[ { "id": "entra_conditional_access_policy_require_mfa_for_management_api", "service": "Entra", "title": "Ensure Multifactor Authentication is Required for Windows Azure Service Management API", "description": "This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API, etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.", "risk": "Administrative access to the Windows Azure Service Management API should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multifactor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-azure-management", "checkScript": "Test-EntraConditionalAccessPolicyRequireMfaForManagementApi.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_global_admin_in_less_than_five_users", "service": "Entra", "title": "Ensure fewer than 5 users have global administrator assignment", "description": "This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access.", "risk": "The Global Administrator role has extensive privileges across all services in Microsoft Entra ID. 
The Global Administrator role should never be used in regular daily activities, administrators should have a regular user account for daily activities, and a separate account for administrative responsibilities. Limiting the number of Global Administrators helps mitigate the risk of unauthorized access, reduces the potential impact of human error, and aligns with the principle of least privilege to reduce the attack surface of an Azure tenant. Conversely, having at least two Global Administrators ensures that administrative functions can be performed without interruption in case of unavailability of a single admin.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5", "checkScript": "Test-EntraGlobalAdminInLessThanFiveUsers.ps1", "dependsOn": [], "permissions": { "graph": ["RoleManagement.Read.Directory"] } }, { "id": "entra_non_privileged_user_has_mfa", "service": "Entra", "title": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users", "description": "Enable multi-factor authentication for all non-privileged users.", "risk": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. 
With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks", "checkScript": "Test-EntraNonPrivilegedUserHasMfa.ps1", "dependsOn": [], "permissions": { "graph": ["User.Read.All", "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"] } }, { "id": "entra_policy_default_users_cannot_create_security_groups", "service": "Entra", "title": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'", "description": "Restrict security group creation to administrators only.", "risk": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/users/groups-self-service-management", "checkScript": "Test-EntraPolicyDefaultUserCannotCreateSecurityGroup.ps1", "dependsOn": [], "permissions": { "graph": ["Directory.Read.All"] } }, { "id": "entra_policy_ensure_default_user_cannot_create_apps", "service": "Entra", "title": "Ensure That 'Users Can Register Applications' Is Set to 'No'", "description": "Require administrators or appropriately delegated users to register third-party applications.", "risk": "It is recommended to only allow an administrator to register custom-developed applications. 
This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity-platform/how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance", "checkScript": "Test-EntraPolicyEnsureDefaultUserCannotCreateApp.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_policy_ensure_default_user_cannot_create_tenants", "service": "Entra", "title": "Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'", "description": "Require administrators or appropriately delegated users to create new tenants.", "risk": "It is recommended to only allow an administrator to create new tenants. 
This prevents users from creating new Microsoft Entra ID (Azure AD) or Azure AD B2C tenants and ensures that only authorized users are able to do so. A user who creates a tenant becomes its Global Administrator, so unrestricted tenant creation enables unmanaged 'shadow' tenants outside the organization's governance and monitoring.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions", "checkScript": "Test-EntraPolicyEnsureDefaultUserCannotCreateTenant.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_policy_guest_invite_only_for_admin_roles", "service": "Entra", "title": "Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'", "description": "Restrict invitations to users with specific administrative roles only.", "risk": "Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain 'Need to Know' permissions and prevents inadvertent access to data. By default, 'Guest invite restrictions' is set to 'Anyone in the organization can invite guest users including guests and non-admins'. 
This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure", "checkScript": "Test-EntraPolicyGuestInviteOnlyForAdminRole.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_policy_guest_users_access_restrictions", "service": "Entra", "title": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'", "description": "Limit guest user permissions.", "risk": "Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction. 1. Guest users have the same access as members (most inclusive), 2. Guest users have limited access to properties and memberships of directory objects (default value), 3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). 
The recommended option is the 3rd, most restrictive: 'Guest user access is restricted to their own directory object'.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions", "checkScript": "Test-EntraPolicyGuestUserAccessRestriction.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_policy_restricts_user_consent_for_apps", "service": "Entra", "title": "Ensure 'User consent for applications' is set to 'Do not allow user consent'", "description": "Require administrators to provide consent for applications before use.", "risk": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/configure-user-consent?pivots=portal", "checkScript": "Test-EntraPolicyRestrictUserConsentForApp.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_policy_user_consent_for_verified_apps", "service": "Entra", "title": "Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'", "description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.", "risk": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. 
Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal#configure-user-consent-to-applications", "checkScript": "Test-EntraPolicyUserConsentForVerifiedApp.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_privileged_user_has_mfa", "service": "Entra", "title": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users", "description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as, - Service Co-Administrators - Subscription Owners - Contributors", "risk": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. 
With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks", "checkScript": "Test-EntraPrivilegedUserHasMfa.ps1", "dependsOn": [], "permissions": { "graph": ["RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"] } }, { "id": "entra_security_defaults_enabled", "service": "Entra", "title": "Ensure Security Defaults is enabled on Microsoft Entra ID", "description": "Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.", "risk": "Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: - Requiring all users and admins to register for MFA. - Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. 
- Disabling authentication from legacy authentication clients, which can't do MFA.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults", "checkScript": "Test-EntraSecurityDefaultsEnabled.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_trusted_named_locations_exists", "service": "Entra", "title": "Ensure Trusted Locations Are Defined", "description": "Microsoft Entra ID Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.", "risk": "Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. 
Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Microsoft Entra ID from untrusted locations or untrusted source IP addresses/ranges.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition", "checkScript": "Test-EntraTrustedNamedLocationExist.ps1", "dependsOn": [], "permissions": { "graph": ["Policy.Read.All"] } }, { "id": "entra_user_with_vm_access_has_mfa", "service": "Entra", "title": "Ensure only MFA enabled identities can access privileged Virtual Machine", "description": "Identify identities that can sign in to or manage a privileged virtual machine but do not have MFA enabled. An adversary who compromises such an identity can use the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine's managed identity only has the permissions it needs, and revoke admin-level permissions in line with the principle of least privilege.", "risk": "An identity that can access a privileged virtual machine without MFA can be taken over with a single stolen or phished credential. From the VM, an adversary can move laterally inside the network and act as the virtual machine's managed identity against other Azure resources, inheriting whatever role assignments that identity holds. 
Requiring MFA for every identity with VM access raises the cost of credential compromise, and keeping the managed identity's role assignments minimal bounds the blast radius if the VM is nonetheless compromised.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-EntraUserWithVmAccessHasMfa.ps1", "dependsOn": [], "permissions": { "graph": ["UserAuthenticationMethod.Read.All"], "arm": ["Microsoft.Authorization/roleAssignments/read"] } }, { "id": "entra_users_cannot_create_microsoft_365_groups", "service": "Entra", "title": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'", "description": "Restrict Microsoft 365 group creation to administrators only.", "risk": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/community/all-about-groups#microsoft-365-groups", "checkScript": "Test-EntraUserCannotCreateMicrosoft365Group.ps1", "dependsOn": [], "permissions": { "graph": ["Directory.Read.All"] } }, { "id": "iam_custom_role_has_permissions_to_administer_resource_locks", "service": "IAM", "title": "Ensure an IAM custom role has permissions to administer resource locks", "description": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks", "risk": "In Azure, resource locks are a way to prevent accidental deletion or modification of critical resources. These locks can be set at the resource group level or the individual resource level. 
Resource lock administration is a critical task that should be performed through a dedicated custom role carrying only the lock permissions (Microsoft.Authorization/locks/*). Without such a role, managing locks requires broad built-in roles such as Owner or User Access Administrator, so delegating lock administration means over-privileging the delegate. A scoped custom role ensures that only authorized users can administer resource locks without also being able to grant roles or alter the locked resources themselves.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json", "checkScript": "Test-IamCustomRoleHasPermissionToAdministerResourceLock.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Authorization/roleDefinitions/read"] } }, { "id": "iam_role_user_access_admin_restricted", "service": "IAM", "title": "Ensure 'User Access Administrator' role is restricted", "description": "Checks for active assignments of the highly privileged 'User Access Administrator' role in Azure subscriptions.", "risk": "A principal holding 'User Access Administrator' can grant any Azure RBAC role, including Owner, to itself or to others, so a standing (permanently active) assignment turns a single compromised account into full control of the subscription. Assignments should be limited to a small set of accounts and made eligible and time-bound through Privileged Identity Management rather than permanently active.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator", "checkScript": "Test-IamRoleUserAccessAdminRestricted.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Authorization/roleDefinitions/read", "Microsoft.Authorization/roleAssignments/read"] } }, { "id": "iam_subscription_roles_owner_custom_not_created", "service": "IAM", "title": "Ensure that no custom subscription owner roles are created", "description": "Ensure that no custom subscription owner roles are created", "risk": "Subscription ownership should not include permission to create custom owner roles. 
