module/ConfigurationProvider/ControlConfigurations/Subscription/SubscriptionCore.json

{
  "FeatureName": "SubscriptionCore",
  "Reference": "aka.ms/azsktcp/sshealth",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count",
      "Description": "Minimize the number of admins/owners",
      "Id": "SubscriptionCore110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSubscriptionAdminCount",
      "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators' who should not be in the role. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "Rationale": "Each additional person in the Owner/Contributor role increases the attack surface for the entire subscription. The number of members in these roles should be kept as low as possible.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Justify_Admins_Owners",
      "Description": "Justify all identities that are granted admin/owner access on your subscription.",
      "Id": "SubscriptionCore111",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "ValidateCentralAccountsRBAC",
      "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators/Owners' who should not be in the role. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Right-click the co-administrator account that has to be removed and click on 'Remove co-administrator'. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "Owners.ObjectId",
        "Owners.RoleDefinitionId",
        "Owners.RoleDefinitionName",
        "Owners.Scope",
        "Owners.SignInName",
        "CoAdmins.RoleDefinitionName",
        "CoAdmins.Scope",
        "CoAdmins.SignInName"
      ],
      "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your subscription. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Add_Required_Central_Accounts",
      "Description": "Mandatory central accounts must be present on the subscription",
      "Id": "SubscriptionCore120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckApprovedCentralAccountsRBAC",
      "Recommendation": "Run command 'Set-AzSKSubscriptionRBAC'. This command sets up all mandatory accounts on the target subscription. Run 'Get-Help Set-AzSKSubscriptionRBAC -full' for more help. ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "RoleDefinitionName",
        "Scope",
        "Enabled"
      ],
      "FixControl": {
        "FixControlImpact": "Medium",
        "FixMethodName": "AddRequiredCentralAccounts",
        "Parameters": {
          "Tags": ""
        }
      },
      "Rationale": "Certain central accounts are expected to be present in all subscriptions to support enterprise wide functions (e.g., security scanning, cost optimization, etc.). Certain other accounts may also be required depending on special functionality enabled in a subscription (e.g., Express Route network management). The script checks for presence of such 'mandatory' and 'scenario-specific' accounts. If these are not present per the current baseline, there may be security/functionality impact for your subscription.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts",
      "Description": "Deprecated/stale accounts must not be present on the subscription",
      "DisplayName": "Remove Orphaned accounts from your subscription(s)",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Id": "SubscriptionCore130",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckDeprecatedAccountsRBAC",
      "AssessmentName": "00c6d40b-e990-6acf-d4f3-471e747a27c4",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "00c6d40b-e990-6acf-d4f3-471e747a27c4"
        ]
      },
      "PolicyDefinitionId": "",
      "Recommendation": "Steps to remove role assignments of deprecated/invalid accounts are: a. To remove permanent role assignment use command 'Remove-AzRoleAssignment' or refer link, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal b. To remove classic role assignments, refer link: https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#remove-a-co-administrator c. To remove PIM role assignments, refer link https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new#update-or-remove-an-existing-role-assignment. For bulk remediation of permanent and classic role assignments using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_AuthZ_Remove_Deprecated_Accounts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "ControlSettings": {
        "DeprecatedAccounts": ""
      },
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "Scope"
      ],
      "FixControl": {
        "FixControlImpact": "Medium",
        "FixMethodName": "RemoveDeprecatedAccounts"
      },
      "PolicyDefinitionGuid": "6b1cbf55-e8b6-442f-ba4c-7246b6381474",
      "Rationale": "Deprecated accounts are ones that were once deployed to your subscription for some trial/pilot initiative (or some other purpose). These are not required any more and are a standing risk if present in any role on the subscription.",
      "CustomTags": [
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "P2",
        "Wave3",
        "ShadowITActiveBaseline",
        "SN:Old_accts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
      "Description": "Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)",
      "Id": "SubscriptionCore140",
      "DisplayName": "Remove external accounts from Azure subscriptions",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "",
      "PolicyDefinitionId": "",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckNonAADAccountsRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "ObjectId",
        "RoleDefinitionId",
        "SignInName",
        "Scope"
      ],
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled, etc.",
      "CustomTags": [
        "ActiveBaseline",
        "TenantBaseline",
        "P0",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "Wave1",
        "ShadowITActiveBaseline",
        "SN:ExternalAccounts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities_Privileged_Roles",
      "Description": "Do not grant privileged permissions at the subscription scope to external accounts (i.e., accounts outside the native directory for the subscription)",
      "Id": "SubscriptionCore370",
      "DisplayName": "Remove external accounts with privileged roles at subscription scope",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckNonAADAccountsPrivilegedRolesRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{roleDefinitionName}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled.",
      "ControlSettings": {
        "PrivilegedRoles": [
          "User Access Administrator",
          "Owner",
          "Contributor"
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_MFA_Should_Be_Enabled_OwnerAccounts",
      "Description": "MFA should be enabled on accounts with Owner permissions on your subscription.",
      "Id": "SubscriptionCore141",
      "DisplayName": "All user accounts must use MFA.",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "94290b00-4d0c-d7b4-7cea-064a9554e681",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "94290b00-4d0c-d7b4-7cea-064a9554e681"
        ]
      },
