage other SQL Servers, or File Servers.
    • Configure dedicated management hosts to manage other hosts.

    This helps improve security in two ways:

    1. Reduces the attack surface that can be used in lateral traversal attacks.
    2. Limits the likelihood that privileged credentials will be exposed for outbound management.
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#recommendation","title":"Recommendation","text":"

    Consider configuring NSGs rules to block common outbound management traffic from non-management hosts.

    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#notes","title":"Notes","text":"

    Specifically this rule checks if either 3389 (RDP) or 22 (SSH) has been blocked for outbound traffic.

    To suppress this rule for NSGs protecting subnets expected to allow outbound management traffic see Permit outbound management.

    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#examples","title":"Examples","text":"","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy NSGs that pass this rule:

    • Add an outbound security rule that denies TCP port 3389 and/ or 22.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"name\": \"[parameters('nsgName')]\",\n\"apiVersion\": \"2019-04-01\",\n\"location\": \"[resourceGroup().location]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"deny-hop-outbound\",\n\"properties\": {\n\"protocol\": \"*\",\n\"sourcePortRange\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n],\n\"access\": \"Deny\",\n\"priority\": 200,\n\"direction\": \"Outbound\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy NSGs that pass this rule:

    • Add an outbound security rule that denies TCP port 3389 and/ or 22.

    For example:

    Azure Bicep snippet
    resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {\n  name: 'nsg-001'\n  properties: {\n    securityRules: [\n      {\n        name: 'deny-hop-outbound'\n        properties: {\n          priority: 200\n          access: 'Deny'\n          protocol: 'Tcp'\n          direction: 'Outbound'\n          sourceAddressPrefix: 'VirtualNetwork'\n          destinationAddressPrefix: '*'\n          destinationPortRanges: [\n            '3389'\n            '22'\n          ]\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.LateralTraversal/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Logically segment subnets
    • Plan virtual networks
    • Network security groups
    • Permit outbound management
    • Azure deployment reference
    ","tags":["Azure.NSG.LateralTraversal","AZR-000139"]},{"location":"en/rules/Azure.NSG.Name/","title":"Use valid NSG names","text":"Azure.NSG.NameAZR-000141Error

    Operational Excellence \u00b7 Network Security Group \u00b7 Rule \u00b7 2020_06

    Network Security Group (NSG) names should meet naming requirements.

    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for NSG names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • NSG names must be unique within a resource group.
    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Network Security Group naming requirements. Additionally consider naming resources with a standard naming convention. If creating resources using CI/CD pipelines consider programmatically Generating Cloud Resource Names using PowerShell or Bicep

    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#notes","title":"Notes","text":"

    This rule does not check if NSG names are unique.

    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.NSG.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.NSG.Name","AZR-000141"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/","title":"Use assigned by for policy assignments","text":"Azure.Policy.AssignmentAssignedByAZR-000144Error

    Operational Excellence \u00b7 Policy \u00b7 Rule \u00b7 2021_06

    Policy assignments should use assignedBy metadata.

    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#description","title":"Description","text":"

    When using the Azure Portal, policy assignment automatically set the assignedBy metadata. This metadata field is intended to indicate the person or team assigning the policy to a resource scope.

    When automating policy management, it may be helpful to identify assignments managed by code.

    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#recommendation","title":"Recommendation","text":"

    Consider setting assignedBy metadata for each policy assignment.

    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#azure-templates","title":"Azure templates","text":"

    To deploy policy assignments that pass this rule:

    • Set the properties.metadata.assignedBy property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Initiative assignment\",\n\"name\": \"assignment-001\",\n\"type\": \"Microsoft.Authorization/policyAssignments\",\n\"apiVersion\": \"2019-06-01\",\n\"properties\": {\n\"displayName\": \"Assignment 001\",\n\"description\": \"An example policy assignment.\",\n\"metadata\": {\n\"assignedBy\": \"DevOps pipeline\"\n},\n\"enforcementMode\": \"Default\"\n}\n}\n
    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentAssignedBy/#links","title":"Links","text":"
    • Azure Policy assignment structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.AssignmentAssignedBy","AZR-000144"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/","title":"Use descriptive policy assignments","text":"Azure.Policy.AssignmentDescriptorsAZR-000143Error

    Operational Excellence \u00b7 Policy \u00b7 Rule \u00b7 2021_06

    Policy assignments should use a display name and description.

    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#description","title":"Description","text":"

    Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the intent of the policy assignment.

    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#recommendation","title":"Recommendation","text":"

    Consider setting a display name and description for each policy assignment.

    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#azure-templates","title":"Azure templates","text":"

    To deploy policy assignments that pass this rule:

    • Set the properties.displayName property with a valid value.
    • Set the properties.description property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Initiative assignment\",\n\"name\": \"assignment-001\",\n\"type\": \"Microsoft.Authorization/policyAssignments\",\n\"apiVersion\": \"2019-06-01\",\n\"properties\": {\n\"displayName\": \"Assignment 001\",\n\"description\": \"An example policy assignment.\",\n\"metadata\": {\n\"assignedBy\": \"DevOps pipeline\"\n},\n\"enforcementMode\": \"Default\"\n}\n}\n
    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.AssignmentDescriptors/#links","title":"Links","text":"
    • Azure Policy assignment structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.AssignmentDescriptors","AZR-000143"]},{"location":"en/rules/Azure.Policy.Descriptors/","title":"Use descriptive policies","text":"Azure.Policy.DescriptorsAZR-000142Error

    Operational Excellence \u00b7 Policy \u00b7 Rule \u00b7 2020_06

    Policy and initiative definitions should use a display name, description, and category.

    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#description","title":"Description","text":"

    Policy and initiative definitions can be configured with a display name, description, and category. Use these additional properties to clearly convey the purpose when creating custom definitions.

    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#recommendation","title":"Recommendation","text":"

    Consider setting a display name, description and category for each policy and initiatives definition.

    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#azure-templates","title":"Azure templates","text":"

    To deploy initiative and policy definitions that pass this rule:

    • Set the properties.displayName property with a valid value.
    • Set the properties.description property with a valid value.
    • Set the properties.metadata.category property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"Initiative definition\",\n\"name\": \"initiative-001\",\n\"type\": \"Microsoft.Authorization/policySetDefinitions\",\n\"apiVersion\": \"2019-06-01\",\n\"properties\": {\n\"policyType\": \"Custom\",\n\"displayName\": \"Initiative 001\",\n\"description\": \"An example initiative.\",\n\"metadata\": {\n\"category\": \"Security\"\n},\n\"policyDefinitions\": []\n}\n}\n
    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.Descriptors/#links","title":"Links","text":"
    • Azure Policy definition structure
    • Common metadata properties
    • Policy definition template reference
    • Initiative definition template reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.Descriptors","AZR-000142"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/","title":"Use descriptive policy exemptions","text":"Azure.Policy.ExemptionDescriptorsAZR-000145Error

    Operational Excellence \u00b7 Policy \u00b7 Rule \u00b7 2021_06

    Policy exemptions should use a display name and description.

    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#description","title":"Description","text":"

    Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the reason for the policy exemption. Additionally, consider providing a link or reference to track exemption conditions and approval.

    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#recommendation","title":"Recommendation","text":"

    Consider setting a display name and description for each policy exemption.

    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#examples","title":"Examples","text":"","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#azure-templates","title":"Azure templates","text":"

    To deploy policy exemptions that pass this rule:

    • Set the properties.displayName property with a valid value.
    • Set the properties.description property with a valid value.

    For example:

    Azure Template snippet
    {\n\"comments\": \"An example exemption.\",\n\"name\": \"exemption-001\",\n\"type\": \"Microsoft.Authorization/policyExemptions\",\n\"apiVersion\": \"2020-07-01-preview\",\n\"properties\": {\n\"policyAssignmentId\": \"<assignment_id>\",\n\"policyDefinitionReferenceIds\": [],\n\"exemptionCategory\": \"Waiver\",\n\"expiresOn\": \"2021-04-27T14:00:00Z\",\n\"displayName\": \"Exemption 001\",\n\"description\": \"An example exemption.\",\n\"metadata\": {\n\"requestedBy\": \"Apps team\",\n\"approvedBy\": \"Security team\",\n\"createdBy\": \"DevOps pipeline\"\n}\n}\n}\n
    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.ExemptionDescriptors/#links","title":"Links","text":"
    • Azure Policy exemption structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.ExemptionDescriptors","AZR-000145"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/","title":"Policy waiver exemptions must expire","text":"Azure.Policy.WaiverExpiryAZR-000146Error

    Operational Excellence \u00b7 Policy \u00b7 Rule \u00b7 2021_06

    Configure policy waiver exemptions to expire.

    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#description","title":"Description","text":"

    Azure Policy waiver exemptions are intended to be temporary acceptance of a non-compliance state. Use the Mitigated category when the issue intent has been met through an another method.

    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#recommendation","title":"Recommendation","text":"

    Consider configuring an expiry for policy exemption waivers within the maximum threshold.

    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#examples","title":"Examples","text":"","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#azure-templates","title":"Azure templates","text":"

    To deploy policy assignments that pass this rule:

    • Set the properties.expiresOn property with a valid date earlier than the maximum number of days.

    For example:

    Azure Template snippet
    {\n\"comments\": \"An example exemption.\",\n\"name\": \"exemption-001\",\n\"type\": \"Microsoft.Authorization/policyExemptions\",\n\"apiVersion\": \"2020-07-01-preview\",\n\"properties\": {\n\"policyAssignmentId\": \"<assignment_id>\",\n\"policyDefinitionReferenceIds\": [],\n\"exemptionCategory\": \"Waiver\",\n\"expiresOn\": \"2021-04-27T14:00:00Z\",\n\"displayName\": \"Exemption 001\",\n\"description\": \"An example exemption.\",\n\"metadata\": {\n\"requestedBy\": \"Apps team\",\n\"approvedBy\": \"Security team\",\n\"createdBy\": \"DevOps pipeline\"\n}\n}\n}\n
    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#notes","title":"Notes","text":"

    This rule fails:

    • When the exemption is configured not to expire.
    • When the exemption expiry date is later than the maximum threshold.

    Configure AZURE_POLICY_WAIVER_MAX_EXPIRY to set the maximum expiry date threshold.

    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n
    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.Policy.WaiverExpiry/#links","title":"Links","text":"
    • Azure Policy exemption structure
    • Azure deployment reference
    • Repeatable infrastructure
    ","tags":["Azure.Policy.WaiverExpiry","AZR-000146"]},{"location":"en/rules/Azure.PostgreSQL.AAD/","title":"Use AAD authentication with PostgreSQL databases","text":"Azure.PostgreSQL.AADAZR-000389Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2023_06

    Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#description","title":"Description","text":"

    Azure Database for PostgreSQL offers two authentication models, Azure Active Directory (AAD) and PostgreSQL logins. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over PostgreSQL authentication include:

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional access based on Azure AD Conditional Access policies.

    It is also possible to disable PostgreSQL authentication entirely for the flexible server deployment model.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Additionally, consider disabling PostgreSQL authentication.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/flexibleServers/administrators sub-resource.
    • Set the properties.principalName to the user principal name of the AAD administrator user, group, or application.
    • Set the properties.principalType to the principal type used to represent the type of AAD administrator.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/administrators\",\n\"apiVersion\": \"2022-12-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), parameters('name'))]\",\n\"properties\": {\n\"principalName\": \"[parameters('principalName')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"postgreSqlFlexibleServer\"\n]\n}\n

    To deploy Azure Database for PostgreSQL single servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/servers/administrators\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n},\n\"dependsOn\": [\n\"postgreSqlSingleServer\"\n]\n}\n
    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/flexibleServers/administrators sub-resource.
    • Set the properties.principalName to the user principal name of the AAD administrator user, group, or application.
    • Set the properties.principalType to the principal type used to represent the type of AAD administrator.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {\n  name: name\n  parent: postgreSqlFlexibleServer\n  properties: {\n    principalName: principalName\n    principalType: principalType\n    tenantId: tenantId\n  }\n}\n

    To deploy Azure Database for PostgreSQL single servers that pass this rule:

    • Configure the Microsoft.DBforPostgreSQL/servers/administrators sub-resource.
    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the AAD administrator login object name.
    • Set the properties.sid to the object ID GUID of the AAD administrator user, group, or application.
    • Set the properties.tenantId to the tenant ID of the AAD administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource aadAdmin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12-01' = {\n  name: 'activeDirectory'\n  parent: postgreSqlSingleServer\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n    tenantId: tenantId\n  }\n}\n
    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#notes","title":"Notes","text":"

    The single server deployment model is limited to only one Azure AD admin at a time and does not support enforcing AAD-authentication only.

    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Azure Active Directory Authentication with PostgreSQL Flexible Server
    • Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server
    • Use Azure AD for authentication with Azure Database for PostgreSQL - Single Server
    • Azure Active Directory Authentication (Single Server VS Flexible Server)
    • Azure security baseline for Azure Database for PostgreSQL - Flexible Server
    • Azure security baseline for Azure Database for PostgreSQL - Single Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference Flexible Server
    • Azure deployment reference Single Server
    ","tags":["Azure.PostgreSQL.AAD","AZR-000389"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.PostgreSQL.AADOnlyAZR-000390Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2023_06

    Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#description","title":"Description","text":"

    Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.

    By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.

    Azure AD-only authentication is only supported for the flexible server deployment model.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
    • Set the properties.authConfig.passwordAuth property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n\"apiVersion\": \"2022-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"authConfig\": {\n\"activeDirectoryAuth\": \"Enabled\",\n\"passwordAuth\": \"Disabled\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n
    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

    • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
    • Set the properties.authConfig.passwordAuth property to Disabled.

    For example:

    Azure Bicep snippet
    resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {\n  name: serverName\n  location: location\n  properties: {\n    authConfig: {\n      activeDirectoryAuth: 'Enabled'\n      passwordAuth: 'Disabled'\n      tenantId: tenantId\n    }\n  }\n}\n
    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only supported for the flexible server deployment model.

    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server
    • Azure Active Directory Authentication (Single Server VS Flexible Server)
    • Azure security baseline for Azure Database for PostgreSQL - Flexible Server
    • IM-1: Use centralized identity and authentication system
    • Azure deployment reference
    ","tags":["Azure.PostgreSQL.AADOnly","AZR-000390"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/","title":"Disable PostgreSQL Allow Azure access firewall rule","text":"Azure.PostgreSQL.AllowAzureAccessAZR-000150Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2020_06

    Determine if access from Azure services is required.

    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#description","title":"Description","text":"

    The Allow access to Azure services firewall rule permits network-based access from any Azure service, including resources owned by other Azure customers, to all databases on the same PostgreSQL server instance. If network-based access is permitted, authentication is still required.

    Enabling access from Azure services is useful in certain cases for serverless PaaS workloads where configuring a stable IP address is not possible, for example Azure Functions, Container Instances, and Logic Apps.

    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Where stable IP addresses can be configured, configure IP or virtual network based firewall rules instead of using Allow access to Azure services.

    Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.AllowAzureAccess/#links","title":"Links","text":"
    • Firewall rules in Azure Database for PostgreSQL
    ","tags":["Azure.PostgreSQL.AllowAzureAccess","AZR-000150"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/","title":"Use Microsoft Defender","text":"Azure.PostgreSQL.DefenderCloudAZR-000327Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2022_12

    Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#description","title":"Description","text":"

    Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforPostgreSQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled. If a storageEndpoint is configured, supply storageAccountAccessKey from a secure parameter or Key Vault reference rather than a literal value such as the placeholder shown in the example below.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('SkuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('postgresqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.DBforPostgreSQL/servers/securityAlertPolicies\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"Default\",\n\"dependsOn\": [\"[parameters('serverName')]\"],\n\"properties\": {\n\"emailAccountAdmins\": true,\n\"emailAddresses\": [\"soc@contoso.com\"],\n\"retentionDays\": 14,\n\"state\": \"Enabled\",\n\"storageAccountAccessKey\": \"account-key\",\n\"storageEndpoint\": \"https://contoso.blob.core.windows.net\"\n}\n}\n]\n}\n
    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Deploy a Microsoft.DBforPostgreSQL/servers/securityAlertPolicies sub-resource (child resource).
    • Set the properties.state property to Enabled. If a storageEndpoint is configured, supply storageAccountAccessKey from a secure parameter or Key Vault reference rather than a literal value such as the placeholder shown in the example below.

    For example:

    Azure Bicep snippet
    resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n\nresource postgresqlDefender 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies@2017-12-01' = {\n  name: 'Default'\n  parent: postgresqlDbServer\n  properties: {\n    emailAccountAdmins: true\n    emailAddresses: ['soc@contoso.com']\n    retentionDays: 14\n    state: 'Enabled'\n    storageAccountAccessKey: 'account-key'\n    storageEndpoint: 'https://contoso.blob.core.windows.net'\n  }\n}\n
    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#notes","title":"Notes","text":"

    This rule is only applicable for the Azure Database for PostgreSQL Single Server deployment model.

    The Azure Database for PostgreSQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.

    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.DefenderCloud/#links","title":"Links","text":"
    • Security operations
    • Enable Microsoft Defender for open-source relational databases
    • Azure deployment reference
    ","tags":["Azure.PostgreSQL.DefenderCloud","AZR-000327"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/","title":"Limit PostgreSQL server firewall rule range","text":"Azure.PostgreSQL.FirewallIPRangeAZR-000151Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2020_06

    Determine if there is an excessive number of permitted IP addresses.

    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    The PostgreSQL server has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.

    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallIPRange/#links","title":"Links","text":"
    • Firewall rules in Azure Database for PostgreSQL - Single Server
    • Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal
    ","tags":["Azure.PostgreSQL.FirewallIPRange","AZR-000151"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/","title":"Cleanup PostgreSQL server firewall rules","text":"Azure.PostgreSQL.FirewallRuleCountAZR-000149Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2020_06

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The PostgreSQL server has greater than ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.FirewallRuleCount/#links","title":"Links","text":"
    • Firewall rules in Azure Database for PostgreSQL - Single Server
    • Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal
    ","tags":["Azure.PostgreSQL.FirewallRuleCount","AZR-000149"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/","title":"Configure geo-redundant backup","text":"Azure.PostgreSQL.GeoRedundantBackupAZR-000326Error

    Reliability \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2022_12

    Azure Database for PostgreSQL should store backups in geo-redundant storage.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#description","title":"Description","text":"

    Geo-redundant backup helps to protect your Azure Database for PostgreSQL Servers against outages impacting backup storage in the primary region and allows you to restore your server to the geo-paired region in the event of a disaster.

    When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. Both the Azure Database for PostgreSQL Flexible Server and the Azure Database for PostgreSQL Single Server deployment models support geo-redundant backup.

    For the flexible deployment model the geo-redundant backup is supported for all tiers, but for the single deployment model either General Purpose or Memory Optimized tier is required.

    Check out the NOTES and the LINKS section for more details about geo-redundant backup for each of the deployment models.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#recommendation","title":"Recommendation","text":"

    Configure geo-redundant backup for Azure Database for PostgreSQL.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#examples","title":"Examples","text":"","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/flexibleServers\",\n\"apiVersion\": \"2022-01-20-preview\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_D16as\",\n\"tier\": \"GeneralPurpose\"\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storage\": {\n\"storageSizeGB\": \"[parameters('StorageSizeGB')]\"\n},\n\"createMode\": \"Default\",\n\"version\": \"[parameters('postgresqlVersion')]\",\n\"backup\": {\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n},\n\"highAvailability\": {\n\"mode\": \"Disabled\"\n}\n}\n}\n

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.DBforPostgreSQL/servers\",\n\"apiVersion\": \"2017-12-01\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"GeneralPurpose\",\n\"capacity\": \"[parameters('SkuCapacity')]\",\n\"size\": \"[format('{0}', parameters('skuSizeMB'))]\",\n\"family\": \"[parameters('skuFamily')]\"\n},\n\"properties\": {\n\"createMode\": \"Default\",\n\"version\": \"[parameters('postgresqlVersion')]\",\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"storageProfile\": {\n\"storageMB\": \"[parameters('skuSizeMB')]\",\n\"backupRetentionDays\": 7,\n\"geoRedundantBackup\": \"Enabled\"\n}\n}\n}\n
    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Azure Database for PostgreSQL Flexible Servers that pass this rule:

    • Set the properties.backup.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {\n  name: serverName\n  location: location\n  sku: {\n    name: 'Standard_D16as'\n    tier: 'GeneralPurpose'\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storage: {\n      storageSizeGB: StorageSizeGB\n    }\n    createMode: 'Default'\n    version: postgresqlVersion\n    backup: {\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n    highAvailability: {\n      mode: 'Disabled'\n    }\n  }\n}\n

    To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

    • Set the properties.storageProfile.geoRedundantBackup property to the value 'Enabled'.

    For example:

    Azure Bicep snippet
    resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {\n  name: serverName\n  location: location\n  sku: {\n    name: skuName\n    tier: 'GeneralPurpose'\n    capacity: skuCapacity\n    size: '${skuSizeMB}'\n    family: skuFamily\n  }\n  properties: {\n    createMode: 'Default'\n    version: postgresqlVersion\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    storageProfile: {\n      storageMB: SkuSizeMB\n      backupRetentionDays: 7\n      geoRedundantBackup: 'Enabled'\n    }\n  }\n}\n
    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#notes","title":"Notes","text":"

    This rule is applicable for both the Azure Database for PostgreSQL Flexible Server deployment model and the Azure Database for PostgreSQL Single Server deployment model.

    For the Single Server deployment model, it runs only against 'General Purpose' and 'Memory Optimized' tiers. The 'Basic' tier does not support geo-redundant backup storage.

    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.GeoRedundantBackup/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Backup and restore in Azure Database for PostgreSQL flexible servers
    • Backup and restore in Azure Database for PostgreSQL single servers
    • Azure deployment reference flexible servers
    • Azure deployment reference single servers
    ","tags":["Azure.PostgreSQL.GeoRedundantBackup","AZR-000326"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/","title":"PostgreSQL DB server minimum TLS version","text":"Azure.PostgreSQL.MinTLSAZR-000148Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2020_09

    PostgreSQL DB servers should reject TLS versions older than 1.2.

    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that PostgreSQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.

    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. This setting only constrains connections that negotiate TLS; pair it with enforce SSL connections (see Azure.PostgreSQL.UseSSL) so that unencrypted connections are also rejected.

    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS enforcement in Azure Database for PostgreSQL Single server
    • Set TLS configurations for Azure Database for PostgreSQL - Single server
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.PostgreSQL.MinTLS","AZR-000148"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/","title":"Use valid PostgreSQL DB server names","text":"Azure.PostgreSQL.ServerNameAZR-000152Error

    Operational Excellence \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2020_12

    Azure PostgreSQL DB server names should meet naming requirements.

    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for PostgreSQL DB server names are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • PostgreSQL DB server names must be globally unique.
    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure PostgreSQL DB server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure PostgreSQL DB server names are unique.

    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.PostgreSQL.ServerName","AZR-000152"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/","title":"Enforce encrypted PostgreSQL connections","text":"Azure.PostgreSQL.UseSSLAZR-000147Error

    Security \u00b7 Azure Database for PostgreSQL \u00b7 Rule \u00b7 2020_06

    Enforce encrypted PostgreSQL connections.

    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#description","title":"Description","text":"

    Azure Database for PostgreSQL is configured to only accept encrypted connections by default. When the enforce SSL connections setting is disabled, both encrypted and unencrypted connections are permitted. This does not by itself indicate that unencrypted connections are in use, only that they would be accepted.

    Unencrypted communication to PostgreSQL server instances could allow disclosure of information to an untrusted party.

    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#recommendation","title":"Recommendation","text":"

    Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

    Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PostgreSQL.UseSSL/#links","title":"Links","text":"
    • Data encryption in Azure
    • Configure SSL connectivity in Azure Database for PostgreSQL
    ","tags":["Azure.PostgreSQL.UseSSL","AZR-000147"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/","title":"Use valid Private Endpoint names","text":"Azure.PrivateEndpoint.NameAZR-000153Error

    Operational Excellence \u00b7 Private Endpoint \u00b7 Rule \u00b7 2021_12

    Private Endpoint names should meet naming requirements.

    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Private Endpoint names are:

    • Between 2 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Private Endpoint names must be unique within a resource group.
    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Private Endpoint naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#notes","title":"Notes","text":"

    This rule does not check if Private Endpoint names are unique.

    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PrivateEndpoint.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.PrivateEndpoint.Name","AZR-000153"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/","title":"Public IP addresses should use availability zones","text":"Azure.PublicIP.AvailabilityZoneAZR-000157Error

    Reliability \u00b7 Public IP address \u00b7 Rule \u00b7 2021_12

    Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability.

    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#description","title":"Description","text":"

    Public IP addresses using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. A zone redundant Public IP address can spread across multiple availability zones, which ensures the Public IP address will continue running even if another zone has gone down. Furthermore, this ensures Public Standard Load balancer frontend IPs using a zone-redundant Public IP address can survive zone failure.

    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using zone-redundant Public IP addresses deployed with Standard SKU.

    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure zone-redundancy for a Public IP address.

    • Set sku.name to Standard.
    • Set zones to [\"1\", \"2\", \"3\"].

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/publicIPAddresses\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"Regional\"\n},\n\"properties\": {\n\"publicIPAddressVersion\": \"IPv4\",\n\"publicIPAllocationMethod\": \"Static\",\n\"idleTimeoutInMinutes\": 4\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure zone-redundancy for a Public IP address.

    • Set sku.name to Standard.
    • Set zones to ['1', '2', '3'].

    For example:

    Azure Bicep snippet
    resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#notes","title":"Notes","text":"

    This rule is not applicable for public IP addresses used for Azure Bastion. Azure Bastion does not currently support Availability Zones. Public IP addresses with the following tags are automatically excluded from this rule:

    • resource-usage tag set to azure-bastion.

    This rule fails when \"zones\" is constrained to a single(zonal) zone, or set to null, [] when there are supported availability zones for the given region.

    This rule passes if no zones exist for a given region or \"zones\" is set to [\"1\", \"2\", \"3\"].

    Configure AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Network and resource type publicIpAddresses.

    # YAML: The default AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.AvailabilityZone/#links","title":"Links","text":"
    • Use zone-aware services
    • Load Balancer and Availability Zones
    • Azure deployment reference
    ","tags":["Azure.PublicIP.AvailabilityZone","AZR-000157"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/","title":"Use valid Public IP DNS labels","text":"Azure.PublicIP.DNSLabelAZR-000156Error

    Operational Excellence \u00b7 Public IP address \u00b7 Rule \u00b7 2020_06

    Public IP domain name labels should meet naming requirements.

    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#description","title":"Description","text":"

    When configuring Azure Public IP addresses domain name labels must meet naming requirements. The requirements for Public IP domain name labels are:

    • Between 3 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Start with a letter.
    • End a letter or number.
    • Domain name labels must be globally unique within a region.
    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#recommendation","title":"Recommendation","text":"

    Consider using domain name labels that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#notes","title":"Notes","text":"

    This rule does not check if Public IP domain name labels are unique.

    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.DNSLabel/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.PublicIP.DNSLabel","AZR-000156"]},{"location":"en/rules/Azure.PublicIP.IsAttached/","title":"Remove unused Public IP addresses","text":"Azure.PublicIP.IsAttachedAZR-000154Error

    Cost Optimization \u00b7 Public IP address \u00b7 Rule \u00b7 2020_06

    Public IP addresses should be attached or cleaned up if not in use.

    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#description","title":"Description","text":"

    Unattached static Public IP address are charged when not in use.

    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#recommendation","title":"Recommendation","text":"

    Consider removing Public IP addresses that are no longer required reduce complexity and costs.

    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.IsAttached/#links","title":"Links","text":"
    • Cost optimization design principles
    • Public IP address pricing
    • Azure deployment reference
    ","tags":["Azure.PublicIP.IsAttached","AZR-000154"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/","title":"Migrate to Standard SKU","text":"Azure.PublicIP.MigrateStandardAZR-000395Error

    Operational Excellence \u00b7 Public IP address \u00b7 Rule \u00b7 2023_09

    Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.

    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#description","title":"Description","text":"

    The Basic SKU for Public IP addresses will be retired on September 30, 2025. To avoid service disruption, migrate to Standard SKU for Public IP addresses.

    The Standard SKU additionally offers security by default and supports redundancy.

    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#recommendation","title":"Recommendation","text":"

    Migrate Basic SKU for Public IP addresses to the Standard SKU before retirement to avoid service disruption.

    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Public IP addresses that pass this rule:

    • Set sku.name to Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/publicIPAddresses\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"Regional\"\n},\n\"properties\": {\n\"publicIPAddressVersion\": \"IPv4\",\n\"publicIPAllocationMethod\": \"Static\",\n\"idleTimeoutInMinutes\": 4\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Public IP addresses that pass this rule:

    • Set sku.name to Standard.

    For example:

    Azure Bicep snippet
    resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.MigrateStandard/#links","title":"Links","text":"
    • Infrastructure provisioning
    • Basic SKU will be retired
    • Migrate a Basic SKU Public IP address to Standard SKU
    • Standard vs Basic SKU comparison
    • Azure deployment reference
    ","tags":["Azure.PublicIP.MigrateStandard","AZR-000395"]},{"location":"en/rules/Azure.PublicIP.Name/","title":"Use valid Public IP names","text":"Azure.PublicIP.NameAZR-000155Error

    Operational Excellence \u00b7 Public IP address \u00b7 Rule \u00b7 2020_06

    Public IP names should meet naming requirements.

    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Public IP names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Public IP names must be unique within a resource group.
    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Public IP naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#notes","title":"Notes","text":"

    This rule does not check if Public IP names are unique.

    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.PublicIP.Name","AZR-000155"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/","title":"Public IP addresses should use Standard SKU","text":"Azure.PublicIP.StandardSKUAZR-000158Error

    Reliability \u00b7 Public IP address \u00b7 Rule \u00b7 2021_12

    Public IP addresses should be deployed with Standard SKU for production workloads.

    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#description","title":"Description","text":"

    Public IP addresses allow Internet resources to communicate inbound to Azure resources. Currently two SKUs are supported: Basic and Standard.

    However, the Basic SKU for Public IP addresses will be retired on September 30, 2025.

    The Standard SKU additionally offers security and redundancy improvements over the Basic SKU. Including:

    • Secure by default model and be closed to inbound traffic when used as a frontend. Network security groups are required to allow inbound traffic.
    • Support for zone-redundancy and zonal deployments at creation. Zone-redundancy should mach the zone-redundancy of the resource it is attached to.
    • Have an adjustable inbound originated flow idle timeout.
    • More granular control of how traffic is routed between Azure and the Internet.
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#recommendation","title":"Recommendation","text":"

    Consider using Standard SKU for Public IP addresses deployed in production.

    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#examples","title":"Examples","text":"","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure Standard SKU for a Public IP address.

    • Set sku.name to Standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/publicIPAddresses\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard\",\n\"tier\": \"Regional\"\n},\n\"properties\": {\n\"publicIPAddressVersion\": \"IPv4\",\n\"publicIPAllocationMethod\": \"Static\",\n\"idleTimeoutInMinutes\": 4\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure Standard SKU for a Public IP address.

    • Set sku.name to Standard.

    For example:

    For example:

    Azure Bicep snippet
    resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard'\n    tier: 'Regional'\n  }\n  properties: {\n    publicIPAddressVersion: 'IPv4'\n    publicIPAllocationMethod: 'Static'\n    idleTimeoutInMinutes: 4\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.PublicIP.StandardSKU/#links","title":"Links","text":"
    • Meet application platform requirements
    • Standard Public IP addresses
    • Load Balancer and Availability Zones
    • Azure deployment reference
    ","tags":["Azure.PublicIP.StandardSKU","AZR-000158"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/","title":"Use role-based access control","text":"Azure.RBAC.CoAdministratorAZR-000206Error

    Security \u00b7 Subscription \u00b7 Rule \u00b7 2020_06

    Delegate access to manage Azure resources using role-based access control (RBAC).

    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#description","title":"Description","text":"

    Use of Co-administrator is intended to support management of resources deployed using the Classic deployment model. Resources deployed in the Resource Manager model do not require delegation of Co-administrators.

    Azure RBAC provides greater flexibility and control providing over 100 built-in roles. Additionally RBAC works with advanced advanced security features like Privileged Identity Management (PIM).

    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#recommendation","title":"Recommendation","text":"

    Consider delegating access to manage Azure resources using RBAC instead of classic Co-administrator roles. Limit delegation of Co-administrator roles only to subscription that contain resources deployed in the Classic deployment model.

    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.CoAdministrator/#links","title":"Links","text":"
    • Azure classic subscription administrators
    • Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles
    • What is Azure AD Privileged Identity Management?
    ","tags":["Azure.RBAC.CoAdministrator","AZR-000206"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/","title":"Limit Management Group delegation","text":"Azure.RBAC.LimitMGDelegationAZR-000205Error

    Security \u00b7 Subscription \u00b7 Rule \u00b7 2020_06

    Limit Role-Base Access Control (RBAC) inheritance from Management Groups.

    ","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#description","title":"Description","text":"

    RBAC in Azure inherits from management group to subscription to resource group to resource. Management group RBAC assignments have broad impact.

    ","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitMGDelegation/#recommendation","title":"Recommendation","text":"

    Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.

    Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.

    ","tags":["Azure.RBAC.LimitMGDelegation","AZR-000205"]},{"location":"en/rules/Azure.RBAC.LimitOwner/","title":"Limit use of subscription scoped Owner role","text":"Azure.RBAC.LimitOwnerAZR-000204Error

    Security \u00b7 Subscription \u00b7 Rule \u00b7 2020_06

    Limit the number of subscription Owners.

    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#description","title":"Description","text":"

    Azure provides a flexible delegation model using Role-Base Access Control (RBAC). RBAC allows administrators to grant fine grained permissions using roles to Azure resources. Over 100 built-in roles exist, and custom roles can be created to perform specific tasks. Permissions can be scoped to management group, subscription, resource group or individual resources.

    The Owner role provides the ability to create, delete, update and configure permissions for any resource. When assigned at the subscription scope, these permissions apply to the whole subscription and all resources in the subscription.

    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#recommendation","title":"Recommendation","text":"

    Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.

    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.LimitOwner/#links","title":"Links","text":"
    • What is Azure role-based access control (Azure RBAC)?
    • Limit the number of subscription owners
    ","tags":["Azure.RBAC.LimitOwner","AZR-000204"]},{"location":"en/rules/Azure.RBAC.PIM/","title":"Use JiT role activation with PIM","text":"Azure.RBAC.PIMAZR-000208Error

    Security \u00b7 Subscription \u00b7 Rule \u00b7 2020_09

    Use just-in-time (JiT) activation of roles instead of persistent role assignment.

    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#description","title":"Description","text":"

    PIM helps manage the impact of identity compromise or misuse of permissions by reducing persistent access. With PIM, eligible identities can activate time-bound role assignments on an as needed basis (just-in-time). Activation typically occurs before a schedule change or management operation.

    PIM is an Azure Active Directory (AD) feature included in Azure AD Premium P2.

    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#recommendation","title":"Recommendation","text":"

    Consider using Privileged Identity Management (PIM) to activate privileged roles on an as needed basis.

    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.PIM/#links","title":"Links","text":"
    • What is Azure AD Privileged Identity Management?
    • Discover Azure resources to manage in Privileged Identity Management
    • Configure Azure resource role settings in Privileged Identity Management
    • Lower exposure of privileged accounts
    • No standing access / Just in Time privileges
    • Use Azure AD Privileged Identity Management
    ","tags":["Azure.RBAC.PIM","AZR-000208"]},{"location":"en/rules/Azure.RBAC.UseGroups/","title":"Use groups","text":"Azure.RBAC.UseGroupsAZR-000203Error

    Security \u00b7 Subscription \u00b7 Rule \u00b7 2020_06

    Use groups for assigning permissions instead of individual user accounts.

    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#description","title":"Description","text":"

    Granting access with individual user accounts can bypass existing on-premises identity management tools and processes.

    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#recommendation","title":"Recommendation","text":"

    Consider using groups for assigning permissions instead of individual user accounts.

    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseGroups/#links","title":"Links","text":"
    • Avoid granular and custom permissions
    • What is Azure role-based access control (Azure RBAC)?
    ","tags":["Azure.RBAC.UseGroups","AZR-000203"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/","title":"Use Resource Group delegation","text":"Azure.RBAC.UseRGDelegationAZR-000207Error

    Security \u00b7 Subscription \u00b7 Rule \u00b7 2020_06

    Use RBAC assignments on resource groups instead of individual resources.

    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#description","title":"Description","text":"

    Azure provides a flexible delegation model using RBAC that allows administrators to grant fine grained permissions using roles to Azure resources. Permissions can be scoped to management group, subscription, resource group or individual resources.

    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#recommendation","title":"Recommendation","text":"

    Consider using RBAC assignments on resource groups instead of individual resources.

    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RBAC.UseRGDelegation/#links","title":"Links","text":"
    • Avoid granular and custom permissions
    • What is Azure role-based access control (Azure RBAC)?
    • Best practices for Azure RBAC
    ","tags":["Azure.RBAC.UseRGDelegation","AZR-000207"]},{"location":"en/rules/Azure.RSV.Immutable/","title":"Immutability","text":"Azure.RSV.ImmutableAZR-000397Error

    Security \u00b7 Recovery Services Vault \u00b7 Rule \u00b7 2023_09

    Ensure immutability is configured to protect backup data.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#description","title":"Description","text":"

    Immutability is supported for Recovery Services vaults by configuring the Immutable vault setting.

    Immutable vault helps protecting backup data by blocking any operations that could lead to loss of recovery points. Additionally, locking the Immutable vault setting makes it irreversible to prevent any malicious actors from disabling immutability and deleting backups.

    For example, an malicious attack may attempt to remove data or delete vaults to prevent recovery to a known good state.

    The Immutable vault setting is not enabled per default.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#recommendation","title":"Recommendation","text":"

    Consider configuring immutability to protect backup data from accidental or malicious deletion.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#examples","title":"Examples","text":"","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Recovery Services vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.RecoveryServices/vaults\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('vaultName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('skuName')]\",\n\"tier\": \"[parameters('skuTier')]\"\n},\n\"properties\": {\n\"securitySettings\": {\n\"immutabilitySettings\": {\n\"state\": \"Locked\"\n}\n}\n}\n}\n
    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Recovery Services vaults that pass this rule:

    • Set properties.securitySettings.immutabilitySettings.state to Unlocked or Locked.

    For example:

    Azure Bicep snippet
    resource recoveryServicesVault 'Microsoft.RecoveryServices/vaults@2023-01-01' = {\n  name: vaultName\n  location: location\n  sku: {\n    name: skuName\n    tier: skuTier\n  }\n  properties: {\n    securitySettings: {\n      immutabilitySettings: {\n        state: 'Locked'\n      }\n    }\n  }\n}\n
    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#notes","title":"Notes","text":"

    Note that immutability locking Locked is irreversible, so ensure to take a well-informed decision when opting to lock. For example, for vaults containing production workloads consider using Locked. For cases where you are creating and destroying backups and vaults on a regulary basis such as temporary environments consider Unlocked.

    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Immutable/#links","title":"Links","text":"
    • Security design principles
    • Immutable vault for Azure Backup
    • Restricted operations
    • Manage Azure Backup Immutable vault operations
    • Azure security baseline for Azure Backup
    • Backup and restore plan to protect against ransomware
    • BR-2: Protect backup and recovery data
    • Azure deployment reference
    ","tags":["Azure.RSV.Immutable","AZR-000397"]},{"location":"en/rules/Azure.RSV.Name/","title":"Use valid names","text":"Azure.RSV.NameAZR-000350Error

    Operational Excellence \u00b7 Recovery Services Vault \u00b7 Rule \u00b7 2022_12

    Recovery Services vaults should meet naming requirements.

    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Recovery Services vault names are:

    • Between 2 and 50 characters long.
    • Alphanumerics and hyphens.
    • Start with letter.
    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Recovery Services vault naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#notes","title":"Notes","text":"

    This rule does not check if Recovery Services vault names are unique.

    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Recovery Services vault
    • Azure deployment reference
    ","tags":["Azure.RSV.Name","AZR-000350"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/","title":"Use geo-replicated storage","text":"Azure.RSV.ReplicationAlertAZR-000171Error

    Reliability \u00b7 Recovery Services Vault \u00b7 Rule \u00b7 2022_03

    Recovery Services Vaults (RSV) without replication alerts configured may be at risk.

    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#description","title":"Description","text":"

    Recovery Services Vaults (RSV) can be used to replicate virtual machines between Azure Regions. Alerts can be configured to send notifications when replication issues occur.

    The replication alerts can be configured for:

    • The resources owners (Based on RBAC permissions).
    • A list of email addresses.
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#recommendation","title":"Recommendation","text":"

    Configure replication alerts for Recovery Service Vaults that are performing replication tasks.

    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#examples","title":"Examples","text":"","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-azure-template","title":"Configure with Azure template","text":"

    By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via ARM templates either configure the sendToOwners or CustomerEmailAddress properties:

    • Set properties.sendToOwners to Send.
    • Set properties.customEmailAddresses to [ \"example@email.com\" ]

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.RecoveryServices/vaults/replicationAlertSettings\",\n\"apiVersion\": \"2021-08-01\",\n\"name\": \"replicationAlert\",\n\"properties\": {\n\"sendToOwners\": \"Send\",\n\"customEmailAddresses\": [\n\"example@email.com\"\n],\n\"locale\": \"en-US\"\n}\n}\n
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#configure-with-bicep","title":"Configure with Bicep","text":"

    By default a Recovery Services vaults does not have replication alerts setup. To define a replication alert via a Bicep either configure the sendToOwners or CustomerEmailAddress properties:

    • Set properties.sendToOwners to Send.
    • Set properties.customEmailAddresses to [ \"example@email.com\" ]

    For example:

    Azure Bicep snippet
    resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/replicationAlertSettings@2021-08-01' = {\n  name: 'replicationAlert'\n  parent: resourceSymbolicName\n  properties: {\n    sendToOwners: 'Send'\n    customEmailAddresses: [\n      'example@email.com'\n    ]\n    locale: 'en-US'\n  }\n}\n
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#notes","title":"Notes","text":"

    With the locale property you can define the locale for the email notification.

    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.ReplicationAlert/#links","title":"Links","text":"
    • Recovery Services Vault - Overview
    • Recovery Services Vault - Replication Alerts
    • Azure deployment reference
    • Well Architected Framework - Reliability
    ","tags":["Azure.RSV.ReplicationAlert","AZR-000171"]},{"location":"en/rules/Azure.RSV.StorageType/","title":"Use geo-replicated storage","text":"Azure.RSV.StorageTypeAZR-000170Error

    Reliability \u00b7 Recovery Services Vault \u00b7 Rule \u00b7 2022_03

    Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk.

    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#description","title":"Description","text":"

    Recovery Services Vaults can be configured with several different durability options. Azure provides a number of geo-replicated options for storage, including Geo-redundant storage and read-access geo-zone-redundant storage. The default storage type used is Geo-redundant. Geo-zone-redundant storage is only available in supported regions.

    The following geo-replicated options are available for recovery services vaults:

    • GeoRedundant
    • ReadAccessGeoZoneRedundant
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#recommendation","title":"Recommendation","text":"

    Consider using GeoRedundant for recovery services vaults that contain data.

    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#examples","title":"Examples","text":"","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-azure-template","title":"Configure with Azure template","text":"

    The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config in an ARM template:

    • Set properties.storageType to either GeoRedundant or ReadAccessGeoZoneRedundant. For example:
    Azure Template snippet
    {\n\"type\": \"Microsoft.RecoveryServices/vaults/backupconfig\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"vaultconfig-a\",\n\"location\": \"australiaeast\",\n\"tags\": {},\n\"properties\": {\n\"storageType\": \"GeoRedundant\"\n}\n}\n
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#configure-with-bicep","title":"Configure with Bicep","text":"

    The default storage type used by Recovery Services vaults is Geo-redundant. However if you're defining the backup config via Bicep:

    • Set properties.storageType to either GeoRedundant or ReadAccessGeoZoneRedundant.

    For example:

    Azure Bicep snippet
    resource testRecoveryServices 'Microsoft.RecoveryServices/vaults/backupconfig@2021-10-01' = {\n  name: 'vaultconfig'\n  location: 'string'\n  parent: resourceSymbolicName\n  properties: {\n    storageType: 'GeoRedundant'\n  }\n}\n
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.RSV.StorageType/#links","title":"Links","text":"
    • Recovery Services Vault - Overview
    • Recovery Services Vault - Storage Settings
    • Azure deployment reference
    • Well Architected Framework - Reliability
    ","tags":["Azure.RSV.StorageType","AZR-000170"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/","title":"Redis cache should use Availability zones in supported regions","text":"Azure.Redis.AvailabilityZoneAZR-000161Error

    Reliability \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2021_12

    Premium Redis cache should be deployed with availability zones for high availability.

