From f27da91062ad219277bfc07760e794892c7a2674 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sat, 2 Sep 2023 16:33:05 +1000 Subject: [PATCH] Quality updates to storage rule docs (#2417) --- docs/en/baselines/Azure.All.md | 8 +- docs/en/baselines/Azure.Default.md | 8 +- docs/en/baselines/Azure.GA_2022_09.md | 2 +- docs/en/baselines/Azure.GA_2022_12.md | 2 +- docs/en/baselines/Azure.GA_2023_03.md | 2 +- docs/en/baselines/Azure.GA_2023_06.md | 2 +- docs/en/baselines/Azure.MCSB.v1.md | 4 +- docs/en/baselines/Azure.Preview.md | 8 +- docs/en/rules/Azure.Storage.BlobAccessType.md | 4 +- .../rules/Azure.Storage.BlobPublicAccess.md | 45 +++---- .../Azure.Storage.ContainerSoftDelete.md | 110 +++++++++-------- ...Azure.Storage.DefenderCloud.MalwareScan.md | 17 ++- docs/en/rules/Azure.Storage.DefenderCloud.md | 6 +- .../Azure.Storage.FileShareSoftDelete.md | 51 +++++--- docs/en/rules/Azure.Storage.Firewall.md | 44 +++---- docs/en/rules/Azure.Storage.MinTLS.md | 50 ++++---- docs/en/rules/Azure.Storage.SoftDelete.md | 112 ++++++++++-------- docs/en/rules/Azure.Storage.UseReplication.md | 49 ++++---- docs/en/rules/index.md | 6 +- docs/en/rules/module.md | 22 +++- docs/en/rules/resource.md | 6 +- docs/es/rules/index.md | 6 +- docs/es/rules/module.md | 22 +++- docs/es/rules/resource.md | 6 +- .../rules/Azure.SQLMI.Rule.yaml | 2 +- .../rules/Azure.Storage.Rule.ps1 | 18 +-- .../rules/Azure.Storage.Rule.yaml | 1 + 27 files changed, 367 insertions(+), 246 deletions(-) diff --git a/docs/en/baselines/Azure.All.md b/docs/en/baselines/Azure.All.md index beaaeefd89..1854168125 100644 --- a/docs/en/baselines/Azure.All.md +++ b/docs/en/baselines/Azure.All.md @@ -4,7 +4,7 @@ Includes all Azure rules. ## Rules -The following rules are included within `Azure.All`. This baseline includes a total of 395 rules. +The following rules are included within `Azure.All`. This baseline includes a total of 399 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -130,6 +130,7 @@ Name | Synopsis | Severity [Azure.Cognitive.ManagedIdentity](../rules/Azure.Cognitive.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important [Azure.Cognitive.PrivateEndpoints](../rules/Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | Important [Azure.Cognitive.PublicAccess](../rules/Azure.Cognitive.PublicAccess.md) | Restrict access of Cognitive Services accounts to authorized virtual networks. | Important +[Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important @@ -173,8 +174,10 @@ Name | Synopsis | Severity [Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical [Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness +[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical [Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness [Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important +[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important [Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical [Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important @@ -255,6 +258,7 @@ Name | Synopsis | Severity [Azure.PublicIP.AvailabilityZone](../rules/Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness [Azure.PublicIP.IsAttached](../rules/Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important +[Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness [Azure.PublicIP.StandardSKU](../rules/Azure.PublicIP.StandardSKU.md) | Public IP addresses should be deployed with Standard SKU for production workloads. | Important [Azure.RBAC.CoAdministrator](../rules/Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important @@ -317,7 +321,7 @@ Name | Synopsis | Severity [Azure.Storage.DefenderCloud](../rules/Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical [Azure.Storage.DefenderCloud.MalwareScan](../rules/Azure.Storage.DefenderCloud.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical [Azure.Storage.DefenderCloud.SensitiveData](../rules/Azure.Storage.DefenderCloud.SensitiveData.md) | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md index 40a1c12f12..f67badea96 100644 --- a/docs/en/baselines/Azure.Default.md +++ b/docs/en/baselines/Azure.Default.md @@ -4,7 +4,7 @@ Default baseline for Azure rules. ## Rules -The following rules are included within `Azure.Default`. This baseline includes a total of 380 rules. +The following rules are included within `Azure.Default`. This baseline includes a total of 384 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -122,6 +122,7 @@ Name | Synopsis | Severity [Azure.Cognitive.ManagedIdentity](../rules/Azure.Cognitive.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important [Azure.Cognitive.PrivateEndpoints](../rules/Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | Important [Azure.Cognitive.PublicAccess](../rules/Azure.Cognitive.PublicAccess.md) | Restrict access of Cognitive Services accounts to authorized virtual networks. | Important +[Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important @@ -161,8 +162,10 @@ Name | Synopsis | Severity [Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical [Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness +[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical [Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness [Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important +[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important [Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical [Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important @@ -243,6 +246,7 @@ Name | Synopsis | Severity [Azure.PublicIP.AvailabilityZone](../rules/Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness [Azure.PublicIP.IsAttached](../rules/Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important +[Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness [Azure.PublicIP.StandardSKU](../rules/Azure.PublicIP.StandardSKU.md) | Public IP addresses should be deployed with Standard SKU for production workloads. | Important [Azure.RBAC.CoAdministrator](../rules/Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important @@ -303,7 +307,7 @@ Name | Synopsis | Severity [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important [Azure.Storage.DefenderCloud](../rules/Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/baselines/Azure.GA_2022_09.md b/docs/en/baselines/Azure.GA_2022_09.md index ad18c02fad..8b9fa7b0e3 100644 --- a/docs/en/baselines/Azure.GA_2022_09.md +++ b/docs/en/baselines/Azure.GA_2022_09.md @@ -238,7 +238,7 @@ Name | Synopsis | Severity [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/baselines/Azure.GA_2022_12.md b/docs/en/baselines/Azure.GA_2022_12.md index e93591125f..a7b4722c52 100644 --- a/docs/en/baselines/Azure.GA_2022_12.md +++ b/docs/en/baselines/Azure.GA_2022_12.md @@ -267,7 +267,7 @@ Name | Synopsis | Severity [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/baselines/Azure.GA_2023_03.md b/docs/en/baselines/Azure.GA_2023_03.md index f98d330578..74085e4050 100644 --- a/docs/en/baselines/Azure.GA_2023_03.md +++ b/docs/en/baselines/Azure.GA_2023_03.md @@ -286,7 +286,7 @@ Name | Synopsis | Severity [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/baselines/Azure.GA_2023_06.md b/docs/en/baselines/Azure.GA_2023_06.md index aa957f5585..f09f1643c9 100644 --- a/docs/en/baselines/Azure.GA_2023_06.md +++ b/docs/en/baselines/Azure.GA_2023_06.md @@ -299,7 +299,7 @@ Name | Synopsis | Severity [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important [Azure.Storage.DefenderCloud](../rules/Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/baselines/Azure.MCSB.v1.md b/docs/en/baselines/Azure.MCSB.v1.md index 9621ed8759..2a371aef4d 100644 --- a/docs/en/baselines/Azure.MCSB.v1.md +++ b/docs/en/baselines/Azure.MCSB.v1.md @@ -6,7 +6,7 @@ Microsoft Cloud Security Benchmark v1. ## Controls -The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 115 rules. +The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 117 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -80,6 +80,8 @@ Name | Synopsis | Severity [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Azure AD identities. | Important [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Event Hub namespaces should reject TLS versions older than 1.2. | Critical +[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical +[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important [Azure.FrontDoor.WAF.Enabled](../rules/Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical [Azure.IoTHub.MinTLS](../rules/Azure.IoTHub.MinTLS.md) | IoT Hubs should reject TLS versions older than 1.2. | Critical [Azure.KeyVault.RBAC](../rules/Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness diff --git a/docs/en/baselines/Azure.Preview.md b/docs/en/baselines/Azure.Preview.md index 9d093113f3..bad07e47d1 100644 --- a/docs/en/baselines/Azure.Preview.md +++ b/docs/en/baselines/Azure.Preview.md @@ -4,7 +4,7 @@ Includes rules for Azure GA and preview features. ## Rules -The following rules are included within `Azure.Preview`. This baseline includes a total of 395 rules. +The following rules are included within `Azure.Preview`. This baseline includes a total of 399 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -130,6 +130,7 @@ Name | Synopsis | Severity [Azure.Cognitive.ManagedIdentity](../rules/Azure.Cognitive.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important [Azure.Cognitive.PrivateEndpoints](../rules/Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | Important [Azure.Cognitive.PublicAccess](../rules/Azure.Cognitive.PublicAccess.md) | Restrict access of Cognitive Services accounts to authorized virtual networks. | Important +[Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important @@ -173,8 +174,10 @@ Name | Synopsis | Severity [Azure.EventHub.Usage](../rules/Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.Firewall.Mode](../rules/Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical [Azure.Firewall.Name](../rules/Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness +[Azure.Firewall.PolicyMode](../rules/Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical [Azure.Firewall.PolicyName](../rules/Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness [Azure.FrontDoor.Logs](../rules/Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important +[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important [Azure.FrontDoor.MinTLS](../rules/Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical [Azure.FrontDoor.Name](../rules/Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important @@ -255,6 +258,7 @@ Name | Synopsis | Severity [Azure.PublicIP.AvailabilityZone](../rules/Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness [Azure.PublicIP.IsAttached](../rules/Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important +[Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness [Azure.PublicIP.StandardSKU](../rules/Azure.PublicIP.StandardSKU.md) | Public IP addresses should be deployed with Standard SKU for production workloads. | Important [Azure.RBAC.CoAdministrator](../rules/Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important @@ -317,7 +321,7 @@ Name | Synopsis | Severity [Azure.Storage.DefenderCloud](../rules/Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical [Azure.Storage.DefenderCloud.MalwareScan](../rules/Azure.Storage.DefenderCloud.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical [Azure.Storage.DefenderCloud.SensitiveData](../rules/Azure.Storage.DefenderCloud.SensitiveData.md) | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical -[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important +[Azure.Storage.FileShareSoftDelete](../rules/Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important [Azure.Storage.Firewall](../rules/Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important [Azure.Storage.MinTLS](../rules/Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness diff --git a/docs/en/rules/Azure.Storage.BlobAccessType.md b/docs/en/rules/Azure.Storage.BlobAccessType.md index 2846ca7597..f3ac8e0153 100644 --- a/docs/en/rules/Azure.Storage.BlobAccessType.md +++ b/docs/en/rules/Azure.Storage.BlobAccessType.md @@ -1,5 +1,5 @@ --- -reviewed: 2022/01/20 +reviewed: 2022-01-20 severity: Important pillar: Security category: Authentication @@ -77,4 +77,4 @@ resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@20 - [About anonymous public read access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-configure#about-anonymous-public-read-access) - [Use Azure Policy to enforce authorized access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent#use-azure-policy-to-enforce-authorized-access) - [How a shared access signature works](https://docs.microsoft.com/azure/storage/common/storage-sas-overview#how-a-shared-access-signature-works) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts) diff --git a/docs/en/rules/Azure.Storage.BlobPublicAccess.md b/docs/en/rules/Azure.Storage.BlobPublicAccess.md index 4158673162..02b74e2253 100644 --- a/docs/en/rules/Azure.Storage.BlobPublicAccess.md +++ b/docs/en/rules/Azure.Storage.BlobPublicAccess.md @@ -18,7 +18,7 @@ Blob containers in Azure Storage Accounts can be configured for private or anony By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. -Anonymous access to blobs or containers can be restricted by setting `AllowBlobPublicAccess` to `false`. +Anonymous access to blobs or containers can be restricted by setting `allowBlobPublicAccess` to `false`. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. @@ -39,22 +39,24 @@ For example: ```json { - "comments": "Storage Account", - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2019-06-01", - "name": "st0000001", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_GRS", - "tier": "Standard" - }, - "kind": "StorageV2", - "properties": { - "supportsHttpsTrafficOnly": true, - "minimumTlsVersion": "TLS1_2", - "allowBlobPublicAccess": false, - "accessTier": "Hot" + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "accessTier": "Hot", + "allowSharedKeyAccess": false, + "networkAcls": { + "defaultAction": "Deny" } + } } ``` @@ -67,18 +69,19 @@ To deploy Storage Accounts that pass this rule: For example: ```bicep -resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = { - name: 'st0000001' +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: name location: location sku: { name: 'Standard_GRS' } kind: 'StorageV2' properties: { - supportsHttpsTrafficOnly: true - accessTier: 'Hot' allowBlobPublicAccess: false + supportsHttpsTrafficOnly: true minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowSharedKeyAccess: false networkAcls: { defaultAction: 'Deny' } @@ -93,4 +96,4 @@ resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = { - [Remediate anonymous public access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent#remediate-anonymous-public-access) - [Use Azure Policy to enforce authorized access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent#use-azure-policy-to-enforce-authorized-access) - [Authorize access to blobs using Azure Active Directory](https://docs.microsoft.com/azure/storage/blobs/authorize-access-azure-active-directory) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts#StorageAccountPropertiesCreateParameters) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts) diff --git a/docs/en/rules/Azure.Storage.ContainerSoftDelete.md b/docs/en/rules/Azure.Storage.ContainerSoftDelete.md index 4def5c9647..a7c76a1518 100644 --- a/docs/en/rules/Azure.Storage.ContainerSoftDelete.md +++ b/docs/en/rules/Azure.Storage.ContainerSoftDelete.md @@ -1,4 +1,5 @@ --- +reviewed: 2023-09-02 severity: Important pillar: Reliability category: Data management @@ -42,49 +43,44 @@ To deploy Storage Accounts that pass this rule: ```json { - "comments": "Storage Account", - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-04-01", - "name": "st0000001", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_GRS", - "tier": "Standard" - }, - "kind": "StorageV2", - "properties": { - "supportsHttpsTrafficOnly": true, - "accessTier": "Hot", - "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" - }, - "resources": [ - { - "comments": "Configure blob storage services", - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2019-06-01", - "name": "st0000001/default", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', 'st0000001')]" - ], - "sku": { - "name": "Standard_GRS" - }, - "properties": { - "cors": { - "corsRules": [] - }, - "deleteRetentionPolicy": { - "enabled": true, - "days": 7 - }, - "containerDeleteRetentionPolicy": { - "enabled": true, - "days": 7 - } - } + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "accessTier": "Hot", + "allowSharedKeyAccess": false, + "networkAcls": { + "defaultAction": "Deny" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2023-01-01", + "name": "[format('{0}/{1}', parameters('name'), 'default')]", + "properties": { + "deleteRetentionPolicy": { + "enabled": true, + "days": 7 + }, + "containerDeleteRetentionPolicy": { + "enabled": true, + "days": 7 } - ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + ] + } + ] } ``` @@ -98,9 +94,28 @@ To deploy Storage Accounts that pass this rule: For example: ```bicep -resource st0000001_blob 'Microsoft.Storage/storageAccounts/blobServices@2021-04-01' = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: name + location: location + sku: { + name: 'Standard_GRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + supportsHttpsTrafficOnly: true + minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowSharedKeyAccess: false + networkAcls: { + defaultAction: 'Deny' + } + } +} + +resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = { + parent: storageAccount name: 'default' - parent: st0000001 properties: { deleteRetentionPolicy: { enabled: true @@ -138,7 +153,8 @@ Storage accounts with: ## LINKS +- [Data management for reliability](https://learn.microsoft.com/azure/well-architected/resiliency/data-management) +- [Storage Accounts and reliability](https://learn.microsoft.com/azure/well-architected/services/storage/storage-accounts/reliability) - [Soft delete for containers](https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview) -- [Enable and manage soft delete for containers](https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal) -- [RBAC operations for Storage](https://docs.microsoft.com/azure/role-based-access-control/resource-provider-operations#microsoftstorage) -- [Azure resource template](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts/blobservices) +- [Enable and manage soft delete for containers](https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts/blobservices) diff --git a/docs/en/rules/Azure.Storage.DefenderCloud.MalwareScan.md b/docs/en/rules/Azure.Storage.DefenderCloud.MalwareScan.md index 7a52a4f51d..8b96528bd8 100644 --- a/docs/en/rules/Azure.Storage.DefenderCloud.MalwareScan.md +++ b/docs/en/rules/Azure.Storage.DefenderCloud.MalwareScan.md @@ -18,20 +18,24 @@ Microsoft Defender for Storage provides additional security for storage accounts One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus. -Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed. +Content uploaded to cloud storage could be malware. +Storage accounts can be a malware entry point into the organization and a malware distribution point. +To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed. Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time. This can be helpful when: - To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.) -- To comply with compliance standards that require on-upload malware scanning for noncompute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits. +- To comply with compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits. When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated. -Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommandation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. Defender for Storage settings on each storage account is inherited by the subscription level settings. +Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. +However, the general recommendation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. +Defender for Storage settings on each storage account is inherited by the subscription level settings. -It is also worth to mention that the resouce level enablement can be useful when: +It is also worth to mention that the resource level enablement can be useful when: - Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level. @@ -100,11 +104,12 @@ resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettin This feature is currently in preview. -Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported. +Malware Scanning is not supported for storage accounts with public network access set to disabled. +Not all services within storage accounts are currently supported. - When the plan is already enabled at the subscription level and the resource level override property `overrideSubscriptionLevelSettings` value is `false`, the resource level enablement will be ignored and the subscription level (plan) will still be used. - If the override property `overrideSubscriptionLevelSettings` value is `true`, the resource level enablement will be honored and a dedicated plan will be configured for the storage account. -- If there is no plan at the subcription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account. +- If there is no plan at the subscription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account. ## LINKS diff --git a/docs/en/rules/Azure.Storage.DefenderCloud.md b/docs/en/rules/Azure.Storage.DefenderCloud.md index f2fb542ea6..196db1025d 100644 --- a/docs/en/rules/Azure.Storage.DefenderCloud.md +++ b/docs/en/rules/Azure.Storage.DefenderCloud.md @@ -19,12 +19,12 @@ Which allows Microsoft Defender for Cloud to surface findings with details of th Additionally, Microsoft Defender for Storage provides security extensions to analyze data stored within Storage Accounts: -- Antimalware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities. +- Anti-malware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities. - Sensitive data threat detection to find resources with sensitive data. Microsoft Defender for Storage can be enabled on a per subscription or per resource basis. Enabling at the subscription level is recommended because it protects current and future Storage Accounts. -However, enabling at the resource level may be prefered for specific Storage Account to apply custom settings. +However, enabling at the resource level may be preferred for specific Storage Account to apply custom settings. ## RECOMMENDATION @@ -105,7 +105,7 @@ The following limitations currently apply for Microsoft Defender for Storage: Other storage types are not supported. - When Microsoft Defender is enabled at subscription and resource level, the subscription configuration will take priority. To override settings on a Storage Account, set the `properties.overrideSubscriptionLevelSettings` property to `true`. -- If there is no plan at the subcription level, Microsoft Defender for Storage can be configured without an override. +- If there is no plan at the subscription level, Microsoft Defender for Storage can be configured without an override. ## LINKS diff --git a/docs/en/rules/Azure.Storage.FileShareSoftDelete.md b/docs/en/rules/Azure.Storage.FileShareSoftDelete.md index 47c00b9344..57ed7f2dd9 100644 --- a/docs/en/rules/Azure.Storage.FileShareSoftDelete.md +++ b/docs/en/rules/Azure.Storage.FileShareSoftDelete.md @@ -1,5 +1,5 @@ --- -reviewed: 2022-09-19 +reviewed: 2023-09-02 severity: Important pillar: Reliability category: Data Management @@ -7,27 +7,38 @@ resource: Storage Account online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.FileShareSoftDelete/ --- -# Use fileshare soft delete +# Use soft delete on files shares ## Synopsis -Enable fileshare soft delete on Storage Accounts +Enable soft delete on Storage Accounts file shares. ## Description -Azure Files offers soft delete for fileshares within Storage Accounts to recover deleted or modified files. +Soft delete for Azure Files protects your shares from being accidentally deleted. +This feature **does not** protect against individual files being deleted or modified. +When soft delete is enabled for a Azure Files on a Storage Account, a share and its contents may be recovered +after it has been deleted, within a retention period that you specify. + +Soft delete on file shares should be considered _part_ of the strategy to protect and retain data for Azure Files. +Also consider: + +- Enabling Azure File Share Backup. +- Implementing role-based access control (RBAC). + +Storage Accounts can be configured to retain deleted share for a period of time between 1 and 365 days. ## Recommendation -Consider enabling soft delete on fileshares to protect files from accidential deletion or modification. +Consider enabling soft delete on Azure Files to protect against accidental deletion of shares. ## Examples ### Configure with Azure template -To deploy Fileshares via ARM that pass this rule: +To deploy Storage Accounts that pass this rule: -- Set the `properties.deleteRetentionPolicy.enabled` property to `true` on the fileshare services sub-resource +- Set the `properties.deleteRetentionPolicy.enabled` property to `true` on the `fileServices` sub-resource - Configure the `properties.deleteRetentionPolicy.days` property to the number of days to retain files. For example: @@ -48,34 +59,36 @@ For example: ### Configure with Bicep -To deploy Fileshares via Bicep that pass this rule: +To deploy Storage Accounts that pass this rule: -- Set the `properties.deleteRetentionPolicy.enabled` property to `true` on the fileshare services sub-resource +- Set the `properties.deleteRetentionPolicy.enabled` property to `true` on the `fileServices` sub-resource - Configure the `properties.deleteRetentionPolicy.days` property to the number of days to retain files. For example: ```bicep - -resource 'Microsoft.Storage/storageAccounts/fileServices@2022-05-01' = { +resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = { + parent: storageAccount name: 'default' - parent: st0000001 + properties: { shareDeleteRetentionPolicy: { - days: 7 enabled: true + days: 7 } } } - ``` ## Notes -Cloud Shell storage with the tag `ms-resource-usage = 'azure-cloud-shell'` is excluded. Storage accounts used for Cloud Shell are not intended to store data. +Cloud Shell storage with the tag `ms-resource-usage = 'azure-cloud-shell'` is excluded. +Storage accounts used for Cloud Shell are not intended to store data. ## Links -- [Enable soft delete on Azure file shares](https://docs.microsoft.com/azure/storage/files/storage-files-enable-soft-delete?tabs=azure-portal) -- [RBAC operations for storage](https://docs.microsoft.com/azure/role-based-access-control/resource-provider-operations#microsoftstorage) -- [What is Azure Files?](https://docs.microsoft.com/azure/storage/files/storage-files-introduction) -- [Microsoft.Storage storageAccounts/fileServices](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts/fileservices) +- [Data management for reliability](https://learn.microsoft.com/azure/well-architected/resiliency/data-management) +- [Storage Accounts and reliability](https://learn.microsoft.com/azure/well-architected/services/storage/storage-accounts/reliability) +- [Enable soft delete on Azure file shares](https://learn.microsoft.com/azure/storage/files/storage-files-prevent-file-share-deletion) +- [About Azure file share backup](https://learn.microsoft.com/azure/backup/azure-file-share-backup-overview) +- [Authorize access to file data](https://learn.microsoft.com/azure/storage/files/authorize-data-operations-portal) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts/fileservices) diff --git a/docs/en/rules/Azure.Storage.Firewall.md b/docs/en/rules/Azure.Storage.Firewall.md index 8387782837..10dcd11d88 100644 --- a/docs/en/rules/Azure.Storage.Firewall.md +++ b/docs/en/rules/Azure.Storage.Firewall.md @@ -42,23 +42,24 @@ For example: ```json { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-04-01", - "name": "st0000001", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_GRS" - }, - "kind": "StorageV2", - "properties": { - "supportsHttpsTrafficOnly": true, - "accessTier": "Hot", - "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2", - "networkAcls": { - "defaultAction": "Deny" - } + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "accessTier": "Hot", + "allowSharedKeyAccess": false, + "networkAcls": { + "defaultAction": "Deny" } + } } ``` @@ -71,18 +72,19 @@ To deploy Storage Accounts that pass this rule: For example: ```bicep -resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = { - name: 'st0000001' +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: name location: location sku: { name: 'Standard_GRS' } kind: 'StorageV2' properties: { - supportsHttpsTrafficOnly: true - accessTier: 'Hot' allowBlobPublicAccess: false + supportsHttpsTrafficOnly: true minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowSharedKeyAccess: false networkAcls: { defaultAction: 'Deny' } @@ -101,4 +103,4 @@ Azure storage firewall is not supported for Cloud Shell storage accounts. - [Configure Azure Storage firewalls and virtual networks](https://docs.microsoft.com/azure/storage/common/storage-network-security) - [Use private endpoints for Azure Storage](https://docs.microsoft.com/azure/storage/common/storage-private-endpoints) - [Persist files in Azure Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/persisting-shell-storage) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts#NetworkRuleSet) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts) diff --git a/docs/en/rules/Azure.Storage.MinTLS.md b/docs/en/rules/Azure.Storage.MinTLS.md index e5eef2cb2b..cc5f14a141 100644 --- a/docs/en/rules/Azure.Storage.MinTLS.md +++ b/docs/en/rules/Azure.Storage.MinTLS.md @@ -37,22 +37,24 @@ For example: ```json { - "comments": "Storage Account", - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2019-06-01", - "name": "st0000001", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_GRS", - "tier": "Standard" - }, - "kind": "StorageV2", - "properties": { - "supportsHttpsTrafficOnly": true, - "minimumTlsVersion": "TLS1_2", - "allowBlobPublicAccess": false, - "accessTier": "Hot" + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "accessTier": "Hot", + "allowSharedKeyAccess": false, + "networkAcls": { + "defaultAction": "Deny" } + } } ``` @@ -65,18 +67,19 @@ To deploy Storage Accounts that pass this rule: For example: ```bicep -resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = { - name: 'st0000001' +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: name location: location sku: { name: 'Standard_GRS' } kind: 'StorageV2' properties: { - supportsHttpsTrafficOnly: true - accessTier: 'Hot' allowBlobPublicAccess: false + supportsHttpsTrafficOnly: true minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowSharedKeyAccess: false networkAcls: { defaultAction: 'Deny' } @@ -87,8 +90,9 @@ resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = { ## LINKS - [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit) -- [TLS encryption in