Framework/Configurations/SVT/SubscriptionCore/SubscriptionCore.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
{
   "FeatureName": "SubscriptionCore",
   "Reference": "aka.ms/azsktcp/sshealth",
   "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count",
      "Description": "Minimize the number of admins/owners",
      "Id": "SubscriptionCore110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSubscriptionAdminCount",
      "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators' who should not be in the role. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Each additional person in the Owner/Contributor role increases the attack surface for the entire subscription. The number of members in these roles should be kept to as low as possible."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Justify_Admins_Owners",
      "Description": "Justify all identities that are granted with admin/owner access on your subscription.",
      "Id": "SubscriptionCore111",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "ValidateCentralAccountsRBAC",
      "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators/Owners' who should not be in the role. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Right click the co-administrator account that has to be removed and click on the 'Remove co-administrator'. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Owners.ObjectId",
        "Owners.RoleDefinitionId",
        "Owners.RoleDefinitionName",
        "Owners.Scope",
        "Owners.SignInName",
        "CoAdmins.RoleDefinitionName",
        "CoAdmins.Scope",
        "CoAdmins.SignInName"
      ],
      "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your subscription. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Add_Required_Central_Accounts",
      "Description": "Mandatory central accounts must be present on the subscription",
      "Id": "SubscriptionCore120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckApprovedCentralAccountsRBAC",
      "Recommendation": "Run command 'Set-AzSKSubscriptionRBAC'. This command sets up all mandatory accounts on the target subscription. Run 'Get-Help Set-AzSKSubscriptionRBAC -full' for more help. ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "RoleDefinitionName",
        "Scope",
        "Enabled"
      ],
      "FixControl": {
        "FixControlImpact": "Medium",
        "FixMethodName": "AddRequiredCentralAccounts",
        "Parameters": {
          "Tags": ""
        }
      },
      "Rationale": "Certain central accounts are expected to be present in all subscriptions to support enterprise wide functions (e.g., security scanning, cost optimization, etc.). Certain other accounts may also be required depending on special functionality enabled in a subscription (e.g., Express Route network management). The script checks for presence of such 'mandatory' and 'scenario-specific' accounts. If these are not present per the current baseline, there may be security/functionality impact for your subscription."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts",
      "Description": "Deprecated/stale accounts must not be present on the subscription",
      "Id": "SubscriptionCore130",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckDeprecatedAccountsRBAC",
      "Recommendation": "Run command 'Remove-AzSKSubscriptionRBAC'. You can remove all the deprecated accounts using this command. Run 'Get-Help Remove-AzSKSubscriptionRBAC -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "Scope"
      ],
      "FixControl": {
        "FixControlImpact": "Medium",
        "FixMethodName": "RemoveDeprecatedAccounts"
      },
      "Rationale": "Deprecated accounts are ones that were once deployed to your subscription for some trial/pilot initiative (or some other purpose). These are not required any more and are a standing risk if present in any role on the subscription."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
      "Description": "Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)",
      "Id": "SubscriptionCore140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckNonAADAccountsRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "RoleDefinitionId",
        "SignInName",
        "Scope"
      ],
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled. Etc."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_SVC_Accounts_No_MFA",
      "Description": "Service accounts cannot support MFA and should not be used for subscription activity",
      "Id": "SubscriptionCore150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckSVCAccountsRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore"
 
      ],
      "Enabled": true,
      "Rationale": "Service accounts are typically not multi-factor authentication capable. Quite often, teams who own these accounts don't exercise due care (e.g., someone may login interactively on servers using a service account exposing their credentials to attacks such as pass-the-hash, phishing, etc.) As a result, using service accounts in any privileged role in a subscription exposes the subscription to 'credential theft'-related attack vectors. (In effect, the subscription becomes accessible after just one factor (password) is compromised...this defeats the whole purpose of imposing the MFA requirement for cloud subscriptions.)"
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_ClassicAdmin_Count",
      "Description": "There should not be more than $($this.ControlSettings.NoOfClassicAdminsLimit) classic administrators",
      "Id": "SubscriptionCore160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCoAdminCount",
      "Recommendation": "You need to remove any 'Classic Administrators/Co-Administrators' who should not be in the role. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' and select the 'Classic Administrators' tab. (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "RoleDefinitionName",
        "Scope",
        "SignInName"
      ],
      "Rationale": "The v1 (ASM-based) version of Azure resource access model did not have much in terms of RBAC granularity. As a result, everyone who needed any access on a subscription or its resources had to be added to the Co-administrator role. These individuals are referred to as 'classic' administrators. In the v2 (ARM-based) model, this is not required at all and even the count of 2 classic admins currently permitted is for backward compatibility. (Some Azure services are still migrating onto the ARM-based model so creating/operating on them needs 'classic' admin privilege.)"
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Management_Certs",
      "Description": "Use of management certificates is not permitted.",
      "Id": "SubscriptionCore170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckManagementCertsPresence",
      "Recommendation": "You need to remove any management certificates that are not required. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to Settings tab --> Management Certificates tab --> Delete unwanted management certificates.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Just like classic admins, management certificates were used in the v1 model for script/tool based automation on Azure subscriptions. These management certificates are risky because the (private) key management hygiene tends to be lax. These certificates have no role to play in the current ARM-based model and should be immediately cleaned up if found on a subscription. (VS-deployment certificates from v1 timeframe are a good example of these.)"
