diff --git a/docs/changelog.md b/docs/changelog.md index 953a25e704..5873e2dcec 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -30,6 +30,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased +- New features: + - Added `Azure.Pillar.Security.L2` experimental baseline for the Security pillar Level 2 maturity. + [#3726](https://github.com/Azure/PSRule.Rules.Azure/issues/3726) + - Added `Azure.WAF/maturity: L2` labels to Security pillar rules covering network ingress, authentication controls, workload hardening, deployment practices, and maintenance. - Updated rules: - Azure Kubernetes Service: - Updated `Azure.AKS.Version` to use `1.33.7` as the minimum version by @BernieWhite. diff --git a/docs/en/rules/Azure.ACR.AnonymousAccess.md b/docs/en/rules/Azure.ACR.AnonymousAccess.md index d44f3b1840..54b4c12185 100644 --- a/docs/en/rules/Azure.ACR.AnonymousAccess.md +++ b/docs/en/rules/Azure.ACR.AnonymousAccess.md @@ -143,6 +143,7 @@ For example: You are a software vendor and intend to distribute container images ## LINKS - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access) +- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1) - [Make your container registry content publicly available](https://learn.microsoft.com/azure/container-registry/anonymous-pull-access) - [Azure security baseline for Container Registry](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline) - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#im-1-use-centralized-identity-and-authentication-system) diff --git a/docs/en/rules/Azure.ACR.ContainerScan.md b/docs/en/rules/Azure.ACR.ContainerScan.md index 2b7f393de5..f4b055da3e 100644 
--- a/docs/en/rules/Azure.ACR.ContainerScan.md +++ b/docs/en/rules/Azure.ACR.ContainerScan.md @@ -99,6 +99,7 @@ This rule applies when analyzing resources deployed (in-flight) to Azure and doe ## LINKS - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Introduction to Microsoft Defender for container registries](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-container-registries-introduction) - [Container security in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction) - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time) diff --git a/docs/en/rules/Azure.ACR.ContentTrust.md b/docs/en/rules/Azure.ACR.ContentTrust.md index 3369f2ad4b..a3041c50fe 100644 --- a/docs/en/rules/Azure.ACR.ContentTrust.md +++ b/docs/en/rules/Azure.ACR.ContentTrust.md @@ -118,6 +118,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 5](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level5) - [Content trust in Azure Container Registry](https://learn.microsoft.com/azure/container-registry/container-registry-content-trust) - [Content trust in Docker](https://docs.docker.com/engine/security/trust/content_trust/) - [Overview of customer-managed keys](https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys#before-you-enable-a-customer-managed-key) diff --git a/docs/en/rules/Azure.ACR.ExportPolicy.md b/docs/en/rules/Azure.ACR.ExportPolicy.md index d5180b6406..a9923c162f 100644 
--- a/docs/en/rules/Azure.ACR.ExportPolicy.md +++ b/docs/en/rules/Azure.ACR.ExportPolicy.md @@ -153,6 +153,7 @@ such as in the case of public registries. ## LINKS - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Data loss prevention for Azure Container Registry](https://learn.microsoft.com/azure/container-registry/data-loss-prevention) - [Azure Security Benchmark - Monitor anomalies and threats targeting sensitive data](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data) - [Azure Policy - Container registries should have exports disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_ExportPolicy_AuditDeny.json) diff --git a/docs/en/rules/Azure.ACR.Firewall.md b/docs/en/rules/Azure.ACR.Firewall.md index 17ce7b9a07..6960a5220f 100644 --- a/docs/en/rules/Azure.ACR.Firewall.md +++ b/docs/en/rules/Azure.ACR.Firewall.md @@ -107,6 +107,7 @@ you must enable trusted Microsoft services for the vulnerability assessment feat ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Restrict access using private endpoint](https://learn.microsoft.com/azure/container-registry/container-registry-private-link) - [Restrict access using firewall rules](https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks) - [Allow trusted services to securely access a network-restricted container registry](https://learn.microsoft.com/azure/container-registry/allow-access-trusted-services) 
diff --git a/docs/en/rules/Azure.ACR.Quarantine.md b/docs/en/rules/Azure.ACR.Quarantine.md index 6d011daadb..a4c2b2fd61 100644 --- a/docs/en/rules/Azure.ACR.Quarantine.md +++ b/docs/en/rules/Azure.ACR.Quarantine.md @@ -120,6 +120,7 @@ Image quarantine for Azure Container Registry is currently in preview. ## LINKS - [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers) +- [Security: Level 5](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level5) - [How do I enable automatic image quarantine for a registry?](https://learn.microsoft.com/azure/container-registry/container-registry-faq#how-do-i-enable-automatic-image-quarantine-for-a-registry-) - [Quarantine Pattern](https://github.com/Azure/acr/tree/main/docs/preview/quarantine) - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time) diff --git a/docs/en/rules/Azure.AI.PrivateEndpoints.md b/docs/en/rules/Azure.AI.PrivateEndpoints.md index e0d5b5e3ca..6ceecc35d5 100644 --- a/docs/en/rules/Azure.AI.PrivateEndpoints.md +++ b/docs/en/rules/Azure.AI.PrivateEndpoints.md @@ -96,6 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 4](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level4) - [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks) - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts) 
diff --git a/docs/en/rules/Azure.AI.PublicAccess.md b/docs/en/rules/Azure.AI.PublicAccess.md index 21e1608ff9..efed36c8ca 100644 --- a/docs/en/rules/Azure.AI.PublicAccess.md +++ b/docs/en/rules/Azure.AI.PublicAccess.md @@ -96,6 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks) - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts) diff --git a/docs/en/rules/Azure.AKS.AuthorizedIPs.md b/docs/en/rules/Azure.AKS.AuthorizedIPs.md index 8784b9cc8d..11697ba731 100644 --- a/docs/en/rules/Azure.AKS.AuthorizedIPs.md +++ b/docs/en/rules/Azure.AKS.AuthorizedIPs.md @@ -200,6 +200,7 @@ Set-AzAksCluster -Name '' -ResourceGroupName '' -ApiServer ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges) - [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters) 
diff --git a/docs/en/rules/Azure.AKS.AutoUpgrade.md b/docs/en/rules/Azure.AKS.AutoUpgrade.md index b808d275e1..2abd006796 100644 --- a/docs/en/rules/Azure.AKS.AutoUpgrade.md +++ b/docs/en/rules/Azure.AKS.AutoUpgrade.md @@ -199,6 +199,7 @@ To address this issue at runtime use the following policies: ## LINKS - [OE:09 Task automation](https://learn.microsoft.com/azure/well-architected/operational-excellence/automate-tasks) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Supported Kubernetes versions in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions) - [Support policies for Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/support-policies) - [Automatically upgrade an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster) diff --git a/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md b/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md index 998dfa2970..eb36872e0e 100644 --- a/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md +++ b/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md @@ -247,6 +247,7 @@ Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview. ## LINKS - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Understand Azure Policy for Kubernetes clusters](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes) - [Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy](https://learn.microsoft.com/azure/aks/use-azure-policy) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters) diff --git a/docs/en/rules/Azure.AKS.AzureRBAC.md b/docs/en/rules/Azure.AKS.AzureRBAC.md index b879f40dfc..19f087db73 100644 