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles", "checkScript": "Test-IamSubscriptionRolesOwnerCustomNotCreated.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Authorization/roleDefinitions/read"] } }, { "id": "keyvault_key_expiration_set_in_non_rbac", "service": "KeyVault", "title": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.", "description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", "risk": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis", "checkScript": "Test-KeyvaultKeyExpirationSetInNonRbac.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"], "keyvaultDataPlane": ["keys/list"] } }, { "id": "keyvault_key_rotation_enabled", "service": "KeyVault", "title": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services", "description": "Automatic Key Rotation is available in Public Preview. 
The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications is expected to increase over time.", "risk": "Once configured, automatic key rotation removes the need for manual administration by creating a new key version at intervals determined by your organization's policy. Without rotation, a key that is compromised at any point remains valid indefinitely, and keys that never expire widen the window in which stolen material can be used. The recommended key lifetime is 2 years; your organization should determine its own key expiration policy.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation", "checkScript": "Test-KeyvaultKeyRotationEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"], "keyvaultDataPlane": ["keys/list"] } }, { "id": "keyvault_logging_enabled", "service": "KeyVault", "title": "Ensure that logging for Azure Key Vault is 'Enabled'", "description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.", "risk": "Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. 
This same storage account can be used for collecting logs for multiple key vaults.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging", "checkScript": "Test-KeyvaultLoggingEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read", "Microsoft.Insights/diagnosticSettings/read"] } }, { "id": "keyvault_non_rbac_secret_expiration_set", "service": "KeyVault", "title": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults", "description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", "risk": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. 
This ensures that the secrets cannot be used beyond their assigned lifetimes.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis", "checkScript": "Test-KeyvaultNonRbacSecretExpirationSet.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"], "keyvaultDataPlane": ["secrets/list"] } }, { "id": "keyvault_private_endpoints", "service": "KeyVault", "title": "Ensure that Private Endpoints are Used for Azure Key Vault", "description": "Private endpoints expose Azure Key Vault on a private IP address inside your virtual network, so the resources requesting secrets and keys reach the vault without traversing the public internet.", "risk": "Private endpoints limit network access to Azure Key Vault to the virtual networks that have been explicitly connected to the vault, and allow the public endpoint to be disabled. Without a private endpoint the vault is reachable only through its public endpoint, so its network exposure is governed solely by the vault firewall rules and authentication, and a stolen credential or token can be used from anywhere on the internet. Traffic to Key Vault is TLS-encrypted in either case, so the benefit is reduced exposure and network-level isolation rather than channel confidentiality. Despite the additional configuration effort, private endpoints (paired with disabling public network access, see keyvault_public_network_access_disabled) are recommended for vaults holding high-value secrets.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview", "checkScript": "Test-KeyvaultPrivateEndpoint.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"] } }, { "id": "keyvault_rbac_enabled", "service": "KeyVault", "title": "Enable Role Based Access Control for Azure Key Vault", "description": "WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. 
This is a limitation of the soft-delete feature across all Azure services.", "risk": "The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps", "checkScript": "Test-KeyvaultRbacEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"] } }, { "id": "keyvault_rbac_key_expiration_set", "service": "KeyVault", "title": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults", "description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set", "risk": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. 
This ensures that the keys cannot be used beyond their assigned lifetimes.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis", "checkScript": "Test-KeyvaultRbacKeyExpirationSet.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"], "keyvaultDataPlane": ["keys/list"] } }, { "id": "keyvault_rbac_secret_expiration_set", "service": "KeyVault", "title": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults", "description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", "risk": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis", "checkScript": "Test-KeyvaultRbacSecretExpirationSet.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"], "keyvaultDataPlane": ["secrets/list"] } }, { "id": "keyvault_recoverable", "service": "KeyVault", "title": "Ensure the Key Vault is Recoverable", "description": "The Key Vault contains object keys, secrets, and certificates. 
Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.", "risk": "There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault: 1. enableSoftDelete: Setting this parameter to 'true' for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged. 2. enablePurgeProtection: enableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. 