    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#description","title":"Description","text":"

    Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.

    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for Premium Redis Cache deployed in supported regions.

    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

    This rule fails when \"zones\" is null, [] or fewer than two zones are used when there are availability zones for the given region.

    This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.

    Configure AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Cache and resource type Redis.

    # YAML: The default AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#examples","title":"Examples","text":"","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for Premium SKU Redis Cache:

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"].
    • Set properties.replicasPerMaster to the number of zones minus one, so that you have at least as many nodes as zones you are replicating to (this property is not shown in the example below).
    • Set Properties.sku.name to Premium.
    • Set Properties.sku.family to P.
    • Set Properties.sku.capacity to one of [1, 2, 3, 4, 5], depending on the SKU you picked:
      • P1 - 6 GB
      • P2 - 13 GB
      • P3 - 26 GB
      • P4 - 53 GB
      • P5 - 120 GB

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for Premium SKU Redis Cache:

    • Set zones to a minimum of two zones from [\"1\", \"2\", \"3\"].
    • Set properties.replicasPerMaster to the number of zones minus one, so that you have at least as many nodes as zones you are replicating to (this property is not shown in the example below).
    • Set Properties.sku.name to Premium.
    • Set Properties.sku.family to P.
    • Set Properties.sku.capacity to one of [1, 2, 3, 4, 5], depending on the SKU you picked:
      • P1 - 6 GB
      • P2 - 13 GB
      • P3 - 26 GB
      • P4 - 53 GB
      • P5 - 120 GB

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.AvailabilityZone/#links","title":"Links","text":"
    • Use zone-aware services
    • Enable zone redundancy for Azure Cache for Redis
    • High availability for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.AvailabilityZone","AZR-000161"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/","title":"Limit Redis cache number of IP addresses","text":"Azure.Redis.FirewallIPRangeAZR-000300Error

    Security \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2022_09

    Determine if there is an excessive number of permitted IP addresses for the Redis cache.

    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#description","title":"Description","text":"

    When using Azure Cache for Redis injected into a VNet, you can create firewall rules to limit access to the cache. Each firewall rule specifies a range of IP addresses that are allowed to access the cache.

    If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.

    Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:

    • Not needed.
    • Too broad.
    • Too many.
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    The Redis cache has greater than ten (10) public IP addresses that are permitted network access. Some rules may not be needed or can be reduced.

    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Limit the range of public IP address included in rules.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis/firewallRules\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n\"properties\": {\n\"startIP\": \"10.0.1.1\",\n\"endIP\": \"10.0.1.31\"\n},\n\"dependsOn\": [\n\"cache\"\n]\n}\n
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Limit the range of public IP address included in rules.
    Azure Bicep snippet
    resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#notes","title":"Notes","text":"

    This rule is not applicable when Redis is configured to allow private connectivity by setting properties.publicNetworkAccess to Disabled. Firewall rules can be used with VNET injected caches, but not private endpoints.

    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallIPRange/#links","title":"Links","text":"
    • Azure services for securing network connectivity
    • Azure best practices for network security
    • Azure Cache for Redis network isolation options
    • Limitations of firewall rules
    • Migrate from VNet injection caches to Private Link caches
    • Azure deployment reference
    ","tags":["Azure.Redis.FirewallIPRange","AZR-000300"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/","title":"Cleanup Redis cache firewall rules","text":"Azure.Redis.FirewallRuleCountAZR-000299Error

    Security \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2022_09

    Determine if there is an excessive number of firewall rules for the Redis cache.

    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#description","title":"Description","text":"

    When using Azure Cache for Redis injected into a VNet, you can create firewall rules to limit access to the cache. Each firewall rule specifies a range of IP addresses that are allowed to access the cache.

    If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.

    Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are:

    • Not needed.
    • Too broad.
    • Too many.
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The Redis cache has more than ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#examples","title":"Examples","text":"","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Configure a minimum number of firewall rules. This rule will fail if more than ten (10) firewall rules are configured.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis/firewallRules\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'allow-on-premises')]\",\n\"properties\": {\n\"startIP\": \"10.0.1.1\",\n\"endIP\": \"10.0.1.31\"\n},\n\"dependsOn\": [\n\"cache\"\n]\n}\n
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.startIP property to the start of the IP address range.
    • Set the properties.endIP property to the end of the IP address range.
    • Configure a minimum number of firewall rules. This rule will fail if more than ten (10) firewall rules are configured.
    Azure Bicep snippet
    resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {\n  parent: cache\n  name: 'allow-on-premises'\n  properties: {\n    startIP: '10.0.1.1'\n    endIP: '10.0.1.31'\n  }\n}\n
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#notes","title":"Notes","text":"

    This rule is not applicable when Redis is configured to allow private connectivity by setting properties.publicNetworkAccess to Disabled. Firewall rules can be used with VNet injected caches, but not private endpoints.

    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.FirewallRuleCount/#links","title":"Links","text":"
    • Azure services for securing network connectivity
    • Azure best practices for network security
    • Azure Cache for Redis network isolation options
    • Limitations of firewall rules
    • Migrate from VNet injection caches to Private Link caches
    • Azure deployment reference
    ","tags":["Azure.Redis.FirewallRuleCount","AZR-000299"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/","title":"Configure cache maxmemory-reserved setting","text":"Azure.Redis.MaxMemoryReservedAZR-000160Error

    Performance Efficiency \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2020_12

    Configure maxmemory-reserved to reserve memory for non-cache operations.

    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#description","title":"Description","text":"

    Azure Cache for Redis supports configuration of the maxmemory-reserved setting. The maxmemory-reserved setting configures the amount of memory reserved for non-cache operations. Non-cache operations include background tasks, eviction, and compaction.

    By reserving memory for these operations, you prevent Redis cache from using all available memory for cache. If enough memory is not reserved for these operations it can lead to performance degradation and instability.

    Setting this value allows you to have a more consistent experience when your load varies. This value should be set higher for workloads that are write heavy.

    Memory reserved by maxmemory-reserved is unavailable for storage of cached data.

    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#recommendation","title":"Recommendation","text":"

    Consider configuring maxmemory-reserved to at least 10% of available cache memory.

    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#examples","title":"Examples","text":"","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisConfiguration.maxmemory-reserved property to at least 10% of the cache memory.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisConfiguration.maxmemory-reserved property to at least 10% of the cache memory.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MaxMemoryReserved/#links","title":"Links","text":"
    • Choose the right resources
    • Choosing the right tier
    • Scaling and memory
    • Memory management
    • SKU sizes
    • Azure deployment reference
    ","tags":["Azure.Redis.MaxMemoryReserved","AZR-000160"]},{"location":"en/rules/Azure.Redis.MinSKU/","title":"Use at least Standard C1 cache instances","text":"Azure.Redis.MinSKUAZR-000159Error

    Performance Efficiency \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2020_12

    Use Azure Cache for Redis instances of at least Standard C1.

    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#description","title":"Description","text":"

    Azure Cache for Redis supports a range of different scale options. Basic tier or Standard C0 caches are not suitable for production workloads.

    • Basic tier is a single node system with no data replication and no SLA.
    • Standard C0 caches use shared resources and are subject to noisy neighbor issues.
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#recommendation","title":"Recommendation","text":"

    Consider using a minimum of a Standard C1 instance for production workloads.

    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.sku.name property to Premium or Standard.
    • Set the properties.sku.family property to P or C.
    • Set the properties.sku.capacity property to a capacity valid for the SKU 1 or higher.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.sku.name property to Premium or Standard.
    • Set the properties.sku.family property to P or C.
    • Set the properties.sku.capacity property to a capacity valid for the SKU 1 or higher.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinSKU/#links","title":"Links","text":"
    • Choose the right resources
    • Choosing the right tier
    • Scaling and memory
    • Memory management
    • SKU sizes
    • Azure deployment reference
    ","tags":["Azure.Redis.MinSKU","AZR-000159"]},{"location":"en/rules/Azure.Redis.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.Redis.MinTLSAZR-000164Error

    Security \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2020_06

    Redis Cache should reject TLS versions older than 1.2.

    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.

    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to 1.2. Support for TLS 1.0 and TLS 1.1 will be removed.

    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to a minimum of 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to a minimum of 1.2.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To deploy caches that pass this rule:

    • Use the --set parameter.

    For example:

    Azure CLI snippet
    az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To deploy caches that pass this rule:

    • Use the -MinimumTlsVersion parameter.

    For example:

    Azure PowerShell snippet
    Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'\n
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
    • Configure Azure Cache for Redis settings
    • Preparing for TLS 1.2 in Microsoft Azure
    • DP-3: Encrypt sensitive data in transit
    • Azure deployment reference
    ","tags":["Azure.Redis.MinTLS","AZR-000164"]},{"location":"en/rules/Azure.Redis.NonSslPort/","title":"Use secure connections to Redis instances","text":"Azure.Redis.NonSslPortAZR-000163Error

    Security \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2020_06

    Azure Cache for Redis should only accept secure connections.

    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#description","title":"Description","text":"

    Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.

    Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.

    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#recommendation","title":"Recommendation","text":"

    Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.

    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#examples","title":"Examples","text":"","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.enableNonSslPort property to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.enableNonSslPort property to false.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.NonSslPort/#links","title":"Links","text":"
    • Data encryption in Azure
    • How to configure Azure Cache for Redis
    • DP-3: Encrypt sensitive data in transit
    • Azure Policy Regulatory Compliance controls for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.NonSslPort","AZR-000163"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/","title":"Use private endpoints with Azure Cache for Redis","text":"Azure.Redis.PublicNetworkAccessAZR-000165Error

    Security \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2022_03

    Redis cache should disable public network access.

    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#description","title":"Description","text":"

    When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.

    To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommended approach for most scenarios.

    Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.

    A private endpoint provides secure and private connectivity to Redis instances by:

    • Using a private IP address from your VNET.
    • Blocking all traffic from public networks.

    If you are using VNET injection, it is recommended to migrate to private endpoints.

    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#recommendation","title":"Recommendation","text":"

    Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.

    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#examples","title":"Examples","text":"","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false,\n\"publicNetworkAccess\": \"Disabled\"\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.publicNetworkAccess property to Disabled.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n    publicNetworkAccess: 'Disabled'\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.PublicNetworkAccess/#links","title":"Links","text":"
    • Azure services for securing network connectivity
    • Azure Cache for Redis with Azure Private Link
    • Best practices for endpoint security on Azure
    • Migrate from VNet injection caches to Private Link caches
    • What is Azure Private Endpoint?
    • NS-2: Secure cloud services with network controls
    • Azure Policy Regulatory Compliance controls for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.PublicNetworkAccess","AZR-000165"]},{"location":"en/rules/Azure.Redis.Version/","title":"Redis version for Azure Cache for Redis","text":"Azure.Redis.VersionAZR-000347Error

    Reliability \u00b7 Azure Cache for Redis \u00b7 Rule \u00b7 2022_12

    Azure Cache for Redis should use the latest supported version of Redis.

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#description","title":"Description","text":"

    Azure Cache for Redis supports Redis 6. Redis 6 brings new security features and better performance.

    Version 4 for Azure Cache for Redis instances will be retired on June 30, 3023.

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#recommendation","title":"Recommendation","text":"

    Consider upgrading Redis version for Azure Cache for Redis to the latest supported version (>=6.0).

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#examples","title":"Examples","text":"","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisVersion property to latest or 6.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redis\",\n\"apiVersion\": \"2023-04-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\",\n\"redisVersion\": \"latest\",\n\"sku\": {\n\"name\": \"Premium\",\n\"family\": \"P\",\n\"capacity\": 1\n},\n\"redisConfiguration\": {\n\"maxmemory-reserved\": \"615\"\n},\n\"enableNonSslPort\": false\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n]\n}\n
    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.redisVersion property to latest or 6.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redis@2023-04-01' = {\n  name: name\n  location: location\n  properties: {\n    minimumTlsVersion: '1.2'\n    redisVersion: 'latest'\n    sku: {\n      name: 'Premium'\n      family: 'P'\n      capacity: 1\n    }\n    redisConfiguration: {\n      'maxmemory-reserved': '615'\n    }\n    enableNonSslPort: false\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n}\n
    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#notes","title":"Notes","text":"

    This rule is only applicable for Azure Cache for Redis (OSS Redis) offering.

    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.Redis.Version/#links","title":"Links","text":"
    • Requirements
    • Security operations
    • Set Redis version for Azure Cache for Redis
    • How to upgrade an existing Redis 4 cache to Redis 6
    • Retirements from Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.Redis.Version","AZR-000347"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/","title":"Redis Cache minimum TLS version","text":"Azure.RedisEnterprise.MinTLSAZR-000301Error

    Security \u00b7 Azure Cache for Redis Enterprise \u00b7 Rule \u00b7 2022_09

    Redis Cache should reject TLS versions older than 1.2.

    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.

    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Cache/redisEnterprise\",\n\"apiVersion\": \"2022-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Enterprise_E10\"\n},\n\"properties\": {\n\"minimumTlsVersion\": \"1.2\"\n}\n}\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy caches that pass this rule:

    • Set the properties.minimumTlsVersion property to 1.2.

    For example:

    Azure Bicep snippet
    resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Enterprise_E10'\n  }\n  properties: {\n    minimumTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"

    To deploy caches that pass this rule:

    • Use the --set parameter.

    For example:

    Azure CLI snippet
    az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"

    To deploy caches that pass this rule:

    • Use the -MinimumTlsVersion parameter.

    For example:

    Azure PowerShell snippet
    Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'\n
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
    • Configure Azure Cache for Redis settings
    • Preparing for TLS 1.2 in Microsoft Azure
    • DP-3: Encrypt sensitive data in transit
    • Azure deployment reference
    ","tags":["Azure.RedisEnterprise.MinTLS","AZR-000301"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/","title":"Enterprise Redis cache should use Availability zones in supported regions","text":"Azure.RedisEnterprise.ZonesAZR-000162Error

    Reliability \u00b7 Azure Cache for Redis Enterprise \u00b7 Rule \u00b7 2021_12

    Enterprise Redis cache should be zone-redundant for high availability.

    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#description","title":"Description","text":"

    Redis Cache using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. Nodes in one availability zone are physically separated from nodes defined in another availability zone. By spreading node pools across multiple zones, nodes in one node pool will continue running even if another zone has gone down.

    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#recommendation","title":"Recommendation","text":"

    Consider using availability zones for Enterprise Redis Cache deployed in supported regions.

    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#notes","title":"Notes","text":"

    This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region.

    Configure AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to set additional availability zones that need to be supported which are not in the existing providers for namespace Microsoft.Cache and resource type redisEnterprise.

    # YAML: The default AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#examples","title":"Examples","text":"","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To set availability zones for Enterprise SKU Redis Cache:

    • Set zones to [\"1\", \"2\", \"3\"] or zone-redundancy.
    • Set Properties.sku.name to one of:
      • Enterprise_E10 - 12 GB
      • Enterprise_E20 - 25 GB
      • Enterprise_E50 - 50 GB
      • Enterprise_E100 - 100 GB
      • EnterpriseFlash_F300 - 345 GB
      • EnterpriseFlash_F700 - 715 GB
      • EnterpriseFlash_F1500 - 1455 GB
    • Set Properties.sku.capacity to:
      • One of [2, 4, 6, 8, 10] if using Enterprise_E10, Enterprise_E20, Enterprise_E50 or Enterprise_E100.
      • Either 3 or 9 if using EnterpriseFlash_F300, EnterpriseFlash_F700, EnterpriseFlash_F1500.

    For example:

    Azure Template snippet
    {\n\"name\": \"testrediscache\",\n\"type\": \"Microsoft.Cache/redisEnterprise\",\n\"apiVersion\": \"2021-02-01-preview\",\n\"properties\": {},\n\"location\": \"australiaeast\",\n\"dependsOn\": [],\n\"sku\": {\n\"name\": \"EnterpriseFlash_F700\",\n\"capacity\": 3\n},\n\"zones\": [\n\"1\",\n\"2\",\n\"3\"\n],\n\"tags\": {},\n\"resources\": [\n{\n\"name\": \"testrediscache/default\",\n\"type\": \"Microsoft.Cache/redisEnterprise/databases\",\n\"apiVersion\": \"2021-02-01-preview\",\n\"properties\": {\n\"clientProtocol\": \"Encrypted\",\n\"evictionPolicy\": \"NoEviction\",\n\"clusteringPolicy\": \"OSSCluster\",\n\"persistence\": {\n\"aofEnabled\": false,\n\"rdbEnabled\": false\n}\n},\n\"dependsOn\": [\n\"Microsoft.Cache/redisEnterprise/testrediscache\"\n],\n\"tags\": {}\n}\n]\n}\n
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#configure-with-bicep","title":"Configure with Bicep","text":"

    To set availability zones for Enterprise SKU Redis Cache:

    • Set zones to [\"1\", \"2\", \"3\"] or zone-redundancy.
    • Set Properties.sku.name to one of:
      • Enterprise_E10 - 12 GB
      • Enterprise_E20 - 25 GB
      • Enterprise_E50 - 50 GB
      • Enterprise_E100 - 100 GB
      • EnterpriseFlash_F300 - 345 GB
      • EnterpriseFlash_F700 - 715 GB
      • EnterpriseFlash_F1500 - 1455 GB
    • Set Properties.sku.capacity to:
      • One of [2, 4, 6, 8, 10] if using Enterprise_E10, Enterprise_E20, Enterprise_E50 or Enterprise_E100.
      • Either 3 or 9 if using EnterpriseFlash_F300, EnterpriseFlash_F700, EnterpriseFlash_F1500.

    For example:

    Azure Bicep snippet
    resource testrediscache 'Microsoft.Cache/redisEnterprise@2021-02-01-preview' = {\n  name: 'testrediscache'\n  properties: {}\n  location: 'australiaeast'\n  sku: {\n    name: 'EnterpriseFlash_F700'\n    capacity: 3\n  }\n  zones: [\n    '1'\n    '2'\n    '3'\n  ]\n  tags: {}\n  dependsOn: []\n}\n\nresource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021-02-01-preview' = {\n  parent: testrediscache\n  name: 'default'\n  properties: {\n    clientProtocol: 'Encrypted'\n    evictionPolicy: 'NoEviction'\n    clusteringPolicy: 'OSSCluster'\n    persistence: {\n      aofEnabled: false\n      rdbEnabled: false\n    }\n  }\n  tags: {}\n}\n
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.RedisEnterprise.Zones/#links","title":"Links","text":"
    • Use zone-aware services
    • Enable zone redundancy for Azure Cache for Redis
    • High availability for Azure Cache for Redis
    • Azure deployment reference
    ","tags":["Azure.RedisEnterprise.Zones","AZR-000162"]},{"location":"en/rules/Azure.Resource.AllowedRegions/","title":"Use allowed regions","text":"Azure.Resource.AllowedRegionsAZR-000167Error

    Security \u00b7 All resources \u00b7 Rule \u00b7 2020_06

    Resources should be deployed to allowed regions.

    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#description","title":"Description","text":"

    Azure supports deployment to many locations around the world called regions. Many organizations have requirements that limit where data can be stored or processed. This is commonly known as data residency.

    Most Azure resources must be deployed to a specific region. To align with your organizational requirements, you may choose to limit the regions that resources can be deployed to.

    Some resources, particularly those related to preview services or features, may not be available in all regions.

    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#recommendation","title":"Recommendation","text":"

    Consider deploying resources to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions.

    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#examples","title":"Examples","text":"","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resources that pass this rule:

    • Set the location property to an allowed region. OR
    • Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resources that pass this rule:

    • Set the location property to an allowed region. OR
    • Instead of hard coding the location, use a parameter to allow the location to be specified at deployment time.

    For example:

    Azure Bicep snippet
    @sys.description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#notes","title":"Notes","text":"

    This rule requires one or more allowed regions to be configured. By default, all regions are allowed.

    To configure this rule set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value to a set of allowed regions.

    For example:

    configuration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS:\n- australiaeast\n- australiasoutheast\n

    If you configure this AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting AZURE_RESOURCE_GROUP the configuration value to when resources use the location of the resource group.

    For example:

    configuration:\nAZURE_RESOURCE_GROUP:\nlocation: australiaeast\n
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.AllowedRegions/#links","title":"Links","text":"
    • Regulatory compliance
    • Data residency in Azure
    • Azure geographies
    ","tags":["Azure.Resource.AllowedRegions","AZR-000167"]},{"location":"en/rules/Azure.Resource.UseTags/","title":"Use resource tags","text":"Azure.Resource.UseTagsAZR-000166Error

    Cost Optimization \u00b7 All resources \u00b7 Rule \u00b7 2020_06

    Azure resources should be tagged using a standard convention.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#description","title":"Description","text":"

    Azure Resource Manager (ARM) supports a flexible tagging model that allows each resource to be tagged. Tags are additional metadata that improves identification of resources and aids lifecycle management.

    Azure stores tags as name/ value pairs such as environment = production or costCode = 349921.

    A well defined tagging approach improves the management, billing, and automation operations of resources. When planning tags, identify information that is meaningful to business and technical staff.

    Azure provides several built-in policies to managed tags. Using these policies help enforce a tagging standard can reduce overall management Resource tags can be inherited from subscriptions or resource groups using Azure Policy.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#recommendation","title":"Recommendation","text":"

    Consider tagging resources using a standard convention. Identify mandatory and optional tags then tag all resources and resource groups using this standard.

    Also consider using Azure Policy to enforce mandatory tags.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#examples","title":"Examples","text":"","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy resource that pass this rule:

    • Set the tags property tags that align to your tagging standard.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Resources/resourceGroups\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"tags\": {\n\"environment\": \"production\",\n\"costCode\": \"349921\"\n}\n}\n
    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy resource that pass this rule:

    • Set the tags property tags that align to your tagging standard.

    For example:

    Azure Bicep snippet
    resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {\n  name: name\n  location: location\n  tags: {\n    environment: 'production'\n    costCode: '349921'\n  }\n}\n
    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#notes","title":"Notes","text":"

    Azure Policy includes several built-in policies to enforce tagging such as:

    • Add a tag to resources
    • Add a tag to resource groups
    • Require a tag on resources
    • Require a tag on resource groups
    • Inherit a tag from the resource group
    • Inherit a tag from the resource group if missing
    • Inherit a tag from the subscription

    If you find resources that incorrectly report they should be tagged, please let us know by opening an issue.

    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.Resource.UseTags/#links","title":"Links","text":"
    • Enforce resource tagging
    • Tag support for Azure resources
    • Develop your naming and tagging strategy for Azure resources
    • Define your tagging strategy
    • Resource naming and tagging decision guide
    • Assign policy definitions for tag compliance
    • Enforcing custom tags
    ","tags":["Azure.Resource.UseTags","AZR-000166"]},{"location":"en/rules/Azure.ResourceGroup.Name/","title":"Use valid resource group names","text":"Azure.ResourceGroup.NameAZR-000168Error

    Operational Excellence \u00b7 Resource Group \u00b7 Rule \u00b7 2020_06

    Resource Group names should meet naming requirements.

    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Resource Group names are:

    • Between 1 and 90 characters long.
    • Alphanumerics, underscores, parentheses, hyphens, periods.
    • Can't end with period.
    • Resource Group names must be unique within a subscription.
    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Resource Group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#notes","title":"Notes","text":"

    This rule does not check if Resource Group names are unique.

    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.ResourceGroup.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.ResourceGroup.Name","AZR-000168"]},{"location":"en/rules/Azure.Route.Name/","title":"Use valid Route table names","text":"Azure.Route.NameAZR-000169Error

    Operational Excellence \u00b7 Route table \u00b7 Rule \u00b7 2020_06

    Route table names should meet naming requirements.

    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Route table names must be unique within a resource group.
    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Route table naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#notes","title":"Notes","text":"

    This rule does not check if Route table names are unique.

    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.Route.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.Route.Name","AZR-000169"]},{"location":"en/rules/Azure.SQL.AAD/","title":"Use AAD authentication with SQL databases","text":"Azure.SQL.AADAZR-000188Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Use Azure Active Directory (AAD) authentication with Azure SQL databases.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#description","title":"Description","text":"

    Azure SQL Database offer two authentication models, Azure Active Directory (AAD) and SQL authentication. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over SQL authentication including:

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional-based access with Conditional Access.

    It is also possible to disable SQL authentication entirely and only use AAD authentication.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with SQL databases. Additionally, consider disabling SQL authentication.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#examples","title":"Examples","text":"","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"minimalTlsVersion\": \"1.2\",\n\"administrators\": {\n\"azureADOnlyAuthentication\": true,\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('adminLogin')]\",\n\"principalType\": \"Group\",\n\"sid\": \"[parameters('adminPrincipalId')]\",\n\"tenantId\": \"[tenant().tenantId]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/administrators sub-resource. To deploy Microsoft.Sql/servers/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/administrators\",\n\"apiVersion\": \"2022-02-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'ActiveDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('adminLogin')]\",\n\"sid\": \"[parameters('adminPrincipalId')]\"\n},\n\"dependsOn\": [\n\"server\"\n]\n}\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/administrators sub-resource. To deploy Microsoft.Sql/servers/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource sqlAdministrator 'Microsoft.Sql/servers/administrators@2022-02-01-preview' = {\n  parent: server\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: adminLogin\n    sid: adminPrincipalId\n  }\n}\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az sql server ad-admin create -s '<server_name>' -g '<resource_group>' -u '<user_name>' -i '<object_id>'\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DisplayName '<user_name>'\n
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#notes","title":"Notes","text":"

    In newer API versions the properties.administrators property can be configured. Azure AD authentication can also be configured using the Microsoft.Sql/servers/administrators sub-resource.

    If both the properties.administrators property and Microsoft.Sql/servers/administrators are set, the sub-resource will override the property.

    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Configure and manage Azure AD authentication with Azure SQL
    • Using multi-factor Azure Active Directory authentication
    • Conditional Access with Azure SQL Database and Azure Synapse Analytics
    • Azure AD-only authentication with Azure SQL
    • Azure Policy for Azure Active Directory only authentication with Azure SQL
    • Azure deployment reference
    ","tags":["Azure.SQL.AAD","AZR-000188"]},{"location":"en/rules/Azure.SQL.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQL.AADOnlyAZR-000369Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2023_03

    Ensure Azure AD-only authentication is enabled with Azure SQL Database.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#description","title":"Description","text":"

    Azure SQL Database supports authentication with SQL logins and Azure AD authentication. By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities.

    Azure AD authentication provides:

    • Strong protection controls including conditional access, identity governance, and privileged identity management.
    • Centralized identity management with Azure AD.

    Additionally you can disable SQL authentication entirely, by enabling Azure AD-only authentication.

    Some features may have limitations when using Azure AD-only authentication is enabled, including:

    • Elastic jobs
    • SQL Data Sync
    • Change Data Capture (CDC)
    • Transactional replication
    • SQL insights

    Continue reading Limitations for Azure AD-only authentication in SQL Database.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Database.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#examples","title":"Examples","text":"

    Azure AD-only authentication can be enabled in two different ways.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Logical Servers that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"administrators\": {\n\"administratorType\": \"ActiveDirectory\",\n\"azureADOnlyAuthentication\": true,\n\"login\": \"[parameters('login')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/servers/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/azureADOnlyAuthentications\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'Default')]\",\n\"properties\": {\n\"azureADOnlyAuthentication\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/servers', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Logical Servers that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource logicalServer 'Microsoft.Sql/servers@2022-05-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/servers/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/servers/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource aadOnly 'Microsoft.Sql/servers/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: logicalServer\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n
    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. A managed identity is required if an Azure AD service principal (Azure AD application) oversees creating and managing Azure AD users, groups, or applications in the logical server.

    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Azure AD-only authentication with Azure SQL Database
    • Configure and manage Azure AD authentication with Azure SQL Database
    • Limitations for Azure AD-only authentication in SQL Database
    • Azure Policy for Azure AD-only authentication with Azure SQL Database
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.SQL.AADOnly","AZR-000369"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/","title":"Limit SQL database network access to trusted IP addresses","text":"Azure.SQL.AllowAzureAccessAZR-000184Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Determine if access from Azure services is required.

    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#description","title":"Description","text":"

    Allow access to Azure services, permits any Azure service network based access to databases. Network based access it not limited to a single customer, all Azure IP addresses are permitted. Network access can also be allowed/ blocked on individual databases, which takes precedence over server firewall rules.

    If network based access is permitted, authentication is still required.

    Enabling access from Azure Services is useful in certain cases for on demand PaaS workloads where configuring a stable IP address is not possible. For example Azure Functions, Container Instances and Logic Apps.

    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#recommendation","title":"Recommendation","text":"

    Consider using a stable IP address or configure virtual network based firewall rules. Determine if access from Azure services is required for the services connecting to the hosted databases.

    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.AllowAzureAccess/#links","title":"Links","text":"
    • Connections from inside Azure
    • Network security
    ","tags":["Azure.SQL.AllowAzureAccess","AZR-000184"]},{"location":"en/rules/Azure.SQL.Auditing/","title":"Enable auditing for Azure SQL DB server","text":"Azure.SQL.AuditingAZR-000187Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Enable auditing for Azure SQL logical server.

    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#description","title":"Description","text":"

    Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.

    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#recommendation","title":"Recommendation","text":"

    Consider enabling auditing for each SQL Database logical server and review reports on a regular basis.

    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#examples","title":"Examples","text":"","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy logical servers that pass this rule:

    • Define a Microsoft.Sql/servers/auditingSettings sub-resource with each logical server.
    • Set the properties.state property to Enabled for the Microsoft.Sql/servers/auditingSettings sub-resource.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/auditingSettings\",\n\"apiVersion\": \"2022-08-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n\"properties\": {\n\"isAzureMonitorTargetEnabled\": true,\n\"state\": \"Enabled\",\n\"retentionDays\": 7,\n\"auditActionsAndGroups\": [\n\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n\"FAILED_DATABASE_AUTHENTICATION_GROUP\",\n\"BATCH_COMPLETED_GROUP\"\n]\n},\n\"dependsOn\": [\n\"server\"\n]\n}\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy logical servers that pass this rule:

    • Define a Microsoft.Sql/servers/auditingSettings sub-resource with each logical server.
    • Set the properties.state property to Enabled for the Microsoft.Sql/servers/auditingSettings sub-resource.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n\nresource sqlAuditSettings 'Microsoft.Sql/servers/auditingSettings@2022-08-01-preview' = {\n  name: 'default'\n  parent: server\n  properties: {\n    isAzureMonitorTargetEnabled: true\n    state: 'Enabled'\n    retentionDays: 7\n    auditActionsAndGroups: [\n      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'\n      'FAILED_DATABASE_AUTHENTICATION_GROUP'\n      'BATCH_COMPLETED_GROUP'\n    ]\n  }\n}\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az sql server audit-policy update -g '<resource_group>' -n '<server_name>' --state Enabled --bsts Enabled --storage-account '<storage_account_name>'\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlServerAudit -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -BlobStorageTargetState Enabled -StorageAccountResourceId '<storage_resource_id>'\n
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.Auditing/#links","title":"Links","text":"
    • Auditing for Azure SQL Database and Azure Synapse Analytics
    • Azure deployment reference
    ","tags":["Azure.SQL.Auditing","AZR-000187"]},{"location":"en/rules/Azure.SQL.DBName/","title":"Use valid SQL Database names","text":"Azure.SQL.DBNameAZR-000192Error

    Operational Excellence \u00b7 SQL Database \u00b7 Rule \u00b7 2020_12

    Azure SQL Database names should meet naming requirements.

    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL Database names are:

    • Between 1 and 128 characters long.
    • Letters, numbers, and special characters except: <>*%&:\\/?
    • Can't end with period or a space.
    • Azure SQL Database names must be unique for each logical server.

    The following reserved database names can not be used:

    • master
    • model
    • tempdb
    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#notes","title":"Notes","text":"

    This rule does not check if Azure SQL Database names are unique.

    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DBName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQL.DBName","AZR-000192"]},{"location":"en/rules/Azure.SQL.DefenderCloud/","title":"Use Advanced Threat Protection","text":"Azure.SQL.DefenderCloudAZR-000186Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Enable Microsoft Defender for Azure SQL logical server.

    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#description","title":"Description","text":"

    Enable Microsoft Defender for Azure SQL logical server.

    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider enabling Advanced Data Security and configuring Microsoft Defender for SQL logical servers.

    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet
    {\n\"comments\": \"Create or update an Azure SQL logical server.\",\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2019-06-01-preview\",\n\"name\": \"[parameters('serverName')]\",\n\"location\": \"[parameters('location')]\",\n\"tags\": \"[parameters('tags')]\",\n\"kind\": \"v12.0\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('adminUsername')]\",\n\"version\": \"12.0\",\n\"publicNetworkAccess\": \"[if(parameters('allowPublicAccess'), 'Enabled', 'Disabled')]\",\n\"administratorLoginPassword\": \"[parameters('adminPassword')]\",\n\"minimalTLSVersion\": \"1.2\"\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Sql/servers/securityAlertPolicies\",\n\"apiVersion\": \"2020-02-02-preview\",\n\"name\": \"[concat(parameters('serverName'), '/Default')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]\"\n],\n\"properties\": {\n\"state\": \"Enabled\"\n}\n}\n]\n}\n
    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlDatabaseThreatDetectionPolicy -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -StorageAccountName '<account_name>' -NotificationRecipientsEmails '<email>' -EmailAdmins $False\n
    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.DefenderCloud/#links","title":"Links","text":"
    • Advanced Threat Protection for Azure SQL Database
    • Microsoft Defender for SQL
    • Azure deployment reference
    ","tags":["Azure.SQL.DefenderCloud","AZR-000186"]},{"location":"en/rules/Azure.SQL.FGName/","title":"Use valid SQL failover group names","text":"Azure.SQL.FGNameAZR-000193Error

    Operational Excellence \u00b7 SQL Database \u00b7 Rule \u00b7 2020_12

    Azure SQL failover group names should meet naming requirements.

    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL failover group names are:

    • Between 1 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • SQL failover group names must be globally unique.
    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure SQL failover group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#notes","title":"Notes","text":"

    This rule does not check if Azure SQL failover group names are unique.

    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FGName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQL.FGName","AZR-000193"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/","title":"Limit SQL logical server firewall rule range","text":"Azure.SQL.FirewallIPRangeAZR-000185Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range).

    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#description","title":"Description","text":"

    Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common. This rule assesses the combined IP addresses from each Allowed IP firewall entry to check that the total allowed addresses is less than (10).

    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#recommendation","title":"Recommendation","text":"

    Reduce the size or count of the IP ranges set in the Firewall rules so that the total Allowed IPs are less than (10).

    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#example","title":"Example","text":"","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallIPRange/#links","title":"Links","text":"
    • Azure SQL Database and Azure Synapse IP firewall rules
    • Create and manage IP firewall rules
    ","tags":["Azure.SQL.FirewallIPRange","AZR-000185"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/","title":"Cleanup SQL logical server firewall rules","text":"Azure.SQL.FirewallRuleCountAZR-000183Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Determine if there is an excessive number of firewall rules.

    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#description","title":"Description","text":"

    Typically the number of firewall rules required is minimal, with management connectivity from on-premises and cloud application connectivity the most common.

    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#recommendation","title":"Recommendation","text":"

    The logical SQL Server has greater then ten (10) firewall rules. Some rules may not be needed.

    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.FirewallRuleCount/#links","title":"Links","text":"
    • Azure SQL Database and Azure Synapse IP firewall rules
    • Create and manage IP firewall rules
    ","tags":["Azure.SQL.FirewallRuleCount","AZR-000183"]},{"location":"en/rules/Azure.SQL.MinTLS/","title":"Azure SQL DB server minimum TLS version","text":"Azure.SQL.MinTLSAZR-000189Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_09

    Azure SQL Database servers should reject TLS versions older than 1.2.

    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure SQL Database servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2.

    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.minimalTlsVersion to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publicNetworkAccess\": \"Disabled\",\n\"minimalTlsVersion\": \"1.2\",\n\"administrators\": {\n\"azureADOnlyAuthentication\": true,\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('adminLogin')]\",\n\"principalType\": \"Group\",\n\"sid\": \"[parameters('adminPrincipalId')]\",\n\"tenantId\": \"[tenant().tenantId]\"\n}\n}\n}\n
    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy logical SQL Servers that pass this rule:

    • Set the properties.minimalTlsVersion to 1.2.

    For example:

    Azure Bicep snippet
    resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    publicNetworkAccess: 'Disabled'\n    minimalTlsVersion: '1.2'\n    administrators: {\n      azureADOnlyAuthentication: true\n      administratorType: 'ActiveDirectory'\n      login: adminLogin\n      principalType: 'Group'\n      sid: adminPrincipalId\n      tenantId: tenant().tenantId\n    }\n  }\n}\n
    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • Minimal TLS Version
    • Preparing for TLS 1.2 in Microsoft Azure
    • Azure deployment reference
    ","tags":["Azure.SQL.MinTLS","AZR-000189"]},{"location":"en/rules/Azure.SQL.ServerName/","title":"Use valid SQL logical server names","text":"Azure.SQL.ServerNameAZR-000190Error

    Operational Excellence \u00b7 SQL Database \u00b7 Rule \u00b7 2020_12

    Azure SQL logical server names should meet naming requirements.

    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL logical server names are:

    • Between 1 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • SQL logical server names must be globally unique.
    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#notes","title":"Notes","text":"

    This rule does not check if Azure SQL logical server names are unique.

    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.ServerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQL.ServerName","AZR-000190"]},{"location":"en/rules/Azure.SQL.TDE/","title":"Use SQL database TDE","text":"Azure.SQL.TDEAZR-000191Error

    Security \u00b7 SQL Database \u00b7 Rule \u00b7 2020_06

    Use Transparent Data Encryption (TDE) with Azure SQL Database.

    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#description","title":"Description","text":"

    TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is perform at rest without requiring changes to the application.

    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#recommendation","title":"Recommendation","text":"

    Consider enable Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.

    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#examples","title":"Examples","text":"","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/servers/databases\",\n\"apiVersion\": \"2020-08-01-preview\",\n\"name\": \"[variables('dbName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('sku')]\"\n},\n\"kind\": \"v12.0,user\",\n\"properties\": {\n\"collation\": \"SQL_Latin1_General_CP1_CI_AS\",\n\"maxSizeBytes\": \"[mul(parameters('maxSizeMB'), 1048576)]\",\n\"catalogCollation\": \"SQL_Latin1_General_CP1_CI_AS\",\n\"zoneRedundant\": false,\n\"readScale\": \"Disabled\",\n\"storageAccountType\": \"GRS\"\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n\"apiVersion\": \"2014-04-01\",\n\"name\": \"[concat(variables('dbName'), '/current')]\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('databaseName'))]\"\n],\n\"properties\": {\n\"status\": \"Enabled\"\n}\n}\n]\n}\n
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'\n
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled\n
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQL.TDE/#links","title":"Links","text":"
    • Transparent data encryption for SQL Database
    • Azure deployment reference
    ","tags":["Azure.SQL.TDE","AZR-000191"]},{"location":"en/rules/Azure.SQLMI.AAD/","title":"Use AAD authentication with SQL Managed Instance","text":"Azure.SQLMI.AADAZR-000368Error

    Security \u00b7 SQL Managed Instance \u00b7 Rule \u00b7 2023_03

    Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#description","title":"Description","text":"

    Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.

    By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    • Support for Azure Multi-Factor Authentication (MFA).
    • Conditional-based access with Conditional Access.

    Using Azure AD authentication requires an Azure AD administrator provisioned, if a instance does not have an Azure AD administrator, then Azure AD logins and users receive a Cannot connect to instance error.

    Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#recommendation","title":"Recommendation","text":"

    Consider using Azure Active Directory (AAD) authentication with SQL Managed Instance. Additionally, consider disabling SQL authentication.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#examples","title":"Examples","text":"

    An Azure AD administrator can be provisioned in two different ways.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('managedInstanceName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"administrators\": {\n\"administratorType\": \"ActiveDirectory\",\n\"azureADOnlyAuthentication\": true,\n\"login\": \"[parameters('login')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/administrators sub-resource. To deploy Microsoft.Sql/managedInstances/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances/administrators\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\":  \"[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]\",\n\"properties\": {\n\"administratorType\": \"ActiveDirectory\",\n\"login\": \"[parameters('login')]\",\n\"sid\": \"[parameters('sid')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n]\n}\n
    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.administratorType to ActiveDirectory.
    • Set the properties.administrators.login to the administrator login object name.
    • Set the properties.administrators.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/administrators sub-resource. To deploy Microsoft.Sql/managedInstances/administrators sub-resources that pass this rule:

    • Set the properties.administratorType to ActiveDirectory.
    • Set the properties.login to the administrator login object name.
    • Set the properties.sid to the object ID GUID of the administrator user, group, or application.

    For example:

    Azure Bicep snippet
    resource sqlAdministrator 'Microsoft.Sql/managedInstances//administrators@2022-05-01-preview' = {\n  parent: managedInstance\n  name: 'ActiveDirectory'\n  properties: {\n    administratorType: 'ActiveDirectory'\n    login: login\n    sid: sid\n  }\n}\n
    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#notes","title":"Notes","text":"

    If both the properties.administrators property and Microsoft.Sql/managedInstances/administrators are set, the sub-resoure will override the property.

    Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.

    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AAD/#links","title":"Links","text":"
    • Use modern password protection
    • Use Azure AD authentication
    • Configure and manage Azure AD authentication
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.SQLMI.AAD","AZR-000368"]},{"location":"en/rules/Azure.SQLMI.AADOnly/","title":"Azure AD-only authentication","text":"Azure.SQLMI.AADOnlyAZR-000366Error

    Security \u00b7 SQL Managed Instance \u00b7 Rule \u00b7 2023_03

    Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#description","title":"Description","text":"

    Azure SQL Managed Instance supports authentication with SQL logins and Azure AD authentication.

    By default, authentication with SQL logins is enabled. SQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

    Once you decide to use Azure AD authentication, you can disable authentication with SQL logins.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#recommendation","title":"Recommendation","text":"

    Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with SQL Managed Instance.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#examples","title":"Examples","text":"

    Azure AD-only authentication can be enabled in two different ways.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('managedInstanceName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {\n\"administratorLogin\": \"[parameters('administratorLogin')]\",\n\"administratorLoginPassword\": \"[parameters('administratorLoginPassword')]\",\n\"administrators\": {\n\"administratorType\": \"ActiveDirectory\",\n\"azureADOnlyAuthentication\": true,\n\"login\": \"[parameters('login')]\",\n\"principalType\": \"[parameters('principalType')]\",\n\"sid\": \"[parameters('sid')]\",\n\"tenantId\": \"[parameters('tenantId')]\"\n}\n}\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances/azureADOnlyAuthentications\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('managedInstanceName'), 'Default')]\",\n\"properties\": {\n\"azureADOnlyAuthentication\": true\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName'))]\"\n]\n}\n
    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set the properties.administrators.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {\n    administratorLogin: administratorLogin\n    administratorLoginPassword: administratorLoginPassword\n    administrators: {\n      administratorType: 'ActiveDirectory'\n      azureADOnlyAuthentication: true\n      login: login\n      principalType: principalType\n      sid: sid\n      tenantId: tenantId\n    }\n  }\n}\n

    Alternatively, you can configure the Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resource. To deploy Microsoft.Sql/managedInstances/azureADOnlyAuthentications sub-resources that pass this rule:

    • Set the properties.azureADOnlyAuthentication property to true.

    For example:

    Azure Bicep snippet
    resource aadOnly 'Microsoft.Sql/managedInstances/azureADOnlyAuthentications@2022-05-01-preview' = {\n  name: 'Default'\n  parent: managedInstance\n  properties: {\n    azureADOnlyAuthentication: true\n  }\n}\n
    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#notes","title":"Notes","text":"

    The Azure AD admin must be set before enabling Azure AD-only authentication. Managed identity is required to allow support for Azure AD authentication in SQL Managed Instance.

    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.AADOnly/#links","title":"Links","text":"
    • Use modern password protection
    • Azure AD-only authentication with Azure SQL Managed Instance
    • Configure and manage Azure AD authentication with Azure SQL Managed Instance
    • Azure Policy for Azure AD-only authentication with Azure SQL Managed Instance
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.SQLMI.AADOnly","AZR-000366"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/","title":"Managed identity","text":"Azure.SQLMI.ManagedIdentityAZR-000367Error

    Security \u00b7 SQL Managed Instance \u00b7 Rule \u00b7 2023_03

    Ensure managed identity is used to allow support for Azure AD authentication.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#description","title":"Description","text":"

    A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.