--- a/docs/en/rules/Azure.AKS.AzureRBAC.md +++ b/docs/en/rules/Azure.AKS.AzureRBAC.md @@ -189,6 +189,7 @@ az aks update -n '' -g '' --enable-azure-rbac ## LINKS - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Use Azure RBAC for Kubernetes Authorization](https://learn.microsoft.com/azure/aks/manage-azure-rbac) - [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters) diff --git a/docs/en/rules/Azure.AKS.DefenderProfile.md b/docs/en/rules/Azure.AKS.DefenderProfile.md index 6292a0fcc6..c07251b5ee 100644 --- a/docs/en/rules/Azure.AKS.DefenderProfile.md +++ b/docs/en/rules/Azure.AKS.DefenderProfile.md @@ -86,6 +86,7 @@ Outbound access so that the Defender profile can connect to Microsoft Defender f ## LINKS - [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction) - [Defender for Containers architecture](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-architecture?tabs=defender-for-container-arch-aks) - [Deploy the Defender profile](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-arm%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-profile) 
diff --git a/docs/en/rules/Azure.AKS.HttpAppRouting.md b/docs/en/rules/Azure.AKS.HttpAppRouting.md index 7e8efa240e..83800bbb5d 100644 --- a/docs/en/rules/Azure.AKS.HttpAppRouting.md +++ b/docs/en/rules/Azure.AKS.HttpAppRouting.md @@ -190,6 +190,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = { ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [HTTP application routing](https://learn.microsoft.com/azure/aks/http-application-routing) - [Migrate from HTTP application routing to the application routing add-on](https://learn.microsoft.com/azure/aks/app-routing-migration) - [What is Application Gateway for Containers?](https://learn.microsoft.com/azure/application-gateway/for-containers/overview) diff --git a/docs/en/rules/Azure.AKS.NetworkPolicy.md b/docs/en/rules/Azure.AKS.NetworkPolicy.md index 2819f00429..1a451a79e7 100644 --- a/docs/en/rules/Azure.AKS.NetworkPolicy.md +++ b/docs/en/rules/Azure.AKS.NetworkPolicy.md @@ -245,6 +245,7 @@ Existing AKS clusters must be redeployed to enable Network Policy. ## LINKS - [SE:04 Segmentation](https://learn.microsoft.com/azure/well-architected/security/segmentation) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline#ns-1-establish-network-segmentation-boundaries) - [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/use-network-policies) - [Best practices for network connectivity and security in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-network#control-traffic-flow-with-network-policies) 
diff --git a/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md b/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md index 418abaee45..e78adc4c22 100644 --- a/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md +++ b/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md @@ -225,6 +225,7 @@ It also helps you to identify such fixes shipped to a core add-on, and node imag ## LINKS - [SE:01-Security Baseline](https://learn.microsoft.com/azure/well-architected/security/establish-baseline) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Automatically upgrade AKS cluster node OS images](https://learn.microsoft.com/azure/aks/auto-upgrade-node-os-image?tabs=azure-cli) - [Upgrade Azure Kubernetes Service (AKS) node images](https://learn.microsoft.com/azure/aks/node-image-upgrade) - [Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/node-updates-kured) diff --git a/docs/en/rules/Azure.AKS.SecretStore.md b/docs/en/rules/Azure.AKS.SecretStore.md index 69e64ff672..b8111d6c4c 100644 --- a/docs/en/rules/Azure.AKS.SecretStore.md +++ b/docs/en/rules/Azure.AKS.SecretStore.md 
@@ -190,6 +190,7 @@ az aks enable-addons --addons azure-keyvault-secrets-provider -n '' -g '' -g '' ## LINKS - [Key and secret management considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Operational considerations](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations) - [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) - [Automate the rotation of a secret for resources that use one set of authentication credentials](https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation) diff --git a/docs/en/rules/Azure.AKS.UseRBAC.md b/docs/en/rules/Azure.AKS.UseRBAC.md index 8173e7450a..77a140edd3 100644 --- a/docs/en/rules/Azure.AKS.UseRBAC.md +++ b/docs/en/rules/Azure.AKS.UseRBAC.md @@ -29,6 +29,7 @@ Consider redeploying the AKS cluster with RBAC enabled. ## LINKS - [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-ad-integration) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization) - [Best practices for authentication and authorization in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-identity#use-azure-active-directory) - [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) diff --git a/docs/en/rules/Azure.APIM.DefenderCloud.md b/docs/en/rules/Azure.APIM.DefenderCloud.md index 4aa873b813..bb349f5c05 100644 --- a/docs/en/rules/Azure.APIM.DefenderCloud.md 
+++ b/docs/en/rules/Azure.APIM.DefenderCloud.md @@ -87,6 +87,7 @@ This rule may currently generate false positive results for APIs only hosted on ## LINKS - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction) - [Overview of Microsoft Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-introduction) - [Support and prerequisites for Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-prepare) diff --git a/docs/en/rules/Azure.APIM.EncryptValues.md b/docs/en/rules/Azure.APIM.EncryptValues.md index 9a3f330955..a05ad258b8 100644 --- a/docs/en/rules/Azure.APIM.EncryptValues.md +++ b/docs/en/rules/Azure.APIM.EncryptValues.md @@ -94,5 +94,6 @@ The identity needs permissions to get and list secrets from the Key Vault. Also ## LINKS - [Key storage](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage) +- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1) - [Prerequisites for key vault integration](https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal#prerequisites-for-key-vault-integration) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/namedvalues#keyvaultcontractcreatepropertiesorkeyvaultcontractpr) diff --git a/docs/en/rules/Azure.APIM.ProductApproval.md b/docs/en/rules/Azure.APIM.ProductApproval.md index a6ff9a5052..1574e0f7f6 100644 --- a/docs/en/rules/Azure.APIM.ProductApproval.md +++ b/docs/en/rules/Azure.APIM.ProductApproval.md 
@@ -98,6 +98,7 @@ resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = { ## LINKS - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#protect-nonidentity-based-secrets) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products) - [Subscriptions in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-subscriptions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/products) diff --git a/docs/en/rules/Azure.APIM.ProductSubscription.md b/docs/en/rules/Azure.APIM.ProductSubscription.md index c65a0ed4bc..ec89c3b08d 100644 --- a/docs/en/rules/Azure.APIM.ProductSubscription.md +++ b/docs/en/rules/Azure.APIM.ProductSubscription.md @@ -98,6 +98,7 @@ resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = { ## LINKS - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#protect-nonidentity-based-secrets) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products) - [Subscriptions in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-subscriptions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/products) diff --git a/docs/en/rules/Azure.APIM.SampleProducts.md b/docs/en/rules/Azure.APIM.SampleProducts.md index 251a99d418..11295a574e 100644 --- a/docs/en/rules/Azure.APIM.SampleProducts.md +++ b/docs/en/rules/Azure.APIM.SampleProducts.md 
