Best practice
azure-appgateway-enables-waf
Ensure that Application Gateway enables WAF
azure-appservice-https-20-enabled
Ensure that HTTP Version is the latest if used to run the web app
azure-postgresql-geo-backup-enabled
Ensure that PostgreSQL server enables geo-redundant backups
azure-sqlserver-email-alerts-enabled
Ensure that Send Alerts To is enabled for MSSQL servers
azure-appservice-used-azure-files
Ensure that app services use Azure Files
azure-ad-used-auth-service-fabric
Ensure that Active Directory is used for authentication for Service Fabric
azure-defenderon-sqlservers-vms
Ensure that Azure Defender is set to On for SQL servers on machines
azure-securitycenter-standard-pricing
Ensure that standard pricing tier is selected
azure-vmscale-sets-auto-os-image-patching-enabled
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets
azure-networkinterface-enable-ip-forwarding
Ensure that Network Interfaces disable IP forwarding
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-postgresql-server-connection-throttling-enabled
Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server
azure-securitycenter-contact-phone
Ensure that Security contact Phone number is set
azure-defenderon-servers
Ensure that Azure Defender is set to On for Servers
azure-appservice-dotnet-framework-version
Ensure that .NET Framework version is the latest, if used as a part of the web app
azure-postgresql-server-log-connections-enabled
Ensure server parameter log_connections is set to ON for PostgreSQL Database Server
azure-appservice-python-version
Ensure that Python version is the latest, if used to run the web app
azure-functionapps-accessible-over-https
Ensure that HTTP Version is the latest if used to run the Function app
azure-sqlserver-threat-detection-types
Ensure that Threat Detection types is set to All
azure-aks-uses-azure-policies-addon
Ensure that AKS uses Azure Policies Add-on
azure-defenderon-appservices
Ensure that Azure Defender is set to On for App Service
azure-securitycenter-email-alert-admins
Ensure that Send email notification for high severity alerts is set to On
azure-securitcenter-email-alert
Ensure that Send email notification for high severity alerts is set to On
azure-mariadb-geo-backup-enabled
Ensure that MariaDB server enables geo-redundant backups
azure-secret-content-type
Ensure that key vault secrets have “content_type” set
azure-keyvault-enables-firewall-rules-settings
Ensure that key vault allows firewall rules settings
azure-mysql-threat-detection-enabled
Ensure that MySQL server enables Threat detection policy
azure-securitycenter-contact-emails
Ensure that Security contact emails is set
azure-keyvault-recovery-enabled
Ensure the key vault is recoverable (https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable)
azure-postgresql-server-log-checkpoint-enabled
Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server
azure-appservice-php-version
Ensure that PHP version is the latest, if used to run the web app
azure-mariadb-sslenforcement-enabled
Ensure Enforce SSL connection is set to Enabled for MariaDB servers
azure-frontdoor-enables-waf
Ensure that Azure Front Door enables WAF
azure-secret-expiration-date
Ensure that the expiration date is set on all secrets
azure-monitor-log-profile-categories
Ensure audit profile captures all the activities
azure-monitor-log-profile-retention-days
Ensure that Activity Log Retention is set to 365 days or greater
azure-sqlserver-email-alerts-toadmins-enabled
Ensure that Email service and co-administrators is Enabled for MSSQL servers
azure-defenderon-keyvaults
Ensure that Azure Defender is set to On for Key Vault
azure-postgresql-flexi-server-geo-backup-enabled
Ensure that PostgreSQL Flexible server enables geo-redundant backups
azure-postgresql-threat-detection-enabled
Ensure that PostgreSQL server enables Threat detection policy
azure-appservice-java-version
Ensure that Java version is the latest, if used to run the web app
azure-keyvault-enables-purge-protection
Ensure that key vault enables purge protection
azure-functionapp-http-version-latest
Ensure that HTTP Version is the latest if used to run the Function app
azure-storage-account-enables-secure-transfer
Ensure that storage account enables secure transfer
azure-mysql-server-tlsenforcement-enabled
Ensure Enforce SSL connection is set to Enabled for MySQL servers
azure-appservice-ftps-state
Ensure FTP deployments are disabled
azure-defenderon-storage
Ensure that Azure Defender is set to On for Storage
azure-mysql-geo-backup-enabled
Ensure that MySQL server enables geo-redundant backups
azure-synapse-workscape-enables-managed-virtual-network
Ensure that Azure Synapse workspaces enable managed virtual networks
azure-defenderon-sqlservers
Ensure that Azure Defender is set to On for SQL servers
azure-defenderon-container-registry
Ensure that Azure Defender is set to On for Container
azure-defenderon-kubernetes
Ensure that Azure Defender is set to On for Kubernetes
azure-frontdoor-use-wafmode
Ensure that Azure Front Door uses WAF and is configured in “Detection” or “Prevention” mode
azure-postgresql-ssl-enforcement-enabled
Ensure Enforce SSL connection is set to Enabled for PostgreSQL servers
azure-keyvault-enables-soft-delete
Ensure that key vault enables soft delete
azure-waf-specificed-mode-app-gw
Ensure that Application Gateway uses WAF in “Detection” or “Prevention” modes