Framework/Configurations/SVT/Services/Search.json
|
{
"FeatureName": "Search", "Reference": "aka.ms/azsdkosstcp/azsearch", "IsManintenanceMode": false, "controls": [ { "ControlID": "Azure_Search_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "Search110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the Search service. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Least_Privilege_For_Monitoring", "Description": "Users monitoring/supporting the Search service should be provided with minimum required permissions", "Id": "Search120", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Remove any excessive privileges granted on the Search service to monitoring/support teams. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "Best Practice", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Search_DP_Encrypt_At_Rest", "Description": "Sensitive data at data source must be encrypted at rest", "Id": "Search130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "To enabled encryption for a SQL DB, run command 'Set-AzureRmSqlDatabaseTransparentDataEncryption -DatabaseName '<DBName>' -ResourceGroupName '<RGName>' -ServerName '<SQLServerName>' -State 'Enabled''. Run 'Get-Help Set-AzureRmSqlDatabaseTransparentDataEncryption -full' for more help. To enable encryption for Azure Storage, run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'Blob/File''. Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Search_DP_Encrypt_In_Transit", "Description": "Sensitive data must be encrypted in transit", "Id": "Search140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "For SQL DB, specify 'Encrypt=True, TrustServerCertificate=False' parameters in your application's connection string. For Azure Storage, use HTTPS protocol for data access.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Grant_Admin_Keys_For_Manage_Access_Only", "Description": "Admin keys must be furnished only for clients who need to manage the search catalog of Search service", "Id": "Search150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Admin keys should be maintained and owned only by Search service administrators and must be rotated periodically as per the company standards. To get the Admin keys, go to Azure Portal --> your Search service --> Settings --> Keys.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Search_AuthZ_Grant_Only_QueryKey_Access_to_Readers", "Description": "Consumers who require read access on Search service must only be granted 'query' keys", "Id": "Search160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Ensure that Search clients are granted access to 'query' keys only (and not 'admin' keys). To get 'query' keys, go to Azure Portal --> your Search service --> Settings --> Keys --> Manage query keys.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Search_Availability_Configure_Three_Replicas", "Description": "Search service must have at least three replicas for high availability", "Id": "Search170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSearchReplicaCount", "Recommendation": "Go to Azure Portal --> your Search service --> Settings --> Scale --> Replicas. Ensure that at least 3 replicas are setup.", "Tags": [ "SDL", "TCP", "Automated", "Availability" ], "Enabled": true }, { "ControlID": "Azure_Search_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days", "Id": "Search180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Run command 'Set-AzureRmDiagnosticSetting -ResourceId '<SearchServiceResourceId>' -StorageAccountId '<StorageAccountId>' -Enable $true -RetentionEnabled $true -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) '. Run 'Get-Help Set-AzureRmDiagnosticSetting -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true } ] } |