      "PolicyDefinitionId": "",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "ExcludedControl"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_MFA_Should_Be_Enabled_WriteAccounts",
      "Description": "MFA should be enabled on accounts with write permissions on your subscription.",
      "Id": "SubscriptionCore142",
      "DisplayName": "All user accounts must use MFA",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "57e98606-6b1e-6193-0e3d-fe621387c16b",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "57e98606-6b1e-6193-0e3d-fe621387c16b"
        ]
      },
      "PolicyDefinitionId": "",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "Tags": [
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Use_SVC_Accounts_No_MFA",
      "Description": "Service accounts cannot support MFA and should not be used for subscription activity",
      "Id": "SubscriptionCore150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckSVCAccountsRBAC",
      "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "Rationale": "Service accounts are typically not multi-factor authentication capable. Quite often, teams who own these accounts don't exercise due care (e.g., someone may log in interactively on servers using a service account, exposing their credentials to attacks such as pass-the-hash, phishing, etc.). As a result, using service accounts in any privileged role in a subscription exposes the subscription to 'credential theft'-related attack vectors. (In effect, the subscription becomes accessible after just one factor (password) is compromised...this defeats the whole purpose of imposing the MFA requirement for cloud subscriptions.)",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Limit_ClassicAdmin_Count",
      "Description": "Limit access per subscription to 2 or fewer classic administrators",
      "Id": "SubscriptionCore160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCoAdminCount",
      "DisplayName": "Limit access per subscription to 2 or fewer classic administrators",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' and select the 'Classic Administrators' tab. (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "NoOfClassicAdminsLimit": 2,
        "EligibleClassicRoles": [
          "CoAdministrator",
          "ServiceAdministrator"
        ]
      },
      "Rationale": "The v1 (ASM-based) version of Azure resource access model did not have much in terms of RBAC granularity. As a result, everyone who needed any access on a subscription or its resources had to be added to the Co-administrator role. These individuals are referred to as 'classic' administrators. In the v2 (ARM-based) model, this is not required at all and even the count of 2 classic admins currently permitted is for backward compatibility. (Some Azure services are still migrating onto the ARM-based model so creating/operating on them needs 'classic' admin privilege.)",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave7",
        "ShadowITActiveBaseline",
        "CSEOPilot",
        "SN:Subscription_AdminCount"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Remove_Management_Certs",
      "Description": "Management certificates are a classic method for automation on an Azure subscription but are risky because the hygiene tends to be lax and they can easily be compromised.",
      "Id": "SubscriptionCore170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Do not use management certificates",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "2acd365d-e8b5-4094-bce4-244b7c51d67c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "AssignmentNotFound",
            "EffectiveVerificationResult": "Passed",
            "AppendMessageToStatusReason": "NOTE: MDC assessment is available only if there is at least one management certificate in the subscription. Since the MDC assessment result for this policy was not found, we are marking this control as Passed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Recommendation": "You need to remove any management certificates that are not required. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to Settings tab --> Management Certificates tab --> Delete unwanted management certificates.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "GraphRead",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "Rationale": "Just like classic admins, management certificates were used in the v1 model for script/tool based automation on Azure subscriptions. These management certificates are risky because the (private) key management hygiene tends to be lax. These certificates have no role to play in the current ARM-based model and should be immediately cleaned up if found on a subscription. (VS-deployment certificates from v1 timeframe are a good example of these.)",
      "CustomTags": [
        "TenantBaseline",
        "P0",
        "Wave5",
        "ShadowITActiveBaseline",
        "SN:mgmt_Cert",
        "MSD",
        "Prod",
        "CSEOBaseline",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Audit_Resolve_MDC_Alerts",
      "Description": "Resolve active Microsoft Defender for Cloud (MDC) alerts of medium severity or higher.",
      "Id": "SubscriptionCore190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAzureSecurityCenterAlerts",
      "DisplayName": "Resolve active Microsoft Defender for Cloud (MDC) alerts of medium severity or higher",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Recommendation": "You need to address all active alerts on Microsoft Defender for Cloud. Please follow these steps: (a) Log on to https://portal.azure.com/ (b) Navigate to 'Microsoft Defender for Cloud'. (c) Click on 'Security alerts'. (d) Take appropriate action on all active alerts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "ControlSettings": {
        "MDCAlertsGraceInDays": {
          "High": 0,
          "Medium": 30
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "MDCAlerts"
        ]
      },
      "Enabled": true,
      "Rationale": "Based on the policies that are enabled in the subscription, Microsoft Defender for Cloud raises alerts (which are typically indicative of resources that MDC suspects might be under attack or needing immediate attention). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks.",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:Subscription_SecurityAlerts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Add_SPNs_as_Owner",
      "Description": "Service Principal Names (SPNs) should not be Owners or Contributors on the subscription",
      "Id": "SubscriptionCore210",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRBAC",
      "Recommendation": "If this SPN needs access to your subscription, make sure you add it at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "OwnerAccess",
        "GraphRead",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "ObjectId",
        "ObjectType",
        "RoleDefinitionId",
        "RoleDefinitionName",
        "Scope"
      ],
