Framework/Configurations/SVT/Services/LogicApps.json

{
  "FeatureName": "LogicApps",
  "Reference": "aka.ms/azsdkosstcp/logicapps",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_LogicApps_Deploy_Dont_Use_Apps_In_Same_RG_Unless_Trust",
      "Description": "Multiple Logic Apps should not be deployed in the same resource group unless they trust each other",
      "Id": "LogicApps110",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckLogicAppsInSameRG",
      "Recommendation": "Logic Apps can use API Connections present in the same resource group, so verify that all Logic Apps present in the same resource group trust each other.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthN_Connectors_Use_AAD",
      "Description": "Logic App connectors must use AAD-based authentication wherever possible",
      "Id": "LogicApps120",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsAADAuth",
      "Recommendation": "For HTTP based connectors refer:- https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http#azure-active-directory-oauth-authentication",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Connector_Use_Min_Permissions",
      "Description": "Logic App connectors must have the minimum required permissions on the data source",
      "Id": "LogicApps130",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Connector must be configured with minimum permissions. E.g. 'SQL Server-Get row' must use a service account with only 'read' permission on the required table.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "LogicApps140",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Assign 'Logic App Contributor' role to developer and 'Logic App Operator' role to the operator. Refer:- https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-access-to-manage-or-edit-logic-apps",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control",
      "Description": "If a Logic App fires on an HTTP request (e.g. Request or Webhook trigger), then provide IP ranges for triggers to prevent unauthorized triggers",
      "Id": "LogicApps150",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckTriggersAccessControl",
      "Recommendation": "Provide access control by navigating to Portal-->Logic App-->Access Control Configuration (Don't add IP range $($this.ControlSettings.UniversalIPRange))",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Contents_Access_Control",
      "Description": "Must provide IP ranges for contents to prevent unauthorized access to the input/output data in the Logic App run history",
      "Id": "LogicApps160",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckContentsAccessControl",
      "Recommendation": "Provide access control by navigating to Portal-->Logic App-->Access Control Configuration (Don't add IP range $($this.ControlSettings.UniversalIPRange))",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Encrypt_Data_In_Transit",
      "Description": "Data in transit across connectors must use an encrypted channel",
      "Id": "LogicApps170",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsEncryptionInTransit",
      "Recommendation": "Use HTTPS URI in HTTP based connectors.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Dont_Allow_PlainText_Secrets_In_Codeview",
      "Description": "Application secrets/credentials must not appear in plain text in the source code (code view) of a Logic App",
      "Id": "LogicApps180",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsSecretsHandling",
      "Recommendation": "Use 'secureString' type parameter in Logic App codeview for secret parameters. Refer:- https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-parameters-and-inputs-within-a-workflow",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Rotate_Keys",
      "Description": "Logic App access key must be rotated periodically",
      "Id": "LogicApps190",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Navigate to Logic App --> Access keys --> Regenerate Access Key to regenerate the access key.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "LogicApps200",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Recommendation": "Enable diagnostics logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever)(forever). Refer:- https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-monitor-your-logic-apps#azure-diagnostics-and-alerts",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_BCDR_Backup_Periodically",
      "Description": "A backup of the Logic App Code View should be taken periodically",
      "Id": "LogicApps210",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Navigate to Logic App --> Logic App Code View and save content to backup location.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    }
  ]
}