    You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance.

    Additionally, a managed identity is required for transparent data encryption with customer-managed key.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configure a managed identity to allow support for Azure AD authentication.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Sql/managedInstances\",\n\"apiVersion\": \"2022-05-01-preview\",\n\"name\": \"[parameters('managedInstanceName')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\",\n\"userAssignedIdentities\": {}\n},\n\"properties\": {}\n}\n
    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy SQL Managed Instances that pass this rule:

    • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
    • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {\n  name: appName\n  location: location\n  name: managedInstanceName\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n    userAssignedIdentities: {}\n  }\n  properties: {}\n}\n
    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#notes","title":"Notes","text":"

    To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.

    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities in Azure AD for Azure SQL Managed Instance
    • Azure deployment reference
    ","tags":["Azure.SQLMI.ManagedIdentity","AZR-000367"]},{"location":"en/rules/Azure.SQLMI.Name/","title":"Use valid SQL Managed Instance names","text":"Azure.SQLMI.NameAZR-000194Error

    Operational Excellence \u00b7 SQL Managed Instance \u00b7 Rule \u00b7 2020_12

    SQL Managed Instance names should meet naming requirements.

    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SQL Managed Instance names are:

    • Between 1 and 63 characters long.
    • Lowercase letters, numbers, and hyphens.
    • Can't start or end with a hyphen.
    • SQL Managed Instance names must be globally unique.
    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet SQL Managed Instance naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#notes","title":"Notes","text":"

    This rule does not check if SQL Managed Instance names are unique.

    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.SQLMI.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.SQLMI.Name","AZR-000194"]},{"location":"en/rules/Azure.Search.IndexSLA/","title":"Search index update SLA minimum replicas","text":"Azure.Search.IndexSLAAZR-000174Error

    Reliability \u00b7 Cognitive Search \u00b7 Rule \u00b7 2021_06

    Use a minimum of 3 replicas to receive an SLA for query and index updates.

    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#description","title":"Description","text":"

    Cognitive Search services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.

    Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.

    To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.

    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#recommendation","title":"Recommendation","text":"

    Consider increasing the number of replicas to a minimum of 3 to receive an SLA on index update requests.

    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#examples","title":"Examples","text":"","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 3.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 3.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.IndexSLA/#links","title":"Links","text":"
    • Resiliency checklist for specific Azure services
    • SLA for Azure Cognitive Search
    • Azure deployment reference
    ","tags":["Azure.Search.IndexSLA","AZR-000174"]},{"location":"en/rules/Azure.Search.ManagedIdentity/","title":"Search services uses a managed identity","text":"Azure.Search.ManagedIdentityAZR-000175Error

    Security \u00b7 Cognitive Search \u00b7 Rule \u00b7 2021_06

    Configure managed identities to access Azure resources.

    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#description","title":"Description","text":"

    Connections to Azure resources is required to use some features including indexing and customer managed-keys. Cognitive Search can use managed identities to authenticate to Azure resource without storing credentials.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Cognitive Search service. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the identity.type to SystemAssigned.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the identity.type to SystemAssigned.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • What are managed identities for Azure resources?
    • Connect a search service to other Azure resources using a managed identity
    • Make indexer connections to Azure Storage as a trusted service
    • Azure deployment reference
    ","tags":["Azure.Search.ManagedIdentity","AZR-000175"]},{"location":"en/rules/Azure.Search.Name/","title":"Use valid Cognitive Search service names","text":"Azure.Search.NameAZR-000176Error

    Operational Excellence \u00b7 Cognitive Search \u00b7 Rule \u00b7 2021_06

    Azure Cognitive Search service names should meet naming requirements.

    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Cognitive Search service names are:

    • Between 2 and 60 characters long.
    • Lowercase letters, numbers, and hyphens.
    • The first two and last one character must be a letter or a number.
    • Cognitive Search service names must be globally unique.
    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Azure Cognitive Search service naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#notes","title":"Notes","text":"

    This rule does not check if Azure Cognitive Search service names are unique.

    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • REST API reference
    • Define your naming convention
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.Search.Name","AZR-000176"]},{"location":"en/rules/Azure.Search.QuerySLA/","title":"Search query SLA minimum replicas","text":"Azure.Search.QuerySLAAZR-000173Error

    Reliability \u00b7 Cognitive Search \u00b7 Rule \u00b7 2021_06

    Use a minimum of 2 replicas to receive an SLA for index queries.

    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#description","title":"Description","text":"

    Cognitive Search services support indexing and querying. Indexing is the process of loading content into the service to make it searchable. Querying is the process where a client searches for content by sending queries to the index.

    Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and index updates to load balance across multiple replicas.

    To receive a Service Level Agreement (SLA) for Search index queries a minimum of 2 replicas is required.

    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#recommendation","title":"Recommendation","text":"

    Consider increasing the number of replicas to a minimum of 2 to receive an SLA on index query requests.

    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#examples","title":"Examples","text":"","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the replicaCount to a minimum of 2.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.QuerySLA/#links","title":"Links","text":"
    • Resiliency checklist for specific Azure services
    • SLA for Azure Cognitive Search
    • Azure deployment reference
    ","tags":["Azure.Search.QuerySLA","AZR-000173"]},{"location":"en/rules/Azure.Search.SKU/","title":"Cognitive Search minimum SKU","text":"Azure.Search.SKUAZR-000172Error

    Performance Efficiency \u00b7 Cognitive Search \u00b7 Rule \u00b7 2021_06

    Use the basic and standard tiers for entry level workloads.

    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#description","title":"Description","text":"

    Cognitive Search services using the Free tier run on resources shared across multiple subscribers. The Free tier is only suggested for limited small scale tests such as running code samples or tutorials.

    Running more demanding workloads on the Free tier may experience unpredictable performance or issues.

    To select a tier for your workload, estimate and test your required capacity.

    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#recommendation","title":"Recommendation","text":"

    Consider deploying Cognitive Search services using basic or higher tier.

    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#examples","title":"Examples","text":"","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the sku.name to a minimum of basic.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Search/searchServices\",\n\"apiVersion\": \"2022-09-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"standard\"\n},\n\"properties\": {\n\"replicaCount\": 3,\n\"partitionCount\": 1,\n\"hostingMode\": \"default\"\n}\n}\n
    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Cognitive Search services that pass this rule:

    • Set the sku.name to a minimum of basic.

    For example:

    Azure Bicep snippet
    resource search 'Microsoft.Search/searchServices@2022-09-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'standard'\n  }\n  properties: {\n    replicaCount: 3\n    partitionCount: 1\n    hostingMode: 'default'\n  }\n}\n
    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.Search.SKU/#links","title":"Links","text":"
    • Choose the right resources
    • SLA for Azure Cognitive Search
    • Estimate and manage capacity of an Azure Cognitive Search service
    • Azure deployment reference
    ","tags":["Azure.Search.SKU","AZR-000172"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/","title":"Audit Service Bus data plane access","text":"Azure.ServiceBus.AuditLogsAZR-000358Error

    Security \u00b7 Service Bus \u00b7 Rule \u00b7 2023_03

    Ensure namespaces audit diagnostic logs are enabled.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#description","title":"Description","text":"

    To capture logs that record data plane access operations (such as send or receive messages) in the service bus, diagnostic settings must be configured.

    When configuring diagnostic settings, enabled one of the following:

    • RuntimeAuditLogs category.
    • audit category group.
    • allLogs category group.

    Management operations for Service Bus is captured automatically within Azure Activity Logs.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#recommendation","title":"Recommendation","text":"

    Consider configuring diagnostic settings to record interactions with data of the Service Bus.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable RuntimeAuditLogs category or audit category group or allLogs category group.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ServiceBus/namespaces\",\n\"apiVersion\": \"2022-10-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"minimumTlsVersion\": \"1.2\"\n}\n},\n{\n\"type\": \"Microsoft.Insights/diagnosticSettings\",\n\"apiVersion\": \"2021-05-01-preview\",\n\"scope\": \"[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]\",\n\"name\": \"[parameters('diagName')]\",\n\"properties\": {\n\"workspaceId\": \"[parameters('workspaceId')]\",\n\"logs\": [\n{\n\"category\": \"RuntimeAuditLogs\",\n\"enabled\": true,\n\"retentionPolicy\": {\n\"days\": 0,\n\"enabled\": false\n}\n}\n]\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Deploy a diagnostic settings sub-resource (extension resource).
    • Enable RuntimeAuditLogs category or audit category group or allLogs category group.

    For example:

    Azure Bicep snippet
    resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Premium'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n\nresource nsDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n  name: diagName\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'RuntimeAuditLogs'\n        enabled: true\n        retentionPolicy: {\n          days: 0\n          enabled: false\n        }\n      }\n    ]\n  }\n  scope: ns\n}\n
    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#notes","title":"Notes","text":"

    This rule only applies to premium tier Service Bus instances. Runtime audit logs are currently available only in the Premium tier.

    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.AuditLogs/#links","title":"Links","text":"
    • Security audits
    • Monitoring Azure Service Bus data reference
    • Azure deployment reference
    ","tags":["Azure.ServiceBus.AuditLogs","AZR-000358"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/","title":"Use identity-based authentication for Service Bus namespaces","text":"Azure.ServiceBus.DisableLocalAuthAZR-000178Error

    Security \u00b7 Service Bus \u00b7 Rule \u00b7 2022_03

    Authenticate Service Bus publishers and consumers with Azure AD identities.

    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#description","title":"Description","text":"

    To publish or consume messages from Service Bus cryptographic keys, or Azure AD identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Azure AD authentication, the identity is validated against Azure AD. Using Azure AD identities centralizes identity management and auditing.

    Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens.

    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#recommendation","title":"Recommendation","text":"

    Consider only using Azure AD identities to publish or consume messages from Service Bus. Then disable authentication based on access keys or SAS tokens.

    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ServiceBus/namespaces\",\n\"apiVersion\": \"2021-11-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set the properties.disableLocalAuth property to true.

    For example:

    Azure Bicep snippet
    resource ns 'Microsoft.ServiceBus/namespaces@2021-11-01' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.DisableLocalAuth/#links","title":"Links","text":"
    • Use identity-based authentication
    • Service Bus authentication and authorization
    • Azure deployment reference
    ","tags":["Azure.ServiceBus.DisableLocalAuth","AZR-000178"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/","title":"Enforce namespaces to minimum use TLS 1.2 version","text":"Azure.ServiceBus.MinTLSAZR-000315Error

    Security \u00b7 Service Bus \u00b7 Rule \u00b7 2022_12

    Enforce namespaces to require that clients send and receive data with TLS 1.2 version.

    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#description","title":"Description","text":"

    Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS).

    Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS. If a Service Bus namespace requires a minimum version of TLS, then any requests made with an older version will fail.

    Important If you are using a service that connects to Azure Service Bus, make sure that that service is using the appropriate version of TLS to send requests to Azure Service Bus before you set the required minimum version for a Service Bus namespace.

    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider namespaces to require that clients send and receive data with TLS 1.2 version.

    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set properties.minimumTlsVersion to 1.2.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ServiceBus/namespaces\",\n\"apiVersion\": \"2022-01-01-preview\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"sku\": {\n\"name\": \"Standard\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"minimumTlsVersion\": \"1.2\"\n}\n}\n
    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Service Bus namespaces that pass this rule:

    • Set properties.minimumTlsVersion to 1.2.

    For example:

    Azure Bicep snippet
    @description('The name of the resource.')\nparam name string\n\n@description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n\nresource ns 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {\n  name: name\n  location: location\n  identity: {\n    type: 'SystemAssigned'\n  }\n  sku: {\n    name: 'Standard'\n  }\n  properties: {\n    disableLocalAuth: true\n    minimumTlsVersion: '1.2'\n  }\n}\n
    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.MinTLS/#links","title":"Links","text":"
    • Information protection and storage
    • Enforce a minimum requires version of TLS
    • Azure deployment reference
    ","tags":["Azure.ServiceBus.MinTLS","AZR-000315"]},{"location":"en/rules/Azure.ServiceBus.Usage/","title":"Remove unused Service Bus namespaces","text":"Azure.ServiceBus.UsageAZR-000177Error

    Cost Optimization \u00b7 Service Bus \u00b7 Rule \u00b7 2022_03

    Regularly remove unused resources to reduce costs.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#description","title":"Description","text":"

    Billing starts for a Standard or Premium Service Bus namespace after it is provisioned. To to receive messages you must first create at least one queue or topic. Namespaces without any queues or topics are considered unused.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#recommendation","title":"Recommendation","text":"

    Consider removing Service Bus namespaces that are not used.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed (in-flight) to Azure.

    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceBus.Usage/#links","title":"Links","text":"
    • Generate cost reports
    • Pricing
    ","tags":["Azure.ServiceBus.Usage","AZR-000177"]},{"location":"en/rules/Azure.ServiceFabric.AAD/","title":"Use AAD authentication with Service Fabric clusters","text":"Azure.ServiceFabric.AADAZR-000179Error

    Security \u00b7 Service Fabric \u00b7 Rule \u00b7 2021_03

    Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#description","title":"Description","text":"

    When deploying Service Fabric clusters on Azure, AAD can optionally be used to secure management endpoints. If configured, client authentication (client-to-node security) uses AAD. Additionally Azure Role-based Access Control (RBAC) can be used to delegate cluster access.

    For Service Fabric clusters running on Azure, AAD is recommended to secure access to management endpoints.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#recommendation","title":"Recommendation","text":"

    Consider enabling Azure Active Directory (AAD) client authentication for Service Fabric clusters.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#notes","title":"Notes","text":"

    For Linux clusters, AAD authentication must be configured at cluster creation time. Windows cluster can be updated to support AAD authentication after initial deployment.

    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.ServiceFabric.AAD/#links","title":"Links","text":"
    • Security recommendations
    • Set up Azure Active Directory for client authentication
    • Configure Azure Active Directory Authentication for Existing Cluster
    ","tags":["Azure.ServiceFabric.AAD","AZR-000179"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/","title":"Use managed identities for SignalR Services","text":"Azure.SignalR.ManagedIdentityAZR-000181Error

    Security \u00b7 SignalR Service \u00b7 Rule \u00b7 2022_03

    Configure SignalR Services to use managed identities to access Azure resources securely.

    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#description","title":"Description","text":"

    A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each SignalR Service. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/signalR\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"SignalR\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"features\": [\n{\n\"flag\": \"ServiceMode\",\n\"value\": \"Serverless\"\n}\n]\n}\n}\n
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities for Azure SignalR Service
    • Azure deployment reference
    ","tags":["Azure.SignalR.ManagedIdentity","AZR-000181"]},{"location":"en/rules/Azure.SignalR.Name/","title":"Use valid SignalR service names","text":"Azure.SignalR.NameAZR-000180Error

    Operational Excellence \u00b7 SignalR Service \u00b7 Rule \u00b7 2020_06

    SignalR service instance names should meet naming requirements.

    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for SignalR service names are:

    • Between 3 and 63 characters long.
    • Alphanumerics and hyphens.
    • Start with letter.
    • End with letter or number.
    • SignalR service names must be globally unique.
    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet SignalR service naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#notes","title":"Notes","text":"

    This rule does not check if SignalR service names are unique.

    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    ","tags":["Azure.SignalR.Name","AZR-000180"]},{"location":"en/rules/Azure.SignalR.SLA/","title":"Use an SLA for SignalR Services","text":"Azure.SignalR.SLAAZR-000182Error

    Reliability \u00b7 SignalR Service \u00b7 Rule \u00b7 2022_03

    Use SKUs that include an SLA when configuring SignalR Services.

    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#description","title":"Description","text":"

    When choosing a SKU for a SignalR Service you should consider the SLA that is included in the SKU. SignalR Services offer a range of SKU offerings:

    • Free - Are designed for early non-production use and do not include any SLA.
    • Standard - Are designed for production use and include an SLA.
    • Premium - Are designed for production use and include an SLA. Additional, Premium SKUs support increased resilience with Availablity Zones.
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#recommendation","title":"Recommendation","text":"

    Consider using a Standard or Premium SKU that includes an SLA.

    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#examples","title":"Examples","text":"","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1 or Premium_P1.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/signalR\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"kind\": \"SignalR\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true,\n\"features\": [\n{\n\"flag\": \"ServiceMode\",\n\"value\": \"Serverless\"\n}\n]\n}\n}\n
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1 or Premium_P1.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/signalR@2021-10-01' = {\n  name: name\n  location: location\n  kind: 'SignalR'\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n    features: [\n      {\n        flag: 'ServiceMode'\n        value: 'Serverless'\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.SignalR.SLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure SignalR Service pricing
    • Azure deployment reference
    ","tags":["Azure.SignalR.SLA","AZR-000182"]},{"location":"en/rules/Azure.Storage.BlobAccessType/","title":"Use private blob containers","text":"Azure.Storage.BlobAccessTypeAZR-000199Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2020_06

    Use containers configured with a private access type that requires authorization.

    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#description","title":"Description","text":"

    Azure Storage Account blob containers use the Private access type by default. Additional access types Blob and Container provide anonymous access to blobs without authorization. Blob and Container access types are not intended for access to customer data. When authorization is required, clients must use cryptographic keys or identity-based tokens to authenticate.

    Blob and Container access types are designed for public access scenarios. For example, storage of web assets like .css and .js files used in public websites.

    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#recommendation","title":"Recommendation","text":"

    To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.

    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Account blob containers that pass this rule:

    • Set the properties.publicAccess property to None.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts/blobServices/containers\",\n\"apiVersion\": \"2021-06-01\",\n\"name\": \"[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]\",\n\"properties\": {\n\"publicAccess\": \"None\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]\",\n\"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Account blob containers that pass this rule:

    • Set the properties.publicAccess property to None.

    For example:

    Azure Bicep snippet
    resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {\n  parent: blobService\n  name: containerName\n  properties: {\n    publicAccess: 'None'\n  }\n}\n
    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobAccessType/#links","title":"Links","text":"
    • Authentication with Azure AD
    • About anonymous public read access
    • Use Azure Policy to enforce authorized access
    • How a shared access signature works
    • Azure deployment reference
    ","tags":["Azure.Storage.BlobAccessType","AZR-000199"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/","title":"Disallow anonymous access to blob service","text":"Azure.Storage.BlobPublicAccessAZR-000198Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2020_09

    Storage Accounts should only accept authorized requests.

    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#description","title":"Description","text":"

    Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.

    Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#recommendation","title":"Recommendation","text":"

    Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#examples","title":"Examples","text":"","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.allowBlobPublicAccess property to false.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.allowBlobPublicAccess property to false.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.BlobPublicAccess/#links","title":"Links","text":"
    • Use Azure AD for storage authentication
    • Allow or disallow public read access for a storage account
    • Remediate anonymous public access
    • Use Azure Policy to enforce authorized access
    • Authorize access to blobs using Azure Active Directory
    • Azure deployment reference
    ","tags":["Azure.Storage.BlobPublicAccess","AZR-000198"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/","title":"Use container soft delete","text":"Azure.Storage.ContainerSoftDeleteAZR-000289Error

    Reliability \u00b7 Storage Account \u00b7 Rule \u00b7 2022_09

    Enable container soft delete on Storage Accounts.

    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#description","title":"Description","text":"

    Container soft delete protects your data from being accidentally or erroneously modified or deleted. When container soft delete is enabled for a storage account, a container and its contents may be recovered after it has been deleted, within a retention period that you specify.

    Blob container soft delete should be considered part of the strategy to protect and retain data. Also consider:

    • Implementing role-based access control (RBAC).
    • Configuring resource locks to protect against deletion.
    • Configuring blob soft delete.

    Blob containers can be configured to retain deleted containers for a period of time between 1 and 365 days.

    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling container soft delete on storage accounts to protect blob containers from accidental deletion or modification.

    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.containerDeleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.containerDeleteRetentionPolicy.days property to the number of days to retain blobs.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n\"properties\": {\n\"deleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n},\n\"containerDeleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.containerDeleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.containerDeleteRetentionPolicy.days property to the number of days to retain blobs.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days 7 -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -StorageAccountName '<name>' -RetentionDays 7\n
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

    Storage accounts with:

    • Hierarchical namespace enabled to not support blob soft delete.
    • Deployed as a FileStorage storage account do not support blob soft delete.
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.ContainerSoftDelete/#links","title":"Links","text":"
    • Data management for reliability
    • Storage Accounts and reliability
    • Soft delete for containers
    • Enable and manage soft delete for containers
    • Azure deployment reference
    ","tags":["Azure.Storage.ContainerSoftDelete","AZR-000289"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/","title":"Malware Scanning","text":"Azure.Storage.DefenderCloud.MalwareScanAZR-000384Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2023_06

    Enable Malware Scanning in Microsoft Defender for Storage.

    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#description","title":"Description","text":"

    Microsoft Defender for Storage provides additional security for storage accounts.

    One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

    Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

    Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

    This can be helpful when:

    • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)
    • To comply with compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.

    When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.

    Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. Defender for Storage settings on each storage account is inherited by the subscription level settings.

    It is also worth to mention that the resource level enablement can be useful when:

    • Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level.
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#recommendation","title":"Recommendation","text":"

    Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.

    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.malwareScanning.onUpload.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/DefenderForStorageSettings\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"current\",\n\"properties\": {\n\"isEnabled\": true,\n\"malwareScanning\": {\n\"onUpload\": {\n\"isEnabled\": true,\n\"capGBPerMonth\": 5000\n}\n},\n\"overrideSubscriptionLevelSettings\": false\n},\n\"scope\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\"\n}\n
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.malwareScanning.onUpload.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n\u202f properties: {\n\u202f \u202f isEnabled: true\n\u202f \u202f malwareScanning: {\n\u202f \u202f \u202f onUpload: {\n\u202f \u202f \u202f \u202f isEnabled: true\n\u202f \u202f \u202f \u202f capGBPerMonth: 5000\n\u202f \u202f \u202f }\n\u202f \u202f }\n\u202f \u202f overrideSubscriptionLevelSettings: false\n\u202f }\n}\n
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#notes","title":"Notes","text":"

    This feature is currently in preview.

    Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

    • When the plan is already enabled at the subscription level and the resource level override property overrideSubscriptionLevelSettings value is false, the resource level enablement will be ignored and the subscription level (plan) will still be used.
    • If the override property overrideSubscriptionLevelSettings value is true, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.
    • If there is no plan at the subscription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.MalwareScan/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Malware Scanning in Defender for Storage
    • Limitations
    • Setting up response to Malware Scanning
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    ","tags":["Azure.Storage.DefenderCloud.MalwareScan","AZR-000384"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/","title":"Sensitive data threat detection","text":"Azure.Storage.DefenderCloud.SensitiveDataAZR-000391Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2023_06

    Enable sensitive data threat detection in Microsoft Defender for Storage.

    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#description","title":"Description","text":"

    Sensitive data threat detection is an additional security feature for Microsoft Defender for Storage. When enabled, Defender for Storage provides alerts when sensitive data is discovered.

    The sensitive data threat detection capability helps teams:

    • Identify where sensitive data is stored.
    • Detect possible security incidents resulting in data exposure.

    When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for an organization by creating custom sensitive information types (SITs).

    Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.

    When overriding sensitive data threat detection on individual Storage Account it is possible to configure custom sensitive data threat detection settings that differ from the settings configured at the subscription level.

    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#recommendation","title":"Recommendation","text":"

    Consider enabling sensitive data threat detection using Microsoft Defender for Storage on the Storage Account. Additionally, consider enabling sensitive data threat detection for all Storage Accounts within a subscription.

    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.sensitiveDataDiscovery.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/DefenderForStorageSettings\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"current\",\n\"properties\": {\n\"sensitiveDataDiscovery\": {\n\"isEnabled\": true\n},\n\"overrideSubscriptionLevelSettings\": false\n},\n\"scope\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\"\n}\n
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.sensitiveDataDiscovery.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#notes","title":"Notes","text":"

    This feature is currently in preview. The following limitations currently apply for Microsoft Defender for Storage:

    • Only Storage Accounts with public network access set to enabled are supported.
    • Not all storage services within Storage Accounts are currently supported.
    • When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority. To override settings on a Storage Account, set the properties.overrideSubscriptionLevelSettings property to true.
    • If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud.SensitiveData/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Sensitive data threat detection in Defender for Storage
    • Support and prerequisites for data-aware security posture
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    ","tags":["Azure.Storage.DefenderCloud.SensitiveData","AZR-000391"]},{"location":"en/rules/Azure.Storage.DefenderCloud/","title":"Enable Microsoft Defender","text":"Azure.Storage.DefenderCloudAZR-000386Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2023_06

    Enable Microsoft Defender for Storage for storage accounts.

    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#description","title":"Description","text":"

    Microsoft Defender for Storage analyzes data and control plane logs from protected Storage Accounts, which allows Microsoft Defender for Cloud to surface findings with details of the security threats and contextual information.

    Additionally, Microsoft Defender for Storage provides security extensions to analyze data stored within Storage Accounts:

    • Anti-malware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
    • Sensitive data threat detection to find resources with sensitive data.

    Microsoft Defender for Storage can be enabled on a per subscription or per resource basis. Enabling at the subscription level is recommended because it protects current and future Storage Accounts. However, enabling at the resource level may be preferred for specific Storage Accounts that require custom settings.

    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#recommendation","title":"Recommendation","text":"

    Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts. Additionally, consider using Microsoft Defender for Storage to protect all storage accounts within a subscription.

    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#examples","title":"Examples","text":"","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy storage accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.isEnabled property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/DefenderForStorageSettings\",\n\"apiVersion\": \"2022-12-01-preview\",\n\"name\": \"current\",\n\"properties\": {\n\"isEnabled\": true,\n\"malwareScanning\": {\n\"onUpload\": {\n\"isEnabled\": true,\n\"capGBPerMonth\": 5000\n}\n},\n\"sensitiveDataDiscovery\": {\n\"isEnabled\": true\n},\n\"overrideSubscriptionLevelSettings\": false\n},\n\"scope\": \"[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]\"\n}\n
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy storage accounts that pass this rule:

    • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
    • Set the properties.isEnabled property to true.

    For example:

    Azure Bicep snippet
    resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {\n  name: 'current'\n  scope: storageAccount\n  properties: {\n    isEnabled: true\n    malwareScanning: {\n      onUpload: {\n        isEnabled: true\n        capGBPerMonth: 5000\n      }\n    }\n    sensitiveDataDiscovery: {\n      isEnabled: true\n    }\n    overrideSubscriptionLevelSettings: false\n  }\n}\n
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#notes","title":"Notes","text":"

    This rule is not processed by default. To enable this rule, set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration value to true.

    The following limitations currently apply for Microsoft Defender for Storage:

    • Malware scanning and sensitive data discovery are preview features.
    • Storage types supported are Blob Storage, Azure Files and Azure Data Lake Storage Gen2. Other storage types are not supported.
    • When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority. To override settings on a Storage Account, set the properties.overrideSubscriptionLevelSettings property to true.
    • If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override.
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.DefenderCloud/#links","title":"Links","text":"
    • Security operations in Azure
    • What is Microsoft Defender for Cloud?
    • Overview of Microsoft Defender for Storage
    • Enable and configure Microsoft Defender for Storage
    • Quickstart: Enable enhanced security features
    • Azure security baseline for Storage
    • DP-2: Monitor anomalies and threats targeting sensitive data
    • LT-1: Enable threat detection capabilities
    • Azure Policy built-in policy definitions
    ","tags":["Azure.Storage.DefenderCloud","AZR-000386"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/","title":"Use soft delete on files shares","text":"Azure.Storage.FileShareSoftDeleteAZR-000298Error

    Reliability \u00b7 Storage Account \u00b7 Rule \u00b7 2022_09

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#synopsis","title":"Synopsis","text":"

    Enable soft delete on Storage Accounts file shares.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#description","title":"Description","text":"

    Soft delete for Azure Files protects your shares from being accidentally deleted. This feature does not protect against individual files being deleted or modified. When soft delete is enabled for Azure Files on a Storage Account, a share and its contents may be recovered after it has been deleted, within a retention period that you specify.

    Soft delete on file shares should be considered part of the strategy to protect and retain data for Azure Files. Also consider:

    • Enabling Azure File Share Backup.
    • Implementing role-based access control (RBAC).

    Storage Accounts can be configured to retain deleted shares for a period of time between 1 and 365 days.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.shareDeleteRetentionPolicy.enabled property to true on the fileServices sub-resource.
    • Configure the properties.shareDeleteRetentionPolicy.days property to the number of days to retain deleted shares.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts/fileServices\",\n\"apiVersion\": \"2022-05-01\",\n\"name\": \"default\",\n\"properties\": {\n\"shareDeleteRetentionPolicy\": {\n\"days\": \"7\",\n\"enabled\": \"true\"\n}\n}\n}\n
    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.shareDeleteRetentionPolicy.enabled property to true on the fileServices sub-resource.
    • Configure the properties.shareDeleteRetentionPolicy.days property to the number of days to retain deleted shares.

    For example:

    Azure Bicep snippet
    resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    shareDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n
    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.FileShareSoftDelete/#links","title":"Links","text":"
    • Data management for reliability
    • Storage Accounts and reliability
    • Enable soft delete on Azure file shares
    • About Azure file share backup
    • Authorize access to file data
    • Azure deployment reference
    ","tags":["Azure.Storage.FileShareSoftDelete","AZR-000298"]},{"location":"en/rules/Azure.Storage.Firewall/","title":"Configure Azure Storage firewall","text":"Azure.Storage.FirewallAZR-000202Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2021_09

    Storage Accounts should only accept explicitly allowed traffic.

    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#description","title":"Description","text":"

    By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

    After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

    • Azure services on the trusted service list.
    • IP address or CIDR range.
    • Private endpoint connections.
    • Azure virtual network subnets with a Service Endpoint.
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#recommendation","title":"Recommendation","text":"

    Consider configuring storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#examples","title":"Examples","text":"","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.networkAcls.defaultAction property to Deny.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Azure storage firewall is not supported for Cloud Shell storage accounts.

    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.Firewall/#links","title":"Links","text":"
    • Public endpoints
    • Configure Azure Storage firewalls and virtual networks
    • Use private endpoints for Azure Storage
    • Persist files in Azure Cloud Shell
    • Azure deployment reference
    ","tags":["Azure.Storage.Firewall","AZR-000202"]},{"location":"en/rules/Azure.Storage.MinTLS/","title":"Storage Account minimum TLS version","text":"Azure.Storage.MinTLSAZR-000200Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2020_09

    Storage Accounts should reject TLS versions older than 1.2.

    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#description","title":"Description","text":"

    The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

    Storage Accounts let you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.

    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#recommendation","title":"Recommendation","text":"

    Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#examples","title":"Examples","text":"","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.MinTLS/#links","title":"Links","text":"
    • Data encryption in Azure
    • TLS encryption in Azure
    • Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
    • DP-3: Encrypt sensitive data in transit
    • Preparing for TLS 1.2 in Microsoft Azure
    • Use Azure Policy to enforce the minimum TLS version
    • Azure deployment reference
    ","tags":["Azure.Storage.MinTLS","AZR-000200"]},{"location":"en/rules/Azure.Storage.Name/","title":"Use valid storage account names","text":"Azure.Storage.NameAZR-000201Error

    Operational Excellence \u00b7 Storage Account \u00b7 Rule \u00b7 2020_06

    Storage Account names should meet naming requirements.

    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Storage Account names are:

    • Between 3 and 24 characters long.
    • Lowercase letters or numbers.
    • Storage Account names must be globally unique.
    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Storage Account naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#notes","title":"Notes","text":"

    This rule does not check if Storage Account names are unique.

    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.Storage.Name","AZR-000201"]},{"location":"en/rules/Azure.Storage.SecureTransfer/","title":"Enforce encrypted Storage connections","text":"Azure.Storage.SecureTransferAZR-000196Error

    Security \u00b7 Storage Account \u00b7 Rule \u00b7 2020_06

    Storage accounts should only accept encrypted connections.

    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#description","title":"Description","text":"

    Azure Storage Accounts can be configured to allow unencrypted connections. Unencrypted communication could allow disclosure of information to an untrusted party. Storage Accounts can be configured to require encrypted connections.

    To do this set the Secure transfer required option. When secure transfer required is enabled, attempts to connect to storage using HTTP or unencrypted SMB connections are rejected.

    Storage Accounts that are deployed with API version 2019-04-01 or newer have this option enabled by default. However, this does not prevent the option from being explicitly disabled.

    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#recommendation","title":"Recommendation","text":"

    Storage accounts should only accept secure traffic. Consider only accepting encrypted connections by setting the Secure transfer required option. Also consider using Azure Policy to audit or enforce this configuration.

    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#examples","title":"Examples","text":"","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • For API versions older than 2019-04-01, set the properties.supportsHttpsTrafficOnly property to true.
    • For API versions 2019-04-01 and newer:
      • Omit the properties.supportsHttpsTrafficOnly property OR
      • Explicitly set the properties.supportsHttpsTrafficOnly property to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • For API versions older than 2019-04-01, set the properties.supportsHttpsTrafficOnly property to true.
    • For API versions 2019-04-01 and newer:
      • Omit the properties.supportsHttpsTrafficOnly property OR
      • Explicitly set the properties.supportsHttpsTrafficOnly property to true.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SecureTransfer/#links","title":"Links","text":"
    • Data encryption in Azure
    • Require secure transfer in Azure Storage
    • DP-3: Encrypt sensitive data in transit
    • Sample policy for ensuring https traffic
    • Azure deployment reference
    ","tags":["Azure.Storage.SecureTransfer","AZR-000196"]},{"location":"en/rules/Azure.Storage.SoftDelete/","title":"Use blob soft delete","text":"Azure.Storage.SoftDeleteAZR-000197Error

    Reliability \u00b7 Storage Account \u00b7 Rule \u00b7 2020_06

    Enable blob soft delete on Storage Accounts.

    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#description","title":"Description","text":"

    Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.

    Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:

    • Implementing role-based access control (RBAC).
    • Configuring resource locks to protect against deletion.
    • Configuring blob container soft delete.

    Blobs can be configured to retain deleted blobs for a period of time between 1 and 365 days.

    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#recommendation","title":"Recommendation","text":"

    Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.

    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#examples","title":"Examples","text":"","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Storage/storageAccounts/blobServices\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'default')]\",\n\"properties\": {\n\"deleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n},\n\"containerDeleteRetentionPolicy\": {\n\"enabled\": true,\n\"days\": 7\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]\"\n]\n}\n]\n}\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
    • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  parent: storageAccount\n  name: 'default'\n  properties: {\n    deleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n    containerDeleteRetentionPolicy: {\n      enabled: true\n      days: 7\n    }\n  }\n}\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -AccountName '<name>' -RetentionDays 7\n
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#notes","title":"Notes","text":"

    Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

    Storage accounts with:

    • Hierarchical namespace enabled to not support blob soft delete.
    • Deployed as a FileStorage storage account do not support blob soft delete.
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.SoftDelete/#links","title":"Links","text":"
    • Data management for reliability
    • Storage Accounts and reliability
    • Soft delete for Azure Storage blobs
    • Blob storage features available in Azure Data Lake Storage Gen2
    • Azure deployment reference
    ","tags":["Azure.Storage.SoftDelete","AZR-000197"]},{"location":"en/rules/Azure.Storage.UseReplication/","title":"Use geo-replicated storage","text":"Azure.Storage.UseReplicationAZR-000195Error

    Reliability \u00b7 Storage Account \u00b7 Rule \u00b7 2020_06

    Storage Accounts not using geo-replicated storage (GRS) may be at risk.

    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#description","title":"Description","text":"

    Storage Accounts can be configured with several different durability options. Azure provides a number of geo-replicated options including; Geo-redundant storage and geo-zone-redundant storage. Geo-zone-redundant storage is only available in supported regions.

    The following geo-replicated options are available within Azure:

    • Standard_GRS
    • Standard_RAGRS
    • Standard_GZRS
    • Standard_RAGZRS
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#recommendation","title":"Recommendation","text":"

    Consider using GRS for storage accounts that contain data.

    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#examples","title":"Examples","text":"","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2023-01-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_GRS\"\n},\n\"kind\": \"StorageV2\",\n\"properties\": {\n\"allowBlobPublicAccess\": false,\n\"supportsHttpsTrafficOnly\": true,\n\"minimumTlsVersion\": \"TLS1_2\",\n\"accessTier\": \"Hot\",\n\"allowSharedKeyAccess\": false,\n\"networkAcls\": {\n\"defaultAction\": \"Deny\"\n}\n}\n}\n
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Storage Accounts that pass this rule:

    • Set the sku.name property to a geo-replicated SKU. Such as Standard_GRS.

    For example:

    Azure Bicep snippet
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_GRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowBlobPublicAccess: false\n    supportsHttpsTrafficOnly: true\n    minimumTlsVersion: 'TLS1_2'\n    accessTier: 'Hot'\n    allowSharedKeyAccess: false\n    networkAcls: {\n      defaultAction: 'Deny'\n    }\n  }\n}\n
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#notes","title":"Notes","text":"

    This rule is not applicable for premium storage accounts. Storage Accounts with the following tags are automatically excluded from this rule:

    • ms-resource-usage = 'azure-cloud-shell' - Storage Accounts used for Cloud Shell are not intended to store data. This tag is applied by Azure to Cloud Shell Storage Accounts by default.
    • resource-usage = 'azure-functions' - Storage Accounts used for Azure Functions. This tag can be optionally configured.
    • resource-usage = 'azure-monitor' - Storage Accounts used by Azure Monitor are intended for diagnostic logs. This tag can be optionally configured.
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Storage.UseReplication/#links","title":"Links","text":"
    • Meet application platform requirements
    • Azure Storage redundancy
    • Azure deployment reference
    ","tags":["Azure.Storage.UseReplication","AZR-000195"]},{"location":"en/rules/Azure.Template.DebugDeployment/","title":"Disable debugging of nested deployments","text":"Azure.Template.DebugDeploymentAZR-000225Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Use default deployment detail level for nested deployments.

    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#description","title":"Description","text":"

    When creating Azure template, nested deployments can be created with debugging settings enabled. Deployment debugging detail is intended for troubleshooting deployments during development. Debugging settings may log sensitive values. Use caution when using this setting to debug of nested deployments.

    To reduce nested deployment detail, remove or configure the properties.debugSetting.detailLevel property to none for nested deployments.

    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#recommendation","title":"Recommendation","text":"

    Consider disabling debugging of nested deployments before release.

    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DebugDeployment/#links","title":"Links","text":"
    • Troubleshoot deployment errors
    • DebugSetting
    • Release deployment
    ","tags":["Azure.Template.DebugDeployment","AZR-000225"]},{"location":"en/rules/Azure.Template.DefineParameters/","title":"Define template parameters","text":"Azure.Template.DefineParametersAZR-000218Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters.

    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#description","title":"Description","text":"

    Azure templates support parameters, which are inputs you can specify when deploying the template resources. Each template can support up to 256 parameters.

    When defining template parameters:

    • Minimize the number of parameters that require input by specifying a defaultValue.
    • Use parameters for resource names and deployment locations.
    • Use variables or literal resource properties for values that don't change.
    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#recommendation","title":"Recommendation","text":"

    Consider defining a minimal number of parameters to make the template reusable.

    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#examples","title":"Examples","text":"","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • Define at least one parameter.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"name\": \"Managed Identity\",\n\"description\": \"Create or update a Managed Identity.\"\n},\n\"parameters\": {\n\"identityName\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The name of the Managed Identity.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The Azure region to deploy to.\",\n\"example\": \"eastus\"\n}\n},\n\"tags\": {\n\"type\": \"object\",\n\"metadata\": {\n\"description\": \"Tags to apply to the resource.\",\n\"example\": {\n\"service\": \"app1\",\n\"env\": \"prod\"\n}\n}\n}\n},\n\"variables\": {\n\"tenantId\": \"[subscription().tenantId]\"\n},\n\"resources\": [\n{\n\"comments\": \"Create or update a Managed Identity\",\n\"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n\"apiVersion\": \"2018-11-30\",\n\"name\": \"[parameters('identityName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"tenantId\": \"[variables('tenantId')]\"\n},\n\"tags\": \"[parameters('tags')]\"\n}\n]\n}\n
    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#notes","title":"Notes","text":"

    This rule is not applicable and ignored for templates generated with Bicep, PSArm and AzOps. Generated templates from these tools may not require any parameters to be set.

    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.DefineParameters/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.DefineParameters","AZR-000218"]},{"location":"en/rules/Azure.Template.ExpressionLength/","title":"Template expressions should not exceed a maximum length","text":"Azure.Template.ExpressionLengthAZR-000228Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_12

    Template expressions should not exceed the maximum length.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#description","title":"Description","text":"

    Extremely long expressions may be difficult to read and debug. Avoid using expressions that exceed 24,576 characters in length.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#recommendation","title":"Recommendation","text":"

    Consider updating the expression to reduce complexity and length.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#notes","title":"Notes","text":"

    This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.

    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.ExpressionLength/#links","title":"Links","text":"
    • Deployment considerations for DevOps
    • Template limits
    ","tags":["Azure.Template.ExpressionLength","AZR-000228"]},{"location":"en/rules/Azure.Template.LocationDefault/","title":"Default to resource group location","text":"Azure.Template.LocationDefaultAZR-000220Error

    Reliability \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Set the default value for the location parameter within an ARM template to resource group location.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#description","title":"Description","text":"

    In the event of a regional outage in the resource group location, you will be unable to control resources inside that resource group, regardless of what region those resources are actually in. Resources for regional services should be deployed into a resource group on the same region.

    When authoring templates, the resource group location should be the default resource location. This approach minimizes the number of times users are asked to provide location information.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#recommendation","title":"Recommendation","text":"

    Consider updating the location parameter to use [resourceGroup().location] as the default value.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • If the location parameter is specified, it should be set to [resourceGroup().location].

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"nsg-001\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"deny-hop-outbound\",\n\"properties\": {\n\"priority\": 200,\n\"access\": \"Deny\",\n\"protocol\": \"Tcp\",\n\"direction\": \"Outbound\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#configure-with-bicep","title":"Configure with Bicep","text":"

    To author bicep source files that pass this rule:

    • If the location parameter is specified, it should be set to resourceGroup().location.

    For example:

    Azure Bicep snippet
    @description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n
    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#notes","title":"Notes","text":"

    This rule ignores templates using tenant, Management Group, and Subscription deployment schemas. Deployment to these scopes does not occur against a resource group.

    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationDefault/#links","title":"Links","text":"
    • ARM template best practices
    • Operating in multiple regions
    • Resource group
    ","tags":["Azure.Template.LocationDefault","AZR-000220"]},{"location":"en/rules/Azure.Template.LocationType/","title":"Use type string for location parameters","text":"Azure.Template.LocationTypeAZR-000221Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Location parameters should use a string value.

    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#description","title":"Description","text":"

    The template parameter location is a standard parameter recommended for deployment templates. The location parameter is a intended for specifying the deployment location of the primary resource. When including location parameters in templates use the type string.

    Additionally, the template may include other resources. Use the location parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information.

    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#recommendation","title":"Recommendation","text":"

    Consider updating the location parameter to be of type string.

    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#examples","title":"Examples","text":"","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • If the location parameter is specified, it should be set to a string type.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The location resources will be deployed.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Network/networkSecurityGroups\",\n\"apiVersion\": \"2021-02-01\",\n\"name\": \"nsg-001\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"securityRules\": [\n{\n\"name\": \"deny-hop-outbound\",\n\"properties\": {\n\"priority\": 200,\n\"access\": \"Deny\",\n\"protocol\": \"Tcp\",\n\"direction\": \"Outbound\",\n\"sourceAddressPrefix\": \"VirtualNetwork\",\n\"destinationAddressPrefix\": \"*\",\n\"destinationPortRanges\": [\n\"3389\",\n\"22\"\n]\n}\n}\n]\n}\n}\n]\n}\n
    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#configure-with-bicep","title":"Configure with Bicep","text":"

    To author bicep source files that pass this rule:

    • If the location parameter is specified, it should be set to a string type.

    For example:

    Azure Bicep snippet
    @description('The location resources will be deployed.')\nparam location string = resourceGroup().location\n
    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.LocationType/#links","title":"Links","text":"
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.LocationType","AZR-000221"]},{"location":"en/rules/Azure.Template.MetadataLink/","title":"Use parameter file metadata link","text":"Azure.Template.MetadataLinkAZR-000231Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_09

    Configure a metadata link for each parameter file.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#description","title":"Description","text":"

    A parameter file can include an additional metadata. This metadata provides additional context for use of the parameter file.