      "Rationale": "Just like AD-based service accounts, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. As a result, adding SPNs to a subscription in 'Owners' or 'Contributors' roles is risky.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_SI_Lock_Critical_Resources",
      "Description": "Critical application resources should be protected using a resource lock",
      "Id": "SubscriptionCore220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckResourceLocksUsage",
      "Recommendation": "Consider using Azure resource locks to protect those resources in the subscription that you absolutely cannot afford to be deleted (by accident). You have to identify such resources and apply locks to them. Run command 'New-AzResourceLock'. Run 'Get-Help New-AzResourceLock -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "SI",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "Rationale": "A resource lock protects a resource from getting accidentally deleted. With proper RBAC configuration, it is possible to set up critical resources in a subscription in such a way that people can perform most operations on them but cannot delete them. Resource locks can help ensure that important data is not lost by accidental/malicious deletion of such resources (thus ensuring that availability is not impacted).",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_Config_ARM_Policy",
      "Description": "ARM policies should be used to audit or deny certain activities in the subscription that can impact security",
      "Id": "SubscriptionCore230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckARMPoliciesCompliance",
      "Recommendation": "Run command 'Set-AzSKARMPolicies'. Run 'Get-Help Set-AzSKARMPolicies -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Config",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "policyDefinition",
        "policyDefinitionName",
        "scope",
        "enabled"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureARMPolicies",
        "FixControlImpact": "Medium",
        "Parameters": {
          "Tags": ""
        }
      },
      "Rationale": "The AzSK subscription security setup configures a set of ARM policies which result in audit log entries upon actions that violate the policies. (For instance, an audit event is generated if someone creates a v1 resource in a subscription.) These policies help by raising visibility to potentially insecure actions. ",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_Audit_Configure_Critical_Alerts",
      "Description": "Alerts must be configured for critical actions on subscription and resources",
      "Id": "SubscriptionCore240",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCriticalAlertsPresence",
      "Recommendation": "Run command 'Set-AzSKAlerts -Force'. Run 'Get-Help Set-AzSKAlerts -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Audit",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "Name",
        "OperationName",
        "Severity",
        "Enabled"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureAlerts",
        "FixControlImpact": "Medium",
        "Parameters": {
          "SecurityContactEmails": "",
          "Tags": ""
        }
      },
      "PolicyDefinitionGuid": "SubscriptionCore240",
      "Rationale": "The AzSK subscription security setup configures Insights-based alerts for sensitive operations in the subscription. These alerts notify the configured security point of contact about various sensitive activities on the subscription and its resources (for instance, adding a new member to subscription 'Owners' group or deleting a firewall setting or creating a new web app deployment, etc.)",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Custom_RBAC_Roles",
      "Description": "Do not use custom-defined RBAC roles",
      "Id": "SubscriptionCore250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckCustomRBACRolesPresence",
      "Recommendation": "Run command 'Remove-AzRoleDefinition -Id {id}'. Run 'Get-Help Remove-AzRoleDefinition -full' for more help.",
      "DisplayName": "Do not use custom-defined RBAC roles",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "Rationale": "Custom RBAC role definitions are usually tricky to get right. A lot of threat modeling goes into the product team's work of defining the various 'out-of-box' roles ('Owners', 'Contributors', etc.). As much as possible, teams should use these roles for their RBAC needs. Using custom roles is treated as an exception and requires a rigorous review.",
      "CustomTags": [],
      "ControlSettings": {
        "ApprovedCustomRBACRoles": []
      }
    },
    {
      "ControlID": "Azure_Subscription_SI_Classic_Resources",
      "Description": "Do not use any classic resources on a subscription",
      "Id": "SubscriptionCore260",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfClassicResources",
      "Recommendation": "Migrate each v1/ASM-based resource in your app to a corresponding v2/ARM-based resource. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "DisplayName": "Remove classic resources on a subscription",
      "Category": "Migrate from Classic to ARM model",
      "ControlRequirements": "Secure management and deployment models must be used",
      "Enabled": true,
      "PolicyDefinitionGuid": "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
      "Rationale": "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc.",
      "ControlSettings": {
        "ClassicResourceTypes": [
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.ClassicStorage/storageAccounts",
          "Microsoft.ClassicCompute/domainNames",
          "Microsoft.ClassicNetwork/virtualNetworks",
          "Microsoft.ClassicNetwork/reservedIps",
          "Microsoft.ClassicNetwork/networkSecurityGroups",
          "Microsoft.MarketplaceApps/classicDevServices"
        ]
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave6",
        "ShadowITActiveBaseline",
        "CSEOPilot",
        "SN:Sub_RBAC"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_Dont_Use_Classic_VMs",
      "Description": "Do not use any classic virtual machines on your subscription.",
      "Id": "SubscriptionCore261",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfClassicVMs",
      "Recommendation": "Migrate each v1/ASM Virtual Machine in your subscription to a v2/ARM-based VM. Refer link https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview for resource migration.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SI",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "DataObjectProperties": [
        "ResourceId",
        "SubscriptionId"
      ],
      "Rationale": "You should use new Azure (v2) resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_NetSec_Justify_PublicIPs",
      "Description": "Verify the list of public IP addresses on your subscription",
      "Id": "SubscriptionCore270",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIpUsage",
