Framework/Configurations/SVT/Services/LoadBalancer.json

{
   "FeatureName": "LoadBalancer",
   "Reference": "aka.ms/azsktcp/loadbalancer",
   "IsMaintenanceMode": false,
   "Controls": [
      {
         "ControlID": "Azure_LoadBalancer_AuthZ_Grant_Min_RBAC_Access",
         "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
         "Id": "LoadBalancer110",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckRBACAccess",
         "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
         "Recommendation": "Remove any excessive privileges granted on the Load Balancer. Assign 'Log Analytics Contributor, Network Contributor, Virtual Machine Contributor' RBAC role to developers who manages Load Balancer configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "AuthZ",
            "RBAC",
            "LoadBalancer"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_LoadBalancer_Audit_Enable_Diagnostics_Log",
         "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
         "Id": "LoadBalancer120",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckDiagnosticsSettings",
         "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
         "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "Audit",
            "Diagnostics",
            "LoadBalancer"
         ],
         "Enabled": true
      },
      {
         "ControlID": "Azure_LoadBalancer_NetSec_Justify_PublicIPs",
         "Description": "Public IPs on a internet facing Load Balancer should be carefully reviewed",
         "Id": "LoadBalancer130",
         "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckPublicIP",
         "Rationale": "Public IPs provide direct access over the internet exposing the infrastructure behind the load balancer to all type of attacks over the public network.",
         "Recommendation": "Use steps on portal :LoadBalancer Properties -> Frontend IP configuration -> Click on Context menu of desired Frontend IP configuration -> Delete",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "NetSec",
            "LoadBalancer"
         ],
         "Enabled": true,
         "DataObjectProperties": [
            "PublicIpAllocationMethod",
            "IpConfiguration",
            "Id",
            "DnsSettings"
         ]
      }
   ]
}