Azure](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#tls-encryption-in-azure) -- [Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account](https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version) +- [TLS encryption in Azure](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#tls-encryption-in-azure) +- [Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account](https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version) +- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline#dp-3-encrypt-sensitive-data-in-transit) - [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/) -- [Use Azure Policy to enforce the minimum TLS version](https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version#use-azure-policy-to-enforce-the-minimum-tls-version) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts#StorageAccountPropertiesCreateParameters) +- [Use Azure Policy to enforce the minimum TLS version](https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts) diff --git a/docs/en/rules/Azure.Storage.SoftDelete.md b/docs/en/rules/Azure.Storage.SoftDelete.md index 3a3a480d7b..7b8e37dba7 100644 --- a/docs/en/rules/Azure.Storage.SoftDelete.md +++ b/docs/en/rules/Azure.Storage.SoftDelete.md @@ -1,4 +1,5 @@ --- +reviewed: 2023-09-02 severity: Important pillar: Reliability category: Data management @@ -42,49 +43,44 @@ To deploy Storage Accounts that pass this rule: ```json { - "comments": "Storage Account", - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-04-01", - "name": "st0000001", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_GRS", - "tier": "Standard" - }, - "kind": "StorageV2", - "properties": { - "supportsHttpsTrafficOnly": true, - "accessTier": "Hot", - "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" - }, - "resources": [ - { - "comments": "Configure blob storage services", - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2019-06-01", - "name": "st0000001/default", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', 'st0000001')]" - ], - "sku": { - "name": "Standard_GRS" - }, - "properties": { - "cors": { - "corsRules": [] - }, - "deleteRetentionPolicy": { - "enabled": true, - "days": 7 - }, - "containerDeleteRetentionPolicy": { - "enabled": true, - "days": 7 - } - } + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "accessTier": "Hot", + "allowSharedKeyAccess": false, + "networkAcls": { + "defaultAction": "Deny" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2023-01-01", + "name": "[format('{0}/{1}', parameters('name'), 'default')]", + "properties": { + "deleteRetentionPolicy": { + "enabled": true, + "days": 7 + }, + "containerDeleteRetentionPolicy": { + "enabled": true, + "days": 7 } - ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + ] + } + ] } ``` @@ -98,9 +94,28 @@ To deploy Storage Accounts that pass this rule: For example: ```bicep -resource st0000001_blob 'Microsoft.Storage/storageAccounts/blobServices@2021-04-01' = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: name + location: location + sku: { + name: 'Standard_GRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + supportsHttpsTrafficOnly: true + minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowSharedKeyAccess: false + networkAcls: { + defaultAction: 'Deny' + } + } +} + +resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = { + parent: storageAccount name: 'default' - parent: st0000001 properties: { deleteRetentionPolicy: { enabled: true @@ -138,7 +153,8 @@ Storage accounts with: ## LINKS -- [Soft delete for Azure Storage blobs](https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview) -- [RBAC operations for Storage](https://docs.microsoft.com/azure/role-based-access-control/resource-provider-operations#microsoftstorage) -- [Blob storage features available in Azure Data Lake Storage Gen2](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-supported-blob-storage-features) -- [Azure resource template](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts/blobservices) +- [Data management for reliability](https://learn.microsoft.com/azure/well-architected/resiliency/data-management) +- [Storage Accounts and reliability](https://learn.microsoft.com/azure/well-architected/services/storage/storage-accounts/reliability) +- [Soft delete for Azure Storage blobs](https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview) +- [Blob storage features available in Azure Data Lake Storage Gen2](https://learn.microsoft.com/azure/storage/blobs/storage-feature-support-in-storage-accounts) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts/blobservices) diff --git a/docs/en/rules/Azure.Storage.UseReplication.md b/docs/en/rules/Azure.Storage.UseReplication.md index eee6d3bee8..a4c00bca9b 100644 --- a/docs/en/rules/Azure.Storage.UseReplication.md +++ b/docs/en/rules/Azure.Storage.UseReplication.md @@ -1,7 +1,7 @@ --- severity: Important pillar: Reliability -category: Data management +category: Requirements resource: Storage Account online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.UseReplication/ --- @@ -43,22 +43,24 @@ For example: ```json { - "comments": "Storage Account", - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2019-06-01", - "name": "st0000001", - "location": "[parameters('location')]", - "sku": { - "name": "Standard_GRS", - "tier": "Standard" - }, - "kind": "StorageV2", - "properties": { - "supportsHttpsTrafficOnly": true, - "minimumTlsVersion": "TLS1_2", - "allowBlobPublicAccess": false, - "accessTier": "Hot" + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "accessTier": "Hot", + "allowSharedKeyAccess": false, + "networkAcls": { + "defaultAction": "Deny" } + } } ``` @@ -72,18 +74,19 @@ To deploy Storage Accounts that pass this rule: For example: ```bicep -resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = { - name: 'st0000001' +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: name location: location sku: { name: 'Standard_GRS' } kind: 'StorageV2' properties: { - supportsHttpsTrafficOnly: true - accessTier: 'Hot' allowBlobPublicAccess: false + supportsHttpsTrafficOnly: true minimumTlsVersion: 'TLS1_2' + accessTier: 'Hot' + allowSharedKeyAccess: false networkAcls: { defaultAction: 'Deny' } @@ -105,6 +108,6 @@ Storage Accounts with the following tags are automatically excluded from this ru ## LINKS -- [Multiple and paired regions](https://learn.microsoft.com/azure/architecture/framework/resiliency/design-requirements) -- [Azure Storage redundancy](https://docs.microsoft.com/azure/storage/common/storage-redundancy) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.storage/storageaccounts) +- [Meet application platform requirements](https://learn.microsoft.com/azure/well-architected/resiliency/design-requirements#meet-application-platform-requirements) +- [Azure Storage redundancy](https://learn.microsoft.com/azure/storage/common/storage-redundancy) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts) diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md index 76127a4871..d7e7ddd8c9 100644 --- a/docs/en/rules/index.md +++ b/docs/en/rules/index.md @@ -318,7 +318,7 @@ AZR-000294 | [Azure.Defender.SQL](Azure.Defender.SQL.md) | Enable Microsoft Defe AZR-000295 | [Azure.Defender.AppServices](Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | GA AZR-000296 | [Azure.Defender.Storage](Azure.Defender.Storage.md) | Enable Microsoft Defender for Storage. | GA AZR-000297 | [Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | GA -AZR-000298 | [Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | GA +AZR-000298 | [Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | GA AZR-000299 | [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | GA AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | GA AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA @@ -415,7 +415,11 @@ AZR-000391 | [Azure.Storage.DefenderCloud.SensitiveData](Azure.Storage.DefenderC AZR-000392 | [Azure.MySQL.AAD](Azure.MySQL.