@@ -35,4 +35,5 @@ This rule applies when analyzing API Management Services (in-flight) and running ## LINKS - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products) diff --git a/docs/en/rules/Azure.AppConfig.SecretLeak.md b/docs/en/rules/Azure.AppConfig.SecretLeak.md index ebb4325399..7e6d4b5ac1 100644 --- a/docs/en/rules/Azure.AppConfig.SecretLeak.md +++ b/docs/en/rules/Azure.AppConfig.SecretLeak.md @@ -111,6 +111,7 @@ For example: ## LINKS - [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets) +- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1) - [IM-8: Restrict the exposure of credential and secrets](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-app-configuration-security-baseline#im-8-restrict-the-exposure-of-credential-and-secrets) - [Use Key Vault references in an ASP.NET Core app](https://learn.microsoft.com/azure/azure-app-configuration/use-key-vault-references-dotnet-core) - [Reload secrets and certificates from Key Vault automatically](https://learn.microsoft.com/azure/azure-app-configuration/reload-key-vault-secrets-dotnet) diff --git a/docs/en/rules/Azure.AppGw.OWASP.md b/docs/en/rules/Azure.AppGw.OWASP.md index 4ca5337cbd..34600830c8 100644 --- a/docs/en/rules/Azure.AppGw.OWASP.md +++ b/docs/en/rules/Azure.AppGw.OWASP.md 
@@ -102,5 +102,6 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway ## LINKS - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [OWASP ModSecurity Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways) diff --git a/docs/en/rules/Azure.AppGw.Prevention.md b/docs/en/rules/Azure.AppGw.Prevention.md index 875437a4c9..05f3a940bf 100644 --- a/docs/en/rules/Azure.AppGw.Prevention.md +++ b/docs/en/rules/Azure.AppGw.Prevention.md @@ -108,5 +108,6 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway ## LINKS - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Application Gateway WAF modes](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview#waf-modes) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways) diff --git a/docs/en/rules/Azure.AppGw.UseWAF.md b/docs/en/rules/Azure.AppGw.UseWAF.md index 43e08161d3..b9e478e87c 100644 --- a/docs/en/rules/Azure.AppGw.UseWAF.md +++ b/docs/en/rules/Azure.AppGw.UseWAF.md 
@@ -103,6 +103,7 @@ $AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' - ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways) diff --git a/docs/en/rules/Azure.AppGw.WAFEnabled.md b/docs/en/rules/Azure.AppGw.WAFEnabled.md index 45b9716b5b..cf2e9c03c8 100644 --- a/docs/en/rules/Azure.AppGw.WAFEnabled.md +++ b/docs/en/rules/Azure.AppGw.WAFEnabled.md @@ -104,6 +104,7 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways) diff --git a/docs/en/rules/Azure.AppGw.WAFRules.md b/docs/en/rules/Azure.AppGw.WAFRules.md index 874ef7a248..0dc79d11f1 100644 --- a/docs/en/rules/Azure.AppGw.WAFRules.md +++ b/docs/en/rules/Azure.AppGw.WAFRules.md 
@@ -103,6 +103,7 @@ resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = { ## LINKS - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview) - [Web Application Firewall CRS rule groups and rules](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules) diff --git a/docs/en/rules/Azure.AppService.NETVersion.md b/docs/en/rules/Azure.AppService.NETVersion.md index e51baee8f4..7e747e708e 100644 --- a/docs/en/rules/Azure.AppService.NETVersion.md +++ b/docs/en/rules/Azure.AppService.NETVersion.md @@ -125,6 +125,7 @@ resource web 'Microsoft.Web/sites@2023-01-01' = { ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Configure ASP.NET](https://learn.microsoft.com/azure/app-service/configure-language-dotnet-framework) - [Configure an ASP.NET Core app for Azure App Service](https://learn.microsoft.com/azure/app-service/configure-language-dotnetcore) - [.NET Support Policy](https://dotnet.microsoft.com/platform/support/policy) diff --git a/docs/en/rules/Azure.AppService.NodeJsVersion.md b/docs/en/rules/Azure.AppService.NodeJsVersion.md index ac85d84134..6fd2ff71ee 100644 --- a/docs/en/rules/Azure.AppService.NodeJsVersion.md +++ b/docs/en/rules/Azure.AppService.NodeJsVersion.md 
@@ -160,6 +160,7 @@ resource windowsWeb 'Microsoft.Web/sites@2022-09-01' = { ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Upgrade your App Service apps to Node 20 LTS by 30 April 2025](https://azure.microsoft.com/updates/action-required-upgrade-your-app-service-apps-to-node-20-lts-by-30-april-2025/) - [Node.js on App Service](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md) - [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites) diff --git a/docs/en/rules/Azure.AppService.PHPVersion.md b/docs/en/rules/Azure.AppService.PHPVersion.md index d1e7b446ea..bbec90e88b 100644 --- a/docs/en/rules/Azure.AppService.PHPVersion.md +++ b/docs/en/rules/Azure.AppService.PHPVersion.md @@ -114,6 +114,7 @@ From November 2022 - PHP is only supported on Linux-based plans. ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Set PHP Version](https://learn.microsoft.com/azure/app-service/configure-language-php?pivots=platform-linux#set-php-version) - [PHP on App Service](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites) diff --git a/docs/en/rules/Azure.AppService.RemoteDebug.md b/docs/en/rules/Azure.AppService.RemoteDebug.md index 5c9b9da78f..64e58ea005 100644 --- a/docs/en/rules/Azure.AppService.RemoteDebug.md +++ b/docs/en/rules/Azure.AppService.RemoteDebug.md 
@@ -112,6 +112,7 @@ resource web 'Microsoft.Web/sites@2023-01-01' = {
 ## LINKS
 
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [PV-2: Audit and enforce secure configurations](https://learn.microsoft.com/security/benchmark/azure/baselines/app-service-security-baseline#pv-2-audit-and-enforce-secure-configurations)
 - [Configure general settings](https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)
diff --git a/docs/en/rules/Azure.Arc.Kubernetes.Defender.md b/docs/en/rules/Azure.Arc.Kubernetes.Defender.md
index 59c3bfe6c1..c837bf9fa6 100644
--- a/docs/en/rules/Azure.Arc.Kubernetes.Defender.md
+++ b/docs/en/rules/Azure.Arc.Kubernetes.Defender.md
@@ -108,6 +108,7 @@ resource defenderExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11
 ## LINKS
 
 - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Defender for Containers architecture](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-architecture)
 - [Enable Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc)
 - [LT-1: Enable threat detection capabilities](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-arc-enabled-kubernetes-security-baseline#lt-1-enable-threat-detection-capabilities)
diff --git a/docs/en/rules/Azure.Automation.EncryptVariables.md b/docs/en/rules/Azure.Automation.EncryptVariables.md
index 7269801c9b..d7cccc817f 100644
--- a/docs/en/rules/Azure.Automation.EncryptVariables.md
+++ b/docs/en/rules/Azure.Automation.EncryptVariables.md
@@ -32,3 +32,4 @@ Key Vault improves security by tightly controlling access to secrets and improvi
 ## LINKS
 
 - [Variable assets in Azure Automation](https://learn.microsoft.com/azure/automation/shared-resources/variables)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.Automation.WebHookExpiry.md b/docs/en/rules/Azure.Automation.WebHookExpiry.md
index c13f01a4fb..12c36b7b25 100644
--- a/docs/en/rules/Azure.Automation.WebHookExpiry.md
+++ b/docs/en/rules/Azure.Automation.WebHookExpiry.md
@@ -23,3 +23,7 @@ Do not create webhooks with an expiry time greater than 1 year (default).
 An expiry time of 1 year is the default for webhook creation.
 Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year.
 If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.
+
+## LINKS
+
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.BV.Immutable.md b/docs/en/rules/Azure.BV.Immutable.md
index e0e0145b11..aec0a9fbf0 100644
--- a/docs/en/rules/Azure.BV.Immutable.md
+++ b/docs/en/rules/Azure.BV.Immutable.md
@@ -85,6 +85,7 @@ For cases where you are creating and destroying backups and vaults on a regulary
 ## LINKS
 
 - [Security design principles](https://learn.microsoft.com/azure/well-architected/security/security-principles)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Immutable vault for Azure Backup](https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?tabs=backup-vault)
 - [Restricted operations](https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?tabs=backup-vault#restricted-operations)
 - [Manage Azure Backup Immutable vault operations](https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=backup-vault)
diff --git a/docs/en/rules/Azure.CDN.HTTP.md b/docs/en/rules/Azure.CDN.HTTP.md
index c7d9c0c37c..fbc7afa858 100644
--- a/docs/en/rules/Azure.CDN.HTTP.md
+++ b/docs/en/rules/Azure.CDN.HTTP.md
@@ -26,5 +26,6 @@ Consider disabling HTTP support on the CDN endpoint origin.
