module/ConfigurationProvider/ControlConfigurations/Services/RedisCache.json
|
{
"FeatureName": "RedisCache", "Reference": "aka.ms/azsktcp/rediscache", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_RedisCache_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "RedisCache110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Redis Cache. Assign 'Redis Cache Contributor' RBAC role to developers who manages Redis Cache configurations. Run command: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "RedisCache" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_RedisCache_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least 365 days.", "Id": "RedisCache120", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal", "Tags": [ "SDL", "TCP", "Manual", "Audit", "Diagnostics", "RedisCache" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_RedisCache_AuthZ_Configure_IP_Range", "Description": "Configure Redis Cache firewall settings for additional protection", "Id": "RedisCache130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRedisCacheFirewallIPAddressRange", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.", "Recommendation": "Enable firewall and add rules specifying permitted IPs/ranges. Do not add IP range 0.0.0.0-255.255.255.255 as that allows access to all possible IPs. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall, (REST API) https://docs.microsoft.com/en-in/rest/api/redis/redisfirewallrule. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "RedisCache", "NetSec" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_RedisCache_BCDR_Use_RDB_Backup", "DisplayName": "Redis Data Persistence should be enabled to back up Redis Cache data", "Description": "Redis Data Persistence should be enabled to back up Redis Cache data", "Id": "RedisCache140", "ControlSeverity": "Medium", "Category": "Data persistence should be ensured", "ControlRequirements": "Data should be backed to ensure quicker and efficient recovery", "Automated": "Yes", "MethodName": "CheckRedisCacheRDBBackup", "Rationale": "Enabling backup on Redis Cache ensures that there is always a previous snapshot of data that can be leveraged towards recovery scenarios.", "Recommendation": "Configure data persistence. Refer: https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-premium-persistence", "ControlEvaluationDetails": { "RequiredProperties": [ "RedisConfiguration" ] }, "Tags": [ "Baseline", "Weekly", "SDL", "Best Practice", "Automated", "BCDR", "RedisCache" ], "Enabled": true, "CustomTags": [], "ControlSettings": { "RDBBackApplicableSku": [ "premium" ] } }, { "ControlID": "Azure_RedisCache_DP_Use_SSL_Port", "Description": "Non-SSL port must not be enabled for Redis Cache", "Id": "RedisCache150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedisCacheSSLConfig", "DisplayName": "Non-SSL port must not be enabled for Redis Cache", "Category": "Data must be encrypted in transit and at rest", "ControlRequirements": "Encryption provides data confidentiality as it traverses from the source to the destination server over untrusted networks, and at rest against threats and compromise", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "To disable Non-SSL port for Redis Cache, run command: Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false", "Tags": [ "SDL", "TCP", "Automated", "DP", "RedisCache", "Baseline", "Daily", "CSEOPilotSub" ], "Enabled": true, "CustomTags": [ "CSEOBaseline", "MSD", "TenantBaseline", "Prod", "CSEOPilot", "Wave8", "SN:Redis_SSL" ] }, { "ControlID": "Azure_RedisCache_DP_Use_SSL_Port_Trial", "Description": "[Trial] Non-SSL port must not be enabled", "Id": "RedisCache155", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[Trial] Non-SSL port must not be enabled", "Category": "Data must be encrypted in transit and at rest", "ControlRequirements": "Encryption provides data confidentiality as it traverses from the source to the destination server over untrusted networks, and at rest against threats and compromise", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.", "Recommendation": "To disable Non-SSL port for Redis Cache, run command: Set-AzRedisCache -ResourceGroupName <String> -Name <String> -EnableNonSslPort $false", "Tags": [ "SDL", "TCP", "Automated", "DP", "RedisCache", "Baseline" ], "Enabled": true, "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "35b25be2-d08a-e340-45ed-f08a95d804fc" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "CustomTags": [ "Daily", "Trial" ] }, { "ControlID": "Azure_RedisCache_DP_Rotate_Keys", "Description": "Access keys must be rotated periodically", "Id": "RedisCache160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "Recommendation": "Rotate keys at regular intervals. To generate a new key, run command 'New-AzRedisCacheKey'. Run 'Get-Help New-AzRedisCacheKey -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "DP", "RedisCache" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_RedisCache_AuthN_Dont_Share_Cache_Instances", "Description": "Do not share cache instances across applications", "Id": "RedisCache170", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "There is no access control within a cache. If multiple applications share the same cache they will be able to freely access each others cached data which may lead to compromise.", "Recommendation": "Create a separate Redis Cache instance for each application. Refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-web-app-howto#configure-the-application-to-use-redis-cache", "Tags": [ "SDL", "TCP", "Manual", "AuthN", "RedisCache" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_RedisCache_NetSec_Configure_Virtual_Network_For_Domain_App", "Description": "Redis Cache instance should be confined within a virtual network for domain-joined scenarios", "Id": "RedisCache180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Azure Virtual Network (VNet) deployment provides enhanced security and isolation for Azure Redis Cache, as well as subnets, access control policies, and other features to further restrict access.", "Recommendation": "For steps to configure Azure Redis Cache on a Virtual Network, refer: https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet", "Tags": [ "SDL", "TCP", "Manual", "NetSec", "RedisCache" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_RedisCache_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure RedisCache", "Id": "RedisCache190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedisCacheTLSVersion", "DisplayName": "Use approved version of TLS for Azure RedisCache", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Recommendation": "Go to Azure Portal --> your Redis Cache instance --> Settings --> Advanced Settings --> Set Minimum TLS version to '1.2'", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline", "Weekly" ], "Enabled": true, "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "ControlSettings": { "MinReqTLSVersion": "1.2" }, "CustomTags": [] } ] } |