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. | GA AZR-000393 | [Azure.Databricks.SecureConnectivity](Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | GA AZR-000394 | [Azure.MySQL.AADOnly](Azure.MySQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. | GA +AZR-000395 | [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | GA +AZR-000396 | [Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | GA AZR-000397 | [Azure.RSV.Immutable](Azure.RSV.Immutable.md) | Ensure immutability is configured to protect backup data. | GA AZR-000398 | [Azure.BV.Immutable](Azure.BV.Immutable.md) | Ensure immutability is configured to protect backup data. | GA +AZR-000399 | [Azure.Firewall.PolicyMode](Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | GA +AZR-000400 | [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md index b6078d308d..fb14322547 100644 --- a/docs/en/rules/module.md +++ b/docs/en/rules/module.md @@ -85,6 +85,7 @@ Name | Synopsis | Severity | Level [Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | Important | Error [Azure.ASE.MigrateV3](Azure.ASE.MigrateV3.md) | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning +[Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important | Error ### Instrumentation @@ -145,6 +146,7 @@ Name | Synopsis | Severity | Level [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error +[Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error @@ -309,9 +311,8 @@ Name | Synopsis | Severity | Level [Azure.KeyVault.PurgeProtect](Azure.KeyVault.PurgeProtect.md) | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important | Error [Azure.KeyVault.SoftDelete](Azure.KeyVault.SoftDelete.md) | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important | Error [Azure.Storage.ContainerSoftDelete](Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important | Error -[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important | Error +[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important | Error [Azure.Storage.SoftDelete](Azure.Storage.SoftDelete.md) | Enable blob soft delete on Storage Accounts. | Important | Error -[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage Accounts not using geo-replicated storage (GRS) may be at risk. | Important | Error ### Design @@ -370,6 +371,7 @@ Name | Synopsis | Severity | Level [Azure.AppConfig.SKU](Azure.AppConfig.SKU.md) | App Configuration should use a minimum size of Standard. | Important | Error [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error [Azure.SignalR.SLA](Azure.SignalR.SLA.md) | Use SKUs that include an SLA when configuring SignalR Services. | Important | Error +[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage Accounts not using geo-replicated storage (GRS) may be at risk. | Important | Error [Azure.WebPubSub.SLA](Azure.WebPubSub.SLA.md) | Use SKUs that include an SLA when configuring Web PubSub Services. | Important | Error ### Resiliency and dependencies @@ -440,6 +442,12 @@ Name | Synopsis | Severity | Level [Azure.Storage.BlobPublicAccess](Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important | Error [Azure.WebPubSub.ManagedIdentity](Azure.WebPubSub.ManagedIdentity.md) | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important | Error +### Authorization + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning + ### Azure resources Name | Synopsis | Severity | Level @@ -554,8 +562,8 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Azure AD identities for management place operations in Azure Cosmos DB. | Important | Error [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error +[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error [Azure.KeyVault.AccessPolicy](Azure.KeyVault.AccessPolicy.md) | Use the principal of least privilege when assigning access to Key Vault. | Important | Error -[Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning [Azure.MySQL.AADOnly](Azure.MySQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. | Important | Error [Azure.PostgreSQL.AADOnly](Azure.PostgreSQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. | Important | Error [Azure.RBAC.CoAdministrator](Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important | Error @@ -595,6 +603,12 @@ Name | Synopsis | Severity | Level [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error [Azure.KeyVault.AutoRotationPolicy](Azure.KeyVault.AutoRotationPolicy.md) | Key Vault keys should have auto-rotation enabled. | Important | Error +### Logs and alerts + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error + ### Monitor Name | Synopsis | Severity | Level @@ -619,6 +633,7 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error [Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error +[Azure.Firewall.PolicyMode](Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical | Error [Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical | Error @@ -698,7 +713,6 @@ Name | Synopsis | Severity | Level [Azure.DefenderCloud.Contact](Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error [Azure.DefenderCloud.Provisioning](Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important | Error [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error -[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error [Azure.MariaDB.DefenderCloud](Azure.MariaDB.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important | Error [Azure.MySQL.DefenderCloud](Azure.MySQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important | Error [Azure.PostgreSQL.DefenderCloud](Azure.PostgreSQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important | Error diff --git a/docs/en/rules/resource.md b/docs/en/rules/resource.md index fcdc339ac6..440d2c8c54 100644 --- a/docs/en/rules/resource.md +++ b/docs/en/rules/resource.md @@ -287,6 +287,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important | Error [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error @@ -381,6 +382,7 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error +[Azure.Firewall.PolicyMode](Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical | Error [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error ## Front Door @@ -389,6 +391,7 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error +[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | Error [Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness | Error [Azure.FrontDoor.Probe](Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important | Error @@ -503,6 +506,7 @@ Name | Synopsis | Severity | Level [Azure.PublicIP.AvailabilityZone](Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important | Error [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error [Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important | Error +[Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important | Error [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness | Error [Azure.PublicIP.StandardSKU](Azure.PublicIP.StandardSKU.md) | Public IP addresses should be deployed with Standard SKU for production workloads. | Important | Error @@ -586,7 +590,7 @@ Name | Synopsis | Severity | Level [Azure.Storage.DefenderCloud](Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical | Error [Azure.Storage.DefenderCloud.MalwareScan](Azure.Storage.DefenderCloud.