Azure Security Policies

The Security Policies view provides a list of all security policies within the Cloudneeti application. The following are the security policies within the Cloudneeti application for different cloud account types; please refer to the Release Notes for the latest updates.

CategoryName Policy Title
Azure - Business continuity and DR Ensure that backup feature is configured for Virtual Machines
Azure - Business continuity and DR Ensure that backup policy is associated with every Backup Vault
Azure - Business continuity and DR Ensure that sufficient capacity is available for Virtual Machines (SLA)
Azure - Business continuity and DR Ensure that Backup feature is configured for App Service deployed on Standard and above App Service Plan
Azure - Business continuity and DR Ensure that Backup feature is configured for API Apps deployed on Standard and above App Service Plan
Azure - Business continuity and DR Ensure that Backup feature is configured for Function Apps deployed on Standard and above App Service Plan
Azure - Business continuity and DR Ensure that Backup feature is configured for Mobile Apps deployed on Standard and above App Service Plan
Azure - Compute (IaaS) Ensure that Vulnerability Assessment solutions is installed on the Virtual Machines
Azure - Compute (IaaS) Ensure that Endpoint Protection is installed on the Virtual Machines
Azure - Compute (IaaS) Ensure that latest OS patches are applied to all Virtual Machines
Azure - Compute (IaaS) Ensure that Disk Encryption policy is enforced on the Virtual Machines
Azure - Compute (IaaS) Ensure that operating system disks are encrypted for Windows Virtual Machines
Azure - Compute (IaaS) Ensure that data disks are encrypted for Windows Virtual Machines
Azure - Compute (IaaS) Ensure that VM agent is installed on Virtual Machines
Azure - Compute (IaaS) Ensure that Antivirus is enabled for Virtual Machines
Azure - Compute (IaaS) Ensure that auto update for Antivirus software is enabled on the Virtual Machines
Azure - Compute (IaaS) Ensure that real time protection is set to ON inside the Windows Virtual Machine
Azure - Compute (IaaS) Ensure that diagnostics is enabled on Virtual Machine
Azure - Compute (IaaS) Ensure that Service Fabric cluster consists more than one VM
Azure - Compute (IaaS) Ensure that Certificate security is enabled on the Service Fabric cluster
Azure - Compute (IaaS) Ensure that update mode is set to automatic for Service Fabric cluster
Azure - Compute (IaaS) Ensure that log analytics storage is enabled for Service Fabric cluster
Azure - Compute (IaaS) Ensure that Azure AD security is use to Service Fabric cluster
Azure - Compute (IaaS) Ensure that Log Analytics VM extension is enabled for Windows Virtual Machines
Azure - Compute (IaaS) Ensure that Windows Virtual Machines are always AD Domain joined
Azure - Compute (IaaS) Ensure that 'Unattached disks' are encrypted
Azure - Compute (IaaS) Ensure than ASC showing healthy state for Virtual Machine
Azure - Compute (IaaS) Ensure that Log Analytics VM extension is enabled for Linux Virtual Machines
Azure - Compute (IaaS) Ensure that operating system disks are encrypted for Linux Virtual Machines
Azure - Compute (IaaS) Ensure that data disks are encrypted for Linux Virtual Machines
Azure - Compute (IaaS) Ensure that Virtual Machines are using managed disks
Azure - Compute (IaaS) Ensure that only approved extensions are installed
Azure - Compute (PaaS and Serverless) Ensure HTTP/2 is enabled for an App Service Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that 'Always On' is enabled for App Services deployed on Basic and above App Service Plan
Azure - Compute (PaaS and Serverless) Ensure that 'Always On' is enabled for Api Apps deployed on Basic and above App Service Plan
Azure - Compute (PaaS and Serverless) Ensure that 'Always On' is enabled for Mobile Apps deployed on Basic and above App Service Plan
Azure - Compute (PaaS and Serverless) Ensure that 'Always On' is enabled for Function Apps deployed on Basic and above App Service Plan
Azure - Compute (PaaS and Serverless) Ensure that 'Auto Heal' is enabled for App Services
Azure - Compute (PaaS and Serverless) Ensure that 'Auto Heal' is enabled for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that 'Auto Heal' is enabled for Api Apps
Azure - Compute (PaaS and Serverless) Ensure that 'Auto Heal' is enabled for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that Register with Azure Active Directory is enabled on App Service
Azure - Compute (PaaS and Serverless) Ensure that Managed Service Identity (MSI) is enabled for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that Managed Service Identity (MSI) is enabled for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that Managed Service Identity (MSI) is enabled for Api Apps
Azure - Compute (PaaS and Serverless) Ensure Web Sockets are disabled for App Services
Azure - Compute (PaaS and Serverless) Ensure Web Sockets are disabled for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure Web Sockets are disabled for API Apps