      "Recommendation": "Verify the list of public IP addresses used and delete the unwanted and unused ones immediately! To delete run 'Remove-AzPublicIpAddress -ResourceGroupName {ResourceGroupName} -Name {PublicIpAddressName}'. You might encounter an error if the public IP resource is associated with some other resource. Refer link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address#view-change-settings-for-or-delete-a-public-ip-address for more details.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "NetSec",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "Rationale": "Public IPs provide direct access over the internet, exposing a cloud resource to all types of attacks over the public network. Hence the use of public IPs should be carefully scrutinized/reviewed.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access",
      "Description": "Do not grant permanent access for privileged subscription level roles",
      "Id": "SubscriptionCore281",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPermanentRoleAssignments",
      "DisplayName": "Do not grant permanent access for privileged subscription level roles",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Use Privileged Identity Management (PIM) to grant access to privileged roles at subscription scope. To remove existing assignments run: 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName {RoleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "Rationale": "Permanent access increases the risk of a malicious user obtaining that access and inadvertently impacting a sensitive resource. To minimize this risk, ensure that critical resources present in the subscription are accessed only by legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just-in-time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically).",
      "ControlSettings": {
        "CriticalPIMRoles": [
          "Owner",
          "Contributor",
          "User Access Administrator"
        ],
        "CriticalPIMRoleIds": [
          "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
          "b24988ac-6180-42a0-ab88-20f7382dd24c",
          "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        ],
        "AllowedIdentityDisplayNames": [
          "MS-PIM"
        ],
        "ExemptedPIMGroupsPattern": "JIT_(.)*_ElevatedAccess"
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P0",
        "CSEOPilot",
        "Wave6",
        "ShadowITActiveBaseline",
        "SN:JIT_Sub"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access_RG",
      "Description": "Do not grant permanent access for privileged roles at resource group level",
      "Id": "SubscriptionCore282",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRGLevelPermanentRoleAssignments",
      "DisplayName": "Do not grant permanent access for privileged roles at resource group level",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Use Privileged Identity Management (PIM) to grant access to privileged roles at resource group scope. To remove existing assignments run: 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}/resourceGroups/{resourceGroupName}' -RoleDefinitionName {RoleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.",
      "Tags": [
        "SDL",
        "Automated",
        "Access",
        "AuthZ",
        "SubscriptionCore",
        "RGPersistentAccess",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "CriticalPIMRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "CriticalPIMRoleIds": [
          "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
          "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        ],
        "AllowedIdentityDisplayNames": [
          "MS-PIM"
        ],
        "ExemptedPIMGroupsPattern": "JIT_(.)*_ElevatedAccess"
      },
      "Rationale": "Permanent access increases the risk of a malicious user obtaining that access and inadvertently impacting a sensitive resource. To minimize this risk, ensure that critical resources present in the resource group are accessed only by legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just-in-time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically).",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "CSEOPilot",
        "Wave6",
        "ShadowITActiveBaseline",
        "SN:JIT_Resource"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_Add_Required_Tags",
      "Description": "Mandatory tags must be set per your organization policy",
      "Id": "SubscriptionCore290",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMandatoryTags",
      "DisplayName": "Mandatory tags must be set per your organization policy",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags#portal",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline",
        "Weekly",
        "SubscriptionCore"
      ],
      "Enabled": true,
      "Rationale": "Certain tags are expected to be present in all resources to support enterprise-wide functions (e.g., security visibility based on environment, security scanning, cost optimization, etc.). The script checks for the presence of such 'mandatory' and 'scenario-specific' tags.",
      "ControlSettings": {
        "ExcludeResourceGroupsPattern": [
          "ERNetwork-[0-9]",
          "ERvNet.*",
          "ERNetwork.*",
          "defaultresourcegroup-*",
          "NetworkWatcherRG"
        ],
        "MandatoryTags": [
          {
            "Name": "Env",
            "Type": "string",
            "Values": [
              "Production",
              "Pre-Production"
            ],
            "ValidateTagValueType": false,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "ResourceGroup"
          },
          {
            "Name": "ComponentID",
            "Type": "Guid",
            "Values": [],
            "ValidateTagValueType": true,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "ResourceGroup"
          },
          {
            "Name": "Env",
            "Type": "string",
            "Values": [
              "Production",
              "Pre-Production"
            ],
            "ValidateTagValueType": false,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "Subscription"
          },
          {
            "Name": "ComponentID",
            "Type": "Guid",
            "Values": [],
            "ValidateTagValueType": true,
            "IgnorePatternWhitespaceForTagName": true,
            "Scope": "Subscription"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "RequiredTags"
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Defender_Plans",
      "Description": "Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Id": "SubscriptionCore300",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefender",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "DisplayName": "Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "VirtualMachines",
            "DisplayName": "Servers"
          },
          {
            "Type": "SqlServers",
            "DisplayName": "Azure SQL Databases"
          },
          {
            "Type": "AppServices",
            "DisplayName": "App Service"
          },
          {
            "Type": "StorageAccounts",
            "DisplayName": "Storage"
          },
          {
            "Type": "KeyVaults",
            "DisplayName": "Key Vault"