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical | Error [Azure.Storage.DefenderCloud.SensitiveData](Azure.Storage.DefenderCloud.SensitiveData.md) | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical | Error -[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important | Error +[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important | Error [Azure.Storage.Firewall](Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important | Error [Azure.Storage.MinTLS](Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical | Error [Azure.Storage.Name](Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness | Error diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md index 76127a4871..d7e7ddd8c9 100644 --- a/docs/es/rules/index.md +++ b/docs/es/rules/index.md @@ -318,7 +318,7 @@ AZR-000294 | [Azure.Defender.SQL](Azure.Defender.SQL.md) | Enable Microsoft Defe AZR-000295 | [Azure.Defender.AppServices](Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | GA AZR-000296 | [Azure.Defender.Storage](Azure.Defender.Storage.md) | Enable Microsoft Defender for Storage. | GA AZR-000297 | [Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | GA -AZR-000298 | [Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | GA +AZR-000298 | [Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | GA AZR-000299 | [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | GA AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | GA AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA @@ -415,7 +415,11 @@ AZR-000391 | [Azure.Storage.DefenderCloud.SensitiveData](Azure.Storage.DefenderC AZR-000392 | [Azure.MySQL.AAD](Azure.MySQL.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. | GA AZR-000393 | [Azure.Databricks.SecureConnectivity](Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | GA AZR-000394 | [Azure.MySQL.AADOnly](Azure.MySQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. | GA +AZR-000395 | [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | GA +AZR-000396 | [Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | GA AZR-000397 | [Azure.RSV.Immutable](Azure.RSV.Immutable.md) | Ensure immutability is configured to protect backup data. | GA AZR-000398 | [Azure.BV.Immutable](Azure.BV.Immutable.md) | Ensure immutability is configured to protect backup data. | GA +AZR-000399 | [Azure.Firewall.PolicyMode](Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | GA +AZR-000400 | [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md index b6078d308d..fb14322547 100644 --- a/docs/es/rules/module.md +++ b/docs/es/rules/module.md @@ -85,6 +85,7 @@ Name | Synopsis | Severity | Level [Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | Important | Error [Azure.ASE.MigrateV3](Azure.ASE.MigrateV3.md) | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning +[Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important | Error ### Instrumentation @@ -145,6 +146,7 @@ Name | Synopsis | Severity | Level [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error +[Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error @@ -309,9 +311,8 @@ Name | Synopsis | Severity | Level [Azure.KeyVault.PurgeProtect](Azure.KeyVault.PurgeProtect.md) | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important | Error [Azure.KeyVault.SoftDelete](Azure.KeyVault.SoftDelete.md) | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important | Error [Azure.Storage.ContainerSoftDelete](Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important | Error -[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important | Error +[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important | Error [Azure.Storage.SoftDelete](Azure.Storage.SoftDelete.md) | Enable blob soft delete on Storage Accounts. | Important | Error -[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage Accounts not using geo-replicated storage (GRS) may be at risk. | Important | Error ### Design @@ -370,6 +371,7 @@ Name | Synopsis | Severity | Level [Azure.AppConfig.SKU](Azure.AppConfig.SKU.md) | App Configuration should use a minimum size of Standard. | Important | Error [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error [Azure.SignalR.SLA](Azure.SignalR.SLA.md) | Use SKUs that include an SLA when configuring SignalR Services. | Important | Error +[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage Accounts not using geo-replicated storage (GRS) may be at risk. | Important | Error [Azure.WebPubSub.SLA](Azure.WebPubSub.SLA.md) | Use SKUs that include an SLA when configuring Web PubSub Services. | Important | Error ### Resiliency and dependencies @@ -440,6 +442,12 @@ Name | Synopsis | Severity | Level [Azure.Storage.BlobPublicAccess](Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important | Error [Azure.WebPubSub.ManagedIdentity](Azure.WebPubSub.ManagedIdentity.md) | Configure Web PubSub Services to use managed identities to access Azure resources securely. | Important | Error +### Authorization + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning + ### Azure resources Name | Synopsis | Severity | Level @@ -554,8 +562,8 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Azure AD identities for management place operations in Azure Cosmos DB. | Important | Error [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error +[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error [Azure.KeyVault.AccessPolicy](Azure.KeyVault.AccessPolicy.md) | Use the principal of least privilege when assigning access to Key Vault. | Important | Error -[Azure.KeyVault.RBAC](Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness | Warning [Azure.MySQL.AADOnly](Azure.MySQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. | Important | Error [Azure.PostgreSQL.AADOnly](Azure.PostgreSQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. | Important | Error [Azure.RBAC.CoAdministrator](Azure.RBAC.CoAdministrator.md) | Delegate access to manage Azure resources using role-based access control (RBAC). | Important | Error @@ -595,6 +603,12 @@ Name | Synopsis | Severity | Level [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error [Azure.KeyVault.AutoRotationPolicy](Azure.KeyVault.AutoRotationPolicy.md) | Key Vault keys should have auto-rotation enabled. | Important | Error +### Logs and alerts + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error + ### Monitor Name | Synopsis | Severity | Level @@ -619,6 +633,7 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error [Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error +[Azure.Firewall.PolicyMode](Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical | Error [Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical | Error @@ -698,7 +713,6 @@ Name | Synopsis | Severity | Level [Azure.DefenderCloud.Contact](Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error [Azure.DefenderCloud.Provisioning](Azure.DefenderCloud.Provisioning.md) | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | Important | Error [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error -[Azure.KeyVault.Logs](Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important | Error [Azure.MariaDB.DefenderCloud](Azure.MariaDB.