    },
    {
      "ControlID": "Azure_Subscription_Config_Azure_Security_Center",
      "Description": "Azure Security Center (ASC) must be correctly configured on the subscription",
      "Id": "SubscriptionCore180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterSettings",
      "Recommendation": "Run command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>' -SecurityContactEmails '<comma separated emails ids>' -SecurityPhoneNumber '<contact number>'. Run 'Get-Help Set-AzSKAzureSecurityCenterPolicies -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SOX",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "id",
        "properties.logCollection",
        "properties.recommendations",
        "properties.securityContactConfiguration.areNotificationsOn",
        "properties.securityContactConfiguration.securityContactEmails",
        "properties.securityContactConfiguration.securityContactPhone",
        "properties.securityContactConfiguration.sendToAdminOn"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureSecurityCenter",
        "FixControlImpact": "Medium",
        "Parameters": {
          "SecurityContactEmails": "",
          "SecurityPhoneNumber": ""
        }
      },
      "Rationale": "The Security Center feature in Azure helps with important central settings for the subscription such as configuring a security point of contact. It also supports key policy settings (e.g., is patching configured for VMs?, is threat detection enabled for SQL?, etc.) and alerts about resources which are not compliant to those policy settings. Correctly configuring ASC is critical as it gives a baseline layer of protection for the subscription and commonly used resource types."
    },
    {
      "ControlID": "Azure_Subscription_Audit_Resolve_Azure_Security_Center_Alerts",
      "Description": "Pending Azure Security Center (ASC) alerts must be resolved",
      "Id": "SubscriptionCore190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterAlerts",
      "Recommendation": "You need to address all active alerts on Azure Security Center. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Security Center. (c) Click on Security Alerts under 'Threat Protection' category. (d) Take appropriate actions on all active alerts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Based on the policies that are enabled in the subscription, Azure Security Center raises alerts (which are typically indicative of resources that ASC suspects might be under attack or needing immediate attention). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Add_SPNs_as_Owner",
      "Description": "Service Principal Names (SPNs) should not be Owners or Contributors on the subscription",
      "Id": "SubscriptionCore210",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRBAC",
      "Recommendation": "If this SPN needs access to your subscription, make sure you add it at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "RoleDefinitionId",
        "RoleDefinitionName",
        "Scope"
      ],
      "Rationale": "Just like AD-based service accounts, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. As a result, adding SPNs to a subscription in 'Owners' or 'Contributors' roles is risky."
    },
    {
      "ControlID": "Azure_Subscription_SI_Lock_Critical_Resources",
      "Description": "Critical application resources should be protected using a resource lock",
      "Id": "SubscriptionCore220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckResourceLocksUsage",
      "Recommendation": "Consider using Azure resource locks to protect those resources in the subscription that you absolutely cannot afford to be deleted (by accident). You have to identify such resources and apply locks to them. Run command 'New-AzResourceLock'. Run 'Get-Help New-AzResourceLock -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "SI",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "A resource lock protects a resource from getting accidentally deleted. With proper RBAC configuration, it is possible to setup critical resources in a subscription in such a way that people can perform most operations on them but cannot delete them. resource locks can help ensure that important data is not lost by accidental/malicious deletion of such resources (thus ensuring that availability is not impacted)."
    },
    {
      "ControlID": "Azure_Subscription_Config_ARM_Policy",
      "Description": "ARM policies should be used to audit or deny certain activities in the subscription that can impact security",
      "Id": "SubscriptionCore230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckARMPoliciesCompliance",
      "Recommendation": "Run command 'Set-AzSKARMPolicies'. Run 'Get-Help Set-AzSKARMPolicies -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Config",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "policyDefinition",
        "policyDefinitionName",
        "scope",
        "enabled"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureARMPolicies",
        "FixControlImpact": "Medium",
        "Parameters": {
          "Tags": ""
        }
      },
      "Rationale": "The AzSK subscription security setup configures a set of ARM policies which result in audit log entries upon actions that violate the policies. (For instance, an audit event is generated if someone creates a v1 resource in a subscription.) These policies help by raising visibility to potentially insecure actions. "
    },
    {
      "ControlID": "Azure_Subscription_Audit_Configure_Critical_Alerts",
      "Description": "Alerts must be configured for critical actions on subscription and resources",
      "Id": "SubscriptionCore240",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCriticalAlertsPresence",
      "Recommendation": "Run command 'Set-AzSKAlerts -Force'. Run 'Get-Help Set-AzSKAlerts -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Audit",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "OperationName",
        "Severity",
        "Enabled"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureAlerts",
        "FixControlImpact": "Medium",
        "Parameters": {
          "SecurityContactEmails": "",
          "Tags": ""
        }
      },
      "Rationale": "The AzSK subscription security setup configures Insights-based alerts for sensitive operations in the subscription. These alerts notify the configured security point of contact about various sensitive activities on the subscription and its resources (for instance, adding a new member to subscription 'Owners' group or deleting a firewall setting or creating a new web app deployment, etc.)"