Setting enablePurgeProtection to 'true' ensures that the Key Vault and its objects cannot be purged. Enabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli", "checkScript": "Test-KeyvaultRecoverable.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"] } }, { "id": "keyvault_public_network_access_disabled", "service": "KeyVault", "title": "Ensure that public network access when using private endpoint is disabled.", "description": "Checks if Key Vaults with private endpoints have public network access disabled.", "risk": "Allowing public network access to Key Vault when using private endpoint can expose sensitive data to unauthorized access.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security", "checkScript": "Test-KeyvaultPublicNetworkAccessDisabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.KeyVault/vaults/read"] } }, { "id": "storage_account_key_access_disabled", "service": "Storage", "title": "Ensure allow storage account key access is disabled", "description": "Ensures that access to Azure Storage Accounts using account keys is disabled, enforcing the use of Microsoft Entra ID (formerly Azure AD) for authentication.", "risk": "Using Shared Key authorization poses a security risk due to the high privileges associated with storage account keys and the difficulty in auditing such access. 
Disabling Shared Key access helps enforce identity-based authentication via Microsoft Entra ID, enhancing security and traceability.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent", "checkScript": "Test-StorageAccountKeyAccessDisabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_blob_public_access_level_is_disabled", "service": "Storage", "title": "Ensure that the 'Public access level' is set to 'Private (no anonymous access)' for all blob containers in your storage account", "description": "Ensure that the 'Public access level' configuration setting is set to 'Private (no anonymous access)' for all blob containers in your storage account in order to block anonymous access to these Microsoft Azure resources.", "risk": "A user that accesses blob containers anonymously can use constructors that do not require credentials such as shared access signatures.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageBlobPublicAccessLevelIsDisabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/blobServices/containers/read"] } }, { "id": "storage_blob_versioning_is_enabled", "service": "Storage", "title": "Ensure Blob Versioning is Enabled on Azure Blob Storage Accounts", "description": "Ensure that blob versioning is enabled on Azure Blob Storage accounts to automatically retain previous versions of objects.", "risk": "Without blob versioning, accidental or malicious changes to blobs cannot be easily recovered, leading to potential data loss.", "severity": "medium", "categories": 
[], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable", "checkScript": "Test-StorageBlobVersioningIsEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/blobServices/read"] } }, { "id": "storage_cross_tenant_replication_disabled", "service": "Storage", "title": "Ensure cross-tenant replication is disabled", "description": "Ensure that cross-tenant replication is not enabled on Azure Storage Accounts to prevent unintended replication of data across tenant boundaries.", "risk": "If cross-tenant replication is enabled, sensitive data could be inadvertently replicated across tenants, increasing the risk of data leakage, unauthorized access, or non-compliance with data governance and privacy policies.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal", "checkScript": "Test-StorageCrossTenantReplicationDisabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_default_network_access_rule_is_denied", "service": "Storage", "title": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny", "description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.", "risk": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). 
Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageDefaultNetworkAccessRuleIsDenied.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_default_to_entra_authorization_enabled", "service": "Storage", "title": "Ensure Microsoft Entra authorization is enabled by default for Azure Storage Accounts", "description": "Ensure that the Azure Storage Account setting 'Default to Microsoft Entra authorization in the Azure portal' is enabled to enforce the use of Microsoft Entra ID for accessing blobs, files, queues, and tables.", "risk": "If this setting is not enabled, the Azure portal may authorize access using less secure methods such as Shared Key, increasing the risk of unauthorized data access.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory", "checkScript": "Test-StorageDefaultToEntraAuthorizationEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_ensure_azure_services_are_trusted_to_access_is_enabled", "service": "Storage", "title": "Ensure that 'Allow trusted 
Microsoft services to access this storage account' is enabled for storage accounts", "description": "Ensure that 'Allow trusted Microsoft services to access this storage account' is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.", "risk": "If trusted Azure services are not allowed to access the storage account, the following services are not granted access to it: Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageEnsureAzureServicesAreTrustedToAccessIsEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_ensure_encryption_with_customer_managed_keys", "service": "Storage", "title": "Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys", "description": "Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys", "risk": "If you want to control and manage the encryption key for the storage account's contents yourself, you must specify a customer-managed key.", "severity": "high", "categories": [ "encryption" ], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageEnsureEncryptionWithCustomerManagedKey.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_ensure_file_shares_soft_delete_is_enabled", "service": "Storage", "title": "Ensure soft delete for Azure File Shares is enabled", "description": "Ensure that soft delete is 
enabled for Azure File Shares to protect against accidental or malicious deletion of important data. This feature allows deleted file shares to be retained for a specified period, during which they can be recovered before permanent deletion occurs.", "risk": "Without soft delete enabled, accidental or malicious deletions of file shares result in permanent data loss, making recovery impossible unless a separate backup mechanism is in place.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal", "checkScript": "Test-StorageEnsureFileSharesSoftDeleteIsEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/fileServices/read"] } }, { "id": "storage_ensure_minimum_tls_version_12", "service": "Storage", "title": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'", "description": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'", "risk": "TLS versions 1.0 and 1.1 are known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses and attacks such as POODLE and BEAST", "severity": "medium", "categories": [ "encryption" ], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageEnsureMinimumTlsVersion12.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_ensure_private_endpoints_in_storage_accounts", "service": "Storage", "title": "Ensure Private Endpoints are used to access Storage Accounts", "description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over 
a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services traverses the VNet encrypted. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security by segmenting network traffic and preventing outside sources from accessing it.", "risk": "Storage accounts that are not configured to use Private Endpoints are accessible over the public internet. This can lead to data exfiltration and other security issues.", "severity": "medium", "categories": [ "encryption" ], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints", "checkScript": "Test-StorageEnsurePrivateEndpointInStorageAccount.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_ensure_soft_delete_is_enabled", "service": "Storage", "title": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage", "description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.", "risk": "Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. 
Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the Retention policies ranging from 7 days to 365 days.", "severity": "medium", "categories": [ "encryption" ], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", "checkScript": "Test-StorageEnsureSoftDeleteIsEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/blobServices/read"] } }, { "id": "storage_geo_redundant_enabled", "service": "Storage", "title": "Ensure geo-redundant storage (GRS) is enabled on critical Azure Storage Accounts", "description": "Geo-redundant storage (GRS) must be enabled on critical Azure Storage Accounts to ensure data durability and availability in the event of a regional outage. 
GRS replicates data within the primary region and asynchronously to a secondary region, offering enhanced resilience and supporting disaster recovery strategies.", "risk": "Without GRS, critical data may be lost or become unavailable during a regional outage, compromising data durability and disaster recovery efforts.", "severity": "high", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy", "checkScript": "Test-StorageGeoRedundantEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_infrastructure_encryption_is_enabled", "service": "Storage", "title": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' ", "description": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' ", "risk": "Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised", "severity": "low", "categories": [ "encryption" ], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageInfrastructureEncryptionIsEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_key_rotation_90_days", "service": "Storage", "title": "Ensure that Storage Account Access Keys are Periodically Regenerated", "description": "Ensure that Storage Account Access Keys are Periodically Regenerated", "risk": "If the access keys are not regenerated periodically, the likelihood of accidental exposures increases, which can lead to unauthorized access to your storage account resources.", "severity": "medium", "categories": [ "encryption" ], 
"remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal", "checkScript": "Test-StorageKeyRotation90Day.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_secure_transfer_required_is_enabled", "service": "Storage", "title": "Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol.", "description": "Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol.", "risk": "Requests to the storage account sent outside of a secure connection can be eavesdropped", "severity": "medium", "categories": [ "encryption" ], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "", "checkScript": "Test-StorageSecureTransferRequiredIsEnabled.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read"] } }, { "id": "storage_smb_channel_encryption_with_secure_algorithm", "service": "Storage", "title": "Ensure SMB channel encryption uses a secure algorithm for SMB file shares", "description": "Implement SMB channel encryption with a secure algorithm for SMB file shares to ensure data confidentiality and integrity in transit.", "risk": "Not using the recommended SMB channel encryption may expose data transmitted over SMB channels to unauthorized interception and tampering.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares", "checkScript": "Test-StorageSmbChannelEncryptionWithSecureAlgorithm.ps1", 
"dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/fileServices/read"] } }, { "id": "storage_smb_protocol_version_is_latest", "service": "Storage", "title": "Ensure SMB protocol version for file shares is set to the latest version.", "description": "Ensure that SMB file shares are configured to use only the latest SMB protocol version.", "risk": "Allowing older SMB protocol versions may expose file shares to known vulnerabilities and security risks.", "severity": "medium", "categories": [], "remediation": { "text": "See Devolutions PAM for remediation guidance.", "url": "https://devolutions.net/pam" }, "relatedUrl": "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol#smb-security-settings", "checkScript": "Test-StorageSmbProtocolVersionIsLatest.ps1", "dependsOn": [], "permissions": { "arm": ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/fileServices/read"] } } ] |