Framework/Configurations/SVT/SubscriptionCore/SubscriptionCore.json

{
  "FeatureName": "SubscriptionCore",
  "Reference": "aka.ms/azsdkosstcp/sshealth",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count",
      "Description": "Minimize the number of admins/owners",
      "Id": "SubscriptionCore110",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSubscriptionAdminCount",
      "Recommendation": "There are 2 steps involved. You need to clean up any unexpected 'Classic Administrators' and unexpected 'Owners' on the subscription. (1) Steps to clean up classic administrators: (a) Log on to https://manage.windowsazure.com/ (b) Navigate to the Settings tab, then click the Administrators tab to list all the administrators (c) Select the account that has to be removed and click the Remove icon on the bottom ribbon (d) Perform this operation for all the accounts that have to be removed from the subscription. (2) Steps to clean up subscription owners: run the command 'Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Add_Required_Central_Accounts",
      "Description": "Mandatory central accounts must be present on the subscription",
      "Id": "SubscriptionCore120",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckApprovedCentralAccountsRBAC",
      "Recommendation": "Run command 'Set-AzSDKSubscriptionRBAC'. Run 'Get-Help Set-AzSDKSubscriptionRBAC -full' to get the complete details about this command. This would set up all the required mandatory accounts on the subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts",
      "Description": "Deprecated/stale accounts must not be present on the subscription",
      "Id": "SubscriptionCore130",
                         "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckDeprecatedAccountsRBAC",
      "Recommendation": "Run command 'Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command. You can remove all the deprecated accounts using this command. If the deprecated account is a classic admin then remove it directly from the classic portal.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
      "Description": "Must not grant access to non-AD/AAD accounts (e.g., LiveId) in the subscription",
      "Id": "SubscriptionCore140",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckNonAADAccountsRBAC",
      "Recommendation": "Run command 'Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SOX",
        "OwnerAccess"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_SVC_Accounts_No_MFA",
      "Description": "Service accounts cannot support MFA and should not be used for subscription activity",
      "Id": "SubscriptionCore150",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSVCAccountsRBAC",
      "Recommendation": "Run command 'Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "OwnerAccess"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_CoAdmin_Count",
      "Description": "There should not be more than $($this.ControlSettings.NoOfClassicAdminsLimit) classic administrators",
      "Id": "SubscriptionCore160",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCoAdminCount",
      "Recommendation": "You need to clean up any unexpected 'Classic Administrators'. Please follow these steps: (a) Log on to https://manage.windowsazure.com/ (b) Navigate to the Settings tab, then click the Administrators tab to list all the administrators (c) Select the account that has to be removed and click the Remove icon on the bottom ribbon (d) Perform this operation for all the accounts that have to be removed from the subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Management_Certs",
      "Description": "Use of management certificates is not permitted.",
      "Id": "SubscriptionCore170",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckManagementCertsPresence",
      "Recommendation": "Use the management cert removal tool from the C+E team to clean up unwanted management certs.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "OwnerAccess"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_Config_Azure_Security_Center",
      "Description": "Azure Security Center (ASC) must be correctly configured on the subscription",
      "Id": "SubscriptionCore180",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterSettings",
      "Recommendation": "Run command 'Set-AzSDKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>' -SecurityContactEmails '<comma separated email ids>' -SecurityPhoneNumber '<contact number>''. Run 'Get-Help Set-AzSDKAzureSecurityCenterPolicies -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SOX"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_Audit_Resolve_Azure_Security_Center_Alerts",
      "Description": "Pending Azure Security Center (ASC) alerts must be resolved",
      "Id": "SubscriptionCore190",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterAlerts",
      "Recommendation": "You need to act on all the active alerts on Azure Security Center. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to the Security Center resource. (c) Click on Security alerts under the Detection category. (d) Take action on all the pending alerts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_Audit_Resolve_Azure_Security_Center_Recommendations",
      "Description": "Pending Azure Security Center (ASC) tasks and recommendations must be resolved",
      "Id": "SubscriptionCore200",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterRecommendations",
      "Recommendation": "You need to act on all the active recommendations and tasks on Azure Security Center. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to the Security Center resource. (c) Click on Recommendations under the Prevention category. (d) Take action on all the pending recommendations and tasks.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "SOX"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Add_SPNs_as_Owner",
      "Description": "Service Principal Names (SPNs) should not be Owners/Contributors on the subscription",
      "Id": "SubscriptionCore210",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRBAC",
      "Recommendation": "Run command 'Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SOX"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_SI_Lock_Critical_Resources",
      "Description": "Critical application resources should be protected using a resource lock",
      "Id": "SubscriptionCore220",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckResourceLocksUsage",
      "Recommendation": "Run command 'New-AzureRmResourceLock'. Run 'Get-Help New-AzureRmResourceLock -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "SI"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_Config_ARM_Policy",
      "Description": "ARM policies should be used to limit certain actions in the subscription that may impact security",
      "Id": "SubscriptionCore230",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckARMPoliciesCompliance",
      "Recommendation": "Run command 'Set-AzSDKARMPolicies'. Run 'Get-Help Set-AzSDKARMPolicies -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Config"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_Audit_Configure_Critical_Alerts",
      "Description": "Alerts must be configured for critical actions on subscription and resources",
      "Id": "SubscriptionCore240",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCriticalAlertsPresence",
      "Recommendation": "Run command 'Set-AzSDKAlerts'. Run 'Get-Help Set-AzSDKAlerts -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Custom_RBAC_Roles",
      "Description": "Do not use custom-defined RBAC roles",
      "Id": "SubscriptionCore250",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckCustomRBACRolesPresence",
      "Recommendation": "Run command 'Remove-AzureRmRoleDefinition'. Run 'Get-Help Remove-AzureRmRoleDefinition -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Classic_Resources",
      "Description": "Do not use any classic resources on a subscription",
      "Id": "SubscriptionCore260",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfClassicResources",
      "Recommendation": "Plan to deprecate classic resources usage in your application.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    }
  ]
}