          },
          {
            "Type": "SqlServerVirtualMachines",
            "DisplayName": "SQL servers on machines"
          },
          {
            "Type": "Arm",
            "DisplayName": "Resource Manager"
          },
          {
            "Type": "Dns",
            "DisplayName": "DNS"
          },
          {
            "Type": "Containers",
            "DisplayName": "Containers"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterTier"
        ]
      },
      "CustomTags": [
        "ActiveBaseline",
        "TenantBaseline",
        "P0",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "Wave3",
        "ShadowITActiveBaseline",
        "SN:Defender"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Defender_Plans_Trial",
      "Description": "[Trial] Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Id": "SubscriptionCore510",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckMDCDefenderTrial",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "56a6e81f-7413-4f72-9a1b-aaeeaa87c872",
          "58d72d9d-0310-4792-9a3b-6dd111093cdb",
          "0876ef51-fee7-449d-ba1e-f2662c7e43c6",
          "1be22853-8ed1-4005-9907-ddad64cb1417",
          "b1af52e4-e968-4e2b-b6d0-6736c9651f0a",
          "6ac66a74-761f-4a59-928a-d373eea3f028",
          "f0fb2a7e-16d5-849f-be57-86db712e9bd0",
          "aae10e53-8403-3576-5d97-3b00f97332b2",
          "e599a9fe-30e3-47c6-a173-8b4b6d9d3255"
        ]
      },
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing. For bulk remediation using PowerShell, refer https://aka.ms/azts-docs/rscript/Azure_Subscription_Config_MDC_Defender_Plans",
      "DisplayName": "[Trial] Enable all Azure Defender plans in Microsoft Defender for Cloud",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": true,
      "Rationale": "Azure Defender enables advanced threat detection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more.",
      "ControlSettings": {
        "ReqMDCTier": "Standard",
        "ReqMDCTierResourceTypes": [
          {
            "Type": "VirtualMachines",
            "DisplayName": "Servers"
          },
          {
            "Type": "SqlServers",
            "DisplayName": "Azure SQL Databases"
          },
          {
            "Type": "AppServices",
            "DisplayName": "App Service"
          },
          {
            "Type": "StorageAccounts",
            "DisplayName": "Storage"
          },
          {
            "Type": "KeyVaults",
            "DisplayName": "Key Vault"
          },
          {
            "Type": "SqlServerVirtualMachines",
            "DisplayName": "SQL servers on machines"
          },
          {
            "Type": "Arm",
            "DisplayName": "Resource Manager"
          },
          {
            "Type": "Dns",
            "DisplayName": "DNS"
          },
          {
            "Type": "Containers",
            "DisplayName": "Containers"
          }
        ]
      },
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Check_Credential_Rotation",
      "Description": "Ensure any credentials approaching expiry are rotated soon.",
      "Id": "SubscriptionCore310",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCredentialHygiene",
      "Recommendation": "Run Update-AzSKTrackedCredential with the 'ResetLastUpdate' switch with other required parameters (Subscription Id, credential name, etc.).",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "Rationale": "Periodic credential rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks. Credential expiry can also impact availability of existing apps.",
      "CustomTags": []
    },
    {
      "ControlID": "Azure_Subscription_Use_Only_Alt_Credentials",
      "Description": "Use Smart-Card ALT (SC-ALT) accounts to access critical roles on subscription and resource groups",
      "Id": "SubscriptionCore320",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNonAlternateAccounts",
      "DisplayName": "Use Smart-Card ALT (SC-ALT) accounts to access critical roles on subscription and resource groups",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Go to Azure portal -> Privileged Identity Management -> Azure Resources -> Select the scope -> Members -> Eligible roles and verify the non-alternate accounts. Ensure that only alternate accounts are used as members of critical roles in the subscription. Do not use day-to-day user accounts.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlSettings": {
        "CriticalPIMRoles": {
          "Subscription": [
            "Owner",
            "Contributor",
            "User Access Administrator"
          ],
          "ResourceGroup": [
            "Owner",
            "User Access Administrator"
          ]
        }
      },
      "Enabled": true,
      "Rationale": "Regular (day-to-day) user accounts are subject to many credential theft attacks due to the various activities a user conducts with such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire cloud subscription to risk if it is a member of critical roles in the subscription. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the cloud subscriptions from this risk. Moreover, for complete protection, all sensitive access must be done using a secure admin workstation (SAW) and Azure Privileged Identity Management (PIM).",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TenantBaseline",
        "P0",
        "Wave6",
        "ShadowITActiveBaseline",
        "SN:Sub_SC-ALT"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Security_Policy",
      "Description": "Microsoft Defender for Cloud (MDC) policies must be correctly configured on the subscription.",
      "Id": "SubscriptionCore330",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecurityPolicy",
      "DisplayName": "Microsoft Defender for Cloud (MDC) policies must be correctly configured on the subscription.",
      "Category": "",
      "ControlRequirements": "",
      "Recommendation": "Run the command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>''. Run 'Get-Help Set-AzSKAzureSecurityCenterPolicies -full' for more help. You can also manage your policy settings from the Azure portal at https://portal.azure.com. For more details, visit https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SubscriptionCore"
      ],
      "Enabled": false,
      "Rationale": "MDC security policies define the desired configuration of your workloads and help ensure you're complying with the security requirements of your company or regulators. They provide key policy settings (e.g., is patching configured for VMs?, is threat detection enabled for SQL?, etc.) and alert about resources which are not compliant with those policy settings. Correctly configuring MDC is critical as it gives a baseline layer of protection for the subscription and commonly used resource types.",
      "ControlSettings": {
        "MDCPolicyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "MDCPoliciesDesiredEffects": {
          "systemUpdatesMonitoringEffect": "AuditIfNotExists",
