module/ConfigurationProvider/ControlConfigurations/Services/CDN.json

{
    "FeatureName": "CDN",
    "Reference": "aka.ms/azsktcp/cdn",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_CDN_AuthZ_Grant_Min_RBAC_Access",
            "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
            "Id": "CDN110",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckRBACAccess",
            "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
            "Recommendation": "Remove any excessive privileges granted on the CDN. Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "RBAC"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CDN_AuthN_Config_Token_AuthN",
            "Description": "CDN profile endpoints must use token authentication",
            "Id": "CDN120",
            "ControlSeverity": "Medium",
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Using token authentication prevents Azure CDN from serving assets to unauthorized clients. This keeps other sites from 'hotlinking' content and using your assets without permission.",
            "Recommendation": "To enable token authentication (currently available on Premium Verizon tier), go to Azure Portal --> your CDN Profile --> Manage --> HTTP LARGE --> Token Auth. Please refer https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth for more details on token authentication.",
            "Tags": [
                "SDL",
                "Best Practice",
                "Manual",
                "AuthN"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CDN_DP_TokenKey_Protection",
            "Description": "Token encryption key must be protected in a key vault (when a website generates tokens via code).",
            "Id": "CDN130",
            "ControlSeverity": "High",
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
            "Recommendation": "Refer https://azure.microsoft.com/en-in/documentation/articles/key-vault-get-started/ (Key Vault) and https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth (token-based authentication in CDN).",
            "Tags": [
                "SDL",
                "TCP",
                "Manual",
                "DP"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CDN_DP_Enable_Https",
            "Description": "CDN endpoints must use HTTPS protocol while providing data to the client browser/machine or while fetching data from the origin server",
            "Id": "CDN140",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "CheckCDNHttpsProtocol",
            "DisplayName": "CDN endpoints must use HTTPS protocol while providing data to the client browser/machine or while fetching data from the origin server",
            "Category": "Encrypt data in transit",
            "ControlRequirements": "Data must be encrypted in transit and at rest",
            "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
            "Recommendation": "Enable only the HTTPS protocol for endpoints. To enable HTTPS protocol: Go to Azure Portal --> your CDN Profile --> your CDN Endpoint --> Origin --> Select HTTPS --> Save. Alternatively, implement through PowerShell as follows: `$ce= Get-AzCdnEndpoint -EndpointName <EndpointName> -ProfileName <CDNprofile> -ResourceGroupName <RGName>; `$ce.IsHttpAllowed =`$false; `$ce.IsHttpsAllowed =`$true; Set-AzCdnEndpoint -CdnEndpoint `$ce. Note: In the interest of user experience, enable both HTTP and HTTPS protocols along with an HTTP to HTTPS redirection rule configured in the rules engine for all endpoints. To enable HTTP and HTTPS protocol: Go to Azure Portal --> your CDN Profile --> your CDN Endpoint --> Origin --> Select HTTPS and HTTP --> Save. Alternatively, implement through PowerShell as follows: `$ce= Get-AzCdnEndpoint -EndpointName <EndpointName> -ProfileName <CDNprofile> -ResourceGroupName <RGName>; `$ce.IsHttpAllowed =`$true; `$ce.IsHttpsAllowed =`$true; Set-AzCdnEndpoint -CdnEndpoint `$ce, and refer: https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine to configure the HTTP to HTTPS redirection rule in the rules engine.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "DP",
                "Baseline",
                "Weekly",
                "CSEOPilotSub"
            ],
            "Enabled": true,
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "IsHttpAllowed",
                    "IsHttpsAllowed"
                ]
            },
            "CustomTags": [
                "CSEOBaseline",
                "CSEOPilot"
            ]
        },
        {
            "ControlID": "Azure_CDN_DP_Use_Only_For_Public_Data",
            "Description": "Do not put any sensitive data in a CDN. CDN is suitable only for resources where anonymous access is not a concern",
            "Id": "CDN150",
            "ControlSeverity": "High",
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Azure CDN does not provide any access control feature to restrict/secure access to content. Thus no private data should be stored in CDN.",
            "Recommendation": "Refer: https://docs.microsoft.com/en-gb/azure/architecture/best-practices/cdn.",
            "Tags": [
                "SDL",
                "Best Practice",
                "Manual",
                "DP"
            ],
            "Enabled": false,
            "CustomTags": []
        },
      {
        "ControlID": "Azure_CDN_Audit_Configure_Real_Time_Alerts",
        "Description": "Configure real-time alerts on status code 403 to be notified of any unauthorized request to the CDN endpoint",
        "Id": "CDN170",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Setting up real-time alerts provides real-time notifications about the performance of the endpoints and any unauthorized request in your CDN profile.",
        "Recommendation": "To set up alerts: Go to Azure Portal --> your CDN Profile --> Manage --> Analytics --> Real-Time Stats --> Real-Time Alerts.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "Audit"
        ],
        "Enabled": false,
        "CustomTags": []
      },
      {
        "ControlID": "Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration_Trial",
        "Description": "Front Door should have Web Application Firewall configured",
        "Id": "FrontDoorCDNProfile110",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckWAFConfiguredInFrontDoorCDNProfile",
        "DisplayName": "[Trial] Front Door should have Web Application Firewall configured",
        "Rationale": "Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits and vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements.",
        "Recommendation": "To configure WAF, go to Azure Portal --> Web Application Firewall --> Create --> Select Policy For: Global WAF (Front Door). Select Front Door Tier: Standard or Classic. Select the appropriate Resource Group and Subscription. Give the policy a name. In the Association tab, add the Front Door Profiles (Endpoints). Finally, click the 'Review + Create' button. For more information visit: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal",
        "Tags": [
          "Baseline",
          "NetSec"
        ],
        "Enabled": true,
        "CustomTags": [ "Trial", "Daily" ]
      },
      {
        "ControlID": "Azure_FrontDoor_CDNProfile_DP_Use_Secure_TLS_Version_Trial",
        "Description": "[Trial] Front Door should have Approved Minimum TLS version",
        "Id": "FrontDoorCDNProfile120",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckTLSConfigurationInFrontDoorCDNProfile",
        "DisplayName": "[Trial] Front Door should have Approved Minimum TLS version",
        "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
        "Recommendation": "To configure the TLS version, go to Azure Portal --> Front Door and CDN profiles --> Select the Front Door with pricing tier Standard/Premium --> Go to Domains --> Select Certification Type for all the domains listed --> Select Minimum TLS Version as 1.2.",
        "Tags": [
          "Baseline",
          "DP",
          "Automated"
        ],
        "Enabled": true,
        "Category": "Encrypt data in transit",
        "CustomTags": [
          "Trial",
          "Daily",
          "SN:FRONTDOORCDNPROFILE_TLS"
        ],
        "ControlSettings": {
          "MinReqTLSVersion": "12"
        },
        "ControlEvaluationDetails": {
          "RequiredProperties": [
            "FrontDoorEndpointMinTLSVersion"
          ]
        }
      }
    ]
}