 ## LINKS
 
 - [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#encrypt-data-in-transit)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure HTTPS on an Azure CDN custom domain](https://learn.microsoft.com/azure/cdn/cdn-custom-ssl)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cdn/profiles/endpoints)
diff --git a/docs/en/rules/Azure.ContainerApp.ExternalIngress.md b/docs/en/rules/Azure.ContainerApp.ExternalIngress.md
index 026a6bf04b..c4e8144078 100644
--- a/docs/en/rules/Azure.ContainerApp.ExternalIngress.md
+++ b/docs/en/rules/Azure.ContainerApp.ExternalIngress.md
@@ -126,6 +126,7 @@ If you don't need external ingress, enable this rule by:
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [Ingress in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ingress-overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#ingress)
diff --git a/docs/en/rules/Azure.ContainerApp.PublicAccess.md b/docs/en/rules/Azure.ContainerApp.PublicAccess.md
index 02045b1bb6..cd06586551 100644
--- a/docs/en/rules/Azure.ContainerApp.PublicAccess.md
+++ b/docs/en/rules/Azure.ContainerApp.PublicAccess.md
@@ -116,6 +116,7 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/managedenvironments#vnetconfiguration)
diff --git a/docs/en/rules/Azure.ContainerApp.RestrictIngress.md b/docs/en/rules/Azure.ContainerApp.RestrictIngress.md
index ac6c5c6dbb..dd47bda585 100644
--- a/docs/en/rules/Azure.ContainerApp.RestrictIngress.md
+++ b/docs/en/rules/Azure.ContainerApp.RestrictIngress.md
@@ -152,6 +152,7 @@ If no rules are defined at all, the rule will not pass as it expects at least on
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline#ns-2-secure-cloud-services-with-network-controls)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [IP restrictions](https://learn.microsoft.com/azure/container-apps/ingress-overview#ip-restrictions)
diff --git a/docs/en/rules/Azure.Cosmos.DefenderCloud.md b/docs/en/rules/Azure.Cosmos.DefenderCloud.md
index 3af142eaf2..75fada3845 100644
--- a/docs/en/rules/Azure.Cosmos.DefenderCloud.md
+++ b/docs/en/rules/Azure.Cosmos.DefenderCloud.md
@@ -81,6 +81,7 @@ When Microsoft Defender for Cosmos DB is enabled at the subscription level, the
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/concept-defender-for-cosmos)
 - [Enable Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections)
diff --git a/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md b/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md
index 322ab9e177..46ca970677 100644
--- a/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md
+++ b/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md
@@ -106,6 +106,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Restrict user access to data operations in Azure Cosmos DB](https://learn.microsoft.com/azure/cosmos-db/how-to-restrict-user-data)
 - [Secure access to data in Azure Cosmos DB](https://learn.microsoft.com/azure/cosmos-db/secure-access-to-data)
 - [How does Azure Cosmos DB secure my database?](https://learn.microsoft.com/azure/cosmos-db/database-security#how-does-azure-cosmos-db-secure-my-database)
diff --git a/docs/en/rules/Azure.Cosmos.PublicAccess.md b/docs/en/rules/Azure.Cosmos.PublicAccess.md
index 04b088d904..639c532972 100644
--- a/docs/en/rules/Azure.Cosmos.PublicAccess.md
+++ b/docs/en/rules/Azure.Cosmos.PublicAccess.md
@@ -81,6 +81,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure Azure Private Link for an Azure Cosmos DB account](https://learn.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints)
 - [Azure security baseline for Azure Cosmos DB](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline#ns-2-secure-cloud-services-with-network-controls)
diff --git a/docs/en/rules/Azure.DNS.DNSSEC.md b/docs/en/rules/Azure.DNS.DNSSEC.md
index 9699af39f8..e1896aa730 100644
--- a/docs/en/rules/Azure.DNS.DNSSEC.md
+++ b/docs/en/rules/Azure.DNS.DNSSEC.md
@@ -81,6 +81,7 @@ This rule only applies to Azure Public DNS zones.
 ## LINKS
 
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [DNSSEC overview](https://learn.microsoft.com/azure/dns/dnssec)
 - [DNSSEC – What Is It and Why Is It Important?](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/dnszones/dnssecconfigs)
diff --git a/docs/en/rules/Azure.Databricks.PublicAccess.md b/docs/en/rules/Azure.Databricks.PublicAccess.md
index c1c3476a84..6255c6c025 100644
--- a/docs/en/rules/Azure.Databricks.PublicAccess.md
+++ b/docs/en/rules/Azure.Databricks.PublicAccess.md
@@ -84,6 +84,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Databricks WorkspaceProperties](https://learn.microsoft.com/azure/templates/Microsoft.Databricks/workspaces?pivots=deployment-language-bicep#:~:text=WorkspaceCustomParameters-,publicNetworkAccess,-The%20network%20access)
 - [Azure Databricks Private Link Overview](https://learn.microsoft.com/azure/databricks/security/network/classic/private-link)
 - [Network access](https://learn.microsoft.com/azure/databricks/security/network/)
diff --git a/docs/en/rules/Azure.Databricks.SecureConnectivity.md b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
index 36e449d30d..6575ec7d44 100644
--- a/docs/en/rules/Azure.Databricks.SecureConnectivity.md
+++ b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
@@ -92,6 +92,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure cluster connectivity (No Public IP / NPIP)](https://learn.microsoft.com/azure/databricks/security/network/secure-cluster-connectivity)
 - [Network access](https://learn.microsoft.com/azure/databricks/security/network/)
 - [Azure Databricks architecture overview](https://learn.microsoft.com/azure/databricks/getting-started/overview)
diff --git a/docs/en/rules/Azure.Defender.Api.md b/docs/en/rules/Azure.Defender.Api.md
index 723fdb4319..dcf181db40 100644
--- a/docs/en/rules/Azure.Defender.Api.md
+++ b/docs/en/rules/Azure.Defender.Api.md
@@ -107,6 +107,7 @@ Currently only REST APIs published in Azure API Management is supported. Not all
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-introduction)
 - [Support and prerequisites for Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-prepare)
diff --git a/docs/en/rules/Azure.Defender.AppServices.md b/docs/en/rules/Azure.Defender.AppServices.md
index bd3ec31507..9a22a3e36d 100644
--- a/docs/en/rules/Azure.Defender.AppServices.md
+++ b/docs/en/rules/Azure.Defender.AppServices.md
@@ -88,6 +88,7 @@ Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing applications and PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments)
 - [Introduction to Microsoft Defender for App Service](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction)
 - [App Service security best practices](https://learn.microsoft.com/azure/security/fundamentals/paas-applications-using-app-services)
diff --git a/docs/en/rules/Azure.Defender.Arm.md b/docs/en/rules/Azure.Defender.Arm.md
index e21cf0b7bd..3e2961e6b3 100644
--- a/docs/en/rules/Azure.Defender.Arm.md
+++ b/docs/en/rules/Azure.Defender.Arm.md
@@ -99,6 +99,7 @@ Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Resource Manager](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-resource-manager-introduction)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.Containers.md b/docs/en/rules/Azure.Defender.Containers.md
index 6036d7a716..be4c3f5afe 100644
--- a/docs/en/rules/Azure.Defender.Containers.md