    PSRule for Azure uses the metadata.template property within parameter files to store a metadata link. A metadata link, is an explicit association between a parameter file it's intended template file.

    This rule is disabled by default but can be enabled by configuring AZURE_PARAMETER_FILE_METADATA_LINK. Enable this rule to ensure that each parameter file has a metadata link to a valid template file.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#recommendation","title":"Recommendation","text":"

    Consider setting metadata for each parameter file linking to the deployment template.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#examples","title":"Examples","text":"","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#configure-parameter-file","title":"Configure parameter file","text":"

    To create parameter files that pass this rule:

    • Set the metadata.template property to a valid template file path.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"templates/storage/v1/template.json\"\n},\n\"parameters\": {\n\"storageAccountName\": {\n\"value\": \"...\"\n}\n}\n}\n
    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#notes","title":"Notes","text":"

    Enable this rule by setting the AZURE_PARAMETER_FILE_METADATA_LINK option to true.

    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.MetadataLink/#links","title":"Links","text":"
    • Using templates
    ","tags":["Azure.Template.MetadataLink","AZR-000231"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/","title":"Default should match type","text":"Azure.Template.ParameterDataTypesAZR-000226Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Set the parameter default value to a value of the same type.

    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#description","title":"Description","text":"

    Azure Resource Manager (ARM) template support parameters with a range of types, including:

    • bool
    • int
    • string
    • array
    • object
    • secureString
    • secureObject

    When including a defaultValue, the default value should match the same type at the type property. For example:

    Azure Template snippet
    {\n\"boolParam\": {\n\"type\": \"bool\",\n\"defaultValue\": false\n},\n\"intParam\": {\n\"type\": \"int\",\n\"defaultValue\": 5\n},\n\"stringParam\": {\n\"type\": \"string\",\n\"defaultValue\": \"test-rg\"\n},\n\"arrayParam\": {\n\"type\": \"array\",\n\"defaultValue\": [ 1, 2, 3 ]\n},\n\"objectParam\": {\n\"type\": \"object\",\n\"defaultValue\": {\n\"one\": \"a\",\n\"two\": \"b\"\n}\n}\n}\n
    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#recommendation","title":"Recommendation","text":"

    Consider updating the parameter default value to a value of the same type.

    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterDataTypes/#links","title":"Links","text":"
    • Data types
    • Release deployment
    ","tags":["Azure.Template.ParameterDataTypes","AZR-000226"]},{"location":"en/rules/Azure.Template.ParameterFile/","title":"Use ARM parameter file structure","text":"Azure.Template.ParameterFileAZR-000229Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2020_06

    Use ARM template parameter files that are valid.

    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#description","title":"Description","text":"

    Azure Resource Manager (ARM) template parameter files have a pre-defined structure. ARM template parameter files require $schema, contentVersion and parameters sections to be defined. If any of these sections are missing, ARM will not accept the parameter file.

    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#recommendation","title":"Recommendation","text":"

    Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.

    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterFile/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for parameter files
    • Create Resource Manager parameter file
    • Parameters in Azure Resource Manager templates
    ","tags":["Azure.Template.ParameterFile","AZR-000229"]},{"location":"en/rules/Azure.Template.ParameterMetadata/","title":"Use template parameter descriptions","text":"Azure.Template.ParameterMetadataAZR-000215Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2020_09

    Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter.

    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#description","title":"Description","text":"

    ARM templates supports an additional metadata description to be added to each parameter. The parameter description is visible in Azure when using portal deployment pages. Additionally, descriptions provide context for people editing template and parameter files.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"storageAccountType\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The type of the new storage account created to store the VM disks.\"\n}\n}\n}\n}\n
    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#recommendation","title":"Recommendation","text":"

    Consider defining a metadata description for each template parameter.

    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMetadata/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.ParameterMetadata","AZR-000215"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/","title":"Use minValue and maxValue with correct type","text":"Azure.Template.ParameterMinMaxValueAZR-000224Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Template parameters minValue and maxValue constraints must be valid.

    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#description","title":"Description","text":"

    When defining Azure template parameters the minValue or maxValue constraints can be added to parameters. These constraints are only valid for parameters using the int type. When configuring minValue and maxValue an integer must be used.

    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#recommendation","title":"Recommendation","text":"

    Consider updating parameter definitions using minValue or maxValue. When using minValue or maxValue these values must be integers and only apply to int parameters.

    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterMinMaxValue/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.ParameterMinMaxValue","AZR-000224"]},{"location":"en/rules/Azure.Template.ParameterScheme/","title":"Use a https template parameter file schema","text":"Azure.Template.ParameterSchemeAZR-000230Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_09

    Use an Azure template parameter file schema with the https scheme.

    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#description","title":"Description","text":"

    JSON schemas are used to validate the structure of Azure template parameter files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by schema.management.azure.com the http scheme redirects to https.

    While http://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json# points to a file. All supported Azure template parameter schemas use the https scheme.

    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#recommendation","title":"Recommendation","text":"

    Consider using a schema with the https scheme.

    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template parameter files that pass this rule:

    • Configure the template parameter schema to a supported schema with the https:// URI prefix, such as https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": { }\n}\n
    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterScheme/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for parameter files
    • Create Resource Manager parameter file
    ","tags":["Azure.Template.ParameterScheme","AZR-000230"]},{"location":"en/rules/Azure.Template.ParameterStrongType/","title":"Parameter value should match strong type","text":"Azure.Template.ParameterStrongTypeAZR-000227Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_12

    Set the parameter value to a value that matches the specified strong type.

    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#description","title":"Description","text":"

    Template string parameters can optionally specify a strong type. When parameter files are expanded, if the parameter value does not match the type this rule fails. Support is provided by PSRule for Azure for the following types:

    • Resource type - Specify a resource type. For example Microsoft.OperationalInsights/workspaces. If a resource type is specified the parameter value must be a resource id of that type.
    • Location - Specify location as the strong type. If location is specified, the parameter value must be a valid Azure location.
    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#recommendation","title":"Recommendation","text":"

    Consider updating the parameter value to a value that matches the specifed strong type.

    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterStrongType/#links","title":"Links","text":"
    • Deployment considerations for DevOps
    • Strong type
    ","tags":["Azure.Template.ParameterStrongType","AZR-000227"]},{"location":"en/rules/Azure.Template.ParameterValue/","title":"Specify a value for each parameter","text":"Azure.Template.ParameterValueAZR-000232Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_09

    Specify a value for each parameter in template parameter files.

    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#description","title":"Description","text":"

    When defining a template parameter file:

    • Uou must specify a value for each parameter in the file.
    • If the parameter is optional, you can omit the parameter from the file.
    • If the parameter is required, you must specify a value for the parameter.
    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#recommendation","title":"Recommendation","text":"

    Consider defining a value for each parameter in the template parameter file.

    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#examples","title":"Examples","text":"","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template parameter files that pass this rule:

    • Set a value for each parameter specified in the file.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"parameter1\": {\n\"value\": \"value1\"\n},\n\"parameter2\": {\n\"value\": []\n}\n}\n}\n
    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ParameterValue/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for parameter files
    • Create Resource Manager parameter file
    • Parameters in Azure Resource Manager templates
    ","tags":["Azure.Template.ParameterValue","AZR-000232"]},{"location":"en/rules/Azure.Template.ResourceLocation/","title":"Use a location parameter for regional resources","text":"Azure.Template.ResourceLocationAZR-000222Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Template resource location should be an expression or global.

    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#description","title":"Description","text":"

    The template parameter location is a standard parameter recommended for deployment templates. The location parameter is a intended for specifying the deployment location of the primary resource.

    When defining a resource that requires a location, use the location parameter. For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"name\": \"[parameters('VNETName')]\",\n\"apiVersion\": \"2020-06-01\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n

    Additionally, the template may include other resources. Use the location parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.

    For non-regional resources such as Front Door and DNS Zones specify a literal location global.

    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#recommendation","title":"Recommendation","text":"

    Consider updating the resource location property to use [parameters('location)].

    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.ResourceLocation/#links","title":"Links","text":"
    • ARM template best practices
    • Release deployment
    • Parameters
    ","tags":["Azure.Template.ResourceLocation","AZR-000222"]},{"location":"en/rules/Azure.Template.Resources/","title":"Include a template resource","text":"Azure.Template.ResourcesAZR-000216Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2020_09

    Each Azure Resource Manager (ARM) template file should deploy at least one resource.

    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#description","title":"Description","text":"

    An ARM template file is used to create or update one or more Azure resources. The resources property of an ARM template includes a definition of the resources to deploy.

    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#recommendation","title":"Recommendation","text":"

    Consider removing Azure template files that do not deploy any resources.

    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.Resources/#links","title":"Links","text":"
    • Resources
    • Tutorial: Create and deploy your first ARM template
    • Release deployment
    ","tags":["Azure.Template.Resources","AZR-000216"]},{"location":"en/rules/Azure.Template.TemplateFile/","title":"Use ARM template file structure","text":"Azure.Template.TemplateFileAZR-000212Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2020_06

    Use ARM template files that are valid.

    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#description","title":"Description","text":"

    Azure Resource Manager (ARM) template files have a pre-defined structure. ARM templates require $schema, contentVersion and resources sections to be defined. If any of these sections are missing, ARM will not accept the template.

    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#recommendation","title":"Recommendation","text":"

    Consider reviewing the requirements for this file. Also consider using Visual Studio Code to assist with authoring these files.

    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateFile/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Template file structure
    • Define resources in Azure Resource Manager templates
    ","tags":["Azure.Template.TemplateFile","AZR-000212"]},{"location":"en/rules/Azure.Template.TemplateSchema/","title":"Use a recent template schema version","text":"Azure.Template.TemplateSchemaAZR-000213Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_09

    Use a more recent version of the Azure template schema.

    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#description","title":"Description","text":"

    The JSON schemas used to define Azure templates are versioned. When defining templates use templates with a supported schema.

    The following template schemas are deprecated:

    • https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#
    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#recommendation","title":"Recommendation","text":"

    Consider using a more recent schema version for Azure template files.

    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template files that pass this rule:

    • Configure the template schema to one of the following:
      • https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#
      • https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#
      • https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#
      • https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": { },\n\"functions\": [],\n\"resources\": [ ]\n}\n
    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateSchema/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for ARM templates
    • Template file structure
    ","tags":["Azure.Template.TemplateSchema","AZR-000213"]},{"location":"en/rules/Azure.Template.TemplateScheme/","title":"Use a https template file schema","text":"Azure.Template.TemplateSchemeAZR-000214Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_09

    Use an Azure template file schema with the https scheme.

    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#description","title":"Description","text":"

    JSON schemas are used to validate the structure of Azure template files. The JSON schema specification permits schemas to use https or http schemes. When using referencing schemas served by schema.management.azure.com the http scheme redirects to https.

    While http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json# points to a file. All supported Azure template schemas use the https scheme.

    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#recommendation","title":"Recommendation","text":"

    Consider using a schema with the https scheme.

    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#examples","title":"Examples","text":"","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template files that pass this rule:

    • Configure the template schema to a supported schema with the https:// URI prefix, such as https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": { },\n\"functions\": [],\n\"resources\": [ ]\n}\n
    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.TemplateScheme/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Test cases for ARM templates
    • Template file structure
    ","tags":["Azure.Template.TemplateScheme","AZR-000214"]},{"location":"en/rules/Azure.Template.UseComments/","title":"Use comments for each ARM template resource","text":"Azure.Template.UseCommentsAZR-000234Information

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_12

    Use comments for each resource in ARM template to communicate purpose.

    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#description","title":"Description","text":"

    ARM templates can optionally include comments in resources. This helps other contributors understand the purpose of the resource.

    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#recommendation","title":"Recommendation","text":"

    Specify comments for each resource in the template.

    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#examples","title":"Examples","text":"","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template files that pass this rule:

    • Specify comments for each resource in the template.

    For example:

    Azure Template snippet
    \"resources\": [\n{\n\"name\": \"[variables('storageAccountName')]\",\n\"type\": \"Microsoft.Storage/storageAccounts\",\n\"apiVersion\": \"2019-06-01\",\n\"location\": \"[resourceGroup().location]\",\n\"comments\": \"This storage account is used to store the VM disks.\",\n...\n}\n]\n
    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseComments/#links","title":"Links","text":"
    • Better understand your cloud resources
    • ARM template best practices
    ","tags":["Azure.Template.UseComments","AZR-000234"]},{"location":"en/rules/Azure.Template.UseDescriptions/","title":"Use comments for each generated template resource","text":"Azure.Template.UseDescriptionsAZR-000235Information

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_12

    Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose.

    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#description","title":"Description","text":"

    Generated templates can optionally include descriptions in resources. This helps other contributors understand the purpose of the resource.

    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#recommendation","title":"Recommendation","text":"

    Specify descriptions for each resource in the template.

    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#examples","title":"Examples","text":"","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To define Bicep template files that pass this rule:

    • Specify the @description() or @sys.description() decorator for each resource in the template.

    For example:

    Azure Bicep snippet
    // An example container registry\n@description('abc')\nresource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseDescriptions/#links","title":"Links","text":"
    • Better understand your cloud resources
    • Decorators
    ","tags":["Azure.Template.UseDescriptions","AZR-000235"]},{"location":"en/rules/Azure.Template.UseLocationParameter/","title":"Use a location parameter to specify resource location","text":"Azure.Template.UseLocationParameterAZR-000223Warning

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_03

    Template should reference a location parameter to specify resource location.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#description","title":"Description","text":"

    The template parameter location is a standard parameter recommended for deployment templates. The location parameter is a intended for specifying the deployment location of the primary resource.

    When defining a resource that requires a location, use the location parameter. For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"name\": \"[parameters('VNETName')]\",\n\"apiVersion\": \"2020-06-01\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {}\n}\n

    Additionally, the template may include other resources. Use the location parameter value for resources that are likely to be in the same location. This approach minimizes the number of times users are asked to provide location information. For resources that aren't available in all locations, use a separate parameter.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#recommendation","title":"Recommendation","text":"

    Consider using parameters('location) instead of resourceGroup().location. Using a location parameter enabled users of the template to specify the location of deployed resources.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#examples","title":"Examples","text":"","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To author templates that pass this rule:

    • Define a parameter named location.
    • Set the location of any deployed resources to [parameters('location')].

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"name\": \"Managed Identity\",\n\"description\": \"Create or update a Managed Identity.\"\n},\n\"parameters\": {\n\"identityName\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"The name of the Managed Identity.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"The Azure region to deploy to.\",\n\"example\": \"eastus\"\n}\n},\n\"tags\": {\n\"type\": \"object\",\n\"metadata\": {\n\"description\": \"Tags to apply to the resource.\",\n\"example\": {\n\"service\": \"app1\",\n\"env\": \"prod\"\n}\n}\n}\n},\n\"variables\": {\n\"tenantId\": \"[subscription().tenantId]\"\n},\n\"resources\": [\n{\n\"comments\": \"Create or update a Managed Identity\",\n\"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n\"apiVersion\": \"2018-11-30\",\n\"name\": \"[parameters('identityName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"tenantId\": \"[variables('tenantId')]\"\n},\n\"tags\": \"[parameters('tags')]\"\n}\n]\n}\n
    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#notes","title":"Notes","text":"

    This rule is not applicable and ignored for templates generated with Bicep, PSArm, and AzOps. Generated templates from these tools may not require any parameters to be set.

    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseLocationParameter/#links","title":"Links","text":"
    • ARM template best practices
    • Parameters
    • Release deployment
    ","tags":["Azure.Template.UseLocationParameter","AZR-000223"]},{"location":"en/rules/Azure.Template.UseParameters/","title":"Remove unused template parameters","text":"Azure.Template.UseParametersAZR-000217Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2020_09

    Each Azure Resource Manager (ARM) template parameter should be used or removed from template files.

    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#description","title":"Description","text":"

    ARM templates can optionally define parameters that can be reused throughout the template. Parameters that are not used may make template use more complex for no benefit.

    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#recommendation","title":"Recommendation","text":"

    Consider removing unused parameters from Azure template files.

    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseParameters/#links","title":"Links","text":"
    • Parameters
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.UseParameters","AZR-000217"]},{"location":"en/rules/Azure.Template.UseVariables/","title":"Remove unused template variables","text":"Azure.Template.UseVariablesAZR-000219Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2020_09

    Each Azure Resource Manager (ARM) template variable should be used or removed from template files.

    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#description","title":"Description","text":"

    ARM templates can optionally define variables that can be reused throughout the template. Variables that are not used may add template complexity for no benefit.

    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#recommendation","title":"Recommendation","text":"

    Consider removing unused variables from Azure template files.

    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.UseVariables/#links","title":"Links","text":"
    • Variables
    • ARM template best practices
    • Release deployment
    ","tags":["Azure.Template.UseVariables","AZR-000219"]},{"location":"en/rules/Azure.Template.ValidSecretRef/","title":"Use a valid secret reference","text":"Azure.Template.ValidSecretRefAZR-000233Error

    Operational Excellence \u00b7 All resources \u00b7 Rule \u00b7 2021_09

    Use a valid secret reference within parameter files.

    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#description","title":"Description","text":"

    When referencing secrets in a template parameter file:

    • The secret reference must be a valid Azure resource ID Key Vault.
    • A secret name must be specified.
    • An optional secret version can be specified.
    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#recommendation","title":"Recommendation","text":"

    Check the secret value Key Vault reference is valid.

    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#examples","title":"Examples","text":"","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To define Azure template parameter files that pass this rule:

    • When a secret is referenced from Key Vault, provide a valid resource ID and secret name.

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"gatewayName\": {\n\"value\": \"gateway-A\"\n},\n\"sku\": {\n\"value\": \"VpnGw1\"\n},\n\"subnetId\": {\n\"value\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet\"\n},\n\"sharedKey\": {\n\"reference\": {\n\"keyVault\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001\"\n},\n\"secretName\": \"valid-secret\"\n}\n}\n}\n}\n
    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.Template.ValidSecretRef/#links","title":"Links","text":"
    • Automate deployments with ARM Templates
    • Reference secrets with static ID
    • Create Resource Manager parameter file
    ","tags":["Azure.Template.ValidSecretRef","AZR-000233"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/","title":"Use at least two Traffic Manager endpoints","text":"Azure.TrafficManager.EndpointsAZR-000236Error

    Reliability \u00b7 Traffic Manager \u00b7 Rule \u00b7 2020_06

    Traffic Manager should use at lest two enabled endpoints.

    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#description","title":"Description","text":"

    Traffic Manager is a DNS service that enables you to distribute traffic to improve availability and responsiveness. Traffic is distributed across endpoints, which can be located in different availability zones and regions.

    When only one enabled endpoint exists, routing for high availability and/ or responsiveness is not possible.

    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#recommendation","title":"Recommendation","text":"

    Consider adding additional endpoints or enabling disabled endpoints. Also consider, using endpoints deployed across different regions to provide high availability.

    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Endpoints/#links","title":"Links","text":"
    • What is Traffic Manager?
    • How Traffic Manager Works
    ","tags":["Azure.TrafficManager.Endpoints","AZR-000236"]},{"location":"en/rules/Azure.TrafficManager.Protocol/","title":"Use HTTPS to monitor web-based endpoints","text":"Azure.TrafficManager.ProtocolAZR-000237Error

    Security \u00b7 Traffic Manager \u00b7 Rule \u00b7 2020_06

    Monitor Traffic Manager web-based endpoints with HTTPS.

    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#description","title":"Description","text":"

    Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health. For web-based endpoints use HTTPS.

    If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint. This alone does not indicate that the endpoint is operational and ready to receive requests. Additionally when using HTTP and HTTPS, Traffic Manager check HTTP response codes.

    If HTTP is used, Traffic Manager will send unencrypted health checks to the endpoint. HTTPS-based health checks additionally check if a certificate is present, but do not validate if the certificate is valid.

    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#recommendation","title":"Recommendation","text":"

    Consider using HTTPS to monitor web-based endpoint health. HTTPS-based monitoring improves security and increases accuracy of health probes.

    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.TrafficManager.Protocol/#links","title":"Links","text":"
    • Data encryption in Azure
    • Traffic Manager endpoint monitoring
    ","tags":["Azure.TrafficManager.Protocol","AZR-000237"]},{"location":"en/rules/Azure.VM.ADE/","title":"Use Azure Disk Encryption","text":"Azure.VM.ADEAZR-000252Error

    Security \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Use Azure Disk Encryption (ADE).

    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#description","title":"Description","text":"

    Virtual machines (VMs) can be encrypted using ADE to protect disks with full disk encryption. Storage Service Encryption (SSE) is encryption as rest for Managed Disks and Storage Accounts. SSE automatically decrypts storage as it is read. Full disk encryption varies from SSE by decrypting disks on read within the operating system.

    ADE protects disk decryption keys within Key Vault.

    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#recommendation","title":"Recommendation","text":"

    Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.

    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.ADE/#links","title":"Links","text":"
    • Data encryption in Azure
    • Creating and configuring a key vault for Azure Disk Encryption
    • Azure Disk Encryption scenarios on Windows VMs
    ","tags":["Azure.VM.ADE","AZR-000252"]},{"location":"en/rules/Azure.VM.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VM.AMAAZR-000345Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2022_12

    Use Azure Monitor Agent for collecting monitoring data.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#description","title":"Description","text":"

    Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of virtual machines. Data collected gets delivered to Azure Monitor for use by features, insights and other services, such as Microsoft Defender for Cloud.

    Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#recommendation","title":"Recommendation","text":"

    Virtual Machines should install Azure Monitor Agent.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#examples","title":"Examples","text":"","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorWindowsAgent\",\n\"typeHandlerVersion\": \"1.0\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Bicep snippet
    param vmName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {\n  name: '${vmName}/AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#notes","title":"Notes","text":"

    The Azure Monitor Agent (AMA) itself does not include all configuration needed, additionally data collection rules and associations are required.

    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.AMA/#links","title":"Links","text":"
    • Monitoring
    • Azure Monitor Agent overview
    • Azure deployment reference
    ","tags":["Azure.VM.AMA","AZR-000345"]},{"location":"en/rules/Azure.VM.ASAlignment/","title":"Use aligned availability sets","text":"Azure.VM.ASAlignmentAZR-000254Error

    Reliability \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Use availability sets aligned with managed disks fault domains.

    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#description","title":"Description","text":"

    Availability sets can be configured to align with managed disk fault domains. When aligned, the fault domain for storage is co-located with compute. Aligned availability sets help prevent compute and storage from a single VM spanning multiple fault domains.

    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#recommendation","title":"Recommendation","text":"

    Consider deploying VMs with managed disks into aligned availability sets.

    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASAlignment/#links","title":"Links","text":"
    • Availability sets
    • Managed disk integration with availability sets
    • Reliability checklist
    ","tags":["Azure.VM.ASAlignment","AZR-000254"]},{"location":"en/rules/Azure.VM.ASMinMembers/","title":"Use availability sets with at least two members","text":"Azure.VM.ASMinMembersAZR-000255Error

    Reliability \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Availability sets should be deployed with at least two virtual machines (VMs).

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#description","title":"Description","text":"

    An availability set is a logical grouping of VMs that allows Azure to optimize the placement of VMs. Azure uses this grouping to separate VMs within the availablity set across fault and update domains. Each VM in your availability set is assigned an update domain and a fault domain. VMs in different update and fault domains is mapped to different underlying physical hardware. The reason for doing this is to improve reliability by removing some single points of failure.

    Deploy two or more VMs within an availability set to provide for a highly available application. There is no cost for the Availability Set itself, you only pay for each VM instance that you create.

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#recommendation","title":"Recommendation","text":"

    Consider deploying at least two VMs within an availability set to gain availability benefits.

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure (in-flight).

    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASMinMembers/#links","title":"Links","text":"
    • Reliability checklist
    • Availability sets overview
    • Availability options for virtual machines in Azure
    • Failure mode analysis
    • Tutorial: Create and deploy highly available virtual machines with Azure PowerShell
    ","tags":["Azure.VM.ASMinMembers","AZR-000255"]},{"location":"en/rules/Azure.VM.ASName/","title":"Use valid Availability Set names","text":"Azure.VM.ASNameAZR-000256Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Availability Set names should meet naming requirements.

    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Availability Set names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Availability Set names must be unique within a resource group.
    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Availability Set naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#notes","title":"Notes","text":"

    This rule does not check if Availability Set names are unique.

    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.ASName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.ASName","AZR-000256"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/","title":"Use accelerated networking","text":"Azure.VM.AcceleratedNetworkingAZR-000244Error

    Performance Efficiency \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Use accelerated networking for supported operating systems and VM types.

    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#description","title":"Description","text":"

    Enabling accelerated networking for a virtual machine (VM) greatly improves networking performance. Accelerated networking work by enabling single root I/O virtualization (SR-IOV) to a VM. SR-IOV reduces latency, jitter, and CPU utilization network demanding workloads.

    Accelerated networking is available for supported operating systems and VM types.

    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#recommendation","title":"Recommendation","text":"

    Consider enabling accelerated networking for supported operating systems and VM types.

    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.AcceleratedNetworking/#links","title":"Links","text":"
    • Create a Linux virtual machine with Accelerated Networking using Azure CLI
    • Create a Windows VM with accelerated networking using Azure PowerShell
    ","tags":["Azure.VM.AcceleratedNetworking","AZR-000244"]},{"location":"en/rules/Azure.VM.Agent/","title":"VM agent is provisioned automatically","text":"Azure.VM.AgentAZR-000246Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Ensure the VM agent is provisioned automatically.

    ","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#description","title":"Description","text":"

    The virtual machine (VM) agent is required for most functionality that interacts with the guest operating system.

    VM extensions help reduce management overhead by providing an entry point to bootstrap monitoring and configuration of the guest operating system. The VM agent is required to use any VM extensions.

    ","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.Agent/#recommendation","title":"Recommendation","text":"

    Automatically provision the VM agent for all supported operating systems, this is the default.

    ","tags":["Azure.VM.Agent","AZR-000246"]},{"location":"en/rules/Azure.VM.BasicSku/","title":"Avoid Basic VM SKU","text":"Azure.VM.BasicSkuAZR-000241Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Virtual machines (VMs) should not use Basic sizes.

    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#description","title":"Description","text":"

    VMs can be deployed in Basic or Standard sizes. Basic VM sizes are suitable only for entry level development scenarios.

    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#recommendation","title":"Recommendation","text":"

    Basic VM sizes are not suitable for production workloads or intensive development workloads. Consider migration to an alternative Standard VM size.

    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.BasicSku/#links","title":"Links","text":"
    • Sizes for Windows virtual machines in Azure
    • Sizes for Linux virtual machines in Azure
    ","tags":["Azure.VM.BasicSku","AZR-000241"]},{"location":"en/rules/Azure.VM.ComputerName/","title":"Use valid VM computer names","text":"Azure.VM.ComputerNameAZR-000249Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Virtual Machine (VM) computer name should meet naming requirements.

    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#description","title":"Description","text":"

    When configuring Azure VMs the assigned computer name must meet operation system (OS) requirements.

    The requirements for Windows VMs are:

    • Between 1 and 15 characters long.
    • Alphanumerics, and hyphens.
    • Can not include only numbers.

    The requirements for Linux VMs are:

    • Between 1 and 64 characters long.
    • Alphanumerics, periods, and hyphens.
    • Start with alphanumeric.
    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#recommendation","title":"Recommendation","text":"

    Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VM resource name.

    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#notes","title":"Notes","text":"

    VM resource names have different naming restrictions. See Azure.VM.Name for details.

    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.ComputerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.ComputerName","AZR-000249"]},{"location":"en/rules/Azure.VM.DiskAttached/","title":"Remove unused managed disks","text":"Azure.VM.DiskAttachedAZR-000250Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Managed disks should be attached to virtual machines or removed.

    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#description","title":"Description","text":"

    Unattached managed disks are charged but not in use. Unattached managed disks still consume storage and are charged on their size.

    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#recommendation","title":"Recommendation","text":"

    Consider removing managed disks that are no longer required to reduce complexity and costs.

    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskAttached/#links","title":"Links","text":"
    • Managed Disk pricing
    ","tags":["Azure.VM.DiskAttached","AZR-000250"]},{"location":"en/rules/Azure.VM.DiskCaching/","title":"Configure host caching","text":"Azure.VM.DiskCachingAZR-000242Error

    Performance Efficiency \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Check disk caching is configured correctly for the workload.

    ","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#description","title":"Description","text":"

    Check disk caching is configured correctly for the workload.

    ","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskCaching/#recommendation","title":"Recommendation","text":"

    Check disk caching is configured correctly for the workload.

    ","tags":["Azure.VM.DiskCaching","AZR-000242"]},{"location":"en/rules/Azure.VM.DiskName/","title":"Use valid Managed Disk names","text":"Azure.VM.DiskNameAZR-000253Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Managed Disk names should meet naming requirements.

    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Managed Disk names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Managed Disk names must be unique within a resource group.
    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Managed Disk naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#notes","title":"Notes","text":"

    This rule does not check if Managed Disk names are unique.

    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.DiskName","AZR-000253"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/","title":"Allocate VM disks aligned to billing model","text":"Azure.VM.DiskSizeAlignmentAZR-000251Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Align to the Managed Disk billing model to improve cost efficiency.

    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#description","title":"Description","text":"

    Managed disk is smaller than SKU size.

    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#recommendation","title":"Recommendation","text":"

    Consider resizing or optimizing storage to reduce waste by using disk sizes that align to the billing model for Managed Disks. Also consider, sizing and striping disks to optimize performance.

    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.DiskSizeAlignment/#links","title":"Links","text":"
    • Managed Disks pricing
    ","tags":["Azure.VM.DiskSizeAlignment","AZR-000251"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/","title":"Associate a maintenance configuration","text":"Azure.VM.MaintenanceConfigAZR-000375Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2023_06

    Use a maintenance configuration for virtual machines.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#description","title":"Description","text":"

    Virtual machines can be attached to a maintenance configuration which allows customer managed assessments and updates for machine patches within the guest operating system.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#recommendation","title":"Recommendation","text":"

    Consider automatically managing and applying operating system updates by associating a maintenance configuration.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#examples","title":"Examples","text":"","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Maintenance/configurationAssignments\",\n\"apiVersion\": \"2022-11-01-preview\",\n\"name\": \"[parameters('assignmentName')]\",\n\"location\": \"[parameters('location')]\",\n\"scope\": \"[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]\",\n\"properties\": {\n\"maintenanceConfigurationId\": \"[parameters('maintenanceConfigurationId')]\"\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]\"\n]\n}\n
    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a Microsoft.Maintenance/configurationAssignments sub-resource (extension resource).
    • Set the properties.maintenanceConfigurationId property to the linked maintenance configuration resource Id.

    For example:

    Azure Bicep snippet
    resource config 'Microsoft.Maintenance/configurationAssignments@2022-11-01-preview' = {\n  name: assignmentName\n  location: location\n  scope: vm\n  properties: {\n    maintenanceConfigurationId: maintenanceConfigurationId\n  }\n}\n
    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#notes","title":"Notes","text":"

    Operating system updates with Update Managment center is a preview feature. Not all operating systems are supported, check out the LINKS section for more information. Update management center doesn't support driver updates.

    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MaintenanceConfig/#links","title":"Links","text":"
    • Repeatable infrastructure
    • About Update management center
    • How to programmatically manage updates for Azure VMs
    • Manage Update configuration settings
    • Supported operating systems
    • Azure deployment reference
    ","tags":["Azure.VM.MaintenanceConfig","AZR-000375"]},{"location":"en/rules/Azure.VM.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VM.MigrateAMAAZR-000317Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2022_12

    Use Azure Monitor Agent as replacement for Log Analytics Agent.

    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#description","title":"Description","text":"

    The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your VMs and servers in Azure. The Azure Monitor agent provdes the following benefits over legacy agents:

    • Security and performance
      • Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).
      • A higher events-per-second (EPS) upload rate.
    • Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:
      • DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.
      • With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.
    • Simpler management of data collection, including ease of troubleshooting:
      • Easy multihoming on Windows and Linux.
      • Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.
      • Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.
    • A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#recommendation","title":"Recommendation","text":"

    Virtual Machines should migrate to Azure Monitor Agent.

    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorWindowsAgent\",\n\"typeHandlerVersion\": \"1.0\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machines that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Bicep snippet
    param vmName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource windowsAgent 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {\n  name: '${vmName}/AzureMonitorWindowsAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorWindowsAgent'\n    typeHandlerVersion: '1.0'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.MigrateAMA/#links","title":"Links","text":"
    • Monitoring
    • Log Analytics agent retiring
    • Migrate to Azure Monitor Agent from Log Analytics Agent
    • Azure deployment reference
    ","tags":["Azure.VM.MigrateAMA","AZR-000317"]},{"location":"en/rules/Azure.VM.NICAttached/","title":"Attach NIC or clean up","text":"Azure.VM.NICAttachedAZR-000257Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Network interfaces (NICs) should be attached.

    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICAttached/#description","title":"Description","text":"

    Network interfaces (NICs) are used to attach services to a virtual network. Each NIC is deployed as a separate resource, however are intended to be used with a related service. A NIC that is not attached to a related service perform no purpose.

    Example of services that use NICs include:

    • Virtual Machines
    • Private Endpoints
    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICAttached/#recommendation","title":"Recommendation","text":"

    Consider cleaning up NICs that are not required to reduce management complexity. Also consider using Resource Groups to help manage the lifecycle of related resources together.

    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICAttached/#links","title":"Links","text":"
    • Azure deployment reference
    ","tags":["Azure.VM.NICAttached","AZR-000257"]},{"location":"en/rules/Azure.VM.NICName/","title":"Use valid NIC names","text":"Azure.VM.NICNameAZR-000259Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Network Interface (NIC) names should meet naming requirements.

    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Network Interface names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • NIC names must be unique within a resource group.
    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Network Interface naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#notes","title":"Notes","text":"

    This rule does not check if Network Interface names are unique.

    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.NICName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.NICName","AZR-000259"]},{"location":"en/rules/Azure.VM.Name/","title":"Use valid VM names","text":"Azure.VM.NameAZR-000248Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Virtual Machine (VM) names should meet naming requirements.

    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for VM names are:

    • Between 1 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VM names must be unique within a resource group.
    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet VM resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.

    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#notes","title":"Notes","text":"

    This rule does not check if VM names are unique. Additionally, VM computer names have additional restrictions. See Azure.VM.ComputerName for details.

    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.Name","AZR-000248"]},{"location":"en/rules/Azure.VM.PPGName/","title":"Use valid PPG names","text":"Azure.VM.PPGNameAZR-000260Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Proximity Placement Group (PPG) names should meet naming requirements.

    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for placement groups names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start and end with alphanumeric.
    • PPG names must be unique within a resource group.
    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Proximity Placement Group naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#notes","title":"Notes","text":"

    This rule does not check if Proximity Placement Group names are unique.

    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PPGName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VM.PPGName","AZR-000260"]},{"location":"en/rules/Azure.VM.PromoSku/","title":"Use current VM SKUs","text":"Azure.VM.PromoSkuAZR-000240Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Virtual machines (VMs) should not use expired promotional SKU.

    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#description","title":"Description","text":"

    Some VM sizes may offer promotional rates that can be used by deploying VMs with a designated SKU. Promotional rates expire, and while this does not cause interruption to running VMs, the rate that VMs are billed at returns to the original price.

    Promo SKUs are not eligible for savings from reserved instances. Expired promo SKUs may confuse billing reconciliation when the promotional period expires.

    VMs should not use expired promo SKU.

    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#recommendation","title":"Recommendation","text":"

    Consider moving from promotional SKUs to SKUs eligible for reserved instances for VMs with an extended life cycle. Consider moving from promotional SKUs to the regular SKU once the promotional period has expired.

    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PromoSku/#links","title":"Links","text":"
    • Virtual Machine pricing
    ","tags":["Azure.VM.PromoSku","AZR-000240"]},{"location":"en/rules/Azure.VM.PublicKey/","title":"Use public keys for Linux","text":"Azure.VM.PublicKeyAZR-000245Error

    Security \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Linux virtual machines should use public keys.

    ","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#description","title":"Description","text":"

    Linux virtual machines support either password or public key based authentication for the default administrator account.

    ","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.PublicKey/#recommendation","title":"Recommendation","text":"

    Consider using public key based authentication instead of passwords.

    ","tags":["Azure.VM.PublicKey","AZR-000245"]},{"location":"en/rules/Azure.VM.SQLServerDisk/","title":"Configure Premium disks or above","text":"Azure.VM.SQLServerDiskAZR-000324Error

    Performance Efficiency \u00b7 Virtual Machine \u00b7 Rule \u00b7 2022_12

    Use Premium SSD disks or greater for data and log files for production SQL Server workloads.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#description","title":"Description","text":"

    Use premium SSD disks or greater for data and log files for production SQL Server workloads.

    This is an advanced topic with many considerations, so we highly suggest to follow the LINKS section for more around this with aligned and up-to-date documentation.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#recommendation","title":"Recommendation","text":"

    Configure Premium SSD disks or greater for data and log files for production SQL Server workloads.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#examples","title":"Examples","text":"","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Machines that pass this rule:

    • Set the properties.storageProfile.osDisk.managedDisk.storageAccountType property to Premium_LRS or greater.
    • Configure each data disk included in properties.storageProfile.dataDisks to use Premium_LRS or greater by setting the property managedDisk.storageAccountType.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('virtualMachineName')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"[parameters('virtualMachineSize')]\"\n},\n\"storageProfile\": {\n\"osDisk\": {\n\"createOption\": \"FromImage\",\n\"managedDisk\": {\n\"storageAccountType\": \"Premium_LRS\"\n},\n\"diskSizeGB\": 127\n},\n\"imageReference\": {\n\"publisher\": \"MicrosoftSQLServer\",\n\"offer\": \"SQL2019-WS2019\",\n\"sku\": \"Enterprise\",\n\"version\": \"latest\"\n},\n\"dataDisks\": [\n{\n\"lun\": 0,\n\"caching\": \"ReadOnly\",\n\"createOption\": \"Empty\",\n\"writeAcceleratorEnabled\": false,\n\"managedDisk\": {\n\"storageAccountType\": \"UltraSSD_LRS\"\n},\n\"diskSizeGB\": 1023\n}\n]\n},\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n}\n]\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('virtualMachineName')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\",\n\"windowsConfiguration\": {\n\"enableAutomaticUpdates\": true,\n\"provisionVMAgent\": true\n}\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]\"\n]\n}\n
    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Machines that pass this rule:

    • Set the properties.storageProfile.osDisk.managedDisk.storageAccountType property to Premium_LRS or greater.
    • Configure each data disk included in properties.storageProfile.dataDisks to use Premium_LRS or greater by setting the property managedDisk.storageAccountType.

    For example:

    Azure Bicep snippet
    resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: virtualMachineName\n  location: location\n  properties: {\n    hardwareProfile: {\n      vmSize: virtualMachineSize\n    }\n    storageProfile: {\n      osDisk: {\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n        diskSizeGB: 127\n      }\n      imageReference: {\n        publisher: 'MicrosoftSQLServer'\n        offer: 'SQL2019-WS2019'\n        sku: 'Enterprise'\n        version: 'latest'\n      }\n      dataDisks: [\n        {\n          lun: 0\n          caching: 'ReadOnly'\n          createOption: 'Empty'\n          writeAcceleratorEnabled: false\n          managedDisk: {\n            storageAccountType: 'UltraSSD_LRS'\n          }\n          diskSizeGB: 1023\n        }\n      ]\n    }\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: networkInterface.id\n        }\n      ]\n    }\n    osProfile: {\n      computerName: virtualMachineName\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n      windowsConfiguration: {\n        enableAutomaticUpdates: true\n        provisionVMAgent: true\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#notes","title":"Notes","text":"

    This rule is only applicable for OS disk and data disks configured with the property properties.storageProfile.osDisk.managedDisk.storageAccountType and the property properties.storageProfile.dataDisks.managedDisk.storageAccountType.

    Resources declarations can therefore pass the rule which are using not using Premium disks or above.

    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.SQLServerDisk/#links","title":"Links","text":"
    • Design for performance
    • Performance best practices for SQL Server on Azure VMs
    • Azure deployment reference
    ","tags":["Azure.VM.SQLServerDisk","AZR-000324"]},{"location":"en/rules/Azure.VM.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine","text":"Azure.VM.ScriptExtensionsAZR-000332Error

    Security \u00b7 Virtual Machine \u00b7 Rule \u00b7 2022_12

    Custom Script Extensions scripts that reference secret values must use the protectedSettings.

    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#description","title":"Description","text":"

    Virtual Machines support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.

    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#recommendation","title":"Recommendation","text":"

    Consider specifying secure values within protectedSettings to avoid exposing secrets during extension deployments.

    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#examples","title":"Examples","text":"","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy VM extensions that pass this rule:

    • Set any secure values within properties.protectedSettings.
    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n\"name\": \"installcustomscript\",\n\"apiVersion\": \"2015-06-15\",\n\"location\": \"australiaeast\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Extensions\",\n\"type\": \"CustomScript\",\n\"typeHandlerVersion\": \"2.0\",\n\"autoUpgradeMinorVersion\": true,\n\"protectedSettings\": {\n\"commandToExecute\": \"Write-Output 'hello-world'\"\n}\n}\n}\n
    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VM extensions that pass this rule:

    • Set any secure values within properties.protectedSettings.
    Azure Bicep snippet
    resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {\n  name: 'installcustomscript'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Extensions'\n    type: 'CustomScript'\n    typeHandlerVersion: '2.0'\n    autoUpgradeMinorVersion: true\n    protectedSettings: {\n        commandToExecute: 'Write-Output \"hello-world\"'\n    }\n  }\n}\n
    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ScriptExtensions/#links","title":"Links","text":"
    • Secure application configuration and dependencies
    • Azure deployment reference
    • Windows Custom Script Extensions
    • Linux Custom Script Extensions
    ","tags":["Azure.VM.ScriptExtensions","AZR-000332"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/","title":"VMs should not be stopped state","text":"Azure.VM.ShouldNotBeStoppedAZR-000351Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 Rule \u00b7 2023_03

    Azure VMs should be running or in a deallocated state.

    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#description","title":"Description","text":"

    Azure Virtual Machines in a stopped state are still billed hourly for compute usage. Therefor VMs should generally be in a deallocated or running state.

    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#recommendation","title":"Recommendation","text":"

    Consider fully deallocating VMs instead of stopping VMs to reduce cost.

    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.ShouldNotBeStopped/#links","title":"Links","text":"
    • Shut down underutilized instances
    • States and billing status of Azure Virtual Machines
    ","tags":["Azure.VM.ShouldNotBeStopped","AZR-000351"]},{"location":"en/rules/Azure.VM.Standalone/","title":"Standalone Virtual Machine","text":"Azure.VM.StandaloneAZR-000239Error

    Reliability \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Use VM features to increase reliability and improve covered SLA for VM configurations.

    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#description","title":"Description","text":"

    All VM configurations within Azure offer an SLA. However, the SLA provided and the overall availability of the system varies depending on the configuration.

    First, consider performing a Failure Mode Analysis (FMA) of the system. A FMA is the process of analyzing the system to determine the possible failure points.

    For Virtual Machines (VMs), running a single instance is often a single point of failure. In many but not all cases, the number of VMs can be increased to add redundancy to the system. Taking advantage of some of the features of Azure can further increase the availability of the system.

    • Availability Zones (AZ) - is a physically separate zone, within an Azure region. Each Availability Zone has a distinct power source, network, and cooling.
    • Availability Sets - is a logical grouping of VMs that allows Azure to understand how your application is built. By understanding the distinct tiers of the application, Azure can better organize compute and storage to improve availability.
    • Solid State Storage (SSD) Disks - high performance block-level storage with three replicas of your data.
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#recommendation","title":"Recommendation","text":"

    Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.

