AzSDK

2.2.0

Framework/Configurations/SVT/Services/CDN.json

{
  "FeatureName": "CDN",
  "Reference": "aka.ms/azsdkosstcp",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_CDN_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "CDN110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Remove any excessive privileges granted on the CDN. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CDN_AuthN_Config_Token_AuthN",
      "Description": "CDN profile endpoints must use token authentication",
      "Id": "CDN120",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "To enable token authentication (currently available on Premium Verizon tier), go to Azure Portal --> your CDN Profile --> Manage --> HTTP LARGE --> Token Auth. Please refer https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth for more details on token authentication.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CDN_DP_TokenKey_Protection",
      "Description": "Token encryption key must be protected in a key vault (when a website generates tokens via code).",
      "Id": "CDN130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Refer https://azure.microsoft.com/en-in/documentation/articles/key-vault-get-started/ (Key Vault) and https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth (token-based authentication in CDN).",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CDN_DP_Enable_Https",
      "Description": "CDN endpoints must use HTTPS protocol while providing data to the client browser/machine or while fetching data from the origin server",
      "Id": "CDN140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCDNHttpsProtocol",
      "Recommendation": "To enable HTTPS protocol: Go to Azure Portal --> your CDN Profile --> your CDN Endpoint --> Origin --> Select HTTPS --> Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CDN_DP_Use_Only_For_Public_Data",
      "Description": "Do not put any sensitive data in a CDN. CDN is suitable only for resources where anonymous access is not a concern",
      "Id": "CDN150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Refer: https://docs.microsoft.com/en-gb/azure/architecture/best-practices/cdn.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "DP"
      ],
       "Enabled": true
    },
    {
      "ControlID": "Azure_CDN_Audit_Configure_Real_Time_Alerts",
      "Description": "Configure real time alerts on status code 403 to be observant of any unauthorized request for CDN endpoint",
      "Id": "CDN170",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "To set up alerts: Go to Azure Portal --> your CDN Profile --> Manage --> Analytics --> Real-Time Stats --> Real-Time Alerts.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    }
  ]
}