          "systemConfigurationsMonitoringEffect": "AuditIfNotExists",
          "endpointProtectionMonitoringEffect": "AuditIfNotExists",
          "sqlEncryptionMonitoringEffect": "AuditIfNotExists",
          "apiAppDisableRemoteDebuggingMonitoringEffect": "AuditIfNotExists",
          "functionAppDisableRemoteDebuggingMonitoringEffect": "AuditIfNotExists",
          "webAppDisableRemoteDebuggingMonitoringEffect": "AuditIfNotExists",
          "apiAppEnforceHttpsMonitoringEffect": "AuditIfNotExists",
          "functionAppEnforceHttpsMonitoringEffect": "AuditIfNotExists",
          "webAppEnforceHttpsMonitoringEffect": "AuditIfNotExists",
          "aadAuthenticationInServiceFabricMonitoringEffect": "Audit",
          "clusterProtectionLevelInServiceFabricMonitoringEffect": "Audit",
          "sqlServerAdvancedDataSecurityMonitoringEffect": "AuditIfNotExists",
          "aadAuthenticationInSqlServerMonitoringEffect": "AuditIfNotExists",
          "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": "Audit",
          "secureTransferToStorageAccountMonitoringEffect": "Audit",
          "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": "AuditIfNotExists",
          "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": "AuditIfNotExists",
          "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": "AuditIfNotExists",
          "identityRemoveDeprecatedAccountMonitoringEffect": "AuditIfNotExists",
          "classicStorageAccountsMonitoringEffect": "Audit",
          "classicComputeVMsMonitoringEffect": "Audit",
          "diskEncryptionMonitoringEffect": "AuditIfNotExists",
          "vulnerabilityAssesmentMonitoringEffect": "AuditIfNotExists",
          "vmssOsVulnerabilitiesMonitoringEffect": "AuditIfNotExists",
          "vmssEndpointProtectionMonitoringEffect": "AuditIfNotExists",
          "vmssSystemUpdatesMonitoringEffect": "AuditIfNotExists",
          "sqlDbVulnerabilityAssesmentMonitoringEffect": "AuditIfNotExists",
          "vnetEnableDDoSProtectionMonitoringEffect": "AuditIfNotExists",
          "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": "AuditIfNotExists",
          "identityEnableMFAForOwnerPermissionsMonitoringEffect": "AuditIfNotExists",
          "identityEnableMFAForWritePermissionsMonitoringEffect": "AuditIfNotExists",
          "identityEnableMFAForReadPermissionsMonitoringEffect": "AuditIfNotExists",
          "diagnosticsLogsInRedisCacheMonitoringEffect": "Audit"
        }
      },
      "CustomTags": [
        "SOX"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Enable_AutoProvisioning",
      "Description": "Auto Provisioning must be set to ON in Microsoft Defender for Cloud.",
      "Id": "SubscriptionCore340",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAutoProvisioningForSecurity",
      "DisplayName": "Turn on Microsoft Monitoring Agent (MMA) to enable Security Monitoring",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "To configure AutoProvisioning settings for your subscription, go to the Azure portal https://portal.azure.com. On the portal go to --> Security center - Pricing & Settings --> Select your subscription --> Settings - Data Collection. Alternatively, run the command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>'' to set up AutoProvisioning settings.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline",
        "Weekly",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "id",
        "properties.logCollection",
        "properties.recommendations",
        "properties.securityContactConfiguration.areNotificationsOn",
        "properties.securityContactConfiguration.securityContactEmails",
        "properties.securityContactConfiguration.securityContactPhone",
        "properties.securityContactConfiguration.sendToAdminOn"
      ],
      "FixControl": {
        "FixMethodName": "ConfigureSecurityCenter",
        "FixControlImpact": "Medium"
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterAutoProvision"
        ]
      },
      "Rationale": "MDC monitors various security parameters on a VM, such as missing updates, OS security settings, endpoint protection status, health and threat detections, etc., using a monitoring agent. This agent needs to be provisioned and running on VMs for the monitoring to work. When automatic provisioning is ON, MDC provisions the Microsoft Monitoring Agent (MMA) on all supported Azure VMs and on any new ones that are created.",
      "CustomTags": [
        "SOX",
        "SN:MMA"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Config_MDC_Setup_SecurityContacts",
      "Description": "Configure security contacts and alerts of medium severity or higher on your subscription.",
      "Id": "SubscriptionCore350",
      "DisplayName": "Configure security contacts and alerts of medium severity or higher on your subscription",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecurityContactDetails",
      "Recommendation": "Go to Azure Portal -> Microsoft Defender for Cloud -> Environment settings -> Select your subscription -> Go to 'Email notifications' -> a. In the 'Email recipients', Select 'Owner' and 'Service Admin' as email recipients and specify at least one email recipient. b. In the 'Notification types', Select the check box to notify about alerts and select the alert severity to 'Medium' or 'Low' -> Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "SecurityContacts": {
          "AlertNotificationState": "On",
          "AlertNotificationSeverities": [
            "Medium",
            "Low"
          ],
          "NotificationsRecipientsState": "On",
          "NotificationsRecipientsRoleName": [
            "Owner",
            "ServiceAdmin"
          ]
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SecurityCenterContacts"
        ]
      },
      "Rationale": "Security contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your customer data has been accessed by an unlawful or unauthorized party.",
      "CustomTags": [
        "SOX",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:Subscription_SecurityContacts"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_No_Billing_Activity",
      "Description": "Subscriptions with no billing activity and resources for over 90 days must be deleted.",
      "Id": "SubscriptionCore380",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckSubsBillingActivity",
      "DisplayName": "Subscriptions with no billing activity and resources must be deleted",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "To cancel a subscription in the Azure portal: 1. Select your subscription from the Subscriptions page in the Azure portal. 2. Select the subscription that you want to cancel. 3. Select Overview, and then select Cancel subscription. 4. Follow the prompts and finish cancellation. For detailed instructions, refer: https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/cancel-azure-subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "SI",
        "Automated",
        "SubscriptionCore",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "Rationale": "Cleaning up unused subscriptions is suggested as a good hygiene practice.",