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | Important | Error [Azure.MySQL.DefenderCloud](Azure.MySQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | Important | Error [Azure.PostgreSQL.DefenderCloud](Azure.PostgreSQL.DefenderCloud.md) | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | Important | Error diff --git a/docs/es/rules/resource.md b/docs/es/rules/resource.md index fcdc339ac6..440d2c8c54 100644 --- a/docs/es/rules/resource.md +++ b/docs/es/rules/resource.md @@ -287,6 +287,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important | Error [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error @@ -381,6 +382,7 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error +[Azure.Firewall.PolicyMode](Azure.Firewall.PolicyMode.md) | Deny high confidence malicious IP addresses, domains and URLs. | Critical | Error [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error ## Front Door @@ -389,6 +391,7 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | Important | Error [Azure.FrontDoor.Logs](Azure.FrontDoor.Logs.md) | Audit and monitor access through Front Door. | Important | Error +[Azure.FrontDoor.ManagedIdentity](Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important | Error [Azure.FrontDoor.MinTLS](Azure.FrontDoor.MinTLS.md) | Front Door Classic instances should reject TLS versions older than 1.2. | Critical | Error [Azure.FrontDoor.Name](Azure.FrontDoor.Name.md) | Front Door names should meet naming requirements. | Awareness | Error [Azure.FrontDoor.Probe](Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important | Error @@ -503,6 +506,7 @@ Name | Synopsis | Severity | Level [Azure.PublicIP.AvailabilityZone](Azure.PublicIP.AvailabilityZone.md) | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | Important | Error [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error [Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP address should be attached or removed. | Important | Error +[Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses. Basic SKU for Public IP addresses will be retired. | Important | Error [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Public IP names should meet naming requirements. | Awareness | Error [Azure.PublicIP.StandardSKU](Azure.PublicIP.StandardSKU.md) | Public IP addresses should be deployed with Standard SKU for production workloads. | Important | Error @@ -586,7 +590,7 @@ Name | Synopsis | Severity | Level [Azure.Storage.DefenderCloud](Azure.Storage.DefenderCloud.md) | Enable Microsoft Defender for Storage for storage accounts. | Critical | Error [Azure.Storage.DefenderCloud.MalwareScan](Azure.Storage.DefenderCloud.MalwareScan.md) | Enable Malware Scanning in Microsoft Defender for Storage. | Critical | Error [Azure.Storage.DefenderCloud.SensitiveData](Azure.Storage.DefenderCloud.SensitiveData.md) | Enable sensitive data threat detection in Microsoft Defender for Storage. | Critical | Error -[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable fileshare soft delete on Storage Accounts | Important | Error +[Azure.Storage.FileShareSoftDelete](Azure.Storage.FileShareSoftDelete.md) | Enable soft delete on Storage Accounts file shares. | Important | Error [Azure.Storage.Firewall](Azure.Storage.Firewall.md) | Storage Accounts should only accept explicitly allowed traffic. | Important | Error [Azure.Storage.MinTLS](Azure.Storage.MinTLS.md) | Storage Accounts should reject TLS versions older than 1.2. | Critical | Error [Azure.Storage.Name](Azure.Storage.Name.md) | Storage Account names should meet naming requirements. | Awareness | Error diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml index 8c11a02904..d185941733 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.yaml @@ -31,4 +31,4 @@ spec: - SystemAssigned,UserAssigned - SystemAssigned, UserAssigned - #endregion Rules +#endregion Rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 index 11669e6081..48ff516dd7 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 @@ -6,7 +6,7 @@ # # Synopsis: Storage Accounts not using geo-replicated storage (GRS) may be at risk. -Rule 'Azure.Storage.UseReplication' -Ref 'AZR-000195' -Type 'Microsoft.Storage/storageAccounts' -If { (ShouldStorageReplicate) } -Tag @{ release = 'GA'; ruleSet = '2020_06' } { +Rule 'Azure.Storage.UseReplication' -Ref 'AZR-000195' -Type 'Microsoft.Storage/storageAccounts' -If { (ShouldStorageReplicate) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Reliability'; } { $Assert.In($TargetObject, 'sku.name', @( 'Standard_GRS' 'Standard_RAGRS' @@ -16,7 +16,7 @@ Rule 'Azure.Storage.UseReplication' -Ref 'AZR-000195' -Type 'Microsoft.Storage/s } # Synopsis: Enable soft delete on Storage Accounts -Rule 'Azure.Storage.SoftDelete' -Ref 'AZR-000197' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices' -If { !(IsCloudShell) -and !(IsHnsStorage) -and !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06' } { +Rule 'Azure.Storage.SoftDelete' -Ref 'AZR-000197' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices' -If { !(IsCloudShell) -and !(IsHnsStorage) -and !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Reliability'; } { $services = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Storage/storageAccounts') { $services = @(GetSubResources -ResourceType 'Microsoft.Storage/storageAccounts/blobServices'); @@ -30,7 +30,7 @@ Rule 'Azure.Storage.SoftDelete' -Ref 'AZR-000197' -Type 'Microsoft.Storage/stora } # Synopsis: Use containers configured with a private access type that requires authorization. -Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices/containers' -If { !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06' } { +Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices/containers' -If { !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { $containers = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Storage/storageAccounts') { $containers = @(GetSubResources -ResourceType 'Microsoft.Storage/storageAccounts/blobServices/containers'); @@ -45,7 +45,7 @@ Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/s } # Synopsis: Use Storage naming requirements -Rule 'Azure.Storage.Name' -Ref 'AZR-000201' -Type 'Microsoft.Storage/storageAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06' } { +Rule 'Azure.Storage.Name' -Ref 'AZR-000201' -Type 'Microsoft.Storage/storageAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { # https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftstorage # Between 3 and 24 characters long @@ -56,8 +56,8 @@ Rule 'Azure.Storage.Name' -Ref 'AZR-000201' -Type 'Microsoft.Storage/storageAcco Match 'Name' '^[a-z0-9]{3,24}$' -CaseSensitive } -# Synopsis: Enable soft delete for file shares -Rule 'Azure.Storage.FileShareSoftDelete' -Ref 'AZR-000298' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/fileServices' -If { (IsFileStorage) -and !(IsCloudShell) -and !(IsHnsStorage) } -Tag @{ release = 'GA'; ruleSet = '2022_09'; } { +# Synopsis: Enable soft delete on Storage Accounts file shares. +Rule 'Azure.Storage.FileShareSoftDelete' -Ref 'AZR-000298' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/fileServices' -If { (IsFileStorage) -and !(IsCloudShell) -and !(IsHnsStorage) } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Reliability'; } { $services = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Storage/storageAccounts') { $services = @(GetSubResources -ResourceType 'Microsoft.Storage/storageAccounts/fileServices'); @@ -73,8 +73,8 @@ Rule 'Azure.Storage.FileShareSoftDelete' -Ref 'AZR-000298' -Type 'Microsoft.Stor } } -# Synopsis: Enable soft delete on blob containers -Rule 'Azure.Storage.ContainerSoftDelete' -Ref 'AZR-000289' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices' -If { !(IsCloudShell) -and !(IsHnsStorage) -and !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2022_09' } { +# Synopsis: Enable container soft delete on Storage Accounts. +Rule 'Azure.Storage.ContainerSoftDelete' -Ref 'AZR-000289' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices' -If { !(IsCloudShell) -and !(IsHnsStorage) -and !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Reliability'; } { $services = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Storage/storageAccounts') { $services = @(GetSubResources -ResourceType 'Microsoft.Storage/storageAccounts/blobServices'); @@ -211,7 +211,7 @@ function global:IsLargeFileSharesEnabled { function global:IsPublicNetworkAccessEnabled { [CmdletBinding()] - param () + param () process { $Assert.HasDefaultValue($TargetObject, 'properties.publicNetworkAccess', 'Enabled').Result } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml index 0294803d78..f151927652 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.yaml @@ -17,6 +17,7 @@ metadata: tags: release: 'GA' ruleSet: '2021_09' + Azure.WAF/pillar: 'Security' spec: type: - Microsoft.Storage/storageAccounts