Framework/Configurations/SVT/Services/LoadBalancer.json

{
  "FeatureName": "LoadBalancer",
  "Reference": "aka.ms/azsdkosstcp",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_LoadBalancer_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "LoadBalancer110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Remove any excessive privileges granted on the Load Balancer. Assign the 'Log Analytics Contributor, Network Contributor, Virtual Machine Contributor' RBAC roles to developers who manage Load Balancer configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LoadBalancer_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "LoadBalancer120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Recommendation": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days. Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled $true. Refer: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LoadBalancer_NetSec_Justify_PublicIPs",
      "Description": "Public IPs on an internet-facing Load Balancer should be carefully reviewed",
      "Id": "LoadBalancer130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIP",
      "Recommendation": "Use the following steps on the portal: Load Balancer Properties -> Frontend IP configuration -> open the context menu of the desired Frontend IP configuration -> Delete",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "PublicIpAllocationMethod",
        "IpConfiguration",
        "Id",
        "DnsSettings"
      ]
    }
  ]
}