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Custom_RBAC_Roles",
      "Description": "Do not use custom-defined RBAC roles",
      "Id": "SubscriptionCore250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckCustomRBACRolesPresence",
      "Recommendation": "Run command 'Remove-AzRoleDefinition -Id {id}'. Run 'Get-Help Remove-AzRoleDefinition -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Custom RBAC role definitions are usually tricky to get right. A lot of threat modeling goes in when the product team works on and defines the various 'out-of-box' roles ('Owners', 'Contributors', etc.). As much as possible, teams should use these roles for their RBAC needs. Using custom roles is treated as an exception and requires a rigorous review."
    },
    {
      "ControlID": "Azure_Subscription_SI_Classic_Resources",
      "Description": "Do not use any classic resources on a subscription",
      "Id": "SubscriptionCore260",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfClassicResources",
      "Recommendation": "Migrate each v1/ASM-based resource in your app to a corresponding v2/ARM-based resource. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "AttestComparisionType": "NumLesserOrEqual",
      "Enabled": true,
      "Rationale": "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc."
    },
    {
      "ControlID": "Azure_Subscription_SI_Dont_Use_Classic_VMs",
      "Description": "Do not use any classic virtual machines on your subscription.",
      "Id": "SubscriptionCore261",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfClassicVMs",
      "Recommendation": "Migrate each v1/ASM Virtual Machine in your subscription to a v2/ARM-based VM. Refer link https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview for resource migration.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SI",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ResourceId",
        "SubscriptionId"
      ],
      "Rationale": "You should use new Azure (v2) resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc."
    },
    {
      "ControlID": "Azure_Subscription_NetSec_Justify_PublicIPs",
      "Description": "Verify the list of public IP addresses on your subscription",
      "Id": "SubscriptionCore270",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIpUsage",
      "Recommendation": "Verify the list of public IP addresses used and delete the unwanted and unused ones immediately! To delete run 'Remove-AzPublicIpAddress -ResourceGroupName {ResourceGroupName} -Name {PublicIpAddressName}'. You might encounter an error if the public IP resource is associated with some other resource. Refer link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address#view-change-settings-for-or-delete-a-public-ip-address for more details.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "NetSec",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Public IPs provide direct access over the internet exposing a cloud resource to all type of attacks over the public network. Hence use of public IPs should be carefully scrutinized/reviewed."
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access",
      "Description": "Permanent access should not be granted for privileged subscription level roles",
      "Id": "SubscriptionCore281",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPermanentRoleAssignments",
      "Recommendation": "Use Privileged Identity Management (PIM) to grant access to privileged roles at subscription scope. To remove existing assignments run: 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName {RoleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "AuthZ",
        "SubscriptionCore"
            ],
      "Enabled": true,
      "Rationale": "Permanent access increase the risk of a malicious user getting that access and inadvertently impacting a sensitive resource. To minimize this risk ensure that critical resources present in subscription are accessed only by the legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just in time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically)."
     },
     {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access_RG",
      "Description": "Permanent access should not be granted for privileged roles at resource group level",
      "Id": "SubscriptionCore282",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRGLevelPermanentRoleAssignments",
      "Recommendation": "Use Privileged Identity Management (PIM) to grant access to privileged roles at resource group scope. To remove existing assignments run: 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}/resourceGroups/{resourceGroupName}' -RoleDefinitionName {RoleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "AuthZ",
        "SubscriptionCore",
        "RGPersistentAccess"
            ],
      "Enabled": true,
      "Rationale": "Permanent access increase the risk of a malicious user getting that access and inadvertently impacting a sensitive resource. To minimize this risk ensure that critical resources present in resource group are accessed only by the legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just in time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically)."
     },
     {
      "ControlID": "Azure_Subscription_Config_Add_Required_Tags",
      "Description": "Mandatory tags must be set per your organization policy",
      "Id": "SubscriptionCore290",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMandatoryTags",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags#portal",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Certain tags are expected to be present in all resources to support enterprise wide functions (e.g., security visibility based on environment, security scanning, cost optimization, etc.). The script checks for presence of such 'mandatory' and 'scenario-specific' tags. "
    },
    {
      "ControlID": "Azure_Subscription_Config_ASC_Tier",
      "Description": "$($this.ControlSettings.SubscriptionCore.ASCTier) tier must be enabled for Azure Security Center",
      "Id": "SubscriptionCore300",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckASCTier",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "ASC standard tier enables advanced threat detection capabilities, which uses built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more"
    },
    {
      "ControlID": "Azure_Subscription_Check_Credential_Rotation",
      "Description": "Ensure any credentials approaching expiry are rotated soon.",
      "Id": "SubscriptionCore310",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCredentialHygiene",
      "Recommendation": "Run Update-AzSKTrackedCredential with the 'ResetLastUpdate' switch with other required parameters (Subscription Id, credential name, etc.).",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Periodic credential rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks. Credential expiry can also impact availability of existing apps."
    }
  ]
}