    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#examples","title":"Examples","text":"","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy VMs that pass this rule with on of the following:

    • Deploy the VM in an Availability Set by specifying properties.availabilitySet.id in code.
    • Deploy the VM in an Availability Zone by specifying zones with 1, 2, or 3 in code.
    • Deploy the VM using only premium disks for OS and data disks by specifying storageAccountType as Premium_LRS.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2022-03-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"zones\": [\n\"1\"\n],\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"Standard_D2s_v3\"\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('name')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\"\n},\n\"storageProfile\": {\n\"imageReference\": {\n\"publisher\": \"MicrosoftWindowsServer\",\n\"offer\": \"WindowsServer\",\n\"sku\": \"[parameters('sku')]\",\n\"version\": \"latest\"\n},\n\"osDisk\": {\n\"name\": \"[format('{0}-disk0', parameters('name'))]\",\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\",\n\"managedDisk\": {\n\"storageAccountType\": \"Premium_LRS\"\n}\n}\n},\n\"licenseType\": \"Windows_Server\",\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n}\n]\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n]\n}\n
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VMs that pass this rule with on of the following:

    • Deploy the VM in an Availability Set by specifying properties.availabilitySet.id in code.
    • Deploy the VM in an Availability Zone by specifying zones with 1, 2, or 3 in code.
    • Deploy the VM using only premium disks for OS and data disks by specifying storageAccountType as Premium_LRS.

    For example:

    Azure Bicep snippet
    resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {\n  name: name\n  location: location\n  zones: [\n    '1'\n  ]\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n        managedDisk: {\n          storageAccountType: 'Premium_LRS'\n        }\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.Standalone/#links","title":"Links","text":"
    • Meet application platform requirements
    • Virtual Machine SLA
    • Availability options for virtual machines in Azure
    • Manage the availability of Windows virtual machines in Azure
    • Manage the availability of Linux virtual machines
    ","tags":["Azure.VM.Standalone","AZR-000239"]},{"location":"en/rules/Azure.VM.UniqueDns/","title":"NICs with custom DNS settings","text":"Azure.VM.UniqueDnsAZR-000258Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Network interfaces (NICs) should inherit DNS from virtual networks.

    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.UniqueDns/#description","title":"Description","text":"

    By default Virtual machine (VM) NICs automatically use a DNS configuration inherited from the virtual network they connect to. Optionally, DNS servers can be overridden on a per NIC basis with a custom configuration.

    Using network interfaces with individual DNS server settings may increase management overhead and complexity.

    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.UniqueDns/#recommendation","title":"Recommendation","text":"

    Consider updating NIC DNS server settings to inherit from virtual network.

    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.UniqueDns/#links","title":"Links","text":"
    • Change DNS servers.
    ","tags":["Azure.VM.UniqueDns","AZR-000258"]},{"location":"en/rules/Azure.VM.Updates/","title":"Automatic updates are enabled","text":"Azure.VM.UpdatesAZR-000247Error

    Operational Excellence \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Ensure automatic updates are enabled at deployment.

    ","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#description","title":"Description","text":"

    Window virtual machines (VMs) have automatic updates turned on at deployment time by default. The option can be enabled/ disabled at deployment time or updated for VM scale sets.

    Enabling this option does not prevent automatic updates being disabled or reconfigured within the operating system after deployment.

    ","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.Updates/#recommendation","title":"Recommendation","text":"

    Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.

    ","tags":["Azure.VM.Updates","AZR-000247"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/","title":"Use Azure Hybrid Benefit","text":"Azure.VM.UseHybridUseBenefitAZR-000243Error

    Cost Optimization \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.

    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#description","title":"Description","text":"

    Azure Hybrid Benefit is a licensing benefit that helps you to reduce costs of running virtual machine (VM) workloads.

    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#recommendation","title":"Recommendation","text":"

    Consider using Azure Hybrid Benefit for eligible workloads.

    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#examples","title":"Examples","text":"","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy VMs that pass this rule:

    • Set the properties.licenseType property to one of the following:
      • Windows_Server
      • Windows_Client

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachines\",\n\"apiVersion\": \"2021-07-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"hardwareProfile\": {\n\"vmSize\": \"Standard_D2s_v3\"\n},\n\"osProfile\": {\n\"computerName\": \"[parameters('name')]\",\n\"adminUsername\": \"[parameters('adminUsername')]\",\n\"adminPassword\": \"[parameters('adminPassword')]\"\n},\n\"storageProfile\": {\n\"imageReference\": {\n\"publisher\": \"MicrosoftWindowsServer\",\n\"offer\": \"WindowsServer\",\n\"sku\": \"[parameters('sku')]\",\n\"version\": \"latest\"\n},\n\"osDisk\": {\n\"name\": \"[format('{0}-disk0', parameters('name'))]\",\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n}\n},\n\"licenseType\": \"Windows_Server\",\n\"networkProfile\": {\n\"networkInterfaces\": [\n{\n\"id\": \"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n}\n]\n}\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]\"\n]\n}\n
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VMs that pass this rule:

    • Set the properties.licenseType property to one of the following:
      • Windows_Server
      • Windows_Client

    For example:

    Azure Bicep snippet
    resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {\n  name: name\n  location: location\n  properties: {\n    hardwareProfile: {\n      vmSize: 'Standard_D2s_v3'\n    }\n    osProfile: {\n      computerName: name\n      adminUsername: adminUsername\n      adminPassword: adminPassword\n    }\n    storageProfile: {\n      imageReference: {\n        publisher: 'MicrosoftWindowsServer'\n        offer: 'WindowsServer'\n        sku: sku\n        version: 'latest'\n      }\n      osDisk: {\n        name: '${name}-disk0'\n        caching: 'ReadWrite'\n        createOption: 'FromImage'\n      }\n    }\n    licenseType: 'Windows_Server'\n    networkProfile: {\n      networkInterfaces: [\n        {\n          id: nic.id\n        }\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az vm update -n '<name>' -g '<resource_group>' --set licenseType=Windows_Server\n
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseHybridUseBenefit/#links","title":"Links","text":"
    • Azure Hybrid Benefit FAQ
    • Azure Hybrid Benefit for Windows Server
    ","tags":["Azure.VM.UseHybridUseBenefit","AZR-000243"]},{"location":"en/rules/Azure.VM.UseManagedDisks/","title":"Use Managed Disks","text":"Azure.VM.UseManagedDisksAZR-000238Error

    Reliability \u00b7 Virtual Machine \u00b7 Rule \u00b7 2020_06

    Virtual machines (VMs) should use managed disks.

    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#description","title":"Description","text":"

    VMs can be configured with un-managed or managed disks. Un-managed disks, are .vhd files stored on a Storage Account that you manage as files. Managed disks allow you to managed the VM disk and the Storage Account is managed by Microsoft.

    Managed disks are the successor to un-managed disks and provide an number of additional features. Using managed disks reduces management of VM storage, improves durability and availability of VMs.

    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#recommendation","title":"Recommendation","text":"

    Consider using managed disks for virtual machine storage.

    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VM.UseManagedDisks/#links","title":"Links","text":"
    • Introduction to Azure managed disks
    ","tags":["Azure.VM.UseManagedDisks","AZR-000238"]},{"location":"en/rules/Azure.VMSS.AMA/","title":"Use Azure Monitor Agent","text":"Azure.VMSS.AMAAZR-000346Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 Rule \u00b7 2022_12

    Use Azure Monitor Agent for collecting monitoring data.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#description","title":"Description","text":"

    Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of virtual machines in virtual machine scale sets. Data collected gets delivered to Azure Monitor for use by features, insights and other services, such as Microsoft Defender for Cloud.

    Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#recommendation","title":"Recommendation","text":"

    Consider monitoring Virtual Machine Scale Sets using the Azure Monitor Agent.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\",\n\"defaultValue\": \"vmss-01\"\n},\n\"location\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[parameters('vmssName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"b2ms\",\n\"tier\": \"Standard\",\n\"capacity\": 1\n},\n\"properties\": {\n\"overprovision\": true,\n\"upgradePolicy\": {\n\"mode\": \"Automatic\"\n},\n\"singlePlacementGroup\": true,\n\"platformFaultDomainCount\": 3,\n\"virtualMachineProfile\": {\n\"extensionProfile\": {\n\"extensions\": [\n{\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"properties\": {\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true,\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\"\n}\n}\n]\n},\n\"storageProfile\": {\n\"osDisk\": {\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n},\n\"imageReference\": {\n\"publisher\": \"microsoft-aks\",\n\"offer\": \"aks\",\n\"sku\": \"aks-ubuntu-1804-202208\",\n\"version\": \"2022.08.29\"\n}\n},\n\"osProfile\": {\n\"adminUsername\": \"azureuser\",\n\"computerNamePrefix\": \"vmss-01\",\n\"linuxConfiguration\": {\n\"disablePasswordAuthentication\": true\n},\n\"provisionVMAgent\": true,\n\"ssh\": {\n\"publicKeys\": [\n{\n\"path\": \"/home/azureuser/.ssh/authorized_keys\"\n}\n]\n}\n},\n\"networkProfile\": {\n\"networkInterfaceConfigurations\": [\n{\n\"name\": \"vmss-001\",\n\"properties\": {\n\"primary\": true,\n\"enableAcceleratedNetworking\": true,\n\"networkSecurityGroup\": {\n\"id\": 
\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n},\n\"ipConfigurations\": [\n{\n\"name\": \"ipconfig1\",\n\"properties\": {\n\"primary\": true,\n\"subnet\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n},\n\"privateIPAddressVersion\": \"IPv4\",\n\"loadBalancerBackendAddressPools\": [\n{\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n}\n]\n}\n}\n]\n}\n}\n]\n}\n}\n}\n}\n]\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n             
 ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource Microsoft.Compute/virtualMachines/extensions.
    • Set properties.publisher to Microsoft.Azure.Monitor.
    • Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#notes","title":"Notes","text":"

    The Azure Monitor Agent (AMA) itself does not include all configuration needed, additionally data collection rules and associations are required.

    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.AMA/#links","title":"Links","text":"
    • Monitoring
    • Azure Monitor Agent overview
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.VMSS.AMA","AZR-000346"]},{"location":"en/rules/Azure.VMSS.ComputerName/","title":"Use valid VMSS computer names","text":"Azure.VMSS.ComputerNameAZR-000262Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 Rule \u00b7 2020_06

    Virtual Machine Scale Set (VMSS) computer name should meet naming requirements.

    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#description","title":"Description","text":"

    When configuring Azure VMSS the assigned computer name prefix must meet operation system (OS) requirements.

    The requirements for Windows VM instances are:

    • Between 1 and 15 characters long.
    • Alphanumerics, and hyphens.
    • Can not include only numbers.

    The requirements for Linux VM instances are:

    • Between 1 and 64 characters long.
    • Alphanumerics, periods, and hyphens.
    • Start with alphanumeric.
    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#recommendation","title":"Recommendation","text":"

    Consider using computer names that meet OS naming requirements. Additionally, consider using computer names that match the VMSS resource name.

    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#notes","title":"Notes","text":"

    VMSS resource names have different naming restrictions. See Azure.VMSS.Name for details.

    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.ComputerName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VMSS.ComputerName","AZR-000262"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/","title":"Migrate to Azure Monitor Agent","text":"Azure.VMSS.MigrateAMAAZR-000318Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 Rule \u00b7 2022_12

    Use Azure Monitor Agent as replacement for Log Analytics Agent.

    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#description","title":"Description","text":"

    The legacy Log Analytics agent will be retired on August 31, 2024. Before that date, you'll need to start using the Azure Monitor agent to monitor your virtual machine scale sets. The Azure Monitor agent provdes the following benefits over legacy agents:

    • Security and performance
      • Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).
      • A higher events-per-second (EPS) upload rate.
    • Cost savings by using data collection rules. Using DCRs is one of the most useful advantages of using Azure Monitor Agent:
      • DCRs let you configure data collection for specific machines connected to a workspace as compared to the \"all or nothing\" approach of legacy agents.
      • With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.
    • Simpler management of data collection, including ease of troubleshooting:
      • Easy multihoming on Windows and Linux.
      • Centralized, \"in the cloud\" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.
      • Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.
    • A single agent that consolidates all features necessary to address all telemetry data collection needs across servers and client devices running Windows 10 or 11. A single agent is the goal, although Azure Monitor Agent currently converges with the Log Analytics agents.
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#recommendation","title":"Recommendation","text":"

    Virtual Machine Scale Sets should migrate to Azure Monitor Agent.

    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#examples","title":"Examples","text":"","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\",\n\"defaultValue\": \"vmss-01\"\n},\n\"location\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[parameters('vmssName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"b2ms\",\n\"tier\": \"Standard\",\n\"capacity\": 1\n},\n\"properties\": {\n\"overprovision\": true,\n\"upgradePolicy\": {\n\"mode\": \"Automatic\"\n},\n\"singlePlacementGroup\": true,\n\"platformFaultDomainCount\": 3,\n\"virtualMachineProfile\": {\n\"extensionProfile\": {\n\"extensions\": [\n{\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"properties\": {\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true,\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\"\n}\n}\n]\n},\n\"storageProfile\": {\n\"osDisk\": {\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n},\n\"imageReference\": {\n\"publisher\": \"microsoft-aks\",\n\"offer\": \"aks\",\n\"sku\": \"aks-ubuntu-1804-202208\",\n\"version\": \"2022.08.29\"\n}\n},\n\"osProfile\": {\n\"adminUsername\": \"azureuser\",\n\"computerNamePrefix\": \"vmss-01\",\n\"linuxConfiguration\": {\n\"disablePasswordAuthentication\": true\n},\n\"provisionVMAgent\": true,\n\"ssh\": {\n\"publicKeys\": [\n{\n\"path\": \"/home/azureuser/.ssh/authorized_keys\"\n}\n]\n}\n},\n\"networkProfile\": {\n\"networkInterfaceConfigurations\": [\n{\n\"name\": \"vmss-001\",\n\"properties\": {\n\"primary\": true,\n\"enableAcceleratedNetworking\": true,\n\"networkSecurityGroup\": {\n\"id\": 
\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n},\n\"ipConfigurations\": [\n{\n\"name\": \"ipconfig1\",\n\"properties\": {\n\"primary\": true,\n\"subnet\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n},\n\"privateIPAddressVersion\": \"IPv4\",\n\"loadBalancerBackendAddressPools\": [\n{\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n}\n]\n}\n}\n]\n}\n}\n]\n}\n}\n}\n}\n]\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"vmssName\": {\n\"type\": \"string\"\n},\n\"location\": {\n\"type\": \"string\"\n},\n\"userAssignedManagedIdentity\": {\n\"type\": \"string\"\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets/extensions\",\n\"apiVersion\": \"2022-08-01\",\n\"name\": \"[format('{0}/AzureMonitorLinuxAgent', parameters('vmssName'))]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"publisher\": \"Microsoft.Azure.Monitor\",\n\"type\": \"AzureMonitorLinuxAgent\",\n\"typeHandlerVersion\": \"1.21\",\n\"settings\": {\n\"authentication\": {\n\"managedIdentity\": {\n\"identifier-name\": \"mi_res_id\",\n\"identifier-value\": \"[parameters('userAssignedManagedIdentity')]\"\n}\n}\n},\n\"autoUpgradeMinorVersion\": true,\n\"enableAutomaticUpgrade\": true\n}\n}\n]\n}\n
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual machine scale sets that pass this rule:

    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.virtualMachineProfile.extensionProfile.extensions.properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string = 'vmss-01'\nparam location string\n\nresource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' = {\n  name: vmssName\n  location: location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      extensionProfile: {\n        extensions: [\n          {\n            name: '${vmssName}/AzureMonitorLinuxAgent'\n\n            properties: {\n              autoUpgradeMinorVersion: true\n              enableAutomaticUpgrade: true\n              publisher: 'Microsoft.Azure.Monitor'\n              type: 'AzureMonitorLinuxAgent'\n              typeHandlerVersion: '1.21'\n            }\n          }\n        ]\n      }\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }\n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n        }\n        provisionVMAgent: true\n        ssh: {\n          publicKeys: [\n            {\n              path: '/home/azureuser/.ssh/authorized_keys'\n            }\n          ]\n        }\n      }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n             
 ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n                    loadBalancerBackendAddressPools: [\n                      {\n                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n

    To deploy virtual machine scale sets with a extension sub resource that pass this rule:

    • Deploy a extension sub-resource (extension resource).
    • Set properties.publisher to 'Microsoft.Azure.Monitor'.
    • Set properties.type to 'AzureMonitorWindowsAgent' (Windows) or 'AzureMonitorLinuxAgent' (Linux).

    For example:

    Azure Bicep snippet
    param vmssName string\nparam location string\nparam userAssignedManagedIdentity string\n\nresource linuxAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2022-08-01' = {\n  name: '${vmssName}/AzureMonitorLinuxAgent'\n  location: location\n  properties: {\n    publisher: 'Microsoft.Azure.Monitor'\n    type: 'AzureMonitorLinuxAgent'\n    typeHandlerVersion: '1.21'\n    autoUpgradeMinorVersion: true\n    enableAutomaticUpgrade: true\n    settings: {\n      authentication: {\n        managedIdentity: {\n          identifier-name: 'mi_res_id'\n          identifier-value: userAssignedManagedIdentity\n        }\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.MigrateAMA/#links","title":"Links","text":"
    • Monitoring
    • Log Analytics agent retiring
    • Migrate to Azure Monitor Agent from Log Analytics Agent
    • Azure deployment reference
    • Azure deployment reference
    ","tags":["Azure.VMSS.MigrateAMA","AZR-000318"]},{"location":"en/rules/Azure.VMSS.Name/","title":"Use valid VMSS names","text":"Azure.VMSS.NameAZR-000261Error

    Operational Excellence \u00b7 Virtual Machine Scale Sets \u00b7 Rule \u00b7 2020_06

    Virtual Machine Scale Set (VMSS) names should meet naming requirements.

    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for VMSS names are:

    • Between 1 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VM names must be unique within a resource group.
    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet VMSS resource name requirements. Additionally, consider using a resource name that meeting OS naming requirements.

    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#notes","title":"Notes","text":"

    This rule does not check if VMSS names are unique. Additionally, VMSS computer names have additional restrictions. See Azure.VMSS.ComputerName for details.

    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VMSS.Name","AZR-000261"]},{"location":"en/rules/Azure.VMSS.PublicKey/","title":"Disable password authentication","text":"Azure.VMSS.PublicKeyAZR-000288Error

    Security \u00b7 Virtual Machine Scale Sets \u00b7 Rule \u00b7 2022_09

    Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.

    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#description","title":"Description","text":"

    Linux virtual machine scale sets should have password authentication disabled to help with eliminating password-based attacks.

    A common tactic observed used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks.

    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#recommendation","title":"Recommendation","text":"

    Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys.

    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#examples","title":"Examples","text":"","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy an virtual machine scale set that pass this rule:

    • Set properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication to true.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Compute/virtualMachineScaleSets\",\n\"apiVersion\": \"2021-11-01\",\n\"name\": \"vmss-01\",\n\"location\": \"[resourceGroup().location]\",\n\"sku\": {\n\"name\": \"b2ms\",\n\"tier\": \"Standard\",\n\"capacity\": 1\n},\n\"properties\": {\n\"overprovision\": true,\n\"upgradePolicy\": {\n\"mode\": \"Automatic\"\n},\n\"singlePlacementGroup\": true,\n\"platformFaultDomainCount\": 3,\n\"virtualMachineProfile\": {\n\"storageProfile\": {\n\"osDisk\": {\n\"caching\": \"ReadWrite\",\n\"createOption\": \"FromImage\"\n},\n\"imageReference\": {\n\"publisher\": \"microsoft-aks\",\n\"offer\": \"aks\",\n\"sku\": \"aks-ubuntu-1804-202208\",\n\"version\": \"2022.08.29\"\n}\n},\n\"osProfile\": {\n\"adminUsername\": \"azureuser\",\n\"computerNamePrefix\": \"vmss-01\",\n\"linuxConfiguration\": {\n\"disablePasswordAuthentication\": true\n},\n\"provisionVMAgent\": true,\n\"ssh\": {\n\"publicKeys\": [\n{\n\"path\": \"/home/azureuser/.ssh/authorized_keys\"\n}\n]\n}\n},\n\"networkProfile\": {\n\"networkInterfaceConfigurations\": [\n{\n\"name\": \"vmss-001\",\n\"properties\": {\n\"primary\": true,\n\"enableAcceleratedNetworking\": true,\n\"networkSecurityGroup\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001\"\n},\n\"ipConfigurations\": [\n{\n\"name\": \"ipconfig1\",\n\"properties\": {\n\"primary\": true,\n\"subnet\": {\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001\"\n},\n\"privateIPAddressVersion\": \"IPv4\",\n\"loadBalancerBackendAddressPools\": [\n{\n\"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes\"\n}\n]\n}\n}\n]\n}\n}\n]\n}\n}\n}\n}\n
    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy an virtual machine scale set that pass this rule:

    • Set properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication to true.

    For example:

    Azure Bicep snippet
    resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = {\n  name: 'vmss-01'\n  location: resourceGroup().location\n  sku: {\n    name: 'b2ms'\n    tier: 'Standard'\n    capacity: 1\n  }\n  properties: {\n    overprovision: true\n    upgradePolicy: {\n      mode: 'Automatic'\n    }\n    singlePlacementGroup: true\n    platformFaultDomainCount: 3\n    virtualMachineProfile: {\n      storageProfile: {\n        osDisk: {\n          caching: 'ReadWrite'\n          createOption: 'FromImage'\n        }\n        imageReference: {\n          publisher: 'microsoft-aks'\n          offer: 'aks'\n          sku: 'aks-ubuntu-1804-202208'\n          version: '2022.08.29'\n        }    \n      }\n      osProfile: {\n        adminUsername: 'azureuser'\n        computerNamePrefix: 'vmss-01'\n        linuxConfiguration: {\n          disablePasswordAuthentication: true\n          }\n          provisionVMAgent: true\n          ssh: {\n            publicKeys: [\n              {\n                path: '/home/azureuser/.ssh/authorized_keys'\n              }\n            ]\n          }\n        }\n      networkProfile: {\n        networkInterfaceConfigurations: [\n          {\n            name: 'vmss-001'\n            properties: {\n              primary: true\n              enableAcceleratedNetworking: true\n              networkSecurityGroup: {\n                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'\n              }\n              ipConfigurations: [\n                {\n                  name: 'ipconfig1'\n                  properties: {\n                    primary: true\n                    subnet: {\n                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'\n                    }\n                    privateIPAddressVersion: 'IPv4'\n               
     loadBalancerBackendAddressPools: [\n                      {\n                        id:  '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        ]\n      }\n    }\n  }\n}\n
    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.PublicKey/#links","title":"Links","text":"
    • Identity and access management
    • Azure security baseline for Linux Virtual Machines
    • Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure
    • Azure deployment reference
    ","tags":["Azure.VMSS.PublicKey","AZR-000288"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/","title":"Securely pass secrets to Custom Script Extensions for Virtual Machine Scale Sets","text":"Azure.VMSS.ScriptExtensionsAZR-000333Error

    Security \u00b7 Virtual Machine Scale Sets \u00b7 Rule \u00b7 2022_12

    Custom Script Extensions scripts that reference secret values must use the protectedSettings.

    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#description","title":"Description","text":"

    Virtual Machines Scale Sets support the ability to execute custom scripts on launch. This can be configured via user data and custom script extensions. When the template is rendered, anything in the settings section will be rendered in clear text. To ensure they're kept secret, use the protectedSettings section instead.

    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#recommendation","title":"Recommendation","text":"

    Consider specifying secure values within properties.extensionProfile.extensions.protectedSettings to avoid exposing secrets during extension deployments.

    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#examples","title":"Examples","text":"

    To deploy VMSS extensions that pass this rule:

    • Set any secure values within properties.extensionProfile.extensions.protectedSettings
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-azure-template","title":"Configure with Azure template","text":"Azure Template snippet
    \"extensionProfile\": {\n\"extensions\": [\n{\n\"name\": \"customScript\",\n\"properties\": {\n\"publisher\": \"Microsoft.Compute\",\n\"protectedSettings\": {\n\"commandToExecute\": \"Write-Output 'example'\"\n},\n\"typeHandlerVersion\": \"1.8\",\n\"autoUpgradeMinorVersion\": true,\n\"type\": \"CustomScriptExtension\"\n}\n}\n]\n}\n
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy VMSS extensions that pass this rule:

    • Set any secure values within properties.extensionProfile.extensions.protectedSettings
    Azure Bicep snippet
    extensionProfile: {\n  extensions: [\n    {\n      name: 'customScript'\n      properties: {\n        publisher: 'Microsoft.Compute'\n        protectedSettings: {\n          commandToExecute: 'Write-Output \"example\"'\n        },\n        typeHandlerVersion: '1.8'\n        autoUpgradeMinorVersion: true\n        type: 'CustomScriptExtension'\n      }\n    }\n  ]\n}\n
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VMSS.ScriptExtensions/#links","title":"Links","text":"
    • Secure application configuration and dependencies
    • Azure deployment reference
    • Azure VMSS Extensions Overview
    ","tags":["Azure.VMSS.ScriptExtensions","AZR-000333"]},{"location":"en/rules/Azure.VNET.BastionSubnet/","title":"Configure VNETs with a AzureBastionSubnet subnet","text":"Azure.VNET.BastionSubnetAZR-000314Error

    Reliability \u00b7 Virtual Network \u00b7 Rule \u00b7 2022_12

    VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.

    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#description","title":"Description","text":"

    Azure Bastion lets you securely connect to a virtual machine using your browser or native SSH/RDP client on Windows workstations or the Azure portal. An Azure Bastion host is deployed inside an Azure Virtual Network and can access virtual machines in the virtual network (VNet), or virtual machines in peered VNets.

    Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs), without any exposure through public IP addresses.

    This is a recommended pattern for virtual machine remote access.

    Adding Azure Bastion in your configuration adds the following benefits:

    • Added resiliency (out of band remote access).
    • Negates the need for hybrid connectivity.
    • Provides an extra layer of control. It enables secure and seamless RDP/SSH connectivity to your VMs directly from the Azure portal or native client in preview over a secure TLS channel.
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#recommendation","title":"Recommendation","text":"

    Consider an Azure Bastion Subnet to allow for out of band remote access to VMs and provide an extra layer of control.

    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureBastionSubnet defined in properties.subnets.

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2023-05-01\",\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\"10.0.0.0/16\"]\n},\n\"subnets\": [\n{\n\"name\": \"GatewaySubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.0.0/27\"\n}\n},\n{\n\"name\": \"AzureBastionSubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.64/26\"\n}\n}\n]\n}\n}\n

    To deploy Virtual Networks with a subnet sub-resource that pass this rule:

    • Configure an AzureBastionSubnet sub-resource.

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2023-05-01\",\n\"type\": \"Microsoft.Network/virtualNetworks/subnets\",\n\"name\": \"[format('{0}/{1}', parameters('name'), 'AzureBastionSubnet')]\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.64/26\"\n},\n\"dependsOn\": [\"[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]\"]\n}\n
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureBastionSubnet defined in properties.subnets.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureBastionSubnet'\n        properties: {\n          addressPrefix: '10.0.1.64/26'\n        }\n      }\n    ]\n  }\n}\n

    To deploy Virtual Networks with a subnet sub-resource that pass this rule:

    • Configure an AzureBastionSubnet sub-resource.

    For example:

    Azure Bicep snippet
    resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {\n  name: 'AzureBastionSubnet'\n  parent: vnet\n  properties: {\n    addressPrefix: '10.0.1.64/26'\n  }\n}\n
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.BastionSubnet/#links","title":"Links","text":"
    • Best practices
    • Plan for virtual machine remote access
    • Hub-spoke network topology in Azure
    • What is Azure Bastion?
    • Azure VNET deployment reference
    • Azure subnet deployment reference
    ","tags":["Azure.VNET.BastionSubnet","AZR-000314"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/","title":"Configure VNETs with a AzureFirewallSubnet subnet","text":"Azure.VNET.FirewallSubnetAZR-000322Error

    Security \u00b7 Virtual Network \u00b7 Rule \u00b7 2022_12

    Use Azure Firewall to filter network traffic to and from Azure resources.

    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#description","title":"Description","text":"

    Network segmentation is a key component of a secure network architecture. Azure provides several features that work together to provide strong network segmentation controls.

    Azure Firewall is a cloud native stateful Firewall as a service. It can be used to perform deep packet inspection on both east-west and north-south traffic. Firewalls rules can be defined as policies and centrally managed.

    Some key advantages that Azure Firewall has over traditional solutions include:

    • Azure Firewall integrates directly with Virtual Network (VNET) and subnet level security. Supports Azure concepts that minimize the need for complex network configuration such as service/ FQDN tags and load balancing.
    • Managed by Azure, there is no need to deploy additional management infrastructure or consoles.
    • Built-in support for Infrastructure as Code (IaC), version control, and DevOps.

    For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).

    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#recommendation","title":"Recommendation","text":"

    Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.

    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#examples","title":"Examples","text":"","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureFirewallSubnet defined in properties.subnets.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"subnets\": [\n{\n\"name\": \"GatewaySubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.0.0/27\"\n}\n},\n{\n\"name\": \"AzureFirewallSubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.0/26\"\n}\n}\n]\n}\n}\n
    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Configure an AzureFirewallSubnet defined in properties.subnets.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/27'\n        }\n      }\n      {\n        name: 'AzureFirewallSubnet'\n        properties: {\n          addressPrefix: '10.0.1.0/26'\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.FirewallSubnet/#links","title":"Links","text":"
    • Azure features for segmentation
    • Hub-spoke network topology in Azure
    • Define an Azure network topology
    • What is Azure Firewall?
    • Azure VNET deployment reference
    • Azure subnet deployment reference
    ","tags":["Azure.VNET.FirewallSubnet","AZR-000322"]},{"location":"en/rules/Azure.VNET.LocalDNS/","title":"Use local DNS servers","text":"Azure.VNET.LocalDNSAZR-000265Error

    Reliability \u00b7 Virtual Network \u00b7 Rule \u00b7 2020_06

    Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.

    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#description","title":"Description","text":"

    Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.

    When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.

    Avoid taking a dependency on external DNS servers for local communication such as those deployed on-premises. This can be achieved by using DNS services deployed into the same Azure region.

    Where possible consider deploying:

    • Azure DNS Private Resolver.
    • Azure Private DNS Zones.

    Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.

    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#recommendation","title":"Recommendation","text":"

    Consider deploying redundant DNS services within a connected Azure VNET.

    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to an IP address within the same or peered network within Azure. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"dhcpOptions\": {\n\"dnsServers\": [\n\"10.0.1.4\",\n\"10.0.1.5\"\n]\n}\n}\n}\n
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to an IP address within the same or peered network within Azure. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure (in-flight).

    When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:

    • Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
    • Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.

    When you do this, this rule may report a false positive by default. If you are using this configuration, we recommend you set the configuration option AZURE_VNET_DNS_WITH_IDENTITY to true.

    For example:

    configuration:\nAZURE_VNET_DNS_WITH_IDENTITY: true\n
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.LocalDNS/#links","title":"Links","text":"
    • Understand the impact of dependencies
    • Hub-spoke network topology in Azure
    • Azure landing zone conceptual architecture
    • What is Azure DNS Private Resolver?
    • What is Azure Private DNS?
    • Azure deployment reference
    ","tags":["Azure.VNET.LocalDNS","AZR-000265"]},{"location":"en/rules/Azure.VNET.Name/","title":"Use valid VNET names","text":"Azure.VNET.NameAZR-000268Error

    Operational Excellence \u00b7 Virtual Network \u00b7 Rule \u00b7 2020_06

    Virtual Network (VNET) names should meet naming requirements.

    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Virtual Network names are:

    • Between 2 and 64 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VNET names must be unique within a resource group.
    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Virtual Network naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#notes","title":"Notes","text":"

    This rule does not check if Virtual Network names are unique.

    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.VNET.Name","AZR-000268"]},{"location":"en/rules/Azure.VNET.PeerState/","title":"VNET peer is not connected","text":"Azure.VNET.PeerStateAZR-000266Error

    Operational Excellence \u00b7 Virtual Network \u00b7 Rule \u00b7 2020_06

    VNET peering connections must be connected.

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#description","title":"Description","text":"

    When peering virtual networks, a peering connection must be established from both virtual networks. Only once both peering connections are in the Connected state will traffic be allowed to flow between the virtual networks.

    Connections in the Initiated or Disconnected state should be investigated to determine if the connection is required. When the connection is no longer required, it should be removed to prevent confusion during management and monitoring operations.

    Most customers will use a hub and spoke topology to connect virtual networks. For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#recommendation","title":"Recommendation","text":"

    Consider removing peering connections that are not longer required or complete peering connections.

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#examples","title":"Examples","text":"","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual networks that pass this rule:

    • Create a peering connection from the spoke to the hub. AND
    • Create a peering connection from the hub to the spoke.

    For example a peering connection from a spoke to a hub:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[format('{0}/{1}', parameters('spokeName'), format('peer-to-{0}', parameters('hubName')))]\",\n\"properties\": {\n\"remoteVirtualNetwork\": {\n\"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('hubName'))]\"\n},\n\"allowVirtualNetworkAccess\": true,\n\"allowForwardedTraffic\": true,\n\"allowGatewayTransit\": false,\n\"useRemoteGateways\": true\n}\n}\n

    For example a peering connection from a hub to a spoke:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[format('{0}/{1}', parameters('hubName'), format('peer-to-{0}', parameters('spokeName')))]\",\n\"properties\": {\n\"remoteVirtualNetwork\": {\n\"id\": \"[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeName'))]\"\n},\n\"allowVirtualNetworkAccess\": true,\n\"allowForwardedTraffic\": false,\n\"allowGatewayTransit\": true,\n\"useRemoteGateways\": false\n}\n}\n
    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual networks that pass this rule:

    • Create a peering connection from the spoke to the hub. AND
    • Create a peering connection from the hub to the spoke.

    For example a peering connection from a spoke to a hub:

    Azure Bicep snippet
    resource toHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: spoke\n  name: 'peer-to-${hub.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: hub.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: true\n    allowGatewayTransit: false\n    useRemoteGateways: true\n  }\n}\n

    For example a peering connection from a hub to a spoke:

    Azure Bicep snippet
    resource toSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {\n  parent: hub\n  name: 'peer-to-${spoke.name}'\n  properties: {\n    remoteVirtualNetwork: {\n      id: spoke.id\n    }\n    allowVirtualNetworkAccess: true\n    allowForwardedTraffic: false\n    allowGatewayTransit: true\n    useRemoteGateways: false\n  }\n}\n
    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#notes","title":"Notes","text":"

    This rule applies when analyzing resources deployed to Azure (in-flight).

    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.PeerState/#links","title":"Links","text":"
    • Monitoring operations of cloud applications
    • Virtual network peering
    • Create, change, or delete a virtual network peering
    • Networking limits
    • Hub-spoke network topology in Azure
    • Define an Azure network topology
    • Azure VNET deployment reference
    • Azure VNET peering deployment reference
    ","tags":["Azure.VNET.PeerState","AZR-000266"]},{"location":"en/rules/Azure.VNET.SingleDNS/","title":"Use redundant DNS servers","text":"Azure.VNET.SingleDNSAZR-000264Error

    Reliability \u00b7 Virtual Network \u00b7 Rule \u00b7 2020_06

    Virtual networks (VNETs) should have at least two DNS servers assigned.

    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#description","title":"Description","text":"

    Virtual networks (VNETs) should have at least two (2) DNS servers assigned. Using a single DNS server may indicate a single point of failure where the DNS IP address is not load balanced.

    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#recommendation","title":"Recommendation","text":"

    Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.

    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#examples","title":"Examples","text":"","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to at least two DNS server addresses. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"dhcpOptions\": {\n\"dnsServers\": [\n\"10.0.1.4\",\n\"10.0.1.5\"\n]\n}\n}\n}\n
    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy Virtual Networks that pass this rule:

    • Set properties.dhcpOptions.dnsServers to at least two DNS server addresses. OR
    • Use the default Azure DNS servers.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n  }\n}\n
    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SingleDNS/#links","title":"Links","text":"
    • Understand the impact of dependencies
    • Hub-spoke network topology in Azure
    • Azure landing zone conceptual architecture
    • Azure deployment reference
    ","tags":["Azure.VNET.SingleDNS","AZR-000264"]},{"location":"en/rules/Azure.VNET.SubnetName/","title":"Use valid subnet names","text":"Azure.VNET.SubnetNameAZR-000267Error

    Operational Excellence \u00b7 Virtual Network \u00b7 Rule \u00b7 2020_06

    Subnet names should meet naming requirements.

    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for Route table names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Subnet names must be unique within a virtual network.
    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet subnet naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#notes","title":"Notes","text":"

    This rule does not check if subnet names are unique.

    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.SubnetName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    ","tags":["Azure.VNET.SubnetName","AZR-000267"]},{"location":"en/rules/Azure.VNET.UseNSGs/","title":"Use NSGs on subnets","text":"Azure.VNET.UseNSGsAZR-000263Error

    Security \u00b7 Virtual Network \u00b7 Rule \u00b7 2020_06

    Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.

    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#description","title":"Description","text":"

    Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGS is that they provide network segmentation between and within a subnet.

    NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.

    There is a small subset of special purpose subnets that do not support NSGs. These subnets are:

    • GatewaySubnet - used for hybrid connectivity with VPN and ExpressRoute gateways.
    • AzureFirewallSubnet and AzureFirewallManagementSubnet - are for Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
    • RouteServerSubnet - used by managed routing provided by Azure Route Server.
    • Any subnet delegated to a dedicated HSM with Microsoft.HardwareSecurityModules/dedicatedHSMs.
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#recommendation","title":"Recommendation","text":"

    Consider assigning a network security group (NSG) to each virtual network subnet.

    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#examples","title":"Examples","text":"","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy virtual networks subnets that pass this rule:

    • Set the properties.networkSecurityGroup.id property for each supported subnet to a NSG resource id.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Network/virtualNetworks\",\n\"apiVersion\": \"2023-05-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"properties\": {\n\"addressSpace\": {\n\"addressPrefixes\": [\n\"10.0.0.0/16\"\n]\n},\n\"dhcpOptions\": {\n\"dnsServers\": [\n\"10.0.1.4\",\n\"10.0.1.5\"\n]\n},\n\"subnets\": [\n{\n\"name\": \"GatewaySubnet\",\n\"properties\": {\n\"addressPrefix\": \"10.0.0.0/24\"\n}\n},\n{\n\"name\": \"snet-001\",\n\"properties\": {\n\"addressPrefix\": \"10.0.1.0/24\",\n\"networkSecurityGroup\": {\n\"id\": \"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n}\n}\n}\n]\n},\n\"dependsOn\": [\n\"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]\"\n]\n}\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy virtual network subnets that pass this rule:

    • Set the properties.networkSecurityGroup.id property for each supported subnet to a NSG resource id.

    For example:

    Azure Bicep snippet
    resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {\n  name: name\n  location: location\n  properties: {\n    addressSpace: {\n      addressPrefixes: [\n        '10.0.0.0/16'\n      ]\n    }\n    dhcpOptions: {\n      dnsServers: [\n        '10.0.1.4'\n        '10.0.1.5'\n      ]\n    }\n    subnets: [\n      {\n        name: 'GatewaySubnet'\n        properties: {\n          addressPrefix: '10.0.0.0/24'\n        }\n      }\n      {\n        name: 'snet-001'\n        properties: {\n          addressPrefix: '10.0.1.0/24'\n          networkSecurityGroup: {\n            id: nsg.id\n          }\n        }\n      }\n    ]\n  }\n}\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-cli","title":"Configure with Azure CLI","text":"Azure CLI snippet
    az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>`\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#configure-with-azure-powershell","title":"Configure with Azure PowerShell","text":"Azure PowerShell snippet
    $vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'\n$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'\nSet-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg\n
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNET.UseNSGs/#links","title":"Links","text":"
    • Implement network segmentation patterns on Azure
    • Network Security Best Practices
    • Azure Firewall FAQ
    • Forced tunneling configuration
    • Azure Route Server FAQ
    • Azure Dedicated HSM networking
    • Azure VNET deployment reference
    • Azure NSG deployment reference
    ","tags":["Azure.VNET.UseNSGs","AZR-000263"]},{"location":"en/rules/Azure.VNG.ConnectionName/","title":"Use valid connection names","text":"Azure.VNG.ConnectionNameAZR-000275Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2020_06

    Virtual Network Gateway (VNG) connection names should meet naming requirements.

    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for connection names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • Connection names must be unique within a resource group.
    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#recommendation","title":"Recommendation","text":"

    Consider using names that meet connection naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#notes","title":"Notes","text":"

    This rule does not check if connection names are unique.

    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ConnectionName/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.VNG.ConnectionName","AZR-000275"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/","title":"Use availability zone SKU for ExpressRoute gateways","text":"Azure.VNG.ERAvailabilityZoneSKUAZR-000273Error

    Reliability \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2021_12

    Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#description","title":"Description","text":"

    ExpressRoute gateways can be deployed in Availability Zones with the following SKUs:

    • ErGw1AZ
    • ErGw2AZ
    • ErGw3AZ

    This brings resiliency, scalability, and higher availability to ExpressRoute gateways. Deploying ExpressRoute gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"

    Consider deploying ExpressRoute gateways with an availability zone SKU to improve reliability of virtual network gateways.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#notes","title":"Notes","text":"

    ExpressRoute gateway availability zones are managed via Public IP addresses, and are flagged separately under the Azure.PublicIP.AvailabilityZone rule.

    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure an AZ SKU for an ExpressRoute gateway:

    • Set properties.gatewayType to 'ExpressRoute'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'ErGw1AZ'
      • 'ErGw2AZ'
      • 'ErGw3AZ'

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/virtualNetworkGateways\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [\n\"[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]\"\n],\n\"tags\": {},\n\"properties\": {\n\"gatewayType\": \"ExpressRoute\",\n\"ipConfigurations\": [\n{\n\"name\": \"default\",\n\"properties\": {\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"[parameters('subnetId')]\"\n},\n\"publicIpAddress\": {\n\"id\": \"[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]\"\n}\n}\n}\n],\n\"vpnType\": \"[parameters('vpnType')]\",\n\"vpnGatewayGeneration\": \"[parameters('vpnGatewayGeneration')]\",\n\"sku\": {\n\"name\": \"ErGw1AZ\",\n\"tier\": \"ErGw1AZ\"\n}\n}\n}\n
    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure an AZ SKU for an ExpressRoute gateway:

    • Set properties.gatewayType to 'ExpressRoute'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'ErGw1AZ'
      • 'ErGw2AZ'
      • 'ErGw3AZ'

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {\n  name: name\n  location: location\n  tags: {}\n  properties: {\n    gatewayType: 'ExpressRoute'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)\n          }\n        }\n      }\n    ]\n    vpnType: vpnType\n    vpnGatewayGeneration: vpnGatewayGeneration\n    sku: {\n      name: 'ErGw1AZ'\n      tier: 'ErGw1AZ'\n    }\n  }\n  dependsOn: [\n    newPublicIpAddressName_resource\n  ]\n}\n
    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERAvailabilityZoneSKU/#links","title":"Links","text":"
    • Azure deployment reference
    • About zone-redundant virtual network gateways in Azure Availability Zones
    • ExpressRoute gateway SKUs
    • Use zone-aware services
    ","tags":["Azure.VNG.ERAvailabilityZoneSKU","AZR-000273"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/","title":"Migrate from legacy ER gateway SKUs","text":"Azure.VNG.ERLegacySKUAZR-000271Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2020_06

    Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways.

    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#description","title":"Description","text":"

    When deploying a ER gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.

    • Basic
    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#recommendation","title":"Recommendation","text":"

    Consider redeploying ER gateways using new SKUs to improve reliability and performance of gateways.

    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.ERLegacySKU/#links","title":"Links","text":"
    • Estimated performances by gateway SKU
    • Azure deployment reference
    ","tags":["Azure.VNG.ERLegacySKU","AZR-000271"]},{"location":"en/rules/Azure.VNG.Name/","title":"Use valid VNG names","text":"Azure.VNG.NameAZR-000274Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2020_06

    Virtual Network Gateway (VNG) names should meet naming requirements.

    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for VNG names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • VNG names must be unique within a resource group.
    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Virtual Network Gateway (VNG) naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#notes","title":"Notes","text":"

    This rule does not check if VNG names are unique.

    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Azure deployment reference
    • Recommended abbreviations for Azure resource types
    ","tags":["Azure.VNG.Name","AZR-000274"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/","title":"Use Active-Active VPN gateways","text":"Azure.VNG.VPNActiveActiveAZR-000270Error

    Reliability \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2020_06

    Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime.

    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#description","title":"Description","text":"

    VPN Gateways can be configured as either Active-Passive or Active-Active for Site-to-Site (S2S) connections. When deploying VPN gateways, Azure deploys two instances for high-availability (HA).

    When using an Active-Passive configuration, one instance is designated a standby for failover.

    Gateways configured to use an Active-Active configuration:

    • Establish two IPSEC tunnels, one from each instance per connection.
    • Each instance will load balance network traffic.
    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#recommendation","title":"Recommendation","text":"

    Consider using Active-Active VPN gateways to reduce connectivity downtime during HA failover.

