module/ConfigurationProvider/ControlConfigurations/Services/LogicApps.json

{
  "FeatureName": "LogicApps",
  "Reference": "aka.ms/azsktcp/logicapps",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_LogicApps_Deploy_Dont_Use_Apps_In_Same_RG_Unless_Trust",
      "Description": "Multiple Logic Apps should not be deployed in the same resource group unless they trust each other",
      "Id": "LogicApps110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckLogicAppsInSameRG",
      "Rationale": "API Connections contain critical information like credentials/secrets, etc., provided as part of configuration. A Logic App can use all API Connections present in the same Resource Group. Thus, the Resource Group should be considered a security boundary when threat modeling.",
      "Recommendation": "Separate Logic Apps into different resource groups unless the apps trust each other and need to use API Connections present in the resource group.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Connector_Use_Min_Permissions",
      "Description": "Logic App connectors must have minimum required permissions on data source",
      "Id": "LogicApps130",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "This ensures that connectors can be used only towards intended actions in the Logic App",
      "Recommendation": "Connectors must be configured with minimum permissions. E.g., 'SQL Server-Get Row' must use an account with only Read permission on the required table.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "LogicApps140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Assign 'Logic App Contributor' role to developers and 'Logic App Operator' role to operators. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-access-to-manage-or-edit-logic-apps",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control",
      "Description": "Restrict your Logic App to accept trigger requests only from specified IP addresses",
      "Id": "LogicApps150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckTriggersAccessControl",
      "DisplayName": "Restrict your Logic App to accept trigger requests only from specified IP addresses",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Specifying the IP range ensures that the triggers can be invoked only from a restricted set of endpoints.",
      "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Workflow settings --> Access Control Configuration and setting the IP addresses/ranges. Do not add an Any-to-Any IP range (for example, 0.0.0.0-255.255.255.255 or a range with a /0 suffix), as this allows access from all IPs. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "NetSec",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "AnyIPRangeIPV4Begin": "0.0.0.0",
        "AnyIPRangeIPV4End": "255.255.255.255",
        "AnyIPRangeIPV6Begin": "::",
        "AnyIPRangeIPV6End": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
        "AnyIPCIDRSuffix": "/0"
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Contents_Access_Control",
      "Description": "Access requests to input/output data of Logic App run history must be restricted to specified IP addresses",
      "Id": "LogicApps160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckContentsAccessControl",
      "DisplayName": "Access requests to input/output data of Logic App run history must be restricted to specified IP addresses",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.",
      "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Workflow settings --> Access Control Configuration and setting the IP addresses/ranges. Do not add an Any-to-Any IP range (for example, 0.0.0.0-255.255.255.255 or a range with a /0 suffix), as this allows access from all IPs. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "NetSec",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "AnyIPRangeIPV4Begin": "0.0.0.0",
        "AnyIPRangeIPV4End": "255.255.255.255",
        "AnyIPRangeIPV6Begin": "::",
        "AnyIPRangeIPV6End": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
        "AnyIPCIDRSuffix": "/0"
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Dont_Allow_PlainText_Secrets_In_Codeview",
      "Description": "Application secrets and credentials must not be in plain text in source code (code view) of a Logic App",
      "Id": "LogicApps180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsSecretsHandling",
      "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Use 'secureString' type parameter in Logic App code view for secret parameters. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-parameters-and-inputs-within-a-workflow",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_DP_Rotate_Keys",
      "Description": "Logic App access keys must be rotated periodically",
      "Id": "LogicApps190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate access keys at regular intervals. Navigate to Logic App --> Access Keys --> Regenerate Access Key to generate a new access key.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "LogicApps200",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "PolicyDefinitionGuid": "34f95f76-5386-4de7-b824-0d8478470c9d",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_BCDR_Backup_Periodically",
      "Description": "Logic App Code View code should be backed up periodically",
      "Id": "LogicApps210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Logic App code view contains application's workflow logic and API connections detail which could be lost if there is no backup. No backup/disaster recovery feature is available out of the box in Logic Apps.",
      "Recommendation": "Navigate to Logic App --> Logic App Code View and save content to a backup location.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR"
      ],
      "Enabled": false
    },
    {
      "ControlID": "Azure_LogicApps_DP_Avoid_Plaintext_Secrets",
      "Description": "Logic Apps must not have secrets/credentials present in plain text",
      "Id": "LogicApps220",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "LogicAppsAvoidPlaintextSecrets",
      "DisplayName": "Logic Apps must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials using the information available in the UI, rotate those credentials and remove them. Use KeyVault to store secrets/credentials and KeyVault connector to fetch those secrets/credentials: https://docs.microsoft.com/en-us/connectors/keyvault/.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "CustomTags": [
        "Wave9",
        "ShadowITActiveBaseline",
        "TenantBaseline",
        "Prod"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthN_Connectors_Use_AAD",
      "Description": "Logic App connectors must use AAD-based authentication wherever possible",
      "Id": "LogicApps230",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsAADAuth",
      "DisplayName": "Logic App connectors must use AAD-based authentication wherever possible",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "For HTTP-based connectors, go to Azure Portal --> Logic App --> Logic app designer --> For each non-compliant connector --> Update Authentication type to either Managed Identity or Active Directory OAuth. For more details on AAD auth, refer: https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http#azure-active-directory-oauth-authentication. For other connectors, you must manually verify that AAD authentication is used for connectors that support it.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN",
        "Baseline",
        "Weekly"
      ],
      "ControlSettings": {
        "AllowedAuthTypes": [ "ActiveDirectoryOAuth", "ManagedServiceIdentity" ],
        "ConnectorTypesToEvaluate": [ "HTTP" ],
        "NonCompliantConnectorTypes": [ "FTP" ],
        "CompliantConnectorTypes": [ "office365" ],
        "NotApplicableConnectorTypes": [ "Request", "Recurrence", "Response", "If", "Switch", "Until", "ForEach" ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "Connectors"
        ]
      },
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Connectors_Encrypt_Data_In_Transit",
      "Description": "Data in transit across Logic App connectors must use an encrypted channel",
      "Id": "LogicApps240",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsEncryptionInTransit",
      "DisplayName": "Data in transit across Logic App connectors must use an encrypted channel",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping, and session-hijacking attacks.",
      "Recommendation": "For connectors which are HTTP-based, go to Azure Portal --> Logic App --> Logic app designer --> For each non-compliant connector --> Use HTTPS URLs. For other connectors, you must manually verify that encrypted connections are used by the connector protocol.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Weekly"
      ],
      "ControlSettings": {
        "ConnectorTypesToEvaluate": [ "HTTP", "HttpWebhook" ],
        "NonCompliantConnectorTypes": [ "FTP" ],
        "CompliantConnectorTypes": [ "office365", "Request", "azureblob", "sql", "Response" ],
        "NotApplicableConnectorTypes": [ "Recurrence", "If", "Switch", "Until", "ForEach" ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "Connectors"
        ]
      },
      "Enabled": true
    }
  ]
}