Azure - Compute (PaaS and Serverless) Ensure Web Sockets are disabled for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Web Apps
Azure - Compute (PaaS and Serverless) Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for API Apps
Azure - Compute (PaaS and Serverless) Ensure that remote debugging is turned off for Function App
Azure - Compute (PaaS and Serverless) Ensure that IP restrictions rules are configured for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that IP restrictions rules are configured for App Service
Azure - Compute (PaaS and Serverless) Ensure that Custom Domains are configured in App Service
Azure - Compute (PaaS and Serverless) Ensure that Custom Domains are configured in Function App
Azure - Compute (PaaS and Serverless) Ensure that CORS should not allow every resource to access Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that Custom Domains are configured in Mobile App
Azure - Compute (PaaS and Serverless) Ensure that Custom Domains are configured in API App
Azure - Compute (PaaS and Serverless) Ensure that IP restrictions rules are configured for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that IP restrictions rules are configured for API Apps
Azure - Compute (PaaS and Serverless) Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that CORS should not allow every resource to access Function Apps
Azure - Compute (PaaS and Serverless) Ensure that CORS should not allow every resource to access Web Apps
Azure - Compute (PaaS and Serverless) Ensure that CORS should not allow every resource to access API Apps
Azure - Compute (PaaS and Serverless) Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
Azure - Compute (PaaS and Serverless) Ensure that HTTPS Only is enabled for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that HTTPS Only is enabled for API App Services
Azure - Compute (PaaS and Serverless) Ensure that HTTPS Only is enabled for Mobile App Services
Azure - Compute (PaaS and Serverless) Ensure that remote debugging is turned off for App Service
Azure - Compute (PaaS and Serverless) Ensure that 'App Service Authentication' is enabled for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that 'App Service Authentication' is enabled for API Apps
Azure - Compute (PaaS and Serverless) Ensure that 'App Service Authentication' is enabled for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that 'App Service Authentication' is enabled for Web apps
Azure - Compute (PaaS and Serverless) Ensure that remote debugging is turned off for Mobile App
Azure - Compute (PaaS and Serverless) Ensure that remote debugging is turned off for API App
Azure - Compute (PaaS and Serverless) Ensure that 'Availability Web Tests' are configured for API Apps
Azure - Compute (PaaS and Serverless) Ensure that 'Availability Web Tests' are configured for Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that 'Availability Web Tests' are configured for Function Apps
Azure - Compute (PaaS and Serverless) Ensure that 'App Insights' are configured for Azure Mobile Apps
Azure - Compute (PaaS and Serverless) Ensure that 'App Insights' are configured for Azure Function Apps
Azure - Compute (PaaS and Serverless) Ensure that 'App Insights' are configured for Azure API Apps
Azure - Compute (PaaS and Serverless) Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Azure - Compute (PaaS and Serverless) Ensure that 'HTTP Version' is the latest, if used to run the web app
Azure - Compute (PaaS and Serverless) Ensure HTTP/2 is enabled for an App Service Function Apps
Azure - Compute (PaaS and Serverless) Ensure HTTP/2 is enabled for an App Service API Apps
Azure - Data Analytics Ensure that HDInsight Cluster is AD Domain joined
Azure - Data Analytics Ensure that NSG always allows traffic from the specific IP addresses for HDInsight Cluster
Azure - Data Analytics Ensure that NSG always allows traffic from the specific region for HDInsight Cluster
Azure - Data Analytics Ensure that Enterprise Security Package is enabled for HDInsight cluster
Azure - Data Analytics Ensure that Service Identity is enabled for Azure Data Factory
Azure - Data Analytics Ensure that Azure Data Factory connection credentials are stored in Azure Key Vault
Azure - Data in Transit Ensure that TLS 1.0 and 1.1 protocols are disabled for Application Gateway
Azure - Data in Transit Ensure only SSL traffic is enabled for Application Gateway
Azure - Data in Transit Ensure that minimum protocol version of TLS1.2 or higher is enabled for Application Gateway
Azure - Data in Transit Ensure web app is using the latest version of TLS encryption
Azure - Data in Transit Ensure that TLS is configured for Function Apps
Azure - Data in Transit Ensure that TLS is configured for API Apps
Azure - Data in Transit Ensure that TLS is configured for Mobile Apps
Azure - Data in Transit Ensure that latest version of OWASP ruleset is used for Application Gateway
Azure - Data in Transit Ensure that WAF is enabled for Application Gateway
Azure - Data in Transit Ensure that your deployment architecture is protected by Azure SLA for Application Gateway