    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#notes","title":"Notes","text":"

    Azure provisions a single instance for Basic (legacy) VPN gateways. As a result, Basic VPN gateways do not support Active-Active connections. To use Active-Active VPN connections, migrate to a gateway configured as VpnGw1 or higher SKU.

    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNActiveActive/#links","title":"Links","text":"
    • Highly Available Cross-Premises and VNet-to-VNet Connectivity
    • Update an existing VPN gateway
    • Azure deployment reference
    ","tags":["Azure.VNG.VPNActiveActive","AZR-000270"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/","title":"Use availability zone SKU for VPN gateways","text":"Azure.VNG.VPNAvailabilityZoneSKUAZR-000272Error

    Reliability \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2021_12

    Use availability zone SKU for virtual network gateways deployed with VPN gateway type.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#description","title":"Description","text":"

    VPN gateways can be deployed in Availability Zones with the following SKUs:

    • VpnGw1AZ
    • VpnGw2AZ
    • VpnGw3AZ
    • VpnGw4AZ
    • VpnGw5AZ

    This brings resiliency, scalability, and higher availability to VPN gateways. Deploying VPN gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#recommendation","title":"Recommendation","text":"

    Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#notes","title":"Notes","text":"

    VPN gateway availability zones are managed via Public IP addresses, and are flagged separately under the Azure.PublicIP.AvailabilityZone rule.

    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#examples","title":"Examples","text":"","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To configure an AZ SKU for a VPN gateway:

    • Set properties.gatewayType to 'Vpn'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'VpnGw1AZ'
      • 'VpnGw2AZ'
      • 'VpnGw3AZ'
      • 'VpnGw4AZ'
      • 'VpnGw5AZ'

    For example:

    Azure Template snippet
    {\n\"apiVersion\": \"2020-11-01\",\n\"name\": \"[parameters('name')]\",\n\"type\": \"Microsoft.Network/virtualNetworkGateways\",\n\"location\": \"[parameters('location')]\",\n\"dependsOn\": [\n\"[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]\"\n],\n\"tags\": {},\n\"properties\": {\n\"gatewayType\": \"Vpn\",\n\"ipConfigurations\": [\n{\n\"name\": \"default\",\n\"properties\": {\n\"privateIPAllocationMethod\": \"Dynamic\",\n\"subnet\": {\n\"id\": \"[parameters('subnetId')]\"\n},\n\"publicIpAddress\": {\n\"id\": \"[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]\"\n}\n}\n}\n],\n\"vpnType\": \"[parameters('vpnType')]\",\n\"vpnGatewayGeneration\": \"[parameters('vpnGatewayGeneration')]\",\n\"sku\": {\n\"name\": \"VpnGw1AZ\",\n\"tier\": \"VpnGw1AZ\"\n}\n}\n}\n
    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#configure-with-bicep","title":"Configure with Bicep","text":"

    To configure an AZ SKU for a VPN gateway:

    • Set properties.gatewayType to 'Vpn'
    • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
      • 'VpnGw1AZ'
      • 'VpnGw2AZ'
      • 'VpnGw3AZ'
      • 'VpnGw4AZ'
      • 'VpnGw5AZ'

    For example:

    Azure Bicep snippet
    resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {\n  name: name\n  location: location\n  tags: {}\n  properties: {\n    gatewayType: 'Vpn'\n    ipConfigurations: [\n      {\n        name: 'default'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: {\n            id: subnetId\n          }\n          publicIPAddress: {\n            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)\n          }\n        }\n      }\n    ]\n    vpnType: vpnType\n    vpnGatewayGeneration: vpnGatewayGeneration\n    sku: {\n      name: 'VpnGw1AZ'\n      tier: 'VpnGw1AZ'\n    }\n  }\n  dependsOn: [\n    newPublicIpAddressName_resource\n  ]\n}\n
    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNAvailabilityZoneSKU/#links","title":"Links","text":"
    • Azure deployment reference
    • About zone-redundant virtual network gateways in Azure Availability Zones
    • VPN gateway SKUs
    • Use zone-aware services
    ","tags":["Azure.VNG.VPNAvailabilityZoneSKU","AZR-000272"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/","title":"Migrate from legacy VPN gateway SKUs","text":"Azure.VNG.VPNLegacySKUAZR-000269Error

    Operational Excellence \u00b7 Virtual Network Gateway \u00b7 Rule \u00b7 2020_06

    Migrate from legacy SKUs to improve reliability and performance of VPN gateways.

    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#description","title":"Description","text":"

    When deploying a VPN gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.

    • Basic
    • Standard
    • HighPerformance
    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#recommendation","title":"Recommendation","text":"

    Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.

    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.VNG.VPNLegacySKU/#links","title":"Links","text":"
    • Change to the new gateway SKUs
    • Azure deployment reference
    ","tags":["Azure.VNG.VPNLegacySKU","AZR-000269"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/","title":"Use managed identities for Web PubSub Services","text":"Azure.WebPubSub.ManagedIdentityAZR-000277Error

    Security \u00b7 Web PubSub Service \u00b7 Rule \u00b7 2022_03

    Configure Web PubSub Services to use managed identities to access Azure resources securely.

    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#description","title":"Description","text":"

    A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

    Using Azure managed identities have the following benefits:

    • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
    • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
    • Managed identities can be used without any additional cost.
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#recommendation","title":"Recommendation","text":"

    Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.

    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/webPubSub\",\n\"apiVersion\": \"2023-02-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set the identity.type to SystemAssigned or UserAssigned.
    • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/webPubSub@2023-02-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.ManagedIdentity/#links","title":"Links","text":"
    • Use identity-based authentication
    • Managed identities for Azure Web PubSub Service
    • IM-1: Use centralized identity and authentication system
    • IM-3: Manage application identities securely and automatically
    • Azure deployment reference
    ","tags":["Azure.WebPubSub.ManagedIdentity","AZR-000277"]},{"location":"en/rules/Azure.WebPubSub.SLA/","title":"Use an SLA for Web PubSub Services","text":"Azure.WebPubSub.SLAAZR-000278Error

    Reliability \u00b7 Web PubSub Service \u00b7 Rule \u00b7 2022_03

    Use SKUs that include an SLA when configuring Web PubSub Services.

    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#description","title":"Description","text":"

    When choosing a SKU for a Web PubSub Service you should consider the SLA that is included in the SKU. Web PubSub Services offer a range of SKU offerings:

    • Free - Are designed for early non-production use and do not include any SLA.
    • Standard - Are designed for production use and include an SLA.
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#recommendation","title":"Recommendation","text":"

    Consider using a Standard SKU that includes an SLA.

    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#examples","title":"Examples","text":"","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-azure-template","title":"Configure with Azure template","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1.

    For example:

    Azure Template snippet
    {\n\"type\": \"Microsoft.SignalRService/webPubSub\",\n\"apiVersion\": \"2021-10-01\",\n\"name\": \"[parameters('name')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Standard_S1\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"disableLocalAuth\": true\n}\n}\n
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#configure-with-bicep","title":"Configure with Bicep","text":"

    To deploy services that pass this rule:

    • Set sku.name to Standard_S1.

    For example:

    Azure Bicep snippet
    resource service 'Microsoft.SignalRService/webPubSub@2021-10-01' = {\n  name: name\n  location: location\n  sku: {\n    name: 'Standard_S1'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    disableLocalAuth: true\n  }\n}\n
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.WebPubSub.SLA/#links","title":"Links","text":"
    • Target and non-functional requirements
    • Azure Web PubSub pricing
    • Azure deployment reference
    ","tags":["Azure.WebPubSub.SLA","AZR-000278"]},{"location":"en/rules/Azure.vWAN.Name/","title":"Use valid vWAN names","text":"Azure.vWAN.NameAZR-000276Error

    Operational Excellence \u00b7 Virtual WAN \u00b7 Rule \u00b7 2021_12

    Virtual WAN (vWAN) names should meet naming requirements.

    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#description","title":"Description","text":"

    When naming Azure resources, resource names must meet service requirements. The requirements for vWAN names are:

    • Between 1 and 80 characters long.
    • Alphanumerics, underscores, periods, and hyphens.
    • Start with alphanumeric.
    • End alphanumeric or underscore.
    • vWAN names must be unique within a resource group.
    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#recommendation","title":"Recommendation","text":"

    Consider using names that meet Virtual WAN (vWAN) naming requirements. Additionally consider naming resources with a standard naming convention.

    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#notes","title":"Notes","text":"

    This rule does not check if vWAN names are unique.

    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/Azure.vWAN.Name/#links","title":"Links","text":"
    • Repeatable infrastructure
    • Naming rules and restrictions for Azure resources
    • Recommended abbreviations for Azure resource types
    • Azure deployment reference
    ","tags":["Azure.vWAN.Name","AZR-000276"]},{"location":"en/rules/module/","title":"Rules by pillar","text":"

    PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.

    "},{"location":"en/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"en/rules/module/#governance","title":"Governance","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"en/rules/module/#optimize","title":"Optimize","text":"Name Synopsis Severity Level Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error"},{"location":"en/rules/module/#pricing-and-billing-model","title":"Pricing and billing model","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"en/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error"},{"location":"en/rules/module/#reports","title":"Reports","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/module/#resource-usage","title":"Resource usage","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. 
Important Error"},{"location":"en/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"en/rules/module/#automation","title":"Automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"en/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"en/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. 
Important Error"},{"location":"en/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning"},{"location":"en/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning"},{"location":"en/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"en/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Error"},{"location":"en/rules/module/#principles_1","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"en/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. 
Awareness Error"},{"location":"en/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. 
Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. 
Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. 
Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. 
Awareness Error"},{"location":"en/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"en/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"en/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"en/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"en/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. 
Important Error"},{"location":"en/rules/module/#design-for-performance-efficiency","title":"Design for performance efficiency","text":"Name Synopsis Severity Level Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"en/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"en/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"en/rules/module/#performance-patterns","title":"Performance patterns","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"en/rules/module/#reliability","title":"Reliability","text":""},{"location":"en/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. 
Important Error"},{"location":"en/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"en/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Error"},{"location":"en/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. 
Important Error"},{"location":"en/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"en/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error"},{"location":"en/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. 
Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"en/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. 
Awareness Error"},{"location":"en/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"en/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"en/rules/module/#security","title":"Security","text":""},{"location":"en/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. 
Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"en/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. 
Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"en/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning"},{"location":"en/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. 
Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"en/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"en/rules/module/#data-flow","title":"Data flow","text":"Name Synopsis Severity Level Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"en/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"en/rules/module/#deployment_1","title":"Deployment","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"en/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"en/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. 
Critical Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error"},{"location":"en/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. 
Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"en/rules/module/#information-protection","title":"Information protection","text":"Name Synopsis Severity Level Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error"},{"location":"en/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"en/rules/module/#logs-and-alerts","title":"Logs and alerts","text":"Name Synopsis Severity Level Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error"},{"location":"en/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"en/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. 
Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"en/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/module/#optimize_1","title":"Optimize","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. 
Important Error"},{"location":"en/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"en/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/module/#security-configuration","title":"Security configuration","text":"Name Synopsis Severity Level Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"en/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. 
Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"en/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"en/rules/resource/","title":"Rules by resource type","text":"

    PSRule for Azure includes the following rules organized by resource type.

    "},{"location":"en/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"en/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. 
Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"en/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"en/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. 
Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"en/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"en/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. 
Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"en/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"en/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. 
Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"en/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"en/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"en/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. 
Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"en/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"en/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. 
Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. 
Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"en/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"en/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. 
Awareness Error"},{"location":"en/rules/resource/#cognitive-search","title":"Cognitive Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"en/rules/resource/#cognitive-services","title":"Cognitive Services","text":"Name Synopsis Severity Level Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error"},{"location":"en/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. 
Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"en/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. 
Important Error"},{"location":"en/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"en/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"en/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"en/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error"},{"location":"en/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. 
Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"en/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"en/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. 
Awareness Error"},{"location":"en/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"en/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"en/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"en/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. 
Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"en/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. 
Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"en/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"en/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. 
Awareness Error"},{"location":"en/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"en/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
Awareness Error"},{"location":"en/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"en/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"en/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"en/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. 
Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"en/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. 
Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"en/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"en/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. 
Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"en/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. 
Awareness Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"en/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"en/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"en/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. 
Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"en/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"en/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"en/selectors/Azure.AppService.IsAPIApp/","title":"Azure.AppService.IsAPIApp","text":"

    Azure App Services API apps.

    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against API apps.

    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsAPIApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsAPIApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsAPIApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsAPIApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsAPIApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsAPIApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsAPIApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/","title":"Azure.AppService.IsFunctionApp","text":"

    Azure App Services function apps.

    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against Azure Functions apps.

    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsFunctionApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsFunctionApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsFunctionApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/","title":"Azure.AppService.IsLogicApp","text":"

    Single tenanted Logic Apps.

    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against Logic Apps with the Standard SKU.

    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsLogicApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsLogicApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsLogicApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsLogicApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsLogicApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsLogicApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsLogicApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsWebApp/","title":"Azure.AppService.IsWebApp","text":"

    Azure App Services web apps.

    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#description","title":"Description","text":"

    Use this selector to filter rules to only run against web apps.

    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsWebApp.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.AppService.IsWebApp\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.AppService.IsWebApp.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.AppService.IsWebApp\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.AppService.IsWebApp/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.AppService.IsWebApp.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.AppService.IsWebApp' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.Resource.SupportsTags/","title":"Azure.Resource.SupportsTags","text":"

    Resources that supports tags.

    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#description","title":"Description","text":"

    Use this selector to filter rules to only run against resources that support tags.

    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.Resource.SupportsTags.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.Resource.SupportsTags\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.Resource.SupportsTags.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.Resource.SupportsTags\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.Resource.SupportsTags/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.Resource.SupportsTags.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.Resource.SupportsTags' {\n# Rule logic goes here\n}\n
    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/","title":"Azure.ServiceBus.IsPremium","text":"

    Azure Service Bus premium namespaces.

    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#description","title":"Description","text":"

    Use this selector to filter rules to only run against premium Service Bus namespaces.

    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#examples","title":"Examples","text":""},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-yaml-based-rules","title":"Configure with YAML-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium.
    ---\n# Synopsis: An example rule.\napiVersion: github.com/microsoft/PSRule/v1\nkind: Rule\nmetadata:\nname: Local.MyRule\nspec:\nwith:\n- PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium\ncondition:\n# Rule logic goes here\n
    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-json-based-rules","title":"Configure with JSON-based rules","text":"
    • Use the with property to set PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium.
    {\n// Synopsis: An example rule.\n\"apiVersion\": \"github.com/microsoft/PSRule/v1\",\n\"kind\": \"Rule\",\n\"metadata\": {\n\"name\": \"Local.MyRule\"\n},\n\"spec\": {\n\"with\": [\n\"PSRule.Rules.Azure\\\\Azure.ServiceBus.IsPremium\"\n],\n\"condition\": {\n// Rule logic goes here\n}\n}\n}\n
    "},{"location":"en/selectors/Azure.ServiceBus.IsPremium/#configure-with-powershell-based-rules","title":"Configure with PowerShell-based rules","text":"
    • Use the -With parameter to set PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium.
    # Synopsis: An example rule.\nRule 'Local.MyRule' -With 'PSRule.Rules.Azure\\Azure.ServiceBus.IsPremium' {\n# Rule logic goes here\n}\n
    "},{"location":"es/asb-v3/","title":"Azure Security Benchmark","text":"

    Azure Security Benchmark (ASB) es un conjunto de controles y recomendaciones que ayudan a mejorar la seguridad de las cargas de trabajo en Azure. Los controles del ASB tambi\u00e9n se asignan a los marcos de la industria, como CIS, PCI-DSS y NIST. Si esta es su primera introduccion a ASB o esta busecano por ayudo a como utilizarlo, refiera a la Introducci\u00f3n a Azure Security Benchmark

    "},{"location":"es/asb-v3/#azure-security-benchmark-v3","title":"Azure Security Benchmark v3","text":"

    Esta es la versi\u00f3n mas reciente del ASB. Las reglas incluidas en PSRule para Azure se han asignado a v3 para que pueda comprender el impacto de las reglas. Esto es particularmente \u00fatil cuando busca comprender c\u00f3mo abordar un requisito de cumplimiento espec\u00edfico de su organizaci\u00f3n.

    Los siguientes controles est\u00e1n incluidos en Azure Security Benchmark v3:

    • Seguridad de red (NS)
    • Administraci\u00f3n de identidades (IM)
    • Acceso con privilegios (PA)
    • Protecci\u00f3n de datos (DP)
    • Administraci\u00f3n de recursos (AM)
    • Registro y detecci\u00f3n de amenazas (LT)
    • Respuesta a incidentes IR)
    • Posici\u00f3n y administraci\u00f3n de vulnerabilidades (PV)
    • Seguridad de los puntos de conexi\u00f3n (ES)
    • Copia de seguridad y recuperaci\u00f3n (BR)
    • Seguridad de DevOps (DS)
    • Gobernanza y estrategia (GS)

    "},{"location":"es/asb-v3/#links","title":"Links","text":"
    • Introducci\u00f3n a los controles de seguridad de Azure (v3)
    "},{"location":"es/rules/","title":"Reference","text":"

    The following rules and features are included in PSRule for Azure.

    Info

    The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.

    "},{"location":"es/rules/#rules","title":"Rules","text":"

    The following rules are included in PSRule for Azure.

    Reference Name Synopsis Release AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA AZR-000005 Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. GA AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. 
GA AZR-000019 Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. GA AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. GA AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Preview AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. 
GA AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. 
GA AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. 
GA AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. 
GA AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. GA AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Front Door. GA AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. 
GA AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. 
GA AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. GA AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. 
GA AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
GA AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000176 Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. GA AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. GA AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. 
GA AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA AZR-000188 Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. GA AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). 
GA AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. 
GA AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. 
GA AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. GA AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA AZR-000257 Azure.VM.NICAttached Network interfaces (NICs) should be attached. GA AZR-000258 Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA AZR-000259 Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. GA AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
GA AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. 
GA AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA AZR-000280 Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. GA AZR-000281 Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. GA AZR-000282 Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. GA AZR-000283 Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. GA AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. GA AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. 
GA AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
GA AZR-000312 Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Preview AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. GA AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA AZR-000315 Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. GA AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. 
GA AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when referencing SecureString or SecureObject parameters. GA AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
GA AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. GA AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. GA AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps to callers within the Container Apps Environment. GA AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA AZR-000364 Azure.ContainerApp.Storage Use Azure Files volume mounts to persist container data. 
GA AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview AZR-000376 Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. GA AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. Preview AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Preview AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. 
GA AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000384 Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Preview AZR-000385 Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Preview AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA AZR-000389 Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. GA AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA AZR-000391 Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Preview AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. 
GA AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA"},{"location":"es/rules/Azure.ACR.AdminUser/","title":"Deshabilitar el usuario administrador para ACR","text":"Azure.ACR.AdminUserAZR-000005Error

    Seguridad \u00b7 Container Registry \u00b7 Rule \u00b7 2020_06

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#sinopsis","title":"Sinopsis","text":"

    Usar identidades de Azure AD en lugar de usar el usuario administrador del registro.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#descripcion","title":"Descripci\u00f3n","text":"

    Azure Container Registry (ACR) incluye una cuenta de usuario administrador incorporada. La cuenta de usuario administrador es una cuenta de usuario \u00fanica con acceso administrativo al registro. Esta cuenta proporciona acceso de usuario \u00fanico para pruebas y desarrollo tempranos. La cuenta de usuario administrador no est\u00e1 dise\u00f1ada para usarse con registros de contenedores de producci\u00f3n.

    En su lugar, utilice el control de acceso basado en roles (RBAC). RBAC se puede usar para delegar permisos de registro a una identidad de Azure AD (AAD).

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere deshabilitar la cuenta de usuario administrador y usar \u00fanicamente la autenticaci\u00f3n basada en identidad para las operaciones del registro.

    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar Container Registries que superen esta regla:

    • Establezca properties.adminUserEnabled en false.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar Container Registries que superen esta regla:

    • Establezca properties.adminUserEnabled en false.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet
    az acr update --admin-enabled false -n '<name>' -g '<resource_group>'\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet
    Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser\n
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.AdminUser/#enlaces","title":"Enlaces","text":"
    • Uso de la autenticaci\u00f3n basada en identidad
    • Autenticaci\u00f3n con un registro de contenedor de Azure
    • Procedimientos recomendados para Azure Container Registry
    • Use la identidad administrada de Azure para autenticarse en Azure Container Registry
    • Roles y permisos de Azure Container Registry
    • \u00bfQu\u00e9 es el control de acceso basado en rol de Azure (RBAC)?
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.AdminUser","AZR-000005"]},{"location":"es/rules/Azure.ACR.ContainerScan/","title":"Examen de im\u00e1genes del registro","text":"Azure.ACR.ContainerScanAZR-000002Error

    Seguridad \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#sinopsis","title":"Sinopsis","text":"

    Habilite el an\u00e1lisis de vulnerabilidades para im\u00e1genes de contenedores.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#descripcion","title":"Descripci\u00f3n","text":"

    Un riesgo potencial con las cargas de trabajo basadas en contenedores son las vulnerabilidades de seguridad sin parches en:

    • Im\u00e1genes base del sistema operativo.
    • Marcos y dependencias de tiempo de ejecuci\u00f3n utilizados por el c\u00f3digo de la aplicaci\u00f3n.

    Es importante adoptar una estrategia para escanear activamente las im\u00e1genes en busca de vulnerabilidades de seguridad. Una opci\u00f3n para escanear im\u00e1genes de contenedores es usar Microsoft Defender para registros de contenedores. Microsoft Defender para registros de contenedores analiza cada imagen de contenedor enviada al registro.

    Microsoft Defender para registros de contenedores analiza las im\u00e1genes insertadas, importadas y extra\u00eddas recientemente. Las im\u00e1genes extra\u00eddas recientemente se vuelven a escanear de forma peri\u00f3dica mientras se hayan extra\u00eddo en los \u00faltimos 30 d\u00edas. Cualquier vulnerabilidad detectada se informa a Microsoft Defender for Cloud.

    Escaneo de vulnerabilidades de im\u00e1genes de contenedores con Microsoft Defender para registros de contenedores:

    • Actualmente solo est\u00e1 disponible para registros ACR alojados en Linux.
    • El registro de contenedores debe ser accesible para Microsoft Defender para registros de contenedores. El acceso a la red no puede estar restringido mediante firewall, puntos de conexi\u00f3n de servicio o puntos de conexi\u00f3n privados; tenga en cuenta que este requisito se contrapone a la recomendaci\u00f3n de la regla Azure.ACR.Firewall de limitar el acceso de red al registro, por lo que debe evaluar ambos requisitos.
    • Solo es compatible con clientes de la nube comercial. Actualmente no se admite en nubes soberanas o nacionales (por ejemplo, gobierno de EE. UU., gobierno de China, etc.).
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar Microsoft Defender para la nube para buscar vulnerabilidades de seguridad en im\u00e1genes de contenedores.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para habilitar el escaneo de im\u00e1genes de contenedores:

    • Establezca pricingTier en Standard para Microsoft Defender para registros de contenedores.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.Security/pricings\",\n\"apiVersion\": \"2018-06-01\",\n\"name\": \"ContainerRegistry\",\n\"properties\": {\n\"pricingTier\": \"Standard\"\n}\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para habilitar el escaneo de im\u00e1genes de contenedores:

    • Establezca pricingTier en Standard para Microsoft Defender para registros de contenedores.

    Por ejemplo:

    Azure Bicep snippet
    resource defenderForContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {\n  name: 'ContainerRegistry'\n  properties: {\n    pricingTier: 'Standard'\n  }\n}\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-cli","title":"Configurar con Azure CLI","text":"Azure CLI snippet
    az security pricing create -n 'ContainerRegistry' --tier 'standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#configurar-con-azure-powershell","title":"Configurar con Azure PowerShell","text":"Azure PowerShell snippet
    Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'\n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContainerScan/#enlaces","title":"Enlaces","text":"
    • Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud
    • Introducci\u00f3n a Microsoft Defender para registros de contenedor
    • Introducci\u00f3n a Microsoft Defender for Containers
    • Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n
    ","tags":["Azure.ACR.ContainerScan","AZR-000002"]},{"location":"es/rules/Azure.ACR.ContentTrust/","title":"Utilice im\u00e1genes de contenedores de confianza","text":"Azure.ACR.ContentTrustAZR-000009Error

    Seguridad \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#sinopsis","title":"Sinopsis","text":"

    Utilice im\u00e1genes de contenedores firmadas por un publicador de im\u00e1genes de confianza.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#descripcion","title":"Descripci\u00f3n","text":"

    La confianza en el contenido de Azure Container Registry (ACR) permite insertar y extraer im\u00e1genes firmadas. Las im\u00e1genes firmadas ofrecen una garant\u00eda adicional de que se han creado desde un origen de confianza. Para habilitar la confianza en el contenido, el registro de contenedores debe usar la SKU Premium.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere habilitar la confianza en el contenido en registros y clientes, y firmar las im\u00e1genes de contenedores.

    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.policies.trustPolicy.status en enabled.
    • Establezca properties.policies.trustPolicy.type en Notary.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.policies.trustPolicy.status en enabled.
    • Establezca properties.policies.trustPolicy.type en Notary.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.ContentTrust/#enlaces","title":"Enlaces","text":"
    • Confianza en el contenido en Azure Container Registry
    • Content trust in Docker
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.ContentTrust","AZR-000009"]},{"location":"es/rules/Azure.ACR.GeoReplica/","title":"Geo-replicar im\u00e1genes de contenedores","text":"Azure.ACR.GeoReplicaAZR-000004Error

    Confiabilidad \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#sinopsis","title":"Sinopsis","text":"

    Utilice registros de contenedores replicados geogr\u00e1ficamente para complementar las implementaciones de contenedores en varias regiones.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#descripcion","title":"Descripci\u00f3n","text":"

    Un registro de contenedor se almacena y mantiene de forma predeterminada en una sola regi\u00f3n. Opcionalmente, se puede habilitar la replicaci\u00f3n geogr\u00e1fica en una o m\u00e1s regiones adicionales.

    Los registros de contenedores de replicaci\u00f3n geogr\u00e1fica brindan los siguientes beneficios:

    • Los nombres \u00fanicos de registros/im\u00e1genes/etiquetas se pueden usar en m\u00faltiples regiones.
    • El acceso a un registro cercano en la red, dentro de la misma regi\u00f3n, reduce la latencia.
    • Como las im\u00e1genes se extraen de un registro replicado local, cada extracci\u00f3n no genera costos de salida adicionales.
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar un registro de contenedor replicado geogr\u00e1ficamente para implementaciones en varias regiones.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:

    • Establezca sku.name a Premium (necesario para la replicaci\u00f3n geogr\u00e1fica).
    • Agregue el recurso secundario replications con location establecida en la regi\u00f3n a la que desea replicar.

    Por ejemplo:

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"_generator\": {\n\"name\": \"bicep\",\n\"version\": \"0.5.6.12127\",\n\"templateHash\": \"12610175857982700190\"\n}\n},\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"acrAdminUserEnabled\": {\n\"type\": \"bool\",\n\"defaultValue\": false,\n\"metadata\": {\n\"description\": \"Enable admin user that has push / pull permission to the registry.\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\"Premium\"],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry. 
Geo-replication requires Premium SKU.\"\n}\n},\n\"acrReplicaLocation\": {\n\"type\": \"string\",\n\"metadata\": {\n\"description\": \"Short name for registry replica location.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n},\n\"properties\": {\n\"adminUserEnabled\": \"[parameters('acrAdminUserEnabled')]\"\n}\n},\n{\n\"type\": \"Microsoft.ContainerRegistry/registries/replications\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[format('{0}/{1}', parameters('acrName'), parameters('acrReplicaLocation'))]\",\n\"location\": \"[parameters('acrReplicaLocation')]\",\n\"properties\": {},\n\"dependsOn\": [\n\"[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]\"\n]\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para habilitar la replicaci\u00f3n geogr\u00e1fica para registros de contenedores que pasan esta regla:

    • Establezca sku.name a Premium (necesario para la replicaci\u00f3n geogr\u00e1fica).
    • Agregue el recurso secundario replications con location establecida en la regi\u00f3n a la que desea replicar.

    Por ejemplo:

    Azure Bicep snippet
    resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n  properties: {\n    adminUserEnabled: acrAdminUserEnabled\n  }\n}\n\nresource containerRegistryReplica 'Microsoft.ContainerRegistry/registries/replications@2019-12-01-preview' = {\n  parent: containerRegistry\n  name: '${acrReplicaLocation}'\n  location: acrReplicaLocation\n  properties: {\n  }\n}\n
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.GeoReplica/#elaces","title":"Elaces","text":"
    • Resistencia y dependencias
    • Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones
    • Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry
    • Tutorial: Preparar un registro de contenedor de Azure con replicaci\u00f3n geogr\u00e1fica
    ","tags":["Azure.ACR.GeoReplica","AZR-000004"]},{"location":"es/rules/Azure.ACR.ImageHealth/","title":"Eliminar im\u00e1genes de contenedores vulnerables","text":"Azure.ACR.ImageHealthAZR-000003Error

    Seguridad \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#sinopsis","title":"Sinopsis","text":"

    Eliminar im\u00e1genes de contenedores con vulnerabilidades conocidas.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#descripcion","title":"Descripci\u00f3n","text":"

    Cuando Microsoft Defender para registros de contenedores est\u00e1 habilitado, Microsoft Defender analiza las im\u00e1genes de contenedores. Las im\u00e1genes de contenedores se escanean en busca de vulnerabilidades conocidas y se marcan como saludables o no saludables. No se deben utilizar im\u00e1genes de contenedores vulnerables.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar la eliminaci\u00f3n de im\u00e1genes de contenedores con vulnerabilidades conocidas.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.ImageHealth/#enlaces","title":"Enlaces","text":"
    • Recomendaciones de revisi\u00f3n y correcci\u00f3n
    • Introducci\u00f3n a Microsoft Defender para registros de contenedor
    • Introducci\u00f3n a Microsoft Defender for Containers
    • Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n
    ","tags":["Azure.ACR.ImageHealth","AZR-000003"]},{"location":"es/rules/Azure.ACR.MinSku/","title":"Utilice el SKU de producci\u00f3n de ACR","text":"Azure.ACR.MinSkuAZR-000006Error

    Confiabilidad \u00b7 Container Registry \u00b7 Rule \u00b7 2020_06

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#sinopsis","title":"Sinopsis","text":"

    ACR debe usar el SKU Premium o Est\u00e1ndar para las implementaciones de producci\u00f3n.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#descripcion","title":"Descripci\u00f3n","text":"

    Azure Container Registry (ACR) proporciona una gama de diferentes niveles de servicio (tambi\u00e9n conocidos como SKU). Estos niveles de servicio proporcionan diferentes niveles de rendimiento y caracter\u00edsticas.

    Hay tres niveles de servicio disponibles: B\u00e1sico, Est\u00e1ndar y Premium. Los registros de contenedores b\u00e1sicos solo se recomiendan para implementaciones que no sean de producci\u00f3n. Utilice un m\u00ednimo de Est\u00e1ndar para registros de contenedores de producci\u00f3n.

    El SKU Premium proporciona un mayor rendimiento de im\u00e1genes y almacenamiento incluido, y es necesario para:

    • Geo-replicaci\u00f3n
    • Zonas de disponibilidad
    • Puntos de conexi\u00f3n privados
    • Restricciones de firewall
    • Tokens y mapas de alcance
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar el SKU de Premium de registros de contenedores para implementaciones de producci\u00f3n.

    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca sku.name a Premium o Standard.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca sku.name a Premium o Standard.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.MinSku/#elaces","title":"Elaces","text":"
    • Requisitos no funcionales y de destino
    • Niveles del servicio Azure Container Registry
    • Replicaci\u00f3n geogr\u00e1fica en Azure Container Registry
    • Implementaci\u00f3n de la replicaci\u00f3n geogr\u00e1fica en varias regiones
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.MinSku","AZR-000006"]},{"location":"es/rules/Azure.ACR.Name/","title":"Utilice nombres de registro v\u00e1lidos","text":"Azure.ACR.NameAZR-000007Error

    Excelencia operativa \u00b7 Container Registry \u00b7 Rule \u00b7 2020_06

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#sinopsis","title":"Sinopsis","text":"

    Los nombres de registro de contenedores deben cumplir con los requisitos de denominaci\u00f3n.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#descripcion","title":"Descripci\u00f3n","text":"

    Al nombrar los recursos de Azure, los nombres de los recursos deben cumplir con los requisitos del servicio. Los requisitos para los nombres de registro de contenedores son:

    • Entre 5 y 50 caracteres de longitud.
    • Alfanum\u00e9ricos.
    • Los nombres de registros de contenedores deben ser \u00fanicos a nivel mundial.
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere usar nombres que cumplan con los requisitos de nombres del registro de contenedores. Adem\u00e1s, considere nombrar recursos con una convenci\u00f3n de nomenclatura est\u00e1ndar.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Puede asegurarse de que el par\u00e1metro acrName cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros MinLength y maxLength. Tambi\u00e9n puede usar una funci\u00f3n uniqueString() para asegurarse de que el nombre sea globalmente \u00fanico.

    Por ejemplo

    Azure Template snippet
    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"parameters\": {\n\"acrName\": {\n\"type\": \"string\",\n\"defaultValue\": \"[format('acr{0}', uniqueString(resourceGroup().id))]\",\n\"maxLength\": 50,\n\"minLength\": 5,\n\"metadata\": {\n\"description\": \"Globally unique name of your Azure Container Registry\"\n}\n},\n\"location\": {\n\"type\": \"string\",\n\"defaultValue\": \"[resourceGroup().location]\",\n\"metadata\": {\n\"description\": \"Location for registry home replica.\"\n}\n},\n\"acrSku\": {\n\"type\": \"string\",\n\"defaultValue\": \"Premium\",\n\"allowedValues\": [\n\"Standard\"\n\"Premium\"\n],\n\"metadata\": {\n\"description\": \"Tier of your Azure Container Registry.\"\n}\n}\n},\n\"resources\": [\n{\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2019-12-01-preview\",\n\"name\": \"[parameters('acrName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"[parameters('acrSku')]\"\n},\n\"tags\": {\n\"displayName\": \"Container Registry\",\n\"container.registry\": \"[parameters('acrName')]\"\n}\n}\n],\n\"outputs\": {\n\"acrLoginServer\": {\n\"type\": \"string\",\n\"value\": \"[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]\"\n}\n}\n}\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Puede asegurarse de que el par\u00e1metro acrName cumpla con los requisitos de nomenclatura utilizando las propiedades de los par\u00e1metros MinLength y maxLength. Tambi\u00e9n puede usar una funci\u00f3n uniqueString() para asegurarse de que el nombre sea globalmente \u00fanico.

    Por ejemplo:

    Azure Bicep snippet
    @description('Globally unique name of your Azure Container Registry')\n@minLength(5)\n@maxLength(50)\nparam acrName string = 'acr${uniqueString(resourceGroup().id)}'\n\n@description('Location for registry home replica.')\nparam location string = resourceGroup().location\n\n@description('Tier of your Azure Container Registry. Geo-replication requires Premium SKU.')\n@allowed([\n  'Standard'\n  'Premium'\n])\nparam acrSku string = 'Premium'\n\nresource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-12-01-preview' = {\n  name: acrName\n  location: location\n  sku: {\n    name: acrSku\n  }\n  tags: {\n    displayName: 'Container Registry'\n    'container.registry': acrName\n  }\n}\n\noutput acrLoginServer string = containerRegistry.properties.loginServer\n
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#notas","title":"Notas","text":"

    Esta regla no comprueba si los nombres de registro de contenedores son \u00fanicos.

    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Name/#enlaces","title":"Enlaces","text":"
    • Infraestructura repetible
    • Reglas y restricciones de nomenclatura para los recursos de Azure
    • Abreviaturas recomendadas para los tipos de recursos de Azure
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.Name","AZR-000007"]},{"location":"es/rules/Azure.ACR.Quarantine/","title":"Utilice patr\u00f3n de cuarentena de imagen de contenedor","text":"Azure.ACR.QuarantineAZR-000008Error

    Seguridad \u00b7 Container Registry \u00b7 Rule \u00b7 Preview \u00b7 2020_12

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#sinopsis","title":"Sinopsis","text":"

    Habilite la cuarentena de im\u00e1genes de contenedores, escanee y marque im\u00e1genes como verificadas.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#descripcion","title":"Descripci\u00f3n","text":"

    La cuarentena de im\u00e1genes es una opci\u00f3n configurable para Azure Container Registry (ACR). Cuando est\u00e1 habilitado, las im\u00e1genes enviadas al registro del contenedor no est\u00e1n disponibles de forma predeterminada. Cada imagen debe verificarse y marcarse como Aprobada antes de que est\u00e9 disponible para extraer.

    Para verificar im\u00e1genes de contenedores, integre con una herramienta de seguridad externa que admita esta funci\u00f3n.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere configurar una herramienta de seguridad para implementar el patr\u00f3n de cuarentena de im\u00e1genes. Habilite la cuarentena de im\u00e1genes en el registro de contenedores para garantizar que cada imagen se verifique antes de su uso.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.quarantinePolicy.status a enabled.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.quarantinePolicy.status a enabled.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#notas","title":"Notas","text":"

    La cuarentena de im\u00e1genes para Azure Container Registry se encuentra actualmente en versi\u00f3n preliminar.

    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Quarantine/#enlaces","title":"Enlaces","text":"
    • Supervisi\u00f3n de recursos de Azure en Microsoft Defender for Cloud
    • \u00bfC\u00f3mo se habilita la cuarentena autom\u00e1tica de im\u00e1genes para un registro?
    • Patr\u00f3n de cuarentena
    • Proteger las im\u00e1genes y el tiempo de ejecuci\u00f3n
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.Quarantine","AZR-000008"]},{"location":"es/rules/Azure.ACR.Retention/","title":"Configurar directiva de retenci\u00f3n de ACR","text":"Azure.ACR.RetentionAZR-000010Error

    Optimizaci\u00f3n de costos \u00b7 Container Registry \u00b7 Rule \u00b7 Preview \u00b7 2020_12

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#sinopsis","title":"Sinopsis","text":"

    Use una directiva de retenci\u00f3n para limpiar los manifiestos sin etiquetar.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#descripcion","title":"Descripci\u00f3n","text":"

    La directiva de retenci\u00f3n es una opci\u00f3n configurable de Premium Azure Container Registry (ACR). Cuando se configura una directiva de retenci\u00f3n, los manifiestos sin etiquetar en el registro se eliminan autom\u00e1ticamente. Un manifiesto no est\u00e1 etiquetado cuando se env\u00eda una imagen m\u00e1s reciente con la misma etiqueta. es decir, lo \u00faltimo.

    La directiva de retenci\u00f3n (en d\u00edas) se puede establecer en 0-365. El valor predeterminado es 7 d\u00edas.

    Para configurar una directiva de retenci\u00f3n, el registro del contenedor debe usar una SKU Premium.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere habilitar una directiva de retenci\u00f3n para manifiestos sin etiquetar.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#ejemplos","title":"Ejemplos","text":"","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-plantilla-de-arm","title":"Configurar con plantilla de ARM","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.retentionPolicy.status a enabled.

    Por ejemplo:

    Azure Template snippet
    {\n\"type\": \"Microsoft.ContainerRegistry/registries\",\n\"apiVersion\": \"2021-06-01-preview\",\n\"name\": \"[parameters('registryName')]\",\n\"location\": \"[parameters('location')]\",\n\"sku\": {\n\"name\": \"Premium\"\n},\n\"identity\": {\n\"type\": \"SystemAssigned\"\n},\n\"properties\": {\n\"adminUserEnabled\": false,\n\"policies\": {\n\"quarantinePolicy\": {\n\"status\": \"enabled\"\n},\n\"trustPolicy\": {\n\"status\": \"enabled\",\n\"type\": \"Notary\"\n},\n\"retentionPolicy\": {\n\"status\": \"enabled\",\n\"days\": 30\n}\n}\n}\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#configurar-con-bicep","title":"Configurar con Bicep","text":"

    Para implementar registros de contenedores que superen esta regla:

    • Establezca properties.retentionPolicy.status a enabled.

    Por ejemplo:

    Azure Bicep snippet
    resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {\n  name: registryName\n  location: location\n  sku: {\n    name: 'Premium'\n  }\n  identity: {\n    type: 'SystemAssigned'\n  }\n  properties: {\n    adminUserEnabled: false\n    policies: {\n      quarantinePolicy: {\n        status: 'enabled'\n      }\n      trustPolicy: {\n        status: 'enabled'\n        type: 'Notary'\n      }\n      retentionPolicy: {\n        status: 'enabled'\n        days: 30\n      }\n    }\n  }\n}\n
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#notas","title":"Notas","text":"

    Las directivas de retenci\u00f3n para Azure Container Registry est\u00e1n actualmente en versi\u00f3n preliminar.

    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Retention/#enlaces","title":"Enlaces","text":"
    • Almacenamiento escalable
    • Establecimiento de una directiva de retenci\u00f3n para manifiestos sin etiqueta
    • Bloqueo de una imagen de contenedor en una instancia de Azure Container Registry
    • Referencia de implementaci\u00f3n de Azure
    ","tags":["Azure.ACR.Retention","AZR-000010"]},{"location":"es/rules/Azure.ACR.Usage/","title":"Uso del almacenamiento del registro de contenedores","text":"Azure.ACR.UsageAZR-000001Error

    Optimizaci\u00f3n de costos \u00b7 Container Registry \u00b7 Rule \u00b7 2020_12

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#sinopsis","title":"Sinopsis","text":"

    Elimine peri\u00f3dicamente las im\u00e1genes obsoletas e innecesarias para reducir el uso del almacenamiento.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#descripcion","title":"Descripci\u00f3n","text":"

    Cada SKU de ACR tiene una cantidad de almacenamiento incluido. Cuando se excede la cantidad de almacenamiento incluido, se acumulan costos de almacenamiento adicionales por GiB.

    Es una buena pr\u00e1ctica limpiar regularmente las im\u00e1genes hu\u00e9rfanas. Estas im\u00e1genes son el resultado de enviar im\u00e1genes actualizadas con la misma etiqueta.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#recomendacion","title":"Recomendaci\u00f3n","text":"

    Considere eliminar las im\u00e1genes obsoletas e innecesarias para reducir el consumo de almacenamiento. Tambi\u00e9n considere actualizar a Premium SKU para registros b\u00e1sicos o est\u00e1ndar para aumentar el almacenamiento incluido.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#notas","title":"Notas","text":"

    Esta regla se aplica cuando se analizan los recursos implementados en Azure.

    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/Azure.ACR.Usage/#enlaces","title":"Enlaces","text":"
    • Generar informes de costos
    • Niveles del servicio Azure Container Registry
    • Almacenamiento escalable
    • Administraci\u00f3n del tama\u00f1o del registro
    • Eliminaci\u00f3n de im\u00e1genes de contenedor en Azure Container Registry
    ","tags":["Azure.ACR.Usage","AZR-000001"]},{"location":"es/rules/module/","title":"Rules by pillar","text":"

    PSRule for Azure includes the following rules across five pillars of the Microsoft Azure Well-Architected Framework.

