Framework/Configurations/SVT/SubscriptionCore/SubscriptionCore.json

{
   "FeatureName": "SubscriptionCore",
   "Reference": "aka.ms/azsdkosstcp/sshealth",
   "IsManintenanceMode": false,
   "Controls": [
      {
         "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count",
         "Description": "Minimize the number of admins/owners",
         "Id": "SubscriptionCore110",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckSubscriptionAdminCount",
         "Recommendation": "There are 2 steps involved. You need to clean up (1) unexpected 'Classic Administrators' and (2) unexpected 'Owners' on the subscription. (1) Steps to clean up classic administrators: (a) Go to https://manage.windowsazure.com/ --> Settings tab --> Administrators --> select and remove unwanted administrators using the remove icon on the bottom ribbon. (2) To remove unwanted members from the Owners group, simply run the command 'Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "AuthZ"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Add_Required_Central_Accounts",
         "Description": "Mandatory central accounts must be present on the subscription",
         "Id": "SubscriptionCore120",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckApprovedCentralAccountsRBAC",
         "Recommendation": "Run command 'Set-AzSDKSubscriptionRBAC'. This command sets up all mandatory accounts on the target subscription. Run 'Get-Help Set-AzSDKSubscriptionRBAC -full' for more help.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts",
         "Description": "Deprecated/stale accounts must not be present on the subscription",
         "Id": "SubscriptionCore130",
         "ControlSeverity": "Critical",
         "Automated": "Yes",
         "MethodName": "CheckDeprecatedAccountsRBAC",
         "Recommendation": "Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. You can remove all the deprecated accounts using this command. If the deprecated account is a classic admin, you may have to remove it directly via the classic portal. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
         "Description": "Must not grant access to non-AD/AAD accounts (e.g., Live ID accounts) in the subscription",
         "Id": "SubscriptionCore140",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckNonAADAccountsRBAC",
         "Recommendation": "Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "SOX",
            "OwnerAccess"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Dont_Use_SVC_Accounts_No_MFA",
         "Description": "Service accounts cannot support MFA and should not be used for subscription activity",
         "Id": "SubscriptionCore150",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckSVCAccountsRBAC",
         "Recommendation": "Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "OwnerAccess"
         ],
         "Enabled": false
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Limit_CoAdmin_Count",
         "Description": "There should not be more than $($this.ControlSettings.NoOfClassicAdminsLimit) classic administrators",
         "Id": "SubscriptionCore160",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckCoAdminCount",
         "Recommendation": "You need to clean up any unexpected 'Classic Administrators'. Please follow these steps: (a) Logon to https://manage.windowsazure.com/ (b) Navigate to the Settings tab and click the Administrators tab to list all administrators (c) Select the account that has to be removed and click the Remove icon on the bottom ribbon (d) Perform this operation for all the co-administrators that need to be removed from the subscription.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Remove_Management_Certs",
         "Description": "Use of management certificates is not permitted.",
         "Id": "SubscriptionCore170",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckManagementCertsPresence",
         "Recommendation": "Logon to https://manage.windowsazure.com/ --> Settings tab --> Management Certificates tab --> Delete unwanted management certs using delete icon on the bottom ribbon.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "OwnerAccess"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_Config_Azure_Security_Center",
         "Description": "Azure Security Center (ASC) must be correctly configured on the subscription",
         "Id": "SubscriptionCore180",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckAzureSecurityCenterSettings",
         "Recommendation": "Run command Set-AzSDKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>' -SecurityContactEmails '<comma-separated email ids>' -SecurityPhoneNumber '<contact number>'. Run 'Get-Help Set-AzSDKAzureSecurityCenterPolicies -full' for more help.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "Config",
            "SOX"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_Audit_Resolve_Azure_Security_Center_Alerts",
         "Description": "Pending Azure Security Center (ASC) alerts must be resolved",
         "Id": "SubscriptionCore190",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckAzureSecurityCenterAlerts",
         "Recommendation": "You need to address all active alerts on Azure Security Center. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Security Center. (c) Click on Security Alerts under Detection category. (d) Take appropriate actions on all pending alerts.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "Audit"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_Audit_Resolve_Azure_Security_Center_Recommendations",
         "Description": "Pending Azure Security Center (ASC) tasks and recommendations must be resolved",
         "Id": "SubscriptionCore200",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckAzureSecurityCenterRecommendations",
         "Recommendation": "You need to review and act on all active recommendations and tasks on Azure Security Center. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Security Center. (c) Click on Recommendations under Prevention category. (d) Take appropriate actions on all pending recommendations and tasks.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "Audit",
            "SOX"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Dont_Add_SPNs_as_Owner",
         "Description": "Service Principal Names (SPNs) should not be Owners or Contributors on the subscription",
         "Id": "SubscriptionCore210",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckSPNsRBAC",
         "Recommendation": "Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "AuthZ",
            "SOX"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_SI_Lock_Critical_Resources",
         "Description": "Critical application resources should be protected using a resource lock",
         "Id": "SubscriptionCore220",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckResourceLocksUsage",
         "Recommendation": "Run command 'New-AzureRmResourceLock'. Run 'Get-Help New-AzureRmResourceLock -full' for more help.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "SI"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_Config_ARM_Policy",
         "Description": "ARM policies should be used to audit or deny certain activities in the subscription that can impact security",
         "Id": "SubscriptionCore230",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckARMPoliciesCompliance",
         "Recommendation": "Run command 'Set-AzSDKARMPolicies'. Run 'Get-Help Set-AzSDKARMPolicies -full' for more help.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "Config"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_Audit_Configure_Critical_Alerts",
         "Description": "Alerts must be configured for critical actions on subscription and resources",
         "Id": "SubscriptionCore240",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckCriticalAlertsPresence",
         "Recommendation": "Run command 'Set-AzSDKAlerts'. Run 'Get-Help Set-AzSDKAlerts -full' for more help.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "Audit"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Custom_RBAC_Roles",
         "Description": "Do not use custom-defined RBAC roles",
         "Id": "SubscriptionCore250",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckCustomRBACRolesPresence",
         "Recommendation": "Run command 'Remove-AzureRmRoleDefinition'. Run 'Get-Help Remove-AzureRmRoleDefinition -full' for more help.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "AuthZ"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_Subscription_AuthZ_Classic_Resources",
         "Description": "Do not use any classic resources on a subscription",
         "Id": "SubscriptionCore260",
                            "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckPresenceOfClassicResources",
         "Recommendation": "Migrate each VM/ASM-based resource in your app to a corresponding v2/ARM-based resource.",
         "Tags": [
            "SDL",
            "Best Practice",
            "Automated",
            "AuthZ"
         ],
         "Enabled": true
      }
   ]
}