Azure - Data in Transit Ensure that WAF is set to 'Prevention mode' for Application Gateway
Azure - Fundamentals Ensure that Department tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that Environment tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that ProjectName tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that ApplicationOwner tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that BusinessUnit tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that CostCenter tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that DataProfile tag has been applied for individual Azure resources
Azure - Fundamentals Ensure that Resource Locks are set for mission critical Azure resources
Azure - Identity and Access Ensure that no custom subscription owner roles are created
Azure - Identity and Access Enforce the policy to set Password to 'always' expire in Azure Active Directory for all Organization Users
Azure - Identity and Access Ensure that Azure resources are accessible only through Organization Account
Azure - Identity and Access Ensure that Service Principal Certificates are renewed before it expires
Azure - Identity and Access Ensure that there are no guest users
Azure - Identity and Access Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
Azure - Identity and Access Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
Azure - Identity and Access Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
Azure - Identity and Access Ensure that 'Users can register applications' is set to 'No'
Azure - Identity and Access Ensure that 'Guest user permissions are limited' is set to 'Yes'
Azure - Identity and Access Ensure that 'Members can invite' is set to 'No'
Azure - Identity and Access Ensure that 'Guests can invite' is set to 'No'
Azure - Identity and Access Ensure that 'Self-service group management enabled' is set to 'No'
Azure - Identity and Access Ensure that 'Users can create security groups' is set to 'No'
Azure - Identity and Access Ensure that 'Users who can manage security groups' is set to 'None'
Azure - Identity and Access Ensure that 'Users can create Office 365 groups' is set to 'No'
Azure - Identity and Access Ensure that 'Users who can manage Office 365 groups' is set to 'None'
Azure - Identity and Access Ensure that 'Enable All Users group' is set to 'Yes'
Azure - Identity and Access Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
Azure - Identity and Access Ensure that 'Number of methods required to reset' is set to '2'
Azure - Identity and Access Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure - Identity and Access Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure - Identity and Access Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure - Identity and Access Ensure that multi-factor authentication is enabled for all privileged users
Azure - Key Management Ensure that AD Application keys are rotated before they expires
Azure - Key Management Ensure that the expiry date is set on all Secrets in a Key Vault
Azure - Key Management Ensure that Diagnostics logs are set with a retention period of at least 365 days for Azure Key Vaults
Azure - Key Management Ensure that Soft Delete is enabled for Key Vault
Azure - Key Management Ensure mission critical Azure KeyVaults are not open to the Internet
Azure - Key Management Ensure that the expiration date is set on all keys
Azure - Kubernetes & Containers Ensure Azure Active Directory RBAC is enabled for Azure Kubernetes Services (AKS)
Azure - Kubernetes & Containers Ensure that AAD is enabled in Kubernetes Service
Azure - Kubernetes & Containers Ensure that Monitoring is enabled for Azure Kubernetes Service
Azure - Kubernetes & Containers Ensure Azure Kubernetes Service clusters are always running with latest Kubernetes versions
Azure - Kubernetes & Containers Ensure that latest system updates are applied to all Azure Kubernetes Cluster nodes
Azure - Kubernetes & Containers Ensure that Diagnostics logs must be enabled with a retention period of at least 365 days for Azure Kubernetes Service
Azure - Kubernetes & Containers Ensure that credentials of service principal used for Container Registry are stored in Key Vault
Azure - Kubernetes & Containers Ensure that Container Registry has latest/patched image(s) all the time
Azure - Kubernetes & Containers Ensure that Activity logs for Data Container Registry are reviewed periodically
Azure - Kubernetes & Containers Ensure that only signed images are pushed to Container Registry
Azure - Kubernetes & Containers Ensure that a service principal is used to access container images in Container Registry
Azure - Kubernetes & Containers Ensure that all users/identities are granted minimum required permissions on Container Registry using Role Based Access Control (RBAC)
Azure - Kubernetes & Containers Ensure that management ports are not kept open on Kubernetes nodes unless required
Azure - Kubernetes & Containers Ensure that cluster admin level access is not directly or indirectly granted to developers