    "},{"location":"es/rules/module/#cost-optimization","title":"Cost Optimization","text":""},{"location":"es/rules/module/#governance","title":"Governance","text":"Name Synopsis Severity Level Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error"},{"location":"es/rules/module/#optimize","title":"Optimize","text":"Name Synopsis Severity Level Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error"},{"location":"es/rules/module/#pricing-and-billing-model","title":"Pricing and billing model","text":"Name Synopsis Severity Level Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error"},{"location":"es/rules/module/#principles","title":"Principles","text":"Name Synopsis Severity Level Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error"},{"location":"es/rules/module/#reports","title":"Reports","text":"Name Synopsis Severity Level Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/module/#resource-usage","title":"Resource usage","text":"Name Synopsis Severity Level Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. 
Important Error"},{"location":"es/rules/module/#operational-excellence","title":"Operational Excellence","text":""},{"location":"es/rules/module/#automation","title":"Automation","text":"Name Synopsis Severity Level Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error"},{"location":"es/rules/module/#configuration","title":"Configuration","text":"Name Synopsis Severity Level Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error"},{"location":"es/rules/module/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. 
Important Error"},{"location":"es/rules/module/#infrastructure-provisioning","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning"},{"location":"es/rules/module/#instrumentation","title":"Instrumentation","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning"},{"location":"es/rules/module/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.VNET.PeerState VNET peering connections must be connected. Important Error"},{"location":"es/rules/module/#monitoring","title":"Monitoring","text":"Name Synopsis Severity Level Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important Error Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. 
Important Error"},{"location":"es/rules/module/#principles_1","title":"Principles","text":"Name Synopsis Severity Level Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error"},{"location":"es/rules/module/#release-engineering","title":"Release engineering","text":"Name Synopsis Severity Level Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ResourceLocation Template resource location should be an expression or global. Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. 
Awareness Error"},{"location":"es/rules/module/#repeatable-infrastructure","title":"Repeatable infrastructure","text":"Name Synopsis Severity Level Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness Error Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness Error Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness Error Azure.FrontDoor.Name Front Door names should meet naming requirements. 
Awareness Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. 
Awareness Error Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness Error Azure.Route.Name Route table names should meet naming requirements. Awareness Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. 
Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness Error Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. 
Awareness Error"},{"location":"es/rules/module/#tagging-and-resource-naming","title":"Tagging and resource naming","text":"Name Synopsis Severity Level Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error"},{"location":"es/rules/module/#performance-efficiency","title":"Performance Efficiency","text":""},{"location":"es/rules/module/#application-capacity","title":"Application capacity","text":"Name Synopsis Severity Level Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/module/#application-design","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error"},{"location":"es/rules/module/#application-scalability","title":"Application scalability","text":"Name Synopsis Severity Level Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error"},{"location":"es/rules/module/#design-for-performance","title":"Design for performance","text":"Name Synopsis Severity Level Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. 
Important Error"},{"location":"es/rules/module/#design-for-performance-efficiency","title":"Design for performance efficiency","text":"Name Synopsis Severity Level Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error"},{"location":"es/rules/module/#performance","title":"Performance","text":"Name Synopsis Severity Level Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error"},{"location":"es/rules/module/#performance-efficiency-checklist","title":"Performance efficiency checklist","text":"Name Synopsis Severity Level Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error"},{"location":"es/rules/module/#performance-patterns","title":"Performance patterns","text":"Name Synopsis Severity Level Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error"},{"location":"es/rules/module/#reliability","title":"Reliability","text":""},{"location":"es/rules/module/#application-design_1","title":"Application design","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. 
Important Error"},{"location":"es/rules/module/#availability","title":"Availability","text":"Name Synopsis Severity Level Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/module/#best-practices","title":"Best practices","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error"},{"location":"es/rules/module/#data-management","title":"Data management","text":"Name Synopsis Severity Level Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. 
Important Error"},{"location":"es/rules/module/#design","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. 
Important Error"},{"location":"es/rules/module/#health-modeling","title":"Health modeling","text":"Name Synopsis Severity Level Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error"},{"location":"es/rules/module/#load-balancing-and-failover","title":"Load balancing and failover","text":"Name Synopsis Severity Level Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error"},{"location":"es/rules/module/#reliability-design-principles","title":"Reliability design principles","text":"Name Synopsis Severity Level Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/module/#requirements","title":"Requirements","text":"Name Synopsis Severity Level Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. 
Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"es/rules/module/#resiliency-and-dependencies","title":"Resiliency and dependencies","text":"Name Synopsis Severity Level Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error"},{"location":"es/rules/module/#resource-deployment","title":"Resource deployment","text":"Name Synopsis Severity Level Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. 
Awareness Error"},{"location":"es/rules/module/#scalability","title":"Scalability","text":"Name Synopsis Severity Level Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error"},{"location":"es/rules/module/#target-and-non-functional-requirements","title":"Target and non-functional requirements","text":"Name Synopsis Severity Level Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error"},{"location":"es/rules/module/#security","title":"Security","text":""},{"location":"es/rules/module/#application-endpoints","title":"Application endpoints","text":"Name Synopsis Severity Level Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. 
Important Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error"},{"location":"es/rules/module/#authentication","title":"Authentication","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. 
Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error"},{"location":"es/rules/module/#authorization","title":"Authorization","text":"Name Synopsis Severity Level Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning"},{"location":"es/rules/module/#azure-resources","title":"Azure resources","text":"Name Synopsis Severity Level Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. 
Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error"},{"location":"es/rules/module/#connectivity","title":"Connectivity","text":"Name Synopsis Severity Level Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error"},{"location":"es/rules/module/#data-flow","title":"Data flow","text":"Name Synopsis Severity Level Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"es/rules/module/#data-protection","title":"Data protection","text":"Name Synopsis Severity Level Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.CDN.HTTP Enforce HTTPS for client connections. 
Important Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error"},{"location":"es/rules/module/#deployment_1","title":"Deployment","text":"Name Synopsis Severity Level Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error"},{"location":"es/rules/module/#design_1","title":"Design","text":"Name Synopsis Severity Level Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. 
Important Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error"},{"location":"es/rules/module/#encryption","title":"Encryption","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. 
Critical Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error"},{"location":"es/rules/module/#identity-and-access-management","title":"Identity and access management","text":"Name Synopsis Severity Level Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. 
Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error"},{"location":"es/rules/module/#information-protection","title":"Information protection","text":"Name Synopsis Severity Level Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error"},{"location":"es/rules/module/#infrastructure-provisioning_1","title":"Infrastructure provisioning","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/module/#key-and-secret-management","title":"Key and secret management","text":"Name Synopsis Severity Level Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. 
Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error"},{"location":"es/rules/module/#logs-and-alerts","title":"Logs and alerts","text":"Name Synopsis Severity Level Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error"},{"location":"es/rules/module/#monitor_1","title":"Monitor","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important Error Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important Error Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error"},{"location":"es/rules/module/#network-security-and-containment","title":"Network security and containment","text":"Name Synopsis Severity Level Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. 
Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. 
Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error"},{"location":"es/rules/module/#network-segmentation","title":"Network segmentation","text":"Name Synopsis Severity Level Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/module/#optimize_1","title":"Optimize","text":"Name Synopsis Severity Level Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. 
Important Error"},{"location":"es/rules/module/#review-and-remediate","title":"Review and remediate","text":"Name Synopsis Severity Level Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error"},{"location":"es/rules/module/#secrets","title":"Secrets","text":"Name Synopsis Severity Level Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/module/#security-configuration","title":"Security configuration","text":"Name Synopsis Severity Level Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error"},{"location":"es/rules/module/#security-design-principles","title":"Security design principles","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/module/#security-operations","title":"Security operations","text":"Name Synopsis Severity Level Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. 
Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error"},{"location":"es/rules/module/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error"},{"location":"es/rules/resource/","title":"Rules by resource type","text":"

    PSRule for Azure includes the following rules organized by resource type.

    "},{"location":"es/rules/resource/#all-resources","title":"All resources","text":"Name Synopsis Severity Level Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important Error Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness Error Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness Error Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. Awareness Error Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness Error Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness Error Azure.Template.LocationType Location parameters should use a string value. Important Error Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important Error Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important Error Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important Error Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness Error Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important Error Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness Error Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness Error Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness Error Azure.Template.ResourceLocation Template resource location should be an expression or global. 
Awareness Error Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness Error Azure.Template.TemplateFile Use ARM template files that are valid. Important Error Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness Error Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness Error Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness Information Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness Information Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness Warning Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. Awareness Error Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. Awareness Error Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. Awareness Error"},{"location":"es/rules/resource/#api-management","title":"API Management","text":"Name Synopsis Severity Level Azure.APIM.APIDescriptors API Management APIs should have a display name and description. Awareness Warning Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. Important Error Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important Error Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical Error Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. 
Important Error Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical Error Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important Error Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. Critical Error Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. Important Error Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important Error Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. Important Error Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important Error Azure.APIM.Name API Management service names should meet naming requirements. Awareness Error Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important Error Azure.APIM.ProductApproval Configure products to require approval. Important Error Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness Warning Azure.APIM.ProductSubscription Configure products to require a subscription. Important Error Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important Error Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical Error Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness Error"},{"location":"es/rules/resource/#app-configuration","title":"App Configuration","text":"Name Synopsis Severity Level Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. 
Important Error Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Azure AD identities. Important Error Azure.AppConfig.GeoReplica Consider replication for app configuration store to ensure resiliency to region outages. Important Error Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness Error Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important Error Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important Error"},{"location":"es/rules/resource/#app-service","title":"App Service","text":"Name Synopsis Severity Level Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important Error Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness Error Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness Error Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important Error Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical Error Azure.AppService.NETVersion Configure applications to use newer .NET versions. Important Error Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. Important Error Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important Error Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important Error Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. Important Error Azure.AppService.WebProbe Configure and enable instance health probes. Important Error Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. 
Important Error Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important Error"},{"location":"es/rules/resource/#app-service-environment","title":"App Service Environment","text":"Name Synopsis Severity Level Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important Error"},{"location":"es/rules/resource/#application-gateway","title":"Application Gateway","text":"Name Synopsis Severity Level Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. Important Error Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important Error Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important Error Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important Error Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness Error Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important Error Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical Error Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical Error Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical Error Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical Error Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical Error Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important Error Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. 
Critical Error Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical Error Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#application-insights","title":"Application Insights","text":"Name Synopsis Severity Level Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness Error Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. Important Error"},{"location":"es/rules/resource/#application-security-group","title":"Application Security Group","text":"Name Synopsis Severity Level Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#arc","title":"Arc","text":"Name Synopsis Severity Level Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Important Error Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Important Error"},{"location":"es/rules/resource/#automation-account","title":"Automation Account","text":"Name Synopsis Severity Level Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important Error Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important Error Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important Error Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. 
Important Error Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness Error"},{"location":"es/rules/resource/#azure-cache-for-redis","title":"Azure Cache for Redis","text":"Name Synopsis Severity Level Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important Error Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical Error Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness Error Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important Error Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important Error Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical Error Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical Error Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important Error"},{"location":"es/rules/resource/#azure-cache-for-redis-enterprise","title":"Azure Cache for Redis Enterprise","text":"Name Synopsis Severity Level Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical Error Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important Error"},{"location":"es/rules/resource/#azure-database-for-mariadb","title":"Azure Database for MariaDB","text":"Name Synopsis Severity Level Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. 
Awareness Error Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important Error Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness Error Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important Error Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical Error Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness Error Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical Error Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#azure-database-for-mysql","title":"Azure Database for MySQL","text":"Name Synopsis Severity Level Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Critical Error Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. Important Error Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important Error Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. 
Important Error Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness Error Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important Warning Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical Error"},{"location":"es/rules/resource/#azure-database-for-postgresql","title":"Azure Database for PostgreSQL","text":"Name Synopsis Severity Level Azure.PostgreSQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for PostgreSQL databases. Critical Error Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. Important Error Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important Error Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important Error Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important Error Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical Error Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness Error Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical Error"},{"location":"es/rules/resource/#azure-kubernetes-service","title":"Azure Kubernetes Service","text":"Name Synopsis Severity Level Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. 
Important Error Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important Error Azure.AKS.AutoScaling Use Autoscaling to ensure AKS clusters deployed with virtual machine scale sets are running efficiently with the right number of nodes for the workloads present. Important Error Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important Error Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important Error Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important Error Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important Error Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important Error Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important Error Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important Error Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness Error Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important Warning Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important Error Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important Error Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important Error Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. 
Important Error Azure.AKS.MinNodeCount AKS clusters should have minimum number of nodes for failover and updates. Important Error Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness Error Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. Important Error Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important Error Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important Error Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important Error Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important Error Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important Error Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important Error Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important Error Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important Error Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important Error Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important Error"},{"location":"es/rules/resource/#backup-vault","title":"Backup Vault","text":"Name Synopsis Severity Level Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important Error"},{"location":"es/rules/resource/#bastion","title":"Bastion","text":"Name Synopsis Severity Level Azure.Bastion.Name Bastion hosts should meet naming requirements. 
Awareness Error"},{"location":"es/rules/resource/#cognitive-search","title":"Cognitive Search","text":"Name Synopsis Severity Level Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important Error Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Search.Name Azure Cognitive Search service names should meet naming requirements. Awareness Error Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important Error Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical Error"},{"location":"es/rules/resource/#cognitive-services","title":"Cognitive Services","text":"Name Synopsis Severity Level Azure.Cognitive.DisableLocalAuth Authenticate requests to Cognitive Services with Azure AD identities. Important Error Azure.Cognitive.ManagedIdentity Configure managed identities to access Azure resources. Important Error Azure.Cognitive.PrivateEndpoints Use Private Endpoints to access Cognitive Services accounts. Important Error Azure.Cognitive.PublicAccess Restrict access of Cognitive Services accounts to authorized virtual networks. Important Error"},{"location":"es/rules/resource/#container-app","title":"Container App","text":"Name Synopsis Severity Level Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important Error Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Important Error Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important Error Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important Error Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important Error Azure.ContainerApp.Name Container Apps should meet naming requirements. 
Awareness Error Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important Error Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important Error Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness Error"},{"location":"es/rules/resource/#container-registry","title":"Container Registry","text":"Name Synopsis Severity Level Azure.ACR.AdminUser Use Azure AD identities instead of using the registry admin user. Critical Error Azure.ACR.AnonymousAccess Disable anonymous pull access. Important Error Azure.ACR.ContainerScan Enable vulnerability scanning for container images. Critical Error Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important Error Azure.ACR.Firewall Limit network access of container registries to only trusted clients. Important Error Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. Important Error Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical Error Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important Error Azure.ACR.Name Container registry names should meet naming requirements. Awareness Error Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Important Error Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Important Error Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Important Error Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. 
Important Error"},{"location":"es/rules/resource/#content-delivery-network","title":"Content Delivery Network","text":"Name Synopsis Severity Level Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness Error Azure.CDN.HTTP Enforce HTTPS for client connections. Important Error Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important Error"},{"location":"es/rules/resource/#cosmos-db","title":"Cosmos DB","text":"Name Synopsis Severity Level Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness Error Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. Important Error"},{"location":"es/rules/resource/#data-explorer","title":"Data Explorer","text":"Name Synopsis Severity Level Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important Error Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important Error Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#data-factory","title":"Data Factory","text":"Name Synopsis Severity Level Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness Error"},{"location":"es/rules/resource/#databricks","title":"Databricks","text":"Name Synopsis Severity Level Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical Error"},{"location":"es/rules/resource/#deployment","title":"Deployment","text":"Name Synopsis Severity Level Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. 
Awareness Error Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness Error Azure.Deployment.OuterSecret Do not use Outer deployments when references SecureString or SecureObject parameters. Critical Error Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. Critical Error Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. Critical Error"},{"location":"es/rules/resource/#event-grid","title":"Event Grid","text":"Name Synopsis Severity Level Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important Error Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important Error Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important Error"},{"location":"es/rules/resource/#event-hub","title":"Event Hub","text":"Name Synopsis Severity Level Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Azure AD identities. Important Error Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical Error Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#firewall","title":"Firewall","text":"Name Synopsis Severity Level Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical Error Azure.Firewall.Name Firewall names should meet naming requirements. Awareness Error Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical Error Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. 
Awareness Error"},{"location":"es/rules/resource/#front-door","title":"Front Door","text":"Name Synopsis Severity Level Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important Error Azure.FrontDoor.Logs Audit and monitor access through Front Door. Important Error Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important Error Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical Error Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness Error Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important Error Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important Error Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important Error Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important Error Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important Error Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical Error Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness Error Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical Error Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. 
Avoid configuring rule exclusions. Critical Error Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical Error"},{"location":"es/rules/resource/#iot-hub","title":"IoT Hub","text":"Name Synopsis Severity Level Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical Error"},{"location":"es/rules/resource/#key-vault","title":"Key Vault","text":"Name Synopsis Severity Level Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important Error Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important Error Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important Error Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness Error Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important Error Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness Error Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important Error Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness Warning Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness Error Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important Error"},{"location":"es/rules/resource/#load-balancer","title":"Load Balancer","text":"Name Synopsis Severity Level Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. 
Important Error Azure.LB.Name Load Balancer names should meet naming requirements. Awareness Error Azure.LB.Probe Use a specific probe for web protocols. Important Error Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#logic-app","title":"Logic App","text":"Name Synopsis Severity Level Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical Error"},{"location":"es/rules/resource/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"Name Synopsis Severity Level Azure.Defender.Api Enable Microsoft Defender for APIs. Critical Error Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical Error Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical Error Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical Error Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical Error Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical Error Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical Error Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical Error Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical Error Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical Error Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical Error Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical Error Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Defender.Storage.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. 
Critical Error Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. Important Error Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important Error"},{"location":"es/rules/resource/#monitor","title":"Monitor","text":"Name Synopsis Severity Level Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important Error"},{"location":"es/rules/resource/#network-security-group","title":"Network Security Group","text":"Name Synopsis Severity Level Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness Error Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow \"any\" as an inbound source. Critical Error Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness Error Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. Important Error Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important Error Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#policy","title":"Policy","text":"Name Synopsis Severity Level Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness Error Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness Error Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness Error Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness Error Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. 
Awareness Error"},{"location":"es/rules/resource/#private-endpoint","title":"Private Endpoint","text":"Name Synopsis Severity Level Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#public-ip-address","title":"Public IP address","text":"Name Synopsis Severity Level Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important Error Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness Error Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important Error Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important Error Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness Error Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. Important Error"},{"location":"es/rules/resource/#recovery-services-vault","title":"Recovery Services Vault","text":"Name Synopsis Severity Level Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important Error Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness Error Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important Error Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#resource-group","title":"Resource Group","text":"Name Synopsis Severity Level Azure.ResourceGroup.Name Resource Group names should meet naming requirements. 
Awareness Error"},{"location":"es/rules/resource/#route-table","title":"Route table","text":"Name Synopsis Severity Level Azure.Route.Name Route table names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#service-bus","title":"Service Bus","text":"Name Synopsis Severity Level Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important Error Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Azure AD identities. Important Error Azure.ServiceBus.MinTLS Enforce namespaces to require that clients send and receive data with TLS 1.2 version. Important Error Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important Error"},{"location":"es/rules/resource/#service-fabric","title":"Service Fabric","text":"Name Synopsis Severity Level Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. Critical Error"},{"location":"es/rules/resource/#signalr-service","title":"SignalR Service","text":"Name Synopsis Severity Level Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important Error Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness Error Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important Error"},{"location":"es/rules/resource/#sql-database","title":"SQL Database","text":"Name Synopsis Severity Level Azure.SQL.AAD Use Azure Active Directory (AAD) authentication with Azure SQL databases. Critical Error Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. Important Error Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important Error Azure.SQL.Auditing Enable auditing for Azure SQL logical server. 
Important Error Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness Error Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important Error Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness Error Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). Important Error Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness Error Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical Error Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness Error Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical Error"},{"location":"es/rules/resource/#sql-managed-instance","title":"SQL Managed Instance","text":"Name Synopsis Severity Level Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical Error Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important Error Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important Error Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#storage-account","title":"Storage Account","text":"Name Synopsis Severity Level Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important Error Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important Error Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important Error Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. 
Critical Error Azure.Storage.DefenderCloud.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. Critical Error Azure.Storage.DefenderCloud.SensitiveData Enable sensitive data threat detection in Microsoft Defender for Storage. Critical Error Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important Error Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important Error Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical Error Azure.Storage.Name Storage Account names should meet naming requirements. Awareness Error Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important Error Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important Error Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. Important Error"},{"location":"es/rules/resource/#subscription","title":"Subscription","text":"Name Synopsis Severity Level Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important Error Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important Error Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important Error Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important Error Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important Error Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important Error"},{"location":"es/rules/resource/#traffic-manager","title":"Traffic Manager","text":"Name Synopsis Severity Level Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. 
Important Error Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important Error"},{"location":"es/rules/resource/#user-assigned-managed-identity","title":"User Assigned Managed Identity","text":"Name Synopsis Severity Level Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#virtual-machine","title":"Virtual Machine","text":"Name Synopsis Severity Level Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important Error Azure.VM.ADE Use Azure Disk Encryption (ADE). Important Error Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important Error Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important Error Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important Error Azure.VM.ASName Availability Set names should meet naming requirements. Awareness Error Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important Error Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness Error Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important Error Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important Error Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness Error Azure.VM.DiskSizeAlignment Align to the Managed Disk billing model to improve cost efficiency. Awareness Error Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Important Error Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. 
Awareness Error Azure.VM.NICAttached Network interfaces (NICs) should be attached. Awareness Error Azure.VM.NICName Network Interface (NIC) names should meet naming requirements. Awareness Error Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness Error Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness Error Azure.VM.PublicKey Linux virtual machines should use public keys. Important Error Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important Error Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important Error Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important Error Azure.VM.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness Error Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important Error Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness Error Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important Error"},{"location":"es/rules/resource/#virtual-machine-scale-sets","title":"Virtual Machine Scale Sets","text":"Name Synopsis Severity Level Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data. Important Error Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness Error Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important Error Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. 
Awareness Error Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important Error Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important Error"},{"location":"es/rules/resource/#virtual-network","title":"Virtual Network","text":"Name Synopsis Severity Level Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important Error Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important Error Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important Error Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness Error Azure.VNET.PeerState VNET peering connections must be connected. Important Error Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important Error Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness Error Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical Error"},{"location":"es/rules/resource/#virtual-network-gateway","title":"Virtual Network Gateway","text":"Name Synopsis Severity Level Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness Error Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important Error Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Important Error Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. 
Awareness Error Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important Error Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important Error Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Important Error"},{"location":"es/rules/resource/#virtual-wan","title":"Virtual WAN","text":"Name Synopsis Severity Level Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness Error"},{"location":"es/rules/resource/#web-pubsub-service","title":"Web PubSub Service","text":"Name Synopsis Severity Level Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important Error Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important Error"},{"location":"learn/learn-video-series/","title":"Learn PSRule for Azure series","text":""},{"location":"learn/learn-video-series/#introducing-psrule-for-azure","title":"Introducing PSRule for Azure","text":"

    An introduction to PSRule for Azure and how it relates to the Azure Well-Architected Framework. We also give an quick overview of baselines, handling exceptions, and reporting options.

    "},{"location":"learn/learn-video-series/#getting-started-using-github","title":"Getting started using GitHub","text":"

    Getting started with PSRule for Azure using GitHub. We create a GitHub Actions workflow, enabled expansion, and iterate on Bicep code.

    "},{"location":"learn/official/","title":"Official learning","text":""},{"location":"learn/official/#blog-posts","title":"Blog posts","text":""},{"location":"learn/official/#2022","title":"2022","text":"
    • Visualize Infrastructure as Code Maturity
    • Introduction to Infrastructure As Code (IAC) Testing
    "},{"location":"license-contributing/","title":"License and contributing","text":"

    PSRule for Azure is licensed with an MIT License, which means it's free to use and modify. But please check out the details.

    We open source at Microsoft.

    In addition to our team, we hope you will think about contributing too. Here is how you can get started:

    • Report issues.
    • Upvote existing issues that are important to you.
    • Improve documentation.
    • Contribute code.

    Please read our contributing guidelines and code of conduct to learn how to contribute.

    "},{"location":"license-contributing/hackathons/","title":"Past hackathons","text":""},{"location":"license-contributing/hackathons/#microsoft-global-hackathon-2022","title":"Microsoft Global Hackathon 2022","text":"

    Thanks to the team who made the following contributions during the hackathon:

    • New features:
      • Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
    • New rules:
      • Azure Cache for Redis:
        • Check the number of firewall rules for caches by @jonathanruiz. #544
        • Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
      • App Configuration:
        • Check identity-based authentication is used for configuration stores by @pazdedav. #1691
      • Application Gateway WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Defender for Cloud:
        • Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher. #1632
        • Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher. #1632
      • Front Door WAF:
        • Check policy is enabled by @fbinotto. #1470
        • Check policy uses prevention mode by @fbinotto. #1470
        • Check policy uses managed rule sets by @fbinotto. #1470
        • Check policy does not have any exclusions defined by @fbinotto. #1470
      • Network Security Group:
        • Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
      • Storage Account:
        • Check blob container soft delete is enabled by @pazdedav. #1671
        • Check file share soft delete is enabled by @jonathanruiz. #966
    • Updated rules:
      • Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
        • The following rules have been renamed with aliases:
          • Renamed Azure.SQL.ThreatDetection to Azure.SQL.DefenderCloud.
          • Renamed Azure.SecurityCenter.Contact to Azure.DefenderCloud.Contact.
          • Renamed Azure.SecurityCenter.Provisioning to Azure.DefenderCloud.Provisioning.
        • If you are referencing the old names please consider updating to the new names.
      • Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
    • General improvements:
      • Updated NSG documentation with code snippets and links by @simone-bennett. #1607
      • Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
      • Updated SQL firewall rules documentation by @ms-sambell. #1569
      • Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
      • Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
      • Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
    • Bug fixes:
      • Fixed continue processing policy assignments on error by @BernieWhite. #1651
      • Fixed handling of runtime assessment data by @BernieWhite. #1707
      • Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
    "},{"location":"license-contributing/writing-documentation/","title":"Writing documentation","text":"

    PSRule for Azure contains documentation ranging from conceptual, code examples, to recommendations. All of this documentation is written in markdown, open source, and available for you to contribute to.

    Some of the documentation that you might like to improve includes:

    • Rule recommendations (docs/en/rules/).
    • Scenarios and examples (docs/customization/ and docs/scenarios/).
    • PowerShell cmdlet and conceptual topics (docs/commands/ and docs/concepts/).

    Abstract

    This topic covers contributing documentation in PSRule for Azure.

    "},{"location":"license-contributing/writing-documentation/#rule-help","title":"Rule help","text":"

    PSRule for Azure includes recommendations and expanded documentation with each rule. The recommendations are written in markdown and consumed by PSRule during analysis. This allows us to present easy to read web documentation without writing it separately for anaylsis.

    As a result, PSRule does require rule documentation to be structured in a standard way. We also have standards for the metadata we require, to ensure there is consistency across documentation.

    Some key points for writing rule help:

    • Aligned \u2014 PSRule for Azure is aligned to the Microsoft Azure Well-Architected Framework (WAF).
    • Actionable \u2014 Any recommendations must be clear and actionable. The reader must be able to understand:
      • What has been detected as an issue.
      • Why it is considered an issue.
    • Learn by examples \u2014 For most cases, recommendations should include Azure Bicep and template examples. Optionally CLI or PowerShell command reference may be included. Examples should be as concise as possible.
    • Documentation references \u2014 Each recommendation must include references to the WAF. Additionally consider adding:
      • Links to provide more detail about the service feature.
      • Azure deployment reference.

    Please read our contributing guidelines and code of conduct to learn how to contribute.

    "},{"location":"quickstarts/test-bicep-with-github/","title":"Test a Bicep deployment with GitHub Actions","text":"

    Bicep supports using a parameter file to deploy a module to Azure.

    Abstract

    Learn how to set up your GitHub repository to automatically test Bicep deployments referenced using .bicepparam files.

    "},{"location":"quickstarts/test-bicep-with-github/#before-you-begin","title":"Before you begin","text":"

    This quickstart assumes you have already:

    1. Installed Git locally and created a GitHub account. For more information, see Setup Git and Signing up for a new GitHub account.
    2. Created a GitHub repository and cloned it locally. For more information, see Create a repo and Clone a repo.
    3. Installed an editor or IDE locally to edit your repository files. For more information, see Visual Studio Code.

    "},{"location":"quickstarts/test-bicep-with-github/#add-a-sample-bicep-deployment","title":"Add a sample Bicep deployment","text":"

    If you don't already have a Bicep deployment in your repository, add a sample deployment.

    1. In the root of your repository, create a new folder called deployments.
    2. In the deployments folder, create a new file called dev.bicepparam.
    3. In the deployments folder, create a new file called main.bicep.
    Example parameter file deployments/dev.bicepparam
    using 'main.bicep'\n\nparam environment = 'dev'\nparam name = 'kv-example-001'\nparam defaultAction = 'Deny'\nparam workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-001'\n
    Example deployment module deployments/main.bicep
    targetScope = 'resourceGroup'\n\nparam name string\nparam location string = resourceGroup().location\n\n@allowed([\n  'Allow'\n  'Deny'\n])\nparam defaultAction string = 'Deny'\nparam environment string\nparam workspaceId string = ''\n\nresource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {\n  name: name\n  location: location\n  properties: {\n    sku: {\n      family: 'A'\n      name: 'standard'\n    }\n    tenantId: tenant().tenantId\n    enableSoftDelete: true\n    enablePurgeProtection: true\n    enableRbacAuthorization: true\n    networkAcls: {\n      defaultAction: defaultAction\n    }\n  }\n  tags: {\n    env: environment\n  }\n}\n\n@sys.description('Configure auditing for Key Vault.')\nresource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {\n  name: 'service'\n  scope: vault\n  properties: {\n    workspaceId: workspaceId\n    logs: [\n      {\n        category: 'AuditEvent'\n        enabled: true\n      }\n    ]\n  }\n}\n

    You can also find a copy of these files in the quickstart sample repository.

    "},{"location":"quickstarts/test-bicep-with-github/#create-an-options-file","title":"Create an options file","text":"

    PSRule can be configured using a default YAML options file called ps-rule.yaml. Many of the configuration options you are likely to want to use can be set using this file. Options in this file will automatically be detected by other PSRule commands and tools.

    1. Create a new branch in your repository for your changes. For more information, see Creating a branch.
    2. In the root of your repository, create a new file called ps-rule.yaml.
    3. Update the file with the following contents and save.

      ps-rule.yaml
      #\n# PSRule configuration\n#\n# Please see the documentation for all configuration options:\n# https://aka.ms/ps-rule-azure/options\n# Require a minimum version of PSRule for Azure.\nrequires:\nPSRule.Rules.Azure: '>=1.29.0'\n# Automatically use rules for Azure.\ninclude:\nmodule:\n- PSRule.Rules.Azure\n# Ignore all files except .bicepparam files.\ninput:\npathIgnore:\n- '**'\n- '!**/*.bicepparam'\n# Enable expansion of Azure .bicepparam files.\nconfiguration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: true\n
    "},{"location":"quickstarts/test-bicep-with-github/#create-a-workflow","title":"Create a workflow","text":"

    GitHub Actions are configured using a YAML file called a workflow. A workflow is made up of one or more jobs and steps.

    1. In the root of your repository, create a new folder called .github/workflows.
    2. In the .github/workflows folder, create a new file called analysis.yaml.
    3. Update the file with the following contents and save.
    GitHub Actions workflow
    #\n# Analyze repository with PSRule\n#\n# For PSRule documentation see:\n# https://aka.ms/ps-rule\n# https://aka.ms/ps-rule-azure\n# For action details see:\n# https://aka.ms/ps-rule-action\nname: Analyze repository\n# Run analysis for main or PRs against main\non:\npush:\nbranches:\n- main\npull_request:\nbranches:\n- main\njobs:\nanalyze:\nname: Analyze repository\nruns-on: ubuntu-latest\nsteps:\n- name: Checkout\nuses: actions/checkout@v3\n- name: Run PSRule analysis\nuses: microsoft/ps-rule@v2.9.0 # (1)\nwith:\nmodules: PSRule.Rules.Azure # (2)\n
    1. Reference the PSRule action. You can find the latest version of the action on the GitHub Marketplace. The example pins the action to a release tag; for a stronger supply-chain guarantee, consider pinning actions (including actions/checkout) to a full commit SHA, since tags can be moved.
    2. Automatically download and use PSRule for Azure during analysis.
    "},{"location":"quickstarts/test-bicep-with-github/#commit-and-push-changes","title":"Commit and push changes","text":"
    1. Commit and push the changes to your repository. For more information, see Committing changes to your project.
    2. Create a pull request to merge the changes into the main branch in GitHub. For more information, see Creating a pull request.
    3. Navigate to the Actions tab in your repository to check the status of the workflow.

    "},{"location":"quickstarts/test-bicep-with-github/#recommended-content","title":"Recommended content","text":"
    • Testing Bicep modules
    • Restoring modules from a private registry
    • Suppression and excluding rules
    • Enforcing custom tags

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/","title":"Validate Azure resources from templates with Azure Pipelines","text":"

    Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.

    Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.

    The following scenario shows how PSRule can be used to validate Azure resource templates within an Azure Pipeline.

    This scenario covers the following:

    • Installing PSRule extension
    • Linking parameter files to templates
    • Creating a YAML pipeline
      • Installing Azure rules
      • Exporting resource data for analysis
      • Validating exported resources
    • Generating NUnit output
    • Complete example
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-psrule-extension","title":"Installing PSRule extension","text":"

    PSRule includes an extension that can be installed from the Visual Studio Marketplace. Once installed, Azure Pipelines tasks are available to install PSRule modules and run analysis.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#linking-parameter-files-to-templates","title":"Linking parameter files to templates","text":"

    ARM template parameter files allows parameters for a deployment to be saved and checked into source control. PSRule can automatically resolve ARM templates from parameter files by using a metadata link.

    To link a parameter file to an ARM template add the metadata.template property within a parameter file.

    For example:

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"./azuredeploy.json\"\n},\n\"parameters\": {\n\"vnetName\": {\n\"value\": \"vnet-001\"\n},\n\"addressPrefix\": {\n\"value\": [\n\"10.1.0.0/24\"\n]\n}\n}\n}\n

    In the example, the parameter file azuredeploy.parameters.json is linked to the template azuredeploy.json. The prefix ./ indicates that the template path is relative to the parameter file. If ./ is not included, PSRule will look for the template relative to the working directory.

    For example:

    {\n\"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n\"contentVersion\": \"1.0.0.0\",\n\"metadata\": {\n\"template\": \"templates/vnet-hub/v1/template.json\"\n},\n\"parameters\": {\n\"vnetName\": {\n\"value\": \"vnet-001\"\n},\n\"addressPrefix\": {\n\"value\": [\n\"10.1.0.0/24\"\n]\n}\n}\n}\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#creating-a-yaml-pipeline","title":"Creating a YAML pipeline","text":"

    Azure Pipelines supports defining pipelines in YAML. PSRule uses a number of configurable task steps to install modules, export data and perform analysis.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#installing-azure-rules","title":"Installing Azure rules","text":"

    To install the module containing Azure rules use the ps-rule-install YAML task.

    # Install PSRule.Rules.Azure from the PowerShell Gallery.\n- task: ps-rule-install@2\ninputs:\nmodule: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#exporting-resource-data-for-analysis","title":"Exporting resource data for analysis","text":"

    PSRule provides pre-built cmdlets for finding template files within a path and exporting resource data.

    • Get-AzRuleTemplateLink finds linked templates from parameter files. By default, parameter files with the *.parameters.json extension are discovered. Files are found recursively from the current working path.
    • Export-AzRuleTemplateData exports resource data from template files.

    To generate data for analysis use a PowerShell YAML task to export resource data from linked templates.

    # Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n

    If parameter files are located in a specific sub-directory the path can be updated as follows.

    # Export resource data from parameter files in the deployments/ sub-directory.\n- powershell: Get-AzRuleTemplateLink ./deployments/ | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n

    If parameter files do not use the file extension .parameters.json, the input path can be set.

    # Export resource data from parameter files ending in *.json instead of default *.parameters.json.\n- powershell: Get-AzRuleTemplateLink -InputPath *.json | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n

    In both cases, resource data for analysis is exported to out/templates/.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#validating-exported-resources","title":"Validating exported resources","text":"

    To validate exported resources use the ps-rule-assert YAML task. The following task uses previously exported resource data for analysis.

    # Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\ninputs:\ninputType: inputPath\ninputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\nmodules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n# Optionally, also analyze objects using custom rules from '.ps-rule/'.\nsource: '.ps-rule/'\n# Optionally, save results to an NUnit report.\noutputFormat: NUnit3\noutputPath: reports/ps-rule-resources.xml\n

    In the example:

    • Resource data is read from out/templates/.
    • If custom rules are defined in the .ps-rule/ these are also evaluated.
    • Validation results are saved as an NUnit report.
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#generating-nunit-output","title":"Generating NUnit output","text":"

    NUnit is a popular unit test framework for .NET. PSRule supports publishing validation results in the NUnit format. With Azure DevOps, an NUnit report can be published using Publish Test Results task.

    An example YAML snippet is included below. The testResultsFiles value must match the outputPath used by the ps-rule-assert task (reports/ps-rule-resources.xml in the task above), otherwise no results will be published:

    # Publish NUnit report as test results\n- task: PublishTestResults@2\ndisplayName: 'Publish PSRule results'\ninputs:\ntestRunTitle: 'PSRule'                          # The title to use for the test run.\ntestRunner: NUnit                               # Import report using the NUnit format.\ntestResultsFiles: 'reports/ps-rule-resources.xml' # The previously saved NUnit report.\ncondition: succeededOrFailed()                    # Run this task if previous steps succeeded or failed.\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#complete-example","title":"Complete example","text":"

    Putting each of these steps together.

    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#azure-devops-pipeline","title":"Azure DevOps Pipeline","text":"
    #\n# PSRule with Azure Pipelines\n#\ntrigger:\n- main\npool:\nvmImage: 'ubuntu-latest'\nsteps:\n# Install PSRule.Rules.Azure from the PowerShell Gallery\n- task: ps-rule-install@2\ninputs:\nmodule: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.\n# Export resource data from parameter files within the current working directory.\n- powershell: Get-AzRuleTemplateLink | Export-AzRuleTemplateData -OutputPath out/templates/;\ndisplayName: 'Export template data'\n# Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.\n- task: ps-rule-assert@2\ninputs:\ninputType: inputPath\ninputPath: 'out/templates/*.json'        # Read exported resource data from 'out/templates/'.\nmodules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.\n# Optionally, also analyze objects using custom rules from '.ps-rule/'.\nsource: '.ps-rule/'\n# Optionally, save results to an NUnit report.\noutputFormat: NUnit3\noutputPath: reports/ps-rule-resources.xml\n# Publish NUnit report as test results\n- task: PublishTestResults@2\ndisplayName: 'Publish PSRule results'\ninputs:\ntestRunTitle: 'PSRule'                          # The title to use for the test run.\ntestRunner: NUnit                               # Import report using the NUnit format.\ntestResultsFiles: 'reports/ps-rule-*.xml'       # Use previously saved NUnit reports.\nmergeTestResults: true                          # Merge multiple reports.\ncondition: succeededOrFailed()                    # Run this task if previous steps succeeded of failed.\n
    "},{"location":"scenarios/azure-pipelines-ci/azure-pipelines-ci/#more-information","title":"More information","text":"
    • azure-pipelines.yaml - An example Azure DevOps Pipeline.
    • azuredeploy.json - An example template file.
    • azuredeploy.parameters.json - An example parameters file.
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/","title":"Validate Azure resources from templates with continuous integration (CI)","text":"

    Azure Resource Manager (ARM) templates are a JSON-based file structure. ARM templates are typically not static, they include parameters, functions and conditions. Depending on the parameters provided to a template, resources may differ significantly.

    Important resource properties that should be validated are often variables, parameters or deployed conditionally. Under these circumstances, to correctly validate resources in a template, parameters must be resolved.

    The following scenario shows how to validate Azure resources from templates using a generic pipeline. The examples provided can be integrated into a continuous integration (CI) pipeline able to run PowerShell.

    For integrating into Azure DevOps see Validate Azure resources from templates with Azure Pipelines.

    This scenario covers the following:

    • Installing PSRule within a CI pipeline
    • Exporting rule data for analysis
    • Validating exported resources
    • Formatting output
    • Failing the pipeline
    • Generating NUnit output
    • Complete example
    • Additional options
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#installing-psrule-within-a-ci-pipeline","title":"Installing PSRule within a CI pipeline","text":"

    Typically, PSRule is not pre-installed on CI worker nodes and must be installed within the pipeline. PSRule PowerShell modules need to be installed prior to calling PSRule cmdlets.

    If your CI pipeline runs on a persistent virtual machine that you control, consider pre-installing PSRule. The following examples focus on installing PSRule dynamically during execution of the pipeline, which is suitable for cloud-based CI worker nodes.

    To install PSRule within a CI pipeline, execute the Install-Module PowerShell cmdlet.

    Depending on your environment, the CI worker process may not have administrative permissions. To install modules into the current context running the CI pipeline use -Scope CurrentUser. The PowerShell Gallery is not a trusted source by default. Use the -Force switch to suppress the prompt to install modules from the PowerShell Gallery. Note that -Force only suppresses the prompt; it does not verify the module. In a CI pipeline, pin the module version (for example with -RequiredVersion or -MinimumVersion, as in the examples below) so that an unexpected upstream release does not silently change analysis results.

    For example:

    $Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force;\n

    Installing PSRule.Rules.Azure also installs the base PSRule module and associated Azure dependencies. The PSRule.Rules.Azure module includes cmdlets and pre-built rules for validating Azure resources. Using the pre-built rules is completely optional.

    In some cases, installing NuGet and PowerShellGet may be required to connect to the PowerShell Gallery. The NuGet package provider can be installed using the Install-PackageProvider PowerShell cmdlet.

    $Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n

    The example below includes both steps together with checks:

    if ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {\n$Null = Install-PackageProvider -Name NuGet -Scope CurrentUser -Force;\n}\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\nInstall-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n

    Add -AllowPrerelease to install pre-release versions. See the change log for the latest version.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#exporting-rule-data-for-analysis","title":"Exporting rule data for analysis","text":"

    In PSRule, the Export-AzRuleTemplateData cmdlet resolves a template and returns a resultant set of resources. The resultant set of resources can then be validated.

    No connectivity to Azure is required by default when calling Export-AzRuleTemplateData.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#export-cmdlet-parameters","title":"Export cmdlet parameters","text":"

    To run Export-AzRuleTemplateData two key parameters are required:

    • -TemplateFile - An absolute or relative path to the template JSON file.
    • -ParameterFile - An absolute or relative path to one or more parameter JSON files.

    The -ParameterFile parameter is optional when all parameters defined in the template have defaultValue set.

    Optionally the following parameters can be used:

    • -Name - The name of the deployment. If not specified a default name of export-<xxxxxxxx> will be used.
    • -OutputPath - An absolute or relative path where the resultant resources will be written to JSON. If not specified the current working path will be used.
    • -ResourceGroup - The name of a resource group where the deployment is intended to be run. If not specified placeholder values will be used.
    • -Subscription - The name or subscription Id of a subscription where the deployment is intended to be run. If not specified placeholder values will be used.

    See cmdlet help for a full list of parameters.

    If -OutputPath is a directory or is not set, the output file will be automatically named resources-<name>.json.

    For example:

    Export-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json;\n

    Multiple parameter files that map to the same template can be supplied in a single cmdlet call. Additional templates can be exported by calling Export-AzRuleTemplateData multiple times.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#use-of-placeholder-values","title":"Use of placeholder values","text":"

    A number of functions that can be used within Azure templates retrieve information from Azure. Some examples include reference, subscription, resourceGroup, list*.

    The default for Export-AzRuleTemplateData is to operate without requiring authenticated connectivity to Azure. As a result, functions that retrieve information from Azure use placeholders such as {{Subscription.SubscriptionId}}.

    To provide a real value for subscription and resourceGroup use the -Subscription and -ResourceGroup parameters. When using -Subscription and -ResourceGroup the subscription and resource group must already exist. Additionally, the context running the cmdlet must have at least read access (for example, the Reader role) to those resources; no write permissions are needed.

    It is currently not possible to provide a real value for reference and list*, only placeholders will be used.

    Key Vault references in parameter files use placeholders instead of the real value to prevent accidental exposure of secrets. Plain parameter values are exported as-is, so avoid placing secrets directly in parameter files, and treat the exported resource JSON with the same care as the parameter files themselves (for example, do not publish it as a pipeline artifact unnecessarily).

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#validating-exported-resources","title":"Validating exported resources","text":"

    To validate exported resources use Invoke-PSRule, Assert-PSRule or Test-PSRuleTarget. In a CI pipeline, Assert-PSRule is recommended. Assert-PSRule outputs preformatted results ideal for use within a CI pipeline.

    Use Assert-PSRule with the resolved resource output as an input using -InputPath.

    In the following example, resources from files matching .\\resources-export-*.json are validated against pre-built rules:

    Assert-PSRule -InputPath .\\resources-export-*.json -Module PSRule.Rules.Azure;\n

    Example output:

     -> vnet-001 : Microsoft.Network/virtualNetworks\n\n    [PASS] Azure.Resource.UseTags\n    [PASS] Azure.VirtualNetwork.UseNSGs\n    [PASS] Azure.VirtualNetwork.SingleDNS\n    [PASS] Azure.VirtualNetwork.LocalDNS\n\n -> vnet-001/subnet2 : Microsoft.Network/virtualNetworks/subnets\n\n    [FAIL] Azure.Resource.UseTags\n

    To process multiple input files a wildcard * can be used.

    Assert-PSRule -InputPath .\\out\\*.json -Module PSRule.Rules.Azure;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#formatting-output","title":"Formatting output","text":"

    When executing a CI pipeline, feedback on any validation failures is important. The Assert-PSRule cmdlet provides easy to read formatted output instead of PowerShell objects.

    Additionally, Assert-PSRule supports styling formatted output for Azure Pipelines and GitHub Actions. Use the -Style AzurePipelines or -Style GitHubActions parameter to style output.

