Security
azure-mssql-service-mintls-version
Ensure MSSQL is using the latest version of TLS encryption
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
azure-instance-extensions
Ensure Virtual Machine Extensions are not Installed
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-mysql-public-access-disabled
Ensure public network access enabled is set to False for MySQL servers
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-cosmosdb-disables-public-network
Ensure that Azure Cosmos DB disables public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-storage-account-minimum-tlsversion
Ensure Storage Account is using the latest version of TLS encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
azure-mysql-encryption-enabled
Ensure that MySQL server enables infrastructure encryption
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-postgresql-encryption-enabled
Ensure that PostgreSQL server enables infrastructure encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-batchaccount-uses-keyvault-encrpytion
Ensure that Azure Batch account uses key vault to encrypt data
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-mariadb-public-access-disabled
Ensure public network access enabled is set to False for MariaDB servers
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-key-no-expiration-date
Ensure that the expiration date is set on all keys
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-managed-disk-encryption
Ensure Azure managed disk has encryption enabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-search-publicnetwork-access-disabled
Ensure that Azure Cognitive Search disables public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-dataexplorer-uses-disk-encryption
Ensure that Azure Data Explorer uses disk encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-functionapps-enable-auth
Ensure that function apps enable authentication
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-redis-cache-public-network-access-enabled
Ensure that Azure Cache for Redis disables public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-network-watcher-flowlog-period
Ensure that Network Security Group Flow Log retention period is 90 days or greater
azure-storage-blob-service-container-private-access
Ensure that Public access level is set to Private for blob containers
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-containergroup-deployed-into-virtualnetwork
Ensure that Azure Container group is deployed into virtual network
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-postgresql-server-public-access-disabled
Ensure public network access enabled is set to False for PostgreSQL servers
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-cosmosdb-accounts-restricted-access
Ensure Cosmos DB accounts have restricted access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-vmencryption-at-host-enabled
Ensure that Virtual machine scale sets have encryption at host enabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-datafactory-uses-git-repository
Ensure that Azure Data Factory uses Git repository for source control
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-iot-no-public-network-access
Ensure that Azure IoT Hub disables public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-managed-disk-encryption-set
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-storage-sync-public-access-disabled
Ensure that Azure File Sync disables public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-monitor-log-profile-retention-days
Ensure that Activity Log Retention is set to 365 days or greater
azure-cosmosdb-disable-access-key-write
Ensure that Cosmos DB accounts have access key write capability disabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-redis-cache-enable-non-ssl-port
Ensure that only SSL is enabled for Cache for Redis
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
azure-dataexplorer-double-encryption-enabled
Ensure that Azure Data Explorer uses double encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-cognitiveservices-disables-public-network
Ensure that Cognitive Services accounts disable public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-automation-encrypted
Ensure that Automation account variables are encrypted
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-storage-account-disable-public-access
Ensure default network access rule for Storage Accounts is set to deny
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-functionapp-disallow-cors
Ensure that CORS disallows all resources to access Function app
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-942: Permissive Cross-domain Policy with Untrusted Domains
OWASP:
- A05:2021 - Security Misconfiguration
azure-datalake-store-encryption
Ensure that Data Lake Store accounts enable encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-mysql-mintls-version
Ensure MySQL is using the latest version of TLS encryption
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
azure-key-backedby-hsm
Ensure that key vault key is backed by HSM
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-datafactory-no-public-network-access
Ensure that Azure Data Factory public network access is disabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-cosmosdb-have-cmk
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-sqlserver-public-access-disabled
Ensure that SQL server disables public network access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-service-fabric-cluster-protection-level
Ensure that Service Fabric uses the three levels of protection available
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-320: CWE CATEGORY: Key Management Errors
OWASP:
- A03:2017 - Sensitive Data Exposure
azure-remote-debugging-not-enabled
Ensure that remote debugging is not enabled for app services
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-scale-set-password
Ensure that Virtual machine does not enable password authentication
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-customrole-definition-subscription-owner
Ensure that no custom subscription owner roles are created
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-postgresql-min-tls-version
Ensure PostgreSQL is using the latest version of TLS encryption
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
azure-sqlserver-no-public-access
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
azure-eventgrid-domain-network-access
Ensure that Azure Event Grid Domain public network access is disabled
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control