Azure - Kubernetes & Containers Ensure that container images (including nested images) deployed in Kubernetes are from a trustworthy source
Azure - Kubernetes & Containers Ensure that default cluster namespace is not used to deploy applications
Azure - Kubernetes & Containers Ensure that all Kubernetes Service secrets are stored in Key Vault
Azure - Kubernetes & Containers Ensure that all the Kubernetes cluster nodes have all the required OS patches installed
Azure - Kubernetes & Containers Ensure that Pod Identity is used for accessing other AAD(Azure Active Directory)-protected resources from the Kubernetes Service
Azure - Kubernetes & Containers Ensure that issues/recommendations provided by kube advisor are reviewed periodically
Azure - Kubernetes & Containers Ensure that data transit inside/across Kubernetes are using encrypted channel
Azure - Kubernetes & Containers Ensure that all users/identities are granted minimum required permissions on Kubernetes Cluster using Role Based Access Control (RBAC)
Azure - Logging and Auditing Ensure that 'Availability Web Tests' are configured for Azure Web Apps
Azure - Logging and Auditing Ensure that a Log Profile exists for Azure Monitor
Azure - Logging and Auditing Ensure that retention period is set to 365 days or greater for Activity Logs
Azure - Logging and Auditing Ensure that Activity Log Alert exists for Create Policy Assignment
Azure - Logging and Auditing Ensure Activity Log Alert exists for Create or Update Network Security Group
Azure - Logging and Auditing Ensure Activity Log Alert exists for Delete Network Security Group
Azure - Logging and Auditing Ensure Activity Log Alert exists for Create or Update Network Security Group Rule
Azure - Logging and Auditing Ensure Activity Log Alert exists for Delete Network Security Group Rule
Azure - Logging and Auditing Ensure Activity Log Alert exists for Create or Update Security Solution
Azure - Logging and Auditing Ensure Activity Log Alert exists for Delete Security Solution
Azure - Logging and Auditing Ensure Activity Log Alert(s) have configured for Create or Update SQL Server Firewall Rule
Azure - Logging and Auditing Ensure Activity Log Alert exists for Delete SQL Server Firewall Rule
Azure - Logging and Auditing Ensure Activity Log Alert exists for Update Security Policy
Azure - Logging and Auditing Ensure that Logging is enabled for Azure Key Vault
Azure - Logging and Auditing Ensure that Auditing and Monitoring is enabled for App Service
Azure - Logging and Auditing Ensure that Auditing and Monitoring is enabled for Mobile App
Azure - Logging and Auditing Ensure that Auditing and Monitoring is enabled for API App
Azure - Logging and Auditing Ensure that Auditing and Monitoring is enabled for Function App
Azure - Logging and Auditing Ensure that data retention period is set to 365 days or longer for Log Analytics
Azure - Logging and Auditing Ensure Audit Profile captures all the Activities
Azure - Logging and Auditing Ensure Log Profile captures activity logs for all Regions including global
Azure - Logging and Auditing Ensure Storage Container storing activity logs is not Publicly accessible
Azure - Logging and Auditing Ensure the storage account containing the container with activity logs is encrypted with BYOK
Azure - Logging and Auditing Ensure that 'Geo replication' is enabled for Cosmos DB
Azure - Logging and Auditing Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL database
Azure - Logging and Auditing Ensure that periodic recurring scans is enabled for SQL server
Azure - Logging and Auditing Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL Server
Azure - Logging and Auditing Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL Server
Azure - Logging and Auditing Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL Server
Azure - Logging and Auditing Ensure that 'Advanced Data Security' on a SQL database is set to 'On'
Azure - Logging and Auditing Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL database
Azure - Logging and Auditing Ensure that 'Send scan reports to' is set for SQL Server
Azure - Networking Ensure that inbound and outbound traffic rules are configured for Subnets by associating NSGs to Subnets
Azure - Networking Ensure that DenyAll rule is configured for all NSG's
Azure - Networking Ensure that RDP access is restricted from the internet on NSG's
Azure - Networking Ensure that SSH access is restricted from the internet on NSG's
Azure - Networking Ensure that Network Watcher is 'Enabled'
Azure - Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Azure - Networking Ensure that DDOS protection is enabled for Virtual Network
Azure - Networking Ensure that Flow Log Status is set to On for Network Security Groups