    For example:

    Assert-PSRule -InputPath .\\out\\*.json -Style AzurePipelines -Module PSRule.Rules.Azure;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#failing-the-pipeline","title":"Failing the pipeline","text":"

    When using PSRule within a CI pipeline, a failed rule should stop the pipeline. When using Assert-PSRule if any rules fail, an error will be generated.

    Assert-PSRule : One or more rules reported failure.\nAt line:1 char:1\n+ Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\tests\\Resou ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n+ CategoryInfo          : InvalidData: (:) [Assert-PSRule], FailPipelineException\n+ FullyQualifiedErrorId : PSRule.Fail,Assert-PSRule\n

    A single PowerShell error is typically enough to stop a CI pipeline. Whether a non-terminating error fails the step depends on the CI system and the $ErrorActionPreference in effect; if your configuration differs, add -ErrorAction Stop to make the failure terminating.

    For example:

    Assert-PSRule -Module PSRule.Rules.Azure -InputPath .\\out\\*.json -ErrorAction Stop;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#generating-nunit-output","title":"Generating NUnit output","text":"

    NUnit is a popular unit test framework for .NET. NUnit generates a test report format that is widely interpreted by CI systems. While PSRule does not use NUnit directly, it supports outputting validation results in the NUnit3 format. Using a common format allows integration with any system that supports the NUnit3 format for publishing test results.

    To generate an NUnit report:

    • Use the -OutputFormat NUnit3 parameter.
    • Use the -OutputPath parameter to specify the path of the report file to write.
    Assert-PSRule -OutputFormat NUnit3 -OutputPath .\\reports\\rule-report.xml -Module PSRule.Rules.Azure -InputPath .\\out\\*.json;\n

    The output path will be created if it does not exist.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#complete-example","title":"Complete example","text":"

    Putting each of these steps together.

    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#install-dependencies","title":"Install dependencies","text":"
    # Install dependencies for connecting to PowerShell Gallery\nif ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction Ignore)) {\nInstall-PackageProvider -Name NuGet -Force -Scope CurrentUser;\n}\nif ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {\nInstall-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;\n}\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#validate-templates","title":"Validate templates","text":"
    # Install PSRule.Rules.Azure module\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n# Resolve resources\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n# Validate resources\n$assertParams = @{\nInputPath = 'out/*.json'\nModule = 'PSRule.Rules.Azure'\nStyle = 'AzurePipelines'\nOutputFormat = 'NUnit3'\nOutputPath = 'reports/rule-report.xml'\n}\nAssert-PSRule @assertParams;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#additional-options","title":"Additional options","text":""},{"location":"scenarios/azure-template-ci/azure-template-ci/#using-invoke-build","title":"Using Invoke-Build","text":"

    Invoke-Build is a build automation cmdlet that can be installed from the PowerShell Gallery by installing the InvokeBuild module. Within Invoke-Build, each build process is broken into tasks.

    The following example shows an example of using PSRule.Rules.Azure with InvokeBuild tasks.

    # Synopsis: Install PSRule modules\ntask InstallPSRule {\nif ($Null -eq (Get-InstalledModule -Name PSRule.Rules.Azure -MinimumVersion '0.12.1' -ErrorAction SilentlyContinue)) {\n$Null = Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -MinimumVersion '0.12.1' -Force;\n}\n}\n# Synopsis: Run validation\ntask ValidateTemplate InstallPSRule, {\n# Resolve resources\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath out/;\n# Validate resources\n$assertParams = @{\nInputPath = 'out/*.json'\nModule = 'PSRule.Rules.Azure'\nStyle = 'AzurePipelines'\nOutputFormat = 'NUnit3'\nOutputPath = 'reports/rule-report.xml'\n}\nAssert-PSRule @assertParams;\n}\n# Synopsis: Run all build tasks\ntask Build ValidateTemplate\n
    Invoke-Build Build;\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#calling-from-pester","title":"Calling from Pester","text":"

    Pester is a unit test framework for PowerShell that can be installed from the PowerShell Gallery.

    Typically, Pester unit tests are built for a particular pipeline. PSRule can complement Pester unit tests by providing dynamic and sharable rules that are easy to reuse. By using -If or -Type pre-conditions, rules can dynamically provide validation for a range of use cases.

    When calling PSRule from Pester use Invoke-PSRule instead of Assert-PSRule. Invoke-PSRule returns validation result objects that can be tested by Pester Should conditions.

    Additionally, the Logging.RuleFail option can be included to generate an error message for each failing rule.

    For example:

    Describe 'Azure' {\nContext 'Resource templates' {\nIt 'Use content rules' {\nExport-AzRuleTemplateData -TemplateFile .\\template.json -ParameterFile .\\parameters.json -OutputPath .\\out\\resources.json;\n# Validate resources\n$invokeParams = @{\nInputPath = 'out/*.json'\nModule = 'PSRule.Rules.Azure'\nOutputFormat = 'NUnit3'\nOutputPath = 'reports/rule-report.xml'\nOption = (New-PSRuleOption -LoggingRuleFail Error)\n}\nInvoke-PSRule @invokeParams -Outcome Fail,Error | Should -BeNullOrEmpty;\n}\n}\n}\n
    "},{"location":"scenarios/azure-template-ci/azure-template-ci/#more-information","title":"More information","text":"
    • pipeline-deps.ps1 - Example script installing pipeline dependencies.
    • validate-template.ps1 - Example script for running template validation.
    • template.json - Example template file.
    • parameters.json - Example parameters file.
    "},{"location":"setup/configuring-expansion/","title":"Configuring expansion","text":"

    PSRule for Azure can automatically resolve Azure resource context at runtime from infrastructure code. This feature can be enabled by using the following configuration options.

    "},{"location":"setup/configuring-expansion/#configuration","title":"Configuration","text":"

    Tip

    Each of these configuration options are set within the ps-rule.yaml file. To learn how to set configuration options see Configuring options.

    "},{"location":"setup/configuring-expansion/#parameter-file-expansion","title":"Parameter file expansion","text":"

    v1.4.1

    This configuration option determines if Azure template parameter files will automatically be expanded. By default, parameter files will not be automatically expanded. When enabled, PSRule will discover and expand JSON parameter files for Azure templates or Bicep modules.

    Parameter files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_PARAMETER_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_PARAMETER_FILE_EXPANSION: true\n
    "},{"location":"setup/configuring-expansion/#bicep-source-expansion","title":"Bicep source expansion","text":"

    v1.11.0

    This configuration option determines if Azure Bicep source files will automatically be expanded. By default, Bicep files will not be automatically expanded.

    Bicep files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_BICEP_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_BICEP_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION: true\n
    "},{"location":"setup/configuring-expansion/#bicep-parameter-expansion","title":"Bicep parameter expansion","text":"

    v1.27.0

    This configuration option determines if Azure Bicep parameter files (.bicepparam) are expanded. Currently while this is an experimental feature this is not enabled by default.

    Bicep files are expanded when PSRule cmdlets with the -Format File parameter are used.

    Syntax:

    configuration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: bool\n

    Default:

    # YAML: The default AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option\nconfiguration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: false\n

    Example:

    # YAML: Set the AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option to enable expansion\nconfiguration:\nAZURE_BICEP_PARAMS_FILE_EXPANSION: true\n
    "},{"location":"setup/configuring-expansion/#bicep-compilation-timeout","title":"Bicep compilation timeout","text":"

    v1.13.3

    This configuration option determines the maximum time to spend building a single Bicep source file. The timeout is configured in seconds.

    When a timeout occurs, PSRule for Azure stops the build and returns an error. Any resources contained within Bicep source files that exceeded the timeout are not analyzed.

    The default timeout is 5 seconds, however the timeout can be set to an integer between 1 and 120.

    Syntax:

    configuration:\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: int\n

    Default:

    # YAML: The default AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 5\n

    Example:

    # YAML: Set the AZURE_BICEP_FILE_EXPANSION_TIMEOUT configuration option to enable expansion\nconfiguration:\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n
    "},{"location":"setup/configuring-expansion/#require-template-metadata-link","title":"Require template metadata link","text":"

    v1.7.0

    This configuration option determines if Azure template parameter files require a metadata link. When configured to true, the Azure.Template.MetadataLink rule is enabled. Any Azure template parameter files that do not include a metadata link will report a fail for this rule.

    The rule Azure.Template.MetadataLink is not enabled by default. Additionally, when enabled this rule can still be excluded or suppressed like all other rules.

    Syntax:

    configuration:\nAZURE_PARAMETER_FILE_METADATA_LINK: bool\n

    Default:

    # YAML: The default AZURE_PARAMETER_FILE_METADATA_LINK configuration option\nconfiguration:\nAZURE_PARAMETER_FILE_METADATA_LINK: false\n

    Example:

    # YAML: Set the AZURE_PARAMETER_FILE_METADATA_LINK configuration option to enable expansion\nconfiguration:\nAZURE_PARAMETER_FILE_METADATA_LINK: true\n
    "},{"location":"setup/configuring-expansion/#deployment-properties","title":"Deployment properties","text":"

    v1.17.0

    This configuration option sets the deployment object use by the deployment() function. Configure this option to change the details of the deployment when exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option applies to the parent deployment. Nested deployments will use any properties configured within code. Additionally, this configuration option will be ignore when -Name is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_DEPLOYMENT:\nname: string\n

    Default:

    # YAML: The default AZURE_DEPLOYMENT configuration option\nconfiguration:\nAZURE_DEPLOYMENT:\nname: 'ps-rule-test-deployment'\n

    Example:

    # YAML: Override the name of the deployment object.\nconfiguration:\nAZURE_DEPLOYMENT:\nname: 'deploy-web-application'\n
    "},{"location":"setup/configuring-expansion/#deployment-resource-group","title":"Deployment resource group","text":"

    v1.1.0

    This configuration option sets the resource group object used by the resourceGroup() function. Configure this option to change the resource group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option will be ignored when -ResourceGroup is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_RESOURCE_GROUP:\nname: string\nlocation: string\ntags: object\nproperties:\nprovisioningState: string\n

    Default:

    # YAML: The default AZURE_RESOURCE_GROUP configuration option\nconfiguration:\nAZURE_RESOURCE_GROUP:\nname: 'ps-rule-test-rg'\nlocation: 'eastus'\ntags: { }\nproperties:\nprovisioningState: 'Succeeded'\n

    Example:

    # YAML: Override the location of the resource group object.\nconfiguration:\nAZURE_RESOURCE_GROUP:\nlocation: 'australiasoutheast'\n
    "},{"location":"setup/configuring-expansion/#deployment-subscription","title":"Deployment subscription","text":"

    v1.1.0

    This configuration option sets the subscription object used by the subscription() function. Configure this option to change the subscription object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    This configuration option will be ignored when -Subscription is used with Export-AzRuleTemplateData.

    Syntax:

    configuration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: string\ndisplayName: string\nstate: string\n

    Default:

    # YAML: The default AZURE_SUBSCRIPTION configuration option\nconfiguration:\nAZURE_SUBSCRIPTION:\nsubscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule Test Subscription'\nstate: 'NotDefined'\n

    Example:

    # YAML: Override the display name of the subscription object\nconfiguration:\nAZURE_SUBSCRIPTION:\ndisplayName: 'My test subscription'\n
    "},{"location":"setup/configuring-expansion/#deployment-tenant","title":"Deployment tenant","text":"

    v1.11.0

    This configuration option sets the tenant object used by the tenant() function. Configure this option to change the tenant object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    Syntax:

    configuration:\nAZURE_TENANT:\ncountryCode: string\ntenantId: string\ndisplayName: string\n

    Default:

    # YAML: The default AZURE_TENANT configuration option\nconfiguration:\nAZURE_TENANT:\ncountryCode: 'US'\ntenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'\ndisplayName: 'PSRule'\n

    Example:

    # YAML: Override the display name of the tenant object\nconfiguration:\nAZURE_TENANT:\ndisplayName: 'Contoso'\n
    "},{"location":"setup/configuring-expansion/#deployment-management-group","title":"Deployment management group","text":"

    v1.11.0

    This configuration option sets the management group object used by the managementGroup() function. Configure this option to change the management group object when using exporting templates for analysis. Provided properties will override the default. Any properties that are not provided with use the defaults as specified below.

    Syntax:

    configuration:\nAZURE_MANAGEMENT_GROUP:\nname: string\nproperties:\ndisplayName: string\n

    Default:

    # YAML: The default AZURE_MANAGEMENT_GROUP configuration option\nconfiguration:\nAZURE_MANAGEMENT_GROUP:\nname: 'psrule-test'\nproperties:\ndisplyName: 'PSRule Test Management Group'\n

    Example:

    # YAML: Override the display name of the management group object\nconfiguration:\nAZURE_MANAGEMENT_GROUP:\nproperties:\ndisplayName: 'My test management group'\n
    "},{"location":"setup/configuring-expansion/#required-parameter-defaults","title":"Required parameter defaults","text":"

    v1.13.0

    This configuration option allows a fallback value to be configured for required parameters. When a parameter value is not provided and a default is not set, the fallback value will be used.

    Configure this option when you are providing a set of common parameters dynamically during a pipeline. In this scenario, it may not make sense to add the parameters to a parameter file or Bicep deployment.

    Syntax:

    configuration:\nAZURE_PARAMETER_DEFAULTS:\n<parameter>: <value>\n

    Default:

    # YAML: The default AZURE_PARAMETER_DEFAULTS configuration option\nconfiguration:\nAZURE_PARAMETER_DEFAULTS: { }\n

    Example:

    # YAML: Set fallback values for adminPassword and workspaceId parameters.\nconfiguration:\nAZURE_PARAMETER_DEFAULTS:\nadminPassword: $CREDENTIAL_PLACEHOLDER$\nworkspaceId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}\n
    "},{"location":"setup/configuring-expansion/#excluding-files","title":"Excluding files","text":"

    Template or Bicep source files can be excluded from being processed by PSRule and expansion. To exclude a file, configure the input.pathIgnore option by providing a path spec to ignore.

    Syntax:

    input:\npathIgnore:\n- string\n- string\n

    Default:

    # YAML: The default input.pathIgnore option\ninput:\npathIgnore: []\n

    Example:

    # YAML: Exclude a file from being processed by PSRule and expansion\ninput:\npathIgnore:\n- 'out/'\n- 'modules/**/*.bicep'\n
    "},{"location":"setup/configuring-options/","title":"Configuring options","text":"

    PSRule for Azure comes with many configuration options. Additionally, the PSRule engine includes several options that apply to all rules. You can visit the about_PSRule_Options topic to read about general PSRule options.

    "},{"location":"setup/configuring-options/#setting-options","title":"Setting options","text":"

    Configuration options are set within the ps-rule.yaml file. PSRule will automatically find this file within the current working directory. To set options, create a new file named ps-rule.yaml in the root directory of your repository.

    For configuring pre-flight analysis, create a ps-rule.yaml in your current working directory.

    Tip

    This file should be committed to your repository so it is available when your pipeline runs.

    Note

    Use all lowercase characters ps-rule.yaml to name the file. On case-sensitive file systems, a file with uppercase characters may not be found.

    Configuration can be combined as indented keys. Use comments to add context.

    Example ps-rule.yaml

    requires:\n# Require a minimum of PSRule for Azure v1.29.0\nPSRule.Rules.Azure: '>=1.29.0'\nconfiguration:\n# Enable expansion of Azure Template files.\nAZURE_PARAMETER_FILE_EXPANSION: true\n# Enable expansion of Azure Bicep files.\nAZURE_BICEP_FILE_EXPANSION: true\n# Configure the timeout for bicep build to 15 seconds.\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n# Enable Bicep CLI checks.\nAZURE_BICEP_CHECK_TOOL: true\n# Optionally, configure the minimum version of the Bicep CLI.\nAZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n# Configure the minimum AKS cluster version.\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.26.6'\nrule:\n# Enable custom rules that don't exist in the baseline\nincludeLocal: true\nexclude:\n# Ignore the following rules for all resources\n- Azure.VM.UseHybridUseBenefit\n- Azure.VM.Standalone\nsuppression:\nAzure.AKS.AuthorizedIPs:\n# Exclude the following externally managed AKS clusters\n- aks-cluster-prod-eus-001\nAzure.Storage.SoftDelete:\n# Exclude the following non-production storage accounts\n- storagedeveus6jo36t\n- storagedeveus1df278\n

    Tip

    YAML can be a bit particular about indenting. If something is not working, double check that you have consistent spacing in your options file. We recommend using two (2) spaces to indent.

    "},{"location":"setup/configuring-options/#setting-environment-variables","title":"Setting environment variables","text":"

    In addition to ps-rule.yaml, most options can be set using environment variables. When configuring environment variables we recommend that all capital letters are used. This is because environment variables are case-sensitive on some operating systems.

    PSRule environment variables use a consistent naming pattern of PSRULE_<PARENT>_<NAME>. Where <PARENT> is the parent class and <NAME> is the specific option.

    When setting environment variables:

    • Enum values are set by string and are not case-sensitive. For example PSRULE_OUTPUT_FORMAT could be set to Yaml.
    • Boolean values are set by true, false, 1, or 0 and are not case-sensitive. For example PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION could be set to true.
    • String array values can specify multiple items by using a semi-colon separator. For example PSRULE_RULE_EXCLUDE could be set to 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'.
    GitHub ActionsAzure PipelinesPowerShellBash
    env:\nPSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: true\nPSRULE_OUTPUT_FORMAT: Yaml\nPSRULE_RULE_EXCLUDE: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    variables:\n- name: PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION\nvalue: true\n- name: PSRULE_OUTPUT_FORMAT\nvalue: Yaml\n- name: PSRULE_RULE_EXCLUDE\nvalue: 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    $Env:PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION = 'true'\n$Env:PSRULE_OUTPUT_FORMAT = 'Yaml'\n$Env:PSRULE_RULE_EXCLUDE = 'Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    export PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION=true\nexport PSRULE_OUTPUT_FORMAT=Yaml\nexport PSRULE_RULE_EXCLUDE='Azure.VM.UseHybridUseBenefit;Azure.VM.Standalone'\n
    "},{"location":"setup/configuring-rules/","title":"Configuring rule defaults","text":"

    PSRule for Azure include several rules that can be configured. Setting these values overrides the default configuration with organization specific values.

    Tip

    Each of these configuration options are set within the ps-rule.yaml file. To learn how to set configuration options see Configuring options.

    "},{"location":"setup/configuring-rules/#azure_aks_cluster_minimum_version","title":"AZURE_AKS_CLUSTER_MINIMUM_VERSION","text":"

    v1.12.0

    This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.

    Syntax:

    configuration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string\n

    Default:

    # YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option\nconfiguration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.26.6\n

    Example:

    # YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.22.4\nconfiguration:\nAZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.22.4\n
    "},{"location":"setup/configuring-rules/#azure_aks_cni_minimum_cluster_subnet_size","title":"AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE","text":"

    This configuration option determines the minimum subnet size for Azure AKS CNI.

    Syntax:

    configuration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: integer\n

    Default:

    # YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option\nconfiguration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23\n

    Example:

    # YAML: Set the AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option to 26\nconfiguration:\nAZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 26\n
    "},{"location":"setup/configuring-rules/#azure_aks_additional_region_availability_zone_list","title":"AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST","text":"

    This configuration option adds availability zones that are not included in the existing providers. You can use this option to add availability zones that are not included in the default list.

    The following providers are supported:

    • Microsoft.Compute/virtualMachineScaleSets
    • Microsoft.Network/applicationGateways
    • Microsoft.Network/publicIPAddresses
    • Microsoft.ApiManagement/service
    • Microsoft.Cache/Redis
    • Microsoft.Cache/redisEnterprise

    The following rules and configuration options are supported:

    • Azure.AKS.AvailabilityZone - AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.AppGw.AvailabilityZone - AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.PublicIP.AvailabilityZone - AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.APIM.AvailabilityZone - AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.Redis.AvailabilityZone - AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
    • Azure.RedisEnterprise.Zones - AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST

    Syntax:

    configuration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: array\n

    Default:

    # YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option\nconfiguration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []\n

    Example:

    # YAML: Set the AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option to Antarctica North and Antarctica South, with zones 1, 2, 3.\nconfiguration:\nAZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST:\n- location: Antarctica North\nzones:\n- '1'\n- '2'\n- '3'\n- location: Antarctica South\nzones:\n- '1'\n- '2'\n- '3'\n

    The above example, both these forms of location are accepted:

    • Antarctica North or antarcticanorth
    • Antarctica South or antarcticasouth

    The rules normalize these location formats so either is accepted in the configuration.

    Note

    The above are examples for illustration purpose only. At the time of writing, Antarctica North and Antarctica South are fictional locations. If they do in the future exist, use this option add them prior to PSRule for Azure support. The above shows examples specific to Azure.AKS.AvailabilityZone, but behavior is consistent across all supported rules.

    "},{"location":"setup/configuring-rules/#azure_aks_enabled_platform_log_categories_list","title":"AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"

    This configuration option sets selective platform diagnostic categories to report on being enabled.

    Syntax:

    configuration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n

    Default:

    # YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- cluster-autoscaler\n- kube-apiserver\n- kube-controller-manager\n- kube-scheduler\n- AllMetrics\n

    Example:

    # YAML: Set the AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to cluster-autoscaler and AllMetrics categories only. \nconfiguration:\nAZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- cluster-autoscaler\n- AllMetrics\n
    "},{"location":"setup/configuring-rules/#azure_automationaccount_enabled_platform_log_categories_list","title":"AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST","text":"

    This configuration option sets selective platform diagnostic categories to report on being enabled.

    Syntax:

    configuration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array\n

    Default:

    # YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option\nconfiguration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- JobLogs\n- JobStreams\n- DscNodeStatus\n- AllMetrics\n

    Example:

    # YAML: Set the AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to JobLogs and AllMetrics categories only. \nconfiguration:\nAZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST:\n- JobLogs\n- AllMetrics\n
    "},{"location":"setup/configuring-rules/#set-the-minimum-maxpods-for-a-node-pool","title":"Set the minimum MaxPods for a node pool","text":"

    This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a maxPods option is used to determine the maximum number of pods for each node in the node pool.

    Depending on your workloads it may make sense to change this option:

    • Micro-services/ web applications: 50+
    • Data movement/ processing: 20-30

    Syntax:

    configuration:\nAzure_AKSNodeMinimumMaxPods: integer\n

    Default:

    # YAML: The default Azure_AKSNodeMinimumMaxPods configuration option\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 50\n

    Example:

    # YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30\nconfiguration:\nAzure_AKSNodeMinimumMaxPods: 30\n
    "},{"location":"setup/configuring-rules/#azure_apim_min_api_version","title":"AZURE_APIM_MIN_API_VERSION","text":"

    This configuration option sets the minimum API version used for control plane API calls to API Management instances. Configure this option to change the minimum API version, which defaults to '2021-08-01'.

    Syntax:

    configuration:\nAZURE_APIM_MIN_API_VERSION: string\n

    Default:

    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-08-01'\n

    Example:

    # YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'\nconfiguration:\nAZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'\n
    "},{"location":"setup/configuring-rules/#azure_containerapps_restrict_ingress","title":"AZURE_CONTAINERAPPS_RESTRICT_INGRESS","text":"

    This configuration specifies whether if external ingress should be enabled or disabled.

    Syntax:

    configuration:\nAZURE_CONTAINERAPPS_RESTRICT_INGRESS: boolean # An boolean value\n

    Default:

    # YAML: The default AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option\nconfiguration:\nAZURE_CONTAINERAPPS_RESTRICT_INGRESS: false\n

    Example:

    # YAML: Set the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to enabled\nconfiguration:\nAZURE_CONTAINERAPPS_RESTRICT_INGRESS: true\n
    "},{"location":"setup/configuring-rules/#azure_cosmos_defender_per_account","title":"AZURE_COSMOS_DEFENDER_PER_ACCOUNT","text":"

    This configuration option enables validation for that each Cosmos DB account is associated with a Microsoft Defender for Cosmos DB resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_COSMOS_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"setup/configuring-rules/#azure_resource_allowed_locations","title":"AZURE_RESOURCE_ALLOWED_LOCATIONS","text":"

    v1.30.0

    Applies to Azure.Resource.AllowedRegions.

    This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.

    By default, AZURE_RESOURCE_ALLOWED_LOCATIONS is not configured.

    Syntax:

    configuration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS: array # An array of regions\n

    Default:

    # YAML: The default Azure_AllowedRegions configuration option\nconfiguration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS: []\n

    Example:

    # YAML: Set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option to Australia East, Australia South East\nconfiguration:\nAZURE_RESOURCE_ALLOWED_LOCATIONS:\n- australiaeast\n- australiasoutheast\n

    If you configure the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting AZURE_RESOURCE_GROUP the configuration value to when resources use the location of the resource group.

    For example:

    configuration:\nAZURE_RESOURCE_GROUP:\nlocation: australiaeast\n
    "},{"location":"setup/configuring-rules/#azure_minimumcertificatelifetime","title":"Azure_MinimumCertificateLifetime","text":"

    This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.

    Syntax:

    configuration:\nAzure_MinimumCertificateLifetime: integer\n

    Default:

    # YAML: The default Azure_MinimumCertificateLifetime configuration option\nconfiguration:\nAzure_MinimumCertificateLifetime: 30\n

    Example:

    # YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90\nconfiguration:\nAzure_MinimumCertificateLifetime: 90\n
    "},{"location":"setup/configuring-rules/#azure_linux_os_offers","title":"AZURE_LINUX_OS_OFFERS","text":"

    v1.20.0

    This configurations specifies names of offers corresponding to the Linux OS. It's mostly intended to be used when analyzing templates that use private Linux offerings. Rules that check if a VM or VMSS has Linux OS also validate against the values set by this configuration.

    Syntax:

    configuration:\nAZURE_LINUX_OS_OFFERS: array # An array of offer names\n

    Default:

    # YAML: The default AZURE_LINUX_OS_OFFERS configuration option\nconfiguration:\nAZURE_LINUX_OS_OFFERS: []\n

    Example:

    # YAML: Set the AZURE_LINUX_OS_OFFERS configuration option to aLinuxOffer, anotherLinuxOffer\nconfiguration:\nAZURE_LINUX_OS_OFFERS:\n- 'aLinuxOffer'\n- 'anotherLinuxOffer'\n
    "},{"location":"setup/configuring-rules/#azure_policy_ignore_list","title":"AZURE_POLICY_IGNORE_LIST","text":"

    v1.21.0

    This configuration option configures a custom list policy definitions to ignore when exporting policy to rules. In addition to the custom list, a built-in list of policies are ignored. The built-in list can be found here.

    Configure this option to ignore policy definitions that:

    • Already have a rule defined.
    • Are not relevant to testing Infrastructure as Code.

    Syntax:

    configuration:\nAZURE_POLICY_IGNORE_LIST: array\n

    Default:

    # YAML: The default AZURE_POLICY_IGNORE_LIST configuration option\nconfiguration:\nAZURE_POLICY_IGNORE_LIST: []\n

    Example:

    # YAML: Add a custom policy definition to ignore\nAZURE_POLICY_IGNORE_LIST:\n- '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'\n- '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'\n
    "},{"location":"setup/configuring-rules/#azure_policy_rule_prefix","title":"AZURE_POLICY_RULE_PREFIX","text":"

    This configuration option sets the prefix for names of exported rules. Configure this option to change the prefix, which defaults to Azure.

    This configuration option will be ignored when -Prefix is used with Export-AzPolicyAssignmentRuleData.

    Syntax:

    configuration:\nAZURE_POLICY_RULE_PREFIX: string\n

    Default:

    # YAML: The default AZURE_POLICY_RULE_PREFIX configuration option\nconfiguration:\nAZURE_POLICY_RULE_PREFIX: Azure\n

    Example:

    # YAML: Override the prefix of exported policy rules\nAZURE_POLICY_RULE_PREFIX: AzureCustomPrefix\n
    "},{"location":"setup/configuring-rules/#azure_policy_waiver_max_expiry","title":"AZURE_POLICY_WAIVER_MAX_EXPIRY","text":"

    This configuration option determines the maximum number of days in the future for a waiver policy exemption.

    Syntax:

    configuration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: integer\n

    Default:

    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 366\n

    Example:

    # YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90\nconfiguration:\nAZURE_POLICY_WAIVER_MAX_EXPIRY: 90\n
    "},{"location":"setup/configuring-rules/#azure_storage_defender_per_account","title":"AZURE_STORAGE_DEFENDER_PER_ACCOUNT","text":"

    v1.27.0

    This configuration option enables validation for that each storage account is associated with a Microsoft Defender for Storage resource level plan. Configure this option to enable the per account validation, which defaults to false.

    Syntax:

    configuration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean\n

    Default:

    # YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: false\n

    Example:

    # YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true\nconfiguration:\nAZURE_STORAGE_DEFENDER_PER_ACCOUNT: true\n
    "},{"location":"setup/configuring-rules/#azure_vnet_dns_with_identity","title":"AZURE_VNET_DNS_WITH_IDENTITY","text":"

    v1.30.0

    Applies to Azure.VNET.LocalDNS.

    Set this configuration option to true when DNS is deployed within the Identity subscription to avoid false positives.

    When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:

    • Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
    • Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.

    If you are using this configuration, we recommend you set the configuration option AZURE_VNET_DNS_WITH_IDENTITY to true. By default, this configuration option is set to false.

    Syntax:

    configuration:\nAZURE_VNET_DNS_WITH_IDENTITY: boolean # An boolean value\n

    Default:

    # YAML: The default AZURE_VNET_DNS_WITH_IDENTITY configuration option\nconfiguration:\nAZURE_VNET_DNS_WITH_IDENTITY: false\n

    Example:

    # YAML: Set the AZURE_VNET_DNS_WITH_IDENTITY configuration option to enabled\nconfiguration:\nAZURE_VNET_DNS_WITH_IDENTITY: true\n
    "},{"location":"setup/setup-azure-monitor-logs/","title":"Setup Azure Monitor logs","text":"

    When analyzing Azure resources, you may want to capture the results of each analysis run. Azure Monitor provides a central storage location for log data through Log Analytics workspaces. Centrally storing PSRule results enables the following scenarios:

    • Auditing and reporting \u2014 Report on analysis pass or failures.
      • Use Azure Monitor workbooks or custom queries to perform analysis and display results.
      • Perform security analysis within Microsoft Azure Sentinel your a scalable, cloud-native SIEM. Alternatively, export log data from Log Analytics for ingestion into a third-party SIEM.
    • Send notifications using alerts \u2014 Trigger alerts to send notifications.
    • Integration with other workflows \u2014 Configure alerts and action groups to trigger integration.

    Abstract

    This topic covers setting up PSRule to log rule results into a Log Analytics workspace.

    "},{"location":"setup/setup-azure-monitor-logs/#logging-into-a-log-analytics-workspace","title":"Logging into a Log Analytics workspace","text":"

    Logging of PSRule results into a workspace is done using the PSRule for Azure Monitor module. PSRule for Azure Monitor extends the PSRule pipeline to import results into the specified workspace.

    Once configured, PSRule will log results into the PSRule_CL custom log table of the chosen workspace.

    Info

    Integration between PSRule and Azure Monitor is done by means of a convention. Conventions extend the pipeline to be able to upload results after rules have run.

    "},{"location":"setup/setup-azure-monitor-logs/#setting-environment-variables","title":"Setting environment variables","text":"

    PSRule for Azure Monitor requires a Log Analytics workspace to import results into. To configure the workspace to import results to the following environment variables must be set.

    • PSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID - The unique ID (GUID) for the workspace to import results.
    • PSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY - Either the primary or secondary key of the workspace.

    How to set these environment variables is covered in the next section for GitHub Actions and Azure Pipelines.

    Tip

    Both the workspace ID and keys can be found under the Agents management settings of the workspace.

    "},{"location":"setup/setup-azure-monitor-logs/#configuring-your-pipeline","title":"Configuring your pipeline","text":"

    The convention that imports PSRule analysis results is not executed by default. To enable, reference the Monitor.LogAnalytics.Import convention in your analysis pipeline.

    "},{"location":"setup/setup-azure-monitor-logs/#with-github-actions","title":"With GitHub Actions","text":"

    GitHub Action

    Import analysis results into Azure Monitor with GitHub Actions by:

    • Using the PSRule.Monitor module.
    • Referencing the Monitor.LogAnalytics.Import convention.
    • Configure secrets for MONITOR_WORKSPACE_ID and MONITOR_WORKSPACE_KEY.
    StablePre-release

    Install the latest stable module versions.

    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables using GitHub encrypted secrets\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n

    Install the latest stable or pre-release module versions.

    - name: Analyze Azure template files\nuses: microsoft/ps-rule@v2.9.0\nwith:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nprerelease: true\nenv:\n# Define environment variables using GitHub encrypted secrets\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: ${{ secrets.MONITOR_WORKSPACE_ID }}\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: ${{ secrets.MONITOR_WORKSPACE_KEY }}\n

    Important

    Environment variables can be configured in the workflow or from a secret. To keep MONITOR_WORKSPACE_KEY secure, use an encrypted secret.

    "},{"location":"setup/setup-azure-monitor-logs/#with-azure-pipelines","title":"With Azure Pipelines","text":"

    Extension

    Import analysis results into Azure Monitor with Azure Pipelines by:

    • Installing the PSRule extension, then using the ps-rule-assert task in pipeline steps.
    • Using the PSRule.Monitor module.
    • Referencing the Monitor.LogAnalytics.Import convention.
    • Configure variables for MONITORWORKSPACEID and MONITORWORKSPACEKEY.
    StablePre-release

    Install the latest stable module versions.

    - task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables within Azure Pipelines\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n

    Install the latest stable or pre-release module versions.

    - task: ps-rule-install@2\ndisplayName: Install PSRule for Azure (pre-release)\ninputs:\nmodule: PSRule.Rules.Azure\nprerelease: true\n- task: ps-rule-install@2\ndisplayName: Install PSRule for Azure Monitor (pre-release)\ninputs:\nmodule: PSRule.Monitor\nprerelease: true\n- task: ps-rule-assert@2\ndisplayName: Analyze Azure template files\ninputs:\nmodules: PSRule.Rules.Azure,PSRule.Monitor\nconventions: Monitor.LogAnalytics.Import\nenv:\n# Define environment variables within Azure Pipelines\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_ID: $(MONITORWORKSPACEID)\nPSRULE_CONFIGURATION_MONITOR_WORKSPACE_KEY: $(MONITORWORKSPACEKEY)\n

    Important

    Variables can be configured in YAML, on the pipeline, or referenced from a defined variable group. To keep MONITORWORKSPACEKEY secure, use a variable group linked to an Azure Key Vault.

    "},{"location":"setup/setup-azure-monitor-logs/#samples","title":"Samples","text":"

    Continue reading for some sample resources you can try once this integration is setup Azure Monitor integration.

    "},{"location":"setup/setup-azure-monitor-logs/#log-analytics-queries","title":"Log Analytics Queries","text":""},{"location":"setup/setup-azure-monitor-logs/#results-with-annotations","title":"Results with annotations","text":"Kusto
    // Show extended info\nPSRule_CL\n| where TimeGenerated > ago(30d)\n| extend Pillar = tostring(parse_json(Annotations_s).pillar)\n| extend Link = tostring(parse_json(Annotations_s).[\"online version\"])\n
    "},{"location":"setup/setup-azure-monitor-logs/#summarize-results-by-run","title":"Summarize results by run","text":"Kusto
    // Group by run\nPSRule_CL\n| where TimeGenerated > ago(30d)\n| summarize Pass=countif(Outcome_s == \"Pass\"), Fail=countif(Outcome_s  == \"Fail\") by RunId_s\n
    "},{"location":"setup/setup-azure-monitor-logs/#querying-the-data","title":"Querying The Data","text":"

    Once the results have been published to the Log Analytics workspace, they can be queried by executing results against the PSRule_CL table (under Custom Logs). For more information on how to write Log Analytics querys, review the Log Analytics tutortial.

    "},{"location":"setup/setup-azure-monitor-logs/#workbook","title":"Workbook","text":"

    Workbook

    A sample Azure Monitor Workbook is available in the PSRule for Azure GitHub repository. This workbook can be imported directly into Azure Monitor and used as a foundation to build from. Review the Workbook creation tutorial for instructions on how to work with the sample Workbook.

    "},{"location":"setup/setup-bicep/","title":"Setup Bicep","text":"

    To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines.

    Abstract

    This topic covers setting up support for analyzing Azure resources within Bicep source files.

    "},{"location":"setup/setup-bicep/#installing-bicep-cli","title":"Installing Bicep CLI","text":"

    PSRule for Azure requires a minimum of Bicep CLI version 0.4.451. However the features you use within Bicep may require a newer version of the Bicep CLI.

    You may need to install or upgrade the Bicep CLI in the following scenarios:

    • Your Bicep source files require a newer version of the CLI then supported by hosted agents. The Bicep CLI version can be found in the included software list for each supported platform.
    • You are using self-hosted runners with your GitHub Actions workflow.
    • You are using self-hosted agents with Azure Pipelines.
    • You are performing local validation or using a different CI platform.

    The Bicep CLI can be installed on MacOS, Linux, and Windows. For installation instructions see Setup your Bicep development environment.

    Tip

    When installing Bicep using the Azure CLI, Bicep is not added to the PATH environment variable. To use PSRule for Azure with the Azure CLI set the PSRULE_AZURE_BICEP_USE_AZURE_CLI to true. Setting this environment variable is explained in the next section.

    "},{"location":"setup/setup-bicep/#setting-environment-variables","title":"Setting environment variables","text":"

    When expanding Bicep files, the path to the Bicep CLI binary is required. By default, the PATH environment variable will be used to discover the binary path. When using this option, add the sub-directory containing the Bicep binary to the environment variable.

    Alternatively, the path can be overridden by setting the PSRULE_AZURE_BICEP_PATH environment variable. When setting PSRULE_AZURE_BICEP_PATH specify the full path to the Bicep binary including the file name. File names used for Bicep binaries include bicep, or bicep.exe.

    Example

    Bash
    export PSRULE_AZURE_BICEP_PATH='/usr/local/bin/bicep'\n
    PowerShell
    $Env:PSRULE_AZURE_BICEP_PATH = '/usr/local/bin/bicep';\n
    GitHub Actions
    env:\nPSRULE_AZURE_BICEP_PATH: '/usr/local/bin/bicep'\n
    Azure Pipelines
    variables:\n- name: PSRULE_AZURE_BICEP_PATH\nvalue: '/usr/local/bin/bicep'\n
    "},{"location":"setup/setup-bicep/#using-azure-cli","title":"Using Azure CLI","text":"

    By default, PSRule for Azure uses the Bicep CLI directly. An additional option is to use the Azure CLI to invoke the Bicep CLI. When using this option the required version of the CLI must be installed prior to using PSRule for Azure. This is explained in Setup your Bicep development environment.

    To enable this option, set the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable to true.

    Example

    Bash
    export PSRULE_AZURE_BICEP_USE_AZURE_CLI=true\n
    PowerShell
    $Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true'\n
    GitHub Actions
    env:\nPSRULE_AZURE_BICEP_USE_AZURE_CLI: true\n
    Azure Pipelines
    variables:\n- name: PSRULE_AZURE_BICEP_USE_AZURE_CLI\nvalue: true\n
    "},{"location":"setup/setup-bicep/#additional-arguments","title":"Additional arguments","text":"

    For configuration, additional arguments can be passed to the Bicep CLI. This is intended to improve forward compatibility with Bicep CLI.

    To configure additional arguments, set the PSRULE_AZURE_BICEP_ARGS environment variable.

    "},{"location":"setup/setup-bicep/#configuring-expansion","title":"Configuring expansion","text":"

    Docs

    PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resource from .bicep files.

    To enabled this feature, set the Configuration.AZURE_BICEP_FILE_EXPANSION to true. This option can be set within the ps-rule.yaml file.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of bicep source files.\nAZURE_BICEP_FILE_EXPANSION: true\n

    Tip

    If you deploy Bicep code using JSON parameter files this option does not need to be set. Set Configuration.AZURE_PARAMETER_FILE_EXPANSION to true instead. See Using parameter files and By metadata for more information.

    "},{"location":"setup/setup-bicep/#configuring-timeout","title":"Configuring timeout","text":"

    Docs

    In certain environments it may be necessary to increase the default timeout for building Bicep files. This can occur if your Bicep deployments are:

    • Large and complex.
    • Use nested modules.
    • Use modules restored from a registry.

    If you are experiencing timeout errors you can increase the default timeout of 5 seconds. To configure the timeout, set Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT to the timeout in seconds.

    ps-rule.yaml
    configuration:\n# Enable automatic expansion of bicep source files.\nAZURE_BICEP_FILE_EXPANSION: true\n# Configure the timeout for bicep build to 15 seconds.\nAZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15\n
    "},{"location":"setup/setup-bicep/#checking-bicep-version","title":"Checking Bicep version","text":"

    v1.25.0

    To use Bicep files with PSRule for Azure:

    • The Bicep CLI must be installed or you must configure the Azure CLI.
    • The version installed must support the features you are using.

    It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Additionally, the version installed in your CI/ CD pipeline may not be the same as your local development environment.

    You can enable checking the Bicep CLI version during initialization. To enable this feature, set the Configuration.AZURE_BICEP_CHECK_TOOL option to true. Additionally, you can set the minimum version required using the Configuration.AZURE_BICEP_MINIMUM_VERSION option.

    ps-rule.yaml
    configuration:\n# Enable Bicep CLI checks.\nAZURE_BICEP_CHECK_TOOL: true\n# Optionally, configure the minimum version of the Bicep CLI.\nAZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n
    "},{"location":"setup/setup-bicep/#configuring-minimum-version","title":"Configuring minimum version","text":"

    v1.25.0

    The Azure Bicep CLI is updated regularly, with new features and bug fixes. You must use a version of the Bicep CLI that supports the features you are using. If you attempt to use a feature that is not supported by the Bicep CLI, expansion will fail with a BCP error.

    Tip

    It may not always be clear which version of Bicep CLI is being used if you have multiple versions installed. Using the Bicep CLI via az bicep is not the default, and you may need to set additional options to use it.

    To ensure you are using the correct version of the Bicep CLI, you can configure the minimum version required. If an earlier version is detected, PSRule for Azure will generate an error. To configure the minimum version, set the Configuration.AZURE_BICEP_MINIMUM_VERSION option. By default, the minimum version is set to 0.4.451.

    ps-rule.yaml
    configuration:\n# Enable Bicep CLI checks.\nAZURE_BICEP_CHECK_TOOL: true\n# Configure the minimum version of the Bicep CLI.\nAZURE_BICEP_MINIMUM_VERSION: '0.16.2'\n

    Important

    The Configuration.AZURE_BICEP_CHECK_TOOL must be set to true for this option to take effect.

    Tip

    For troubleshooting Bicep compilation errors see Bicep compile errors.

    "},{"location":"setup/setup-bicep/#recommended-content","title":"Recommended content","text":"
    • Using Bicep source
    • Restoring modules from a private registry
    "},{"location":"specs/inflight-export-spec/","title":"Design spec for export of in-flight resource data","text":"

    To support analysis of in-flight resources, the configuration data must be exported from Azure. This spec documents this mode of operation.

    "},{"location":"specs/inflight-export-spec/#requirements","title":"Requirements","text":"

    The requirements for this feature/ mode of operation include:

    • Export resources, resource groups, and subscription configuration.
    • Export related sub-resource configuration data to support rules.

    Additonally some non-function requirements include:

    • Gracefully handle Azure management API throttling.
    • Limit exported data based on filters.
    "}]} \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index 7d04b9523ef31328521393eab14b34fa6212ed23..50eef8466c117e54291f411f37601d9105bb5542 100644 GIT binary patch delta 15 Wcmdm~uv39ezMF$%+KY{B#sUB-wgl?{ delta 15 Wcmdm~uv39ezMF$X_u)o1V*vms9Rzy- diff --git a/working-with-baselines/index.html b/working-with-baselines/index.html index e07893eee2..2dc429b92d 100644 --- a/working-with-baselines/index.html +++ b/working-with-baselines/index.html @@ -12168,7 +12168,7 @@

    Additional standard baselinesGA Azure features. This is the default baseline that is used when no baseline is specified. Rules for Azure features that are within the scope of a public or private preview are not included.

  • -
  • Azure.Preview - Includes rules for GA and preview Azure features.
  • +
  • Azure.Preview - Includes all rules for GA and preview Azure features.
  • Azure.All - Includes all Azure rules shipped with PSRule for Azure. This is functionally the same as Azure.Preview however intended for internal use only.
  • @@ -12229,7 +12229,7 @@

    Including custom rules Last update: - 2023-09-30 + 2023-10-01