+++ b/docs/en/rules/Azure.Defender.Containers.md
@@ -109,6 +109,7 @@ Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction)
 - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time)
 - [Azure security baseline for Container Registry](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline)
diff --git a/docs/en/rules/Azure.Defender.CosmosDb.md b/docs/en/rules/Azure.Defender.CosmosDb.md
index 7f0cfab001..a9afb71627 100644
--- a/docs/en/rules/Azure.Defender.CosmosDb.md
+++ b/docs/en/rules/Azure.Defender.CosmosDb.md
@@ -99,6 +99,7 @@ Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/concept-defender-for-cosmos)
 - [Enable Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections)
diff --git a/docs/en/rules/Azure.Defender.Cspm.md b/docs/en/rules/Azure.Defender.Cspm.md
index c25071bf93..f6555e303b 100644
--- a/docs/en/rules/Azure.Defender.Cspm.md
+++ b/docs/en/rules/Azure.Defender.Cspm.md
@@ -97,6 +97,7 @@ Set-AzSecurityPricing -Name 'CloudPosture' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Cloud Security Posture Management (CSPM)](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.Dns.md b/docs/en/rules/Azure.Defender.Dns.md
index d6b7af2358..0f94dba26c 100644
--- a/docs/en/rules/Azure.Defender.Dns.md
+++ b/docs/en/rules/Azure.Defender.Dns.md
@@ -98,6 +98,7 @@ Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for DNS](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.KeyVault.md b/docs/en/rules/Azure.Defender.KeyVault.md
index 7660554767..b0206f5300 100644
--- a/docs/en/rules/Azure.Defender.KeyVault.md
+++ b/docs/en/rules/Azure.Defender.KeyVault.md
@@ -97,6 +97,7 @@ Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Key Vault](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.OssRdb.md b/docs/en/rules/Azure.Defender.OssRdb.md
index 34e8664c14..68b3381380 100644
--- a/docs/en/rules/Azure.Defender.OssRdb.md
+++ b/docs/en/rules/Azure.Defender.OssRdb.md
@@ -103,6 +103,7 @@ Microsoft Defender for open-source relational databases is currently available o
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-introduction)
 - [Enable Defender for OSS RDBs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage)
diff --git a/docs/en/rules/Azure.Defender.SQL.md b/docs/en/rules/Azure.Defender.SQL.md
index 3675dd2714..d7e18fd3ad 100644
--- a/docs/en/rules/Azure.Defender.SQL.md
+++ b/docs/en/rules/Azure.Defender.SQL.md
@@ -97,6 +97,7 @@ Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure SQL Database and security](https://learn.microsoft.com/azure/architecture/framework/services/data/azure-sql-database-well-architected-framework#azure-sql-database-and-security)
 - [Introduction to Microsoft Defender for SQL](https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql)
 - [Azure security baseline for Azure SQL](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-sql-security-baseline)
diff --git a/docs/en/rules/Azure.Defender.SQLOnVM.md b/docs/en/rules/Azure.Defender.SQLOnVM.md
index 6a4673172f..bb4d25ea42 100644
--- a/docs/en/rules/Azure.Defender.SQLOnVM.md
+++ b/docs/en/rules/Azure.Defender.SQLOnVM.md
@@ -83,6 +83,7 @@ Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for SQL Servers on machines](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-sql-usage)
 - [Security considerations for SQL Server on Azure Virtual Machines](https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/security-considerations-best-practices?view=azuresql)
 - [Azure Security Benchmark - Data protection](https://learn.microsoft.com/security/benchmark/azure/security-controls-v2-data-protection)
diff --git a/docs/en/rules/Azure.Defender.SecurityContact.md b/docs/en/rules/Azure.Defender.SecurityContact.md
index 186b50b3c4..07a95dbea5 100644
--- a/docs/en/rules/Azure.Defender.SecurityContact.md
+++ b/docs/en/rules/Azure.Defender.SecurityContact.md
@@ -106,5 +106,6 @@ az security contact update -n 'default' --emails 'security@contoso.com'
 ## LINKS
 
 - [SE:12 Incident response](https://learn.microsoft.com/azure/well-architected/security/incident-response)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Quickstart: Configure email notifications for security alerts](https://learn.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.security/securitycontacts)
diff --git a/docs/en/rules/Azure.Defender.Servers.md b/docs/en/rules/Azure.Defender.Servers.md
index cd9785d32a..3645f89c86 100644
--- a/docs/en/rules/Azure.Defender.Servers.md
+++ b/docs/en/rules/Azure.Defender.Servers.md
@@ -87,6 +87,7 @@ Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction)
 - [Azure Monitor agent auto-provisioning](https://learn.microsoft.com/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.security/pricings)
diff --git a/docs/en/rules/Azure.Defender.Storage.DataScan.md b/docs/en/rules/Azure.Defender.Storage.DataScan.md
index 9766e455b3..73d4ea3e2a 100644
--- a/docs/en/rules/Azure.Defender.Storage.DataScan.md
+++ b/docs/en/rules/Azure.Defender.Storage.DataScan.md
@@ -125,6 +125,7 @@ See limitations for more information.
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Sensitive data threat detection in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-data-sensitivity)
 - [Support and prerequisites for data-aware security posture](https://learn.microsoft.com/azure/defender-for-cloud/concept-data-security-posture-prepare)
diff --git a/docs/en/rules/Azure.Defender.Storage.MalwareScan.md b/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
index cf7559c9be..6fe45ecc3e 100644
--- a/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
+++ b/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
@@ -131,6 +131,7 @@ See limitations for more information.
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Malware Scanning in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan)
 - [Limitations](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations)
diff --git a/docs/en/rules/Azure.Defender.Storage.md b/docs/en/rules/Azure.Defender.Storage.md
index 565ee1da63..e1b94da373 100644
--- a/docs/en/rules/Azure.Defender.Storage.md
+++ b/docs/en/rules/Azure.Defender.Storage.md
@@ -126,6 +126,7 @@ Currently only the `Blob Storage`, `Azure Files` and `Azure Data Lake Storage Ge
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Storage security guide](https://learn.microsoft.com/azure/storage/blobs/security-recommendations)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction)
diff --git a/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md b/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md
index 56f8b5c574..22870d87ed 100644
--- a/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md
+++ b/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md
@@ -33,5 +33,6 @@ This rule checks for active security alerts in-flight in a subscription that are
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Manage and respond to security alerts](https://learn.microsoft.com/azure/defender-for-cloud/managing-and-responding-alerts)
 - [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
diff --git a/docs/en/rules/Azure.DefenderCloud.Provisioning.md b/docs/en/rules/Azure.DefenderCloud.Provisioning.md
index 6945281ece..be6cb22b24 100644
--- a/docs/en/rules/Azure.DefenderCloud.Provisioning.md
+++ b/docs/en/rules/Azure.DefenderCloud.Provisioning.md
@@ -32,3 +32,4 @@ This rule applies when analyzing resources deployed (in-flight) to Azure.