      "CustomTags": [
        "Wave1",
        "ActiveBaseline",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "ShadowITActiveBaseline",
        "SN:AzSub_NotUsed_Deleted"
      ],
      "ControlSettings": {
        "MinReqdBillingPeriodInDays": 90,
        "GracePeriodForDisabledSubsInDays": 0
      }
    },
    {
      "ControlID": "Azure_Subscription_Configure_Conditional_Access_for_PIM",
      "Description": "Enable policy to require PIM elevation from SAW for admin roles in Azure subscriptions",
      "Id": "SubscriptionCore283",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPIMCATag",
      "DisplayName": "Enable policy to require PIM elevation from SAW for admin roles in Azure subscriptions",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "To configure Conditional Access Policy, refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings. **Note:** Follow the same steps for 'Owner', 'Contributor' and 'User Access Administrator' roles. To create Policy for your organization, refer https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json#create-a-conditional-access-policy.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlSettings": {
        "RuleName": "acrsRule",
        "RuleSettings": "{\"acrsRequired\":true,\"acrs\":\"urn:microsoft:req1,c1\"}"
      },
      "Enabled": true,
      "Rationale": "By using Conditional Access policies for privileged roles, you can apply the right access controls to make sure certain requirements are met before the end user gets access to the resource.",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P0",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:Subscription_PIM_SAW"
      ]
    },
    {
      "ControlID": "Azure_Subscription_Configure_Conditional_Access_for_PIM_Trial",
      "Description": "[Trial] Enable policy to require PIM elevation from SAW for admin roles in Azure subscriptions",
      "Id": "SubscriptionCore286",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPIMCATagTrial",
      "DisplayName": "[Trial] Enable policy to require PIM elevation from SAW for admin roles in Azure subscriptions",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "To configure Conditional Access Policy, refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings. **Note:** Follow the same steps for 'Owner', 'Contributor' and 'User Access Administrator' roles. To create Policy for your organization, refer https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json#create-a-conditional-access-policy.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "RequiredAcrsRule": {
          "claimValue": "urn:microsoft:req1",
          "id": "AuthenticationContext_EndUser_Assignment",
          "ruleType": "RoleManagementPolicyAuthenticationContextRule"
        },
        "RequiredRoles": {
          "User Access Administrator": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
          "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
          "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c"
        }
      },
      "Enabled": false,
      "Rationale": "By using Conditional Access policies for privileged roles, you can apply the right access controls to make sure certain requirements are met before the end user gets access to the resource",
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_SI_Dont_Use_B2C_Tenant",
      "Description": "Do not use any Azure Active Directory B2C tenant in a subscription",
      "Id": "SubscriptionCore410",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPresenceOfAADB2CTenant",
      "Recommendation": "Refer: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/tutorial-delete-tenant.md to delete the Azure B2C tenant and unregister the 'Microsoft.AzureActiveDirectory' resource provider in the subscription. Refer to https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types for more information on resource providers.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Baseline",
        "Daily",
        "SI",
        "SubscriptionCore"
      ],
      "DisplayName": "Remove Azure Active Directory B2C tenant(s) in a subscription",
      "Enabled": true,
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "This service relies mainly on a third-party identity provider, which can expose the subscription to identity/authentication attacks. Removing unnecessary or high-risk Azure AD B2C usage reduces the attack surface, reduces risk to the enterprise and helps protect against identity attacks.",
      "ControlSettings": {
        "ResourceTypeName": "Microsoft.AzureActiveDirectory/b2cDirectories"
      },
      "CustomTags": [
        "SN:Azure_B2C",
        "Wave9",
        "ShadowITActiveBaseline",
        "TenantBaseline",
        "Prod"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_NonAD_Identities_Privileged_Roles",
      "Description": "Do not grant privileged roles at the subscription level to external accounts and service principal names (SPNs)",
      "Id": "SubscriptionCore420",
      "DisplayName": "Do not grant privileged roles at the subscription level to external accounts and service principal names (SPNs)",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsAndNonAADIdentitiesRBAC",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "If these SPNs or External accounts need access to your subscription, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might be sufficient. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN or External account, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "Contributor",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": false,
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. Similarly, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs or external accounts to a subscription with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_Privileged_Roles_Trial",
      "Description": "[Trial] Do not grant privileged roles at the subscription level to service principal names (SPNs)",
      "Id": "SubscriptionCore460",
      "DisplayName": "[Trial] Do not grant privileged roles at the subscription level to service principal names (SPNs)",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRBACTrial",
      "ControlScanSource": "Reader",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "If these SPNs need access to your subscription, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might be sufficient. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "Contributor",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "Rationale": "SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs to a Subscription with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily",
        "SN:SPN_SubsPrivRole"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_NonAD_Identities_Privileged_Roles_Trial",
      "Description": "[Trial] Do not grant privileged roles at the subscription level to external accounts",
      "Id": "SubscriptionCore470",
      "DisplayName": "[Trial] Do not grant privileged roles at the subscription level to external accounts",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckNonAADIdentitiesRBACTrial",
      "ControlScanSource": "Reader",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "If these External accounts need access to your subscription, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might be sufficient. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the External account, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "Contributor",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. As a result, adding external accounts to a subscription with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily",
        "SN:NonAD_SubsPrivRole"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_NonAD_Identities_Privileged_Roles_RG",
      "Description": "Do not grant privileged roles at the Resource Group level to external accounts and service principal names (SPNs)",
      "Id": "SubscriptionCore430",
      "DisplayName": "Do not grant privileged roles at the Resource Group level to external accounts and service principal names (SPNs)",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsAndNonAADIdentitiesRGRBAC",
      "Recommendation": "If these SPNs or External accounts need access to your RG, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Resource Group' scope. Exact permission will vary based on your use case. If you want to remove the SPN or External account, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": false,
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. Similarly, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs or external accounts to a resource group with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_SPNs_Privileged_Roles_RG_Trial",
      "Description": "[Trial] Do not grant privileged roles at the Resource Group level to service principal names (SPNs)",
      "Id": "SubscriptionCore480",
      "DisplayName": "[Trial] Do not grant privileged roles at the Resource Group level to service principal names (SPNs)",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckSPNsRGRBACTrial",
      "ControlScanSource": "Reader",
      "Recommendation": "If these SPNs need access to your RG, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Resource Group' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. Also, SPNs and Managed Identities can't be granted Just-In-Time access. As a result, adding SPNs to a Resource group with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily",
        "SN:SPN_RGPrivRole"
      ]
    },
    {
      "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_NonAD_Identities_Privileged_Roles_RG_Trial",
      "Description": "[Trial] Do not grant privileged roles at the Resource Group level to external accounts",
      "Id": "SubscriptionCore490",
      "DisplayName": "[Trial] Do not grant privileged roles at the Resource Group level to external accounts",
      "ControlSeverity": "High",
      "Category": "Least privilege access to subscription and resources",
      "Automated": "Yes",
      "MethodName": "CheckNonAADIdentitiesRGRBACTrial",
      "ControlScanSource": "Reader",
      "Recommendation": "If these External accounts need access to your RG, make sure you add them at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Resource Group' scope. Exact permission will vary based on your use case. If you want to remove the External account, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthZ",
        "SubscriptionCore",
        "Baseline"
      ],
      "ControlSettings": {
        "CriticalRoles": [
          "Owner",
          "User Access Administrator"
        ],
        "AllowedIdentityDisplayNames": [
        ],
        "AllowedIdentityObjectIds": [
        ]
      },
      "Enabled": true,
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Non-AD accounts (such as xyz@contoso.com, pqr@outlook.com, etc.) are not managed to the same standards as native enterprise tenant identities. They might not have multi-factor authentication enabled. As a result, adding external accounts to a resource group with privileged roles is risky.",
      "CustomTags": [
        "Trial",
        "Daily",
        "SN:NonAD_RGPrivRole"
      ]
    },
    {
      "ControlID": "Azure_Subscription_DP_Avoid_Plaintext_Secrets_Tags",
      "Description": "Tags for resources in a subscription must not have secrets/credentials present in plain text",
      "Id": "SubscriptionCore440",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionResourceTagsAvoidPlaintextSecrets",
      "DisplayName": "Tags for resources in a subscription must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials at tags of the particular resource using the information provided in the UI, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "CustomTags": [
        "Wave9",
        "ShadowITActiveBaseline",
        "TenantBaseline",
        "Prod"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_DP_Avoid_Plaintext_Secrets_Deployments",
      "Description": "Deployments in a subscription must not have secrets/credentials present in plain text",
      "Id": "SubscriptionCore450",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "SubscriptionDeploymentsAvoidPlaintextSecrets",
      "DisplayName": "Deployments in a subscription must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials in the inputs/outputs section of the deployment of the particular subscription/resource group using the information provided in the UI, rotate those credentials and delete the deployment (Please note that deleting a succeeded deployment does not delete the resources deployed as part of that deployment). Use KeyVault to store secrets/credentials. Deployment templates also provide a secure way of passing secrets using the 'SecureString' parameter type. The SecureString type masks secrets that are passed as input parameters.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "CustomTags": [
        "Wave9",
        "ShadowITActiveBaseline",
        "TenantBaseline",
        "Prod"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Subscription_SI_Follow_ManagementGroup_Hierarchy",
      "Description": "Subscription should be part of descendant Management Group and not root MG",
      "Id": "SubscriptionCore500",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckParentMG",
      "Recommendation": "Add subscription to Management Group as per organizational guidance.",
      "DisplayName": "Follow Management Group Hierarchy for subscription",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "As per prescribed organizational guidance, subscription should be part of relevant Management Group and not part of root Management Group directly.",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SubMGHierarchy"
        ]
      },
      "Tags": [
        "Automated",
        "SubscriptionCore",
        "Baseline"
      ],
      "Enabled": false,
      "Rationale": "Subscriptions should follow the Management Group hierarchy. This helps drive compliance by assigning policies at the Management Group level.",
      "CustomTags": [
        "Daily"
      ]
    }
  ]
}