AzSK

3.5.0

Framework/Configurations/SVT/Services/TrafficManager.json

                                {

  "FeatureName": "TrafficManager",

  "Reference": "aka.ms/azsktcp/trafficmanager",

  "IsMaintenanceMode": false,

  "Controls": [

    {

      "ControlID": "Azure_TrafficManager_AuthZ_Grant_Min_RBAC_Access",

      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",

      "Id": "TrafficManager110",

      "ControlSeverity": "Medium",

      "Automated": "Yes",

      "MethodName": "CheckRBACAccess",

      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

      "Recommendation": "Clean up any unauthorized users on the Traffic Manager Profile. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}}' -RoleDefinitionName {role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.",

      "Tags": [

        "SDL",

        "TCP",

        "Automated",

        "AuthZ",

        "RBAC"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_TrafficManager_DP_Enable_HTTPS",

      "Description": "Traffic Manager profile should use HTTPS protocol for endpoint monitoring",

      "Id": "TrafficManager120",

      "ControlSeverity": "Medium",

      "Automated": "Yes",

      "MethodName": "CheckTrafficManagerEndpointMonitorProtocol",

      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",

      "Recommendation": "To enable HTTPS protocol for endpoint monitoring, go to Azure Portal --> your Traffic Manager Profile --> Configuration -->  Select HTTPS --> Save. Else implement through PowerShell as follows: `$tp = Get-AzureRmTrafficManagerProfile -Name <profile Name> -ResourceGroupName <RGName>;  `$tp.MonitorProtocol = 'HTTPS'; `$tp.MonitorPath=<MonitorPath>; Set-AzureRmTrafficManagerProfile -TrafficManagerProfile `$tp",

      "Tags": [

        "SDL",

        "Best Practice",

        "Automated",

        "DP"

      ],

      "Enabled": true,

      "FixControl": {

         "FixMethodName": "EnableHttpsAsMonitorProtocol",

         "FixControlImpact": "Medium"

      }

    }

  ]

}