 ## LINKS
 
 - [Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.Deployment.AdminUsername.md b/docs/en/rules/Azure.Deployment.AdminUsername.md
index f795766767..cbd64e6e4d 100644
--- a/docs/en/rules/Azure.Deployment.AdminUsername.md
+++ b/docs/en/rules/Azure.Deployment.AdminUsername.md
@@ -166,5 +166,6 @@ By default, the following values are used:
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
diff --git a/docs/en/rules/Azure.Deployment.OuterSecret.md b/docs/en/rules/Azure.Deployment.OuterSecret.md
index c9fb947ab7..bd7638a71b 100644
--- a/docs/en/rules/Azure.Deployment.OuterSecret.md
+++ b/docs/en/rules/Azure.Deployment.OuterSecret.md
@@ -95,5 +95,6 @@ If you use the `module` keyword your deployments always use the `inner` evaluati
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.resources/deployments?pivots=deployment-language-bicep)
 - [Deployment Function Scopes](https://learn.microsoft.com/azure/azure-resource-manager/templates/scope-functions?tabs=azure-powershell#function-resolution-in-scopes)
diff --git a/docs/en/rules/Azure.Deployment.OutputSecretValue.md b/docs/en/rules/Azure.Deployment.OutputSecretValue.md
index 6470409c94..88ffc2d2c5 100644
--- a/docs/en/rules/Azure.Deployment.OutputSecretValue.md
+++ b/docs/en/rules/Azure.Deployment.OutputSecretValue.md
@@ -109,6 +109,7 @@ When using Bicep, the built-in linter will also automatically check for common c
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure outputs in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/outputs#secure-outputs)
 - [Test cases for ARM templates](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-test-cases#outputs-cant-include-secrets)
 - [Outputs should not contain secrets](https://learn.microsoft.com/azure/azure-resource-manager/bicep/linter-rule-outputs-should-not-contain-secrets)
diff --git a/docs/en/rules/Azure.Deployment.SecretLeak.md b/docs/en/rules/Azure.Deployment.SecretLeak.md
index f040f2e7c9..66e7f12c54 100644
--- a/docs/en/rules/Azure.Deployment.SecretLeak.md
+++ b/docs/en/rules/Azure.Deployment.SecretLeak.md
@@ -98,6 +98,7 @@ Sensitive values detected include:
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure parameters](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
diff --git a/docs/en/rules/Azure.Deployment.SecureParameter.md b/docs/en/rules/Azure.Deployment.SecureParameter.md
index 904f133d49..279d959b2b 100644
--- a/docs/en/rules/Azure.Deployment.SecureParameter.md
+++ b/docs/en/rules/Azure.Deployment.SecureParameter.md
@@ -134,6 +134,7 @@ To override this rule:
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure parameters](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
diff --git a/docs/en/rules/Azure.Deployment.SecureValue.md b/docs/en/rules/Azure.Deployment.SecureValue.md
index 93b4eef0a1..2c49dbc034 100644
--- a/docs/en/rules/Azure.Deployment.SecureValue.md
+++ b/docs/en/rules/Azure.Deployment.SecureValue.md
@@ -98,6 +98,7 @@ If you find properties that are missing, please let us know by logging an issue
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure parameters](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
diff --git a/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md b/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md
index 965a83cefd..3761537e65 100644
--- a/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md
+++ b/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md
@@ -79,5 +79,6 @@ For example:
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Private Endpoints](https://learn.microsoft.com/azure/event-grid/network-security#private-endpoints)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.eventgrid/topics)
diff --git a/docs/en/rules/Azure.EventHub.Firewall.md b/docs/en/rules/Azure.EventHub.Firewall.md
index 5252d18ea9..7015a6cbb4 100644
--- a/docs/en/rules/Azure.EventHub.Firewall.md
+++ b/docs/en/rules/Azure.EventHub.Firewall.md
@@ -96,6 +96,7 @@ The firewall feature isn't supported in the `basic` tier.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure security baseline for Event Hub](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline)
 - [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline#ns-1-establish-network-segmentation-boundaries)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline#ns-1-establish-network-segmentation-boundaries)
diff --git a/docs/en/rules/Azure.Firewall.PolicyMode.md b/docs/en/rules/Azure.Firewall.PolicyMode.md
index 958423b7f7..11870e059d 100644
--- a/docs/en/rules/Azure.Firewall.PolicyMode.md
+++ b/docs/en/rules/Azure.Firewall.PolicyMode.md
@@ -83,6 +83,7 @@ In order to take advantage of URL filtering with `HTTPS` traffic included in thr
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-firewall-security-baseline#ns-1-establish-network-segmentation-boundaries)
 - [Azure Firewall threat intelligence-based filtering](https://learn.microsoft.com/azure/firewall/threat-intel)
 - [Rule processing logic](https://learn.microsoft.com/azure/firewall/rule-processing#threat-intelligence)
diff --git a/docs/en/rules/Azure.FrontDoor.Logs.md b/docs/en/rules/Azure.FrontDoor.Logs.md
index 2508fe23f8..da8e4e2605 100644
--- a/docs/en/rules/Azure.FrontDoor.Logs.md
+++ b/docs/en/rules/Azure.FrontDoor.Logs.md
@@ -173,6 +173,7 @@ This rule applies to Azure Front Door Premium/ Standard/ Classic profiles.
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [LT-4: Enable logging for security investigation](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-front-door-security-baseline#lt-4-enable-logging-for-security-investigation)
 - [Monitor metrics and logs in Azure Front Door](https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-standard-premium)
 - [Monitor metrics and logs in Azure Front Door Classic](https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-classic)
diff --git a/docs/en/rules/Azure.FrontDoor.UseWAF.md b/docs/en/rules/Azure.FrontDoor.UseWAF.md
index b3c9ad645d..b281081290 100644
--- a/docs/en/rules/Azure.FrontDoor.UseWAF.md
+++ b/docs/en/rules/Azure.FrontDoor.UseWAF.md
@@ -25,6 +25,7 @@ Consider enabling a WAF policy on each Front Door endpoint.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
 - [Azure Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors/frontendendpoints)
diff --git a/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md b/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md
index 03bb1994c8..7a5e0c681b 100644
--- a/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md
+++ b/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md
@@ -27,6 +27,7 @@ Consider enabling WAF policy.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
 - [Policy settings for Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-state)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies)
diff --git a/docs/en/rules/Azure.FrontDoor.WAF.Mode.md b/docs/en/rules/Azure.FrontDoor.WAF.Mode.md
index e63c4d879c..21cdcd0c77 100644
--- a/docs/en/rules/Azure.FrontDoor.WAF.Mode.md
+++ b/docs/en/rules/Azure.FrontDoor.WAF.Mode.md
@@ -31,6 +31,7 @@ Consider setting Front Door WAF policy to use protection mode.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
 - [Policy settings for Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-mode)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies)
diff --git a/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md b/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md
index edfe14390f..fe923ef0f4 100644
--- a/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md
+++ b/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md
