Framework/Configurations/SVT/Services/LoadBalancer.json

{
   "FeatureName": "LoadBalancer",
   "Reference": "aka.ms/azsdkosstcp",
   "IsManintenanceMode": false,
   "Controls": [
      {
         "ControlID": "Azure_LoadBalancer_AuthZ_Grant_Min_RBAC_Access",
         "Description": "All users/identities must be granted the minimum required permissions using Role Based Access Control (RBAC)",
         "Id": "LoadBalancer110",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckRBACAccess",
         "Recommendation": "Remove any excessive privileges granted on the Load Balancer. Assign the 'Log Analytics Contributor, Network Contributor, Virtual Machine Contributor' RBAC roles to developers who manage Load Balancer configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "RBAC"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_LoadBalancer_Audit_Enable_Diagnostics_Log",
         "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
         "Id": "LoadBalancer120",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckDiagnosticsSettings",
         "Recommendation": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days. Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled $true. Refer: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "Audit",
            "Diagnostics"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_LoadBalancer_NetSec_Justify_PublicIPs",
         "Description": "Public IPs on an internet-facing Load Balancer should be carefully reviewed",
         "Id": "LoadBalancer130",
         "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckPublicIP",
         "Recommendation": "Use the following steps on the portal: Load Balancer Properties -> Frontend IP configuration -> Click on the context menu of the desired Frontend IP configuration -> Delete",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "NetSec"
         ],
         "Enabled": true,
         "DataObjectProperties": [
            "PublicIpAllocationMethod",
            "IpConfiguration",
            "Id",
            "DnsSettings"
         ]
      }
   ]
}