Azure - Networking Ensure that ingress traffic to 'Known internal web port' (TCP:8000) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'Known internal web port' (TCP:8080) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'NetBIOS Name Service' (UDP:137) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'NetBios Datagram Service' (UDP:138) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'NetBios Datagram Service' (UDP:139) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'SNMP' (UDP:161) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to CiscoSecure,websm (TCP:9090) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'Cassandra' (TCP:7001) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'MSSQL Server' (TCP:1433) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'MySQL' (TCP:3306) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'Postgres SQL' (TCP:5432) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'SQL Server Analysis Services' (TCP:2383) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Cassandra Client (TCP:9042) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Cassandra Internode Communication (TCP:7000) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Cassandra Monitoring (TCP:7199) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Cassandra OpsCenter Monitoring (TCP:61620) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Cassandra OpsCenter Website (TCP:8888) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Cassandra Thrift (TCP:9160) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Elastic search (TCP:9200) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Elastic search (TCP:9300) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to LDAP (UDP:389) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Memcached (TCP:11211) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Memcached (UDP:11211) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Mongo (TCP:27017) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Oracle DB (TCP:1521) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Oracle DB (TCP:2483) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Oracle DB (UDP:2483) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Redis (TCP:6379) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Remote Desktop (TCP:3389) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to SSH (TCP:22) is restricted from the public internet on NSG's
Azure - Networking Ensure that less than 3 Public IP's (i.e. NIC's with Public IP) are used for Virtual Network
Azure - Networking Ensure that ingress traffic to bitcoin ports (TCP 8332 and 8333) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to Ethereum port (TCP 8545) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to 'POP3' (TCP:110) is restricted from the public internet on NSG's
Azure - Networking Ensure that ingress traffic to SMTP (TCP:25) is restricted from the public internet on NSG's
Azure - Security Center Ensure that AAD authentication in Service Fabric is set to enabled in ASC
Azure - Security Center Ensure that AAD authentication in SQL server is set to enabled in ASC
Azure - Security Center Ensure that monitor of Adaptive Application whitelisting is set to enabled in ASC
Azure - Security Center Ensure that Automatic Provisioning of monitoring agent is set to On in ASC
Azure - Security Center Ensure that Cluster Protection level in Service Fabric is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Batch Account is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Data Lake Analytics is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Data Lake Store is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Event Hub is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Key Vault is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Logic Apps is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Redis Cache is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Search Service is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Service Bus is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Virtual Machine Scale Sets is set to enabled in ASC
Azure - Security Center Ensure that diagnostics logs in Stream Analytics is set to enabled in ASC
Azure - Security Center Ensure that disable unrestricted network to storage account is set to enabled in ASC
Azure - Security Center Ensure that monitor disk encryption is set to enabled in ASC
Azure - Security Center Designate up to 3 subscription owners is set to enabled in ASC
Azure - Security Center Designate more than one subscription owner is set to enabled in ASC
Azure - Security Center Ensure that MFA is enabled for all subscription accounts with owner permissions in ASC
Azure - Security Center Ensure that MFA is enabled for all subscription accounts with read permissions in ASC
Azure - Security Center Ensure that MFA is enabled for all subscription accounts with write permissions in ASC
Azure - Security Center Ensure that deprecated accounts is removed on subscription are set to enabled in ASC
Azure - Security Center Ensure that deprecated accounts with owner permissions are removed from subscription is set to enabled in ASC
Azure - Security Center Ensure that external accounts with owner permissions are removed from subscription is set to enabled in ASC
Azure - Security Center Ensure that external accounts with read permissions are removed from subscription is set to enabled in ASC