@@ -167,4 +167,5 @@ For example:
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/Microsoft.VirtualMachineImages/imageTemplates)
diff --git a/docs/en/rules/Azure.ImageBuilder.ValidateHash.md b/docs/en/rules/Azure.ImageBuilder.ValidateHash.md
index 38d939e13a..c606fcaf9f 100644
--- a/docs/en/rules/Azure.ImageBuilder.ValidateHash.md
+++ b/docs/en/rules/Azure.ImageBuilder.ValidateHash.md
@@ -167,4 +167,5 @@ For example:
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/Microsoft.VirtualMachineImages/imageTemplates)
diff --git a/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md b/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md
index e4765bba3d..8ec3c6ac27 100644
--- a/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md
+++ b/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md
@@ -132,6 +132,7 @@ This rule only applies to pre-flight validation of Azure templates and Bicep fil
 ## LINKS
 - [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/security-controls-v3-identity-management#im-3-manage-application-identities-securely-and-automatically)
 - [Configure cryptographic key auto-rotation in Azure Key Vault](https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults/keys)
diff --git a/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md b/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md
index 421aaf8c8a..ddd7c82b53 100644
--- a/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md
+++ b/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md
@@ -102,5 +102,6 @@ This rule currently only applies to Logic Apps using consumption plans.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure access and data in Azure Logic Apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-securing-a-logic-app)
 - [Azure security baseline for Logic Apps](https://learn.microsoft.com/azure/logic-apps/security-baseline#network-security)
diff --git a/docs/en/rules/Azure.ML.ComputeVnet.md b/docs/en/rules/Azure.ML.ComputeVnet.md
index 5531a673e5..5772cf6d81 100644
--- a/docs/en/rules/Azure.ML.ComputeVnet.md
+++ b/docs/en/rules/Azure.ML.ComputeVnet.md
@@ -90,6 +90,7 @@ resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes
 ## LINKS
 - [WAF - Azure services for securing network connectivity](https://learn.microsoft.com/azure/well-architected/security/design-network-connectivity)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Managed compute in a managed virtual network](https://learn.microsoft.com/azure/machine-learning/how-to-managed-network-compute)
 - [ML - Network security and isolation](https://learn.microsoft.com/azure/machine-learning/concept-enterprise-security#network-security-and-isolation)
 - [ML Compute](https://learn.microsoft.com/azure/machine-learning/azure-machine-learning-glossary#compute)
diff --git a/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md b/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md
index 6f227052b6..59b0e665aa 100644
--- a/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md
+++ b/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md
@@ -122,5 +122,6 @@ resource mariaDbServerFirewallRule 'Microsoft.DBforMariaDB/servers/firewallRules
 ## LINKS
 - [Network security and containment](https://learn.microsoft.com/azure/architecture/framework/security/design-network)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Database for MariaDB firewall rules](https://learn.microsoft.com/azure/mariadb/concepts-firewall-rules#connecting-from-azure)
 - [Template reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/firewallrules)
diff --git a/docs/en/rules/Azure.MariaDB.DefenderCloud.md b/docs/en/rules/Azure.MariaDB.DefenderCloud.md
index f83f0c69f7..c31c6aab46 100644
--- a/docs/en/rules/Azure.MariaDB.DefenderCloud.md
+++ b/docs/en/rules/Azure.MariaDB.DefenderCloud.md
@@ -125,5 +125,6 @@ resource mariaDbDefender 'Microsoft.DBforMariaDB/servers/securityAlertPolicies@2
 ## LINKS
 - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Enable Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/securityalertpolicies)
diff --git a/docs/en/rules/Azure.MariaDB.FirewallIPRange.md b/docs/en/rules/Azure.MariaDB.FirewallIPRange.md
index 5561a0a645..34aa254fdc 100644
--- a/docs/en/rules/Azure.MariaDB.FirewallIPRange.md
+++ b/docs/en/rules/Azure.MariaDB.FirewallIPRange.md
@@ -31,6 +31,7 @@ This rule fails when the number of configured public IP addresses exceeds ten (1
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Database for MariaDB server firewall rules](https://learn.microsoft.com/azure/mariadb/concepts-firewall-rules)
 - [Create and manage Azure Database for MariaDB firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mariadb/howto-manage-firewall-portal)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/firewallrules)
diff --git a/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md b/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md
index 21bafd1695..3111c8ded9 100644
--- a/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md
+++ b/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md
@@ -31,6 +31,7 @@ This rule fails when the number of configured firewall rules exceeds ten (10).
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Database for MariaDB server firewall rules](https://learn.microsoft.com/azure/mariadb/concepts-firewall-rules)
 - [Create and manage Azure Database for MariaDB firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mariadb/howto-manage-firewall-portal)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/firewallrules)
diff --git a/docs/en/rules/Azure.MySQL.AllowAzureAccess.md b/docs/en/rules/Azure.MySQL.AllowAzureAccess.md
index 4a869b1878..1c88e43c4b 100644
--- a/docs/en/rules/Azure.MySQL.AllowAzureAccess.md
+++ b/docs/en/rules/Azure.MySQL.AllowAzureAccess.md
@@ -34,5 +34,6 @@ This rule is only applicable for the Azure Database for MySQL Single Server depl
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Database for MySQL server firewall rules](https://learn.microsoft.com/azure/mysql/concepts-firewall-rules#connecting-from-azure)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers)
diff --git a/docs/en/rules/Azure.MySQL.DefenderCloud.md b/docs/en/rules/Azure.MySQL.DefenderCloud.md
index 901f1be38f..1e2e2becd3 100644
--- a/docs/en/rules/Azure.MySQL.DefenderCloud.md
+++ b/docs/en/rules/Azure.MySQL.DefenderCloud.md
@@ -131,5 +131,6 @@ Azure Database for MySQL Flexible Server deployment model does not currently sup
 ## LINKS
 - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Enable Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers/securityalertpolicies)
diff --git a/docs/en/rules/Azure.MySQL.FirewallIPRange.md b/docs/en/rules/Azure.MySQL.FirewallIPRange.md
index 9da7d16c19..e8d26cd47a 100644
--- a/docs/en/rules/Azure.MySQL.FirewallIPRange.md
+++ b/docs/en/rules/Azure.MySQL.FirewallIPRange.md
@@ -30,6 +30,7 @@ This rule is only applicable for the Azure Database for MySQL Single Server depl
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Create and manage Azure Database for MySQL firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-firewall-using-portal)
 - [Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-vnet-using-portal)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers)
diff --git a/docs/en/rules/Azure.MySQL.FirewallRuleCount.md b/docs/en/rules/Azure.MySQL.FirewallRuleCount.md
index 90fbd301e3..0bce4ec6db 100644
--- a/docs/en/rules/Azure.MySQL.FirewallRuleCount.md
+++ b/docs/en/rules/Azure.MySQL.FirewallRuleCount.md
@@ -32,6 +32,7 @@ This rule fails when the number of configured firewall rules exceeds ten (10).
