Framework/Configurations/SVT/Services/RedisCache.json

{
  "FeatureName": "RedisCache",
  "Reference": "aka.ms/azsktcp/rediscache",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_RedisCache_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "RedisCache110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging the RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Redis Cache. Assign the 'Redis Cache Contributor' RBAC role to developers who manage Redis Cache configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "RedisCache120",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId '{ResourceId}' -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_AuthZ_Configure_IP_Range",
      "Description": "Configure Redis Cache firewall settings for additional protection",
      "Id": "RedisCache130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheFirewallIPAddressRange",
      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.",
      "Recommendation": "Enable firewall and add rules specifying permitted IPs/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as that allows access to all possible IPs. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall, (REST API) https://docs.microsoft.com/en-in/rest/api/redis/redisfirewallrule",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup",
      "Description": "Redis Data Persistence should be enabled to back up Redis Cache data",
      "Id": "RedisCache140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheRDBBackup",
      "Rationale": "Enabling backup on Redis Cache ensures that there is always a previous snapshot of data that can be leveraged towards recovery scenarios.",
      "Recommendation": "Configure data persistence. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#redis-data-persistence",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "BCDR"
      ],
      "Enabled": true
    },
   {
      "ControlID": "Azure_RedisCache_DP_Use_SSL_Port",
      "Description": "Non-SSL port must not be enabled",
      "Id": "RedisCache150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRedisCacheSSLConfig",
      "Rationale": "Use of SSL/TLS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping and session-hijacking attacks.",
      "Recommendation": "To disable the Non-SSL port for Redis Cache, run command: Set-AzureRmRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false",
      "Tags": [
         "SDL",
         "TCP",
         "Automated",
         "DP"
      ],
      "Enabled": true,
      "FixControl": {
         "FixMethodName": "DisableNon_SSLport_RedisCache",
         "FixControlImpact": "High"
      }
   },
    {
      "ControlID": "Azure_RedisCache_DP_Rotate_Keys",
      "Description": "Access keys must be rotated periodically",
      "Id": "RedisCache160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate keys at regular intervals. To generate a new key, run command 'New-AzureRmRedisCacheKey'. Run 'Get-Help New-AzureRmRedisCacheKey -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_RedisCache_AuthN_Dont_Share_Cache_Instances",
      "Description": "Do not share cache instances across applications",
      "Id": "RedisCache170",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "There is no access control within a cache. If multiple applications share the same cache, they will be able to freely access each other's cached data, which may lead to compromise.",
      "Recommendation": "Create a separate Redis Cache instance for each application. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-web-app-howto#configure-the-application-to-use-redis-cache",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
      {
      "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_For_Domain_App",
      "Description": "Redis Cache instance should be confined within a virtual network for domain-joined scenarios",
      "Id": "RedisCache180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Azure Virtual Network (VNet) deployment provides enhanced security and isolation for Azure Redis Cache, as well as subnets, access control policies, and other features to further restrict access.",
      "Recommendation": "For steps to configure Azure Redis Cache on a Virtual Network, refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec"
      ],
      "Enabled": true
    }
  ]
}