Azure - Security Center Ensure that external accounts with write permissions are removed from subscription is set to enabled in ASC
Azure - Security Center Ensure that metric alerts in Batch account is set to enabled in ASC
Azure - Security Center Ensure that namespace authorization rules in service bus is set to enabled in ASC
Azure - Security Center Ensure that monitoring of network security groups is set to enabled in ASC
Azure - Security Center Ensure that next generation firewall is set to enabled in ASC
Azure - Security Center Ensure that monitoring of OS vulnerabilities is set to enabled in ASC
Azure - Security Center Ensure that secure transfer to storage account is set to enabled in ASC
Azure - Security Center Ensure that security contact email is provided in ASC
Azure - Security Center Ensure that phone number is provided in ASC
Azure - Security Center Ensure that alert notification is set to On in ASC
Azure - Security Center Ensure that email notification is set to On to subscription owners in ASC
Azure - Security Center Ensure that monitoring of SQL auditing is set to enabled in ASC
Azure - Security Center Ensure that SqlDb Vulnerability Assessment is set to enabled in ASC
Azure - Security Center Ensure that monitor SQL encryption is set to enabled in ASC
Azure - Security Center Ensure that monitor storage blob encryption is set to enabled in ASC
Azure - Security Center Ensure that in ASC standard tier is selected
Azure - Security Center Ensure that monitor system updates is set to enabled in ASC
Azure - Security Center Ensure that web application firewall is set to enabled in ASC
Azure - Security Center Ensure that vulnerability assessment is set to enabled in ASC
Azure - Security Center Ensure that monitoring of SQL managed instances without Advanced Data Security is enabled in ASC
Azure - Security Center Ensure that monitoring of permissive network access to app-services is enabled in ASC
Azure - Security Center Ensure that all Advanced Threat Protection types on SQL managed instance is enabled in ASC
Azure - Security Center Ensure that monitoring of SQL managed server without Advanced Data Security is enabled in ASC
Azure - Security Center Ensure that monitoring of access rules in Event Hub namespaces is enabled in ASC
Azure - Security Center Ensure that all Advanced Threat Protection types on SQL server is enabled in ASC
Azure - Security Center Ensure that monitoring of auditing policy Action-Groups and Actions setting is enabled in ASC
Azure - Security Center Ensure that monitoring of the use of HTTPS in API app is enable in ASC
Azure - Security Center Ensure that monitoring of using built-in RBAC rules is enabled in ASC
Azure - Security Center Ensure that the Audit monitoring of SQL Servers is enabled in ASC
Azure - Security Center Ensure that monitoring of Kubernetes Services without authorized IP ranges is enabled in ASC
Azure - Security Center Ensure that monitoring of access rules in Event Hubs is enabled in ASC
Azure - Security Center Ensure that monitoring of CORS restrictions for API App is enabled in ASC
Azure - Security Center Ensure that monitoring of Automation Account Encryption is enabled in ASC
Azure - Security Center Ensure that monitoring of CORS restrictions for Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of CORS restrictions for Function App is enabled in ASC
Azure - Security Center Ensure that monitoring of diagnostics logs in selective app services is enabled in ASC
Azure - Security Center Ensure that monitoring of DDoS protection for virtual network is enabled in ASC
Azure - Security Center Ensure that endpoint protection monitoring for virtual machine scale sets is enabled in ASC
Azure - Security Center Ensure that monitoring of diagnostic logs in IoT Hubs is enabled in ASC
Azure - Security Center Ensure that monitoring of the use of HTTPS in function app is enabled in ASC
Azure - Security Center Ensure that 'Send alerts to' is set in SQL server Advanced Data Security settings is enabled in ASC
Azure - Security Center Ensure that monitoring of network just-in-time access is enabled in ASC
Azure - Security Center Ensure that IP Forwarding monitoring on virtual machines is disabled in ASC
Azure - Security Center Ensure that monitoring of IP restrictions for API App is enabled in ASC
Azure - Security Center Ensure that monitoring of Open Management Ports on virtual machines is enabled in ASC
Azure - Security Center Ensure that monitoring of IP restrictions for Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of IP restrictions for Function App is enabled in ASC
Azure - Security Center Ensure that monitoring of web sockets for API App is enabled in ASC
Azure - Security Center Ensure that monitoring of diagnostics logs in App Services is enabled in ASC
Azure - Security Center Ensure that monitoring of web sockets for Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of web sockets for Function App is enabled in ASC
Azure - Security Center Ensure that monitoring of custom domain use in API App is enabled in ASC