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Create and manage Azure Database for MySQL firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-firewall-using-portal)
 - [Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-vnet-using-portal)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers)
diff --git a/docs/en/rules/Azure.NSG.AnyInboundSource.md b/docs/en/rules/Azure.NSG.AnyInboundSource.md
index 3dbe279c18..7866c27be8 100644
--- a/docs/en/rules/Azure.NSG.AnyInboundSource.md
+++ b/docs/en/rules/Azure.NSG.AnyInboundSource.md
@@ -221,6 +221,7 @@ resource asg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Network Security Groups](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview)
 - [Service Tags Overview](https://learn.microsoft.com/azure/virtual-network/service-tags-overview)
 - [Logically segment subnets](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices#logically-segment-subnets)
diff --git a/docs/en/rules/Azure.NSG.LateralTraversal.md b/docs/en/rules/Azure.NSG.LateralTraversal.md
index 9cd41cbd69..937334c1c2 100644
--- a/docs/en/rules/Azure.NSG.LateralTraversal.md
+++ b/docs/en/rules/Azure.NSG.LateralTraversal.md
@@ -121,6 +121,7 @@ To suppress this rule for NSGs protecting subnets expected to allow outbound man
 ## LINKS
 - [SE:04 Segmentation](https://learn.microsoft.com/azure/well-architected/security/segmentation)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Logically segment subnets](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices#logically-segment-subnets)
 - [Plan virtual networks](https://learn.microsoft.com/azure/virtual-network/virtual-network-vnet-plan-design-arm#segmentation)
 - [Network security groups](https://learn.microsoft.com/azure/virtual-network/security-overview)
diff --git a/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md b/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md
index 3e3b008914..48f5aaba21 100644
--- a/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md
+++ b/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md
@@ -30,4 +30,5 @@ Determine if access from Azure services is required for the services connecting
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Firewall rules in Azure Database for PostgreSQL](https://learn.microsoft.com/azure/postgresql/concepts-firewall-rules#connecting-from-azure)
diff --git a/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md b/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md
index 5743aaa439..498a19bdbe 100644
--- a/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md
+++ b/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md
@@ -131,5 +131,6 @@ Azure Database for PostgreSQL Flexible Server deployment model does not currentl
 ## LINKS
 - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Enable Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers/securityalertpolicies)
diff --git a/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md b/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md
index 4fd5c6a97e..5ec9ad18e6 100644
--- a/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md
+++ b/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md
@@ -25,5 +25,6 @@ The PostgreSQL server has greater then ten (10) public IP addresses that are per
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Firewall rules in Azure Database for PostgreSQL - Single Server](https://learn.microsoft.com/azure/postgresql/concepts-firewall-rules)
 - [Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal](https://learn.microsoft.com/azure/postgresql/howto-manage-firewall-using-portal)
diff --git a/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md b/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md
index 49215dfa5e..f86de10e30 100644
--- a/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md
+++ b/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md
@@ -26,5 +26,6 @@ Some rules may not be needed.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Firewall rules in Azure Database for PostgreSQL - Single Server](https://learn.microsoft.com/azure/postgresql/concepts-firewall-rules)
 - [Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal](https://learn.microsoft.com/azure/postgresql/howto-manage-firewall-using-portal)
diff --git a/docs/en/rules/Azure.RBAC.CoAdministrator.md b/docs/en/rules/Azure.RBAC.CoAdministrator.md
index e05788c808..7ef1056322 100644
--- a/docs/en/rules/Azure.RBAC.CoAdministrator.md
+++ b/docs/en/rules/Azure.RBAC.CoAdministrator.md
@@ -28,5 +28,6 @@ Limit delegation of Co-administrator roles only to subscription that contain res
 ## LINKS
 - [Azure classic subscription administrators](https://learn.microsoft.com/azure/role-based-access-control/classic-administrators)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles](https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles)
 - [What is Azure AD Privileged Identity Management?](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
diff --git a/docs/en/rules/Azure.RBAC.LimitMGDelegation.md b/docs/en/rules/Azure.RBAC.LimitMGDelegation.md
index f0d5efd947..1a7e8af7d1 100644
--- a/docs/en/rules/Azure.RBAC.LimitMGDelegation.md
+++ b/docs/en/rules/Azure.RBAC.LimitMGDelegation.md
@@ -24,3 +24,7 @@ Consider limiting the number of assignment inherited from Management Groups by s
 Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.
+
+## LINKS
+
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.RBAC.LimitOwner.md b/docs/en/rules/Azure.RBAC.LimitOwner.md
index 704f94dcf0..f718928e20 100644
--- a/docs/en/rules/Azure.RBAC.LimitOwner.md
+++ b/docs/en/rules/Azure.RBAC.LimitOwner.md
@@ -30,4 +30,5 @@ Consider limiting the number of subscription Owners by using a more specific rol
 ## LINKS
 - [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Limit the number of subscription owners](https://learn.microsoft.com/azure/role-based-access-control/best-practices#limit-the-number-of-subscription-owners)
diff --git a/docs/en/rules/Azure.RBAC.PIM.md b/docs/en/rules/Azure.RBAC.PIM.md
index 19e4cd5555..3795bbcbfc 100644
--- a/docs/en/rules/Azure.RBAC.PIM.md
+++ b/docs/en/rules/Azure.RBAC.PIM.md
@@ -27,6 +27,7 @@ Consider using Privileged Identity Management (PIM) to activate privileged roles
 ## LINKS
 - [What is Azure AD Privileged Identity Management?](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Discover Azure resources to manage in Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources)
 - [Configure Azure resource role settings in Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings)
 - [Lower exposure of privileged accounts](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#lower-exposure-of-privileged-accounts)
diff --git a/docs/en/rules/Azure.RBAC.UseGroups.md b/docs/en/rules/Azure.RBAC.UseGroups.md
index 87da9c2513..0a63670e1d 100644
--- a/docs/en/rules/Azure.RBAC.UseGroups.md
+++ b/docs/en/rules/Azure.RBAC.UseGroups.md
@@ -24,4 +24,5 @@ Consider using groups for assigning permissions instead of individual user accou
 ## LINKS
 - [Avoid granular and custom permissions](https://learn.microsoft.com/azure/architecture/framework/security/design-admins#avoid-granular-and-custom-permissions)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
diff --git a/docs/en/rules/Azure.RBAC.UseRGDelegation.md b/docs/en/rules/Azure.RBAC.UseRGDelegation.md
index 544ba33f23..073af5eab6 100644
--- a/docs/en/rules/Azure.RBAC.UseRGDelegation.md
+++ b/docs/en/rules/Azure.RBAC.UseRGDelegation.md
@@ -25,5 +25,6 @@ Consider using RBAC assignments on resource groups instead of individual resourc
 ## LINKS
 - [Avoid granular and custom permissions](https://learn.microsoft.com/azure/architecture/framework/security/design-admins#avoid-granular-and-custom-permissions)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
 - [Best practices for Azure RBAC](https://learn.microsoft.com/azure/role-based-access-control/best-practices)
diff --git a/docs/en/rules/Azure.Redis.FirewallIPRange.md b/docs/en/rules/Azure.Redis.FirewallIPRange.md
index ced9d59c6e..0c8f8897ee 100644
--- a/docs/en/rules/Azure.Redis.FirewallIPRange.md
+++ b/docs/en/rules/Azure.Redis.FirewallIPRange.md
@@ -87,6 +87,7 @@ Firewall rules can be used with VNET injected caches, but not private endpoints.
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure best practices for network security](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices)
 - [Azure Cache for Redis network isolation options](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation)
 - [Limitations of firewall rules](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation#limitations-of-firewall-rules)
diff --git a/docs/en/rules/Azure.Redis.FirewallRuleCount.md b/docs/en/rules/Azure.Redis.FirewallRuleCount.md
index a8ee398757..fc02e48b3f 100644
--- a/docs/en/rules/Azure.Redis.FirewallRuleCount.md
+++ b/docs/en/rules/Azure.Redis.FirewallRuleCount.md
@@ -89,6 +89,7 @@ Firewall rules can be used with VNet injected caches, but not private endpoints.
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure best practices for network security](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices)
 - [Azure Cache for Redis network isolation options](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation)
 - [Limitations of firewall rules](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation#limitations-of-firewall-rules)
diff --git a/docs/en/rules/Azure.Redis.PublicNetworkAccess.md b/docs/en/rules/Azure.Redis.PublicNetworkAccess.md
index 3780226e93..8f6f0cc12a 100644
--- a/docs/en/rules/Azure.Redis.PublicNetworkAccess.md
+++ b/docs/en/rules/Azure.Redis.PublicNetworkAccess.md
@@ -114,6 +114,7 @@ For example:
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Cache for Redis with Azure Private Link](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-private-link)
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
 - [Migrate from VNet injection caches to Private Link caches](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-vnet-migration)
diff --git a/docs/en/rules/Azure.SQL.AllowAzureAccess.md b/docs/en/rules/Azure.SQL.AllowAzureAccess.md
index b93a2c6681..39beaea741 100644
--- a/docs/en/rules/Azure.SQL.AllowAzureAccess.md
+++ b/docs/en/rules/Azure.SQL.AllowAzureAccess.md
@@ -33,5 +33,6 @@ Determine if access from Azure services is required for the services connecting
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Connections from inside Azure](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql#connections-from-inside-azure)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
diff --git a/docs/en/rules/Azure.SQL.Auditing.md b/docs/en/rules/Azure.SQL.Auditing.md
index