Azure - Security Center Ensure that monitoring of Endpoint Protection is enabled in ASC
Azure - Security Center Ensure that monitoring of custom domain use in Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of custom domain use in Function App is enabled in ASC
Azure - Security Center Ensure that monitoring of .Net version in Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of .Net version in API App is enabled in ASC
Azure - Security Center Ensure that monitoring of Java version in web app is enabled in ASC
Azure - Security Center Ensure that monitoring of Java version in API App is enabled in ASC
Azure - Security Center Ensure that monitoring of PHP version in the API App is enabled in ASC
Azure - Security Center Ensure that monitoring of Node.js version in Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of Python version in API App is enabled in ASC
Azure - Security Center Ensure that monitoring of PHP version in Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of Internet-facing VM for NSG traffic hardening is enabled in ASC
Azure - Security Center Ensure that monitoring of Python version in Web App is enabled in ASC
Azure - Security Center Ensure that monitoring of NSG for virtual machines is enabled in ASC
Azure - Security Center Ensure that monitoring of NSG for Subnet is enabled in ASC
Azure - Security Center Ensure that monitoring of Kubernetes Services without pod security policy is enabled in ASC
Azure - Security Center Ensure that monitoring of remote debugging for API App is enabled in ASC
Azure - Security Center Ensure that monitoring of remote debugging for Function App is enabled in ASC
Azure - Security Center Ensure that monitoring of remote debugging for Web App is enabled in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days for Batch accounts is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Azure Search service is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Data Lake Analytics is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Data Lake Store accounts is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Event Hub accounts is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in IoT Hub accounts is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Key Vault vaults is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Logic Apps workflows is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Service Bus is set in ASC
Azure - Security Center Ensure that required diagnostic logs retention period in days in Stream Analytics is set in ASC
Azure - Security Center Ensure that monitoring of Kubernetes Services without RBAC is enabled in ASC
Azure - Security Center Ensure that monitoring of sensitive data is classified on SQL database is enabled in ASC
Azure - Security Center Ensure that monitoring of SQL managed instances alerts being sent to admins and subscription owners is enabled in ASC
Azure - Security Center Ensure that monitoring of classic storage accounts migration to ARM is enabled in ASC
Azure - Security Center Ensure that reporting of system updates in virtual machine scale sets is enabled in ASC
Azure - Security Center Ensure that monitoring of unencrypted SQL databases is enabled in ASC
Azure - Security Center Ensure that monitoring of classic virtual machines is enabled in ASC
Azure - Security Center Ensure that OS vulnerabilities monitoring for virtual machine scale sets is enabled in ASC
Azure - Security Center Ensure that the detection of VM vulnerabilities by a Vulnerability Assessment solution is enabled in ASC
Azure - Security Center Ensure that Vulnerability Assessment on your SQL managed instances is enabled in ASC
Azure - Security Center Ensure that Vulnerability Assessment on your SQL servers is enabled in ASC
Azure - Security Center Ensure that monitoring of the use of HTTPS in Web App is enabled in ASC
Azure - Security Center Ensure that vulnerabilities in container security configurations should be remediated in ASC
Azure - Security Center Ensure that Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version in ASC
Azure - Storage and Databases Ensure that encryption is enabled for Azure Storage Service
Azure - Storage and Databases Ensure that 'Data encryption' is set to 'On' for SQL Databases
Azure - Storage and Databases Ensure that 'Auditing' is set to 'On' for SQL Databases
Azure - Storage and Databases Ensure that 'Auditing' is set to 'On' for SQL Server
Azure - Storage and Databases Ensure that 'Secure transfer required' is 'Enabled' for Storage Account
Azure - Storage and Databases Ensure that 'Threat Detection types' is set to 'All' for SQL Server
Azure - Storage and Databases Ensure that 'Storage service encryption' is set to Enabled for File Service
Azure - Storage and Databases Ensure that 'Storage service encryption' is set to Enabled for Blob Service
Azure - Storage and Databases Ensure that 'Geo-redundant' is enabled for Azure Storage
Azure - Storage and Databases Ensure that 'Public access level' is set to Private for Blob Containers
Azure - Storage and Databases Ensure that firewall rules are set as appropriate for SQL Servers
Azure - Storage and Databases Ensure that 'Threat Detection types' is set to 'All' for SQL Databases
Azure - Storage and Databases Ensure that 'Threat Detection' Retention is 'greater than 90 days' for SQL Server
Azure - Storage and Databases Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Servers
Azure - Storage and Databases Ensure that Azure Active Directory Admin is configured for SQL Server
Azure - Storage and Databases Ensure that 'Advanced Data Security' on a SQL server is set to 'On'
Azure - Storage and Databases Ensure that 'Threat' Retention is 'greater than 90 days' for SQL Databases
Azure - Storage and Databases Ensure that 'Geo replication' is enabled for SQL Databases
Azure - Storage and Databases Ensure that 'Data Masking' is enabled for SQL Databases
Azure - Storage and Databases Ensure that DataProfile tag has been applied for SQL Databases
Azure - Storage and Databases Ensure that Diagnostics is enabled for SQL Databases
Azure - Storage and Databases Ensure that DataProfile tag has been applied for Azure Storage
Azure - Storage and Databases Ensure that DataProfile tag has been applied for SQL DB Servers
Azure - Storage and Databases Ensure that threat detection is enabled for SQL Data Warehouse
Azure - Storage and Databases Ensure that firewall is enabled for SQL Data Warehouse
Azure - Storage and Databases Ensure that encryption is enabled for SQL Data Warehouse
Azure - Storage and Databases Ensure that auditing is enabled for SQL Data Warehouse
Azure - Storage and Databases Ensure that failover is enabled for Cosmos DB
Azure - Storage and Databases Ensure that firewall is enabled for Cosmos DB
Azure - Storage and Databases Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Azure - Storage and Databases Ensure default network access rule for Storage Accounts is set to deny
Azure - Storage and Databases Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
Azure - Storage and Databases Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Azure - Storage and Databases Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Azure - Storage and Databases Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Azure - Storage and Databases Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Azure - Storage and Databases Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Azure - Storage and Databases Ensure SQL server's TDE protector is encrypted with BYOK
Azure - Storage and Databases Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Azure - Storage and Databases Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Azure - Storage and Databases Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly
Azure - Storage and Databases Ensure the 'Allow access to Azure services' flag is disabled for SQL Server
Azure - Storage and Databases Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL Database
Azure - Storage and Databases Ensure Advanced Threat Protection is enabled for Storage Accounts
Azure - Storage and Databases Ensure that 'Eventual' consistency is disabled for Cosmos DB
Azure - Storage and Databases Ensure that firewall is enabled for Azure Data Lake Storage Gen1
Azure - Storage and Databases Ensure that diagnostics log is enabled for Azure Data Lake Storage Gen1
Azure - Storage and Databases Ensure that encryption of sensitive data is enabled for Azure Data Lake Storage Gen1
Azure - Storage and Databases Ensure that 'Send scan reports to' is set for SQL database
Azure - Storage and Databases Ensure that periodic recurring scans are enabled for SQL database
Azure - Storage and Databases Ensure that shared access signature tokens are allowed only over https
Azure - Storage and Databases Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL database
Azure - Storage and Databases Ensure that shared access signature tokens expire within an hour
Azure - Storage and Databases Ensure Storage logging is enabled for Queue service for read, write, and delete requests
Azure - Storage and Databases Ensure that storage account access keys are periodically regenerated
Azure - Storage and Databases Ensure that secrets and keys must not be in plain text in notebooks and jobs
Azure - Storage and Databases Ensure that an Azure Key Vault backed secret scope is used to hold secrets
Azure - Storage and Databases Ensure that all users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)
Azure - Storage and Databases Ensure that the number of workspace admins is minimized
Azure - Storage and Databases Ensure that all users are granted minimum required permissions on clusters
Azure - Storage and Databases Ensure that parameterized SQL queries are used to access the database
Azure - Storage and Databases Ensure that CosmosDb Account keys are rotated periodically
Azure - Storage and Databases Ensure that resource tokens are generated with least privileges and expiry needed by clients
Azure - Storage and Databases Do not send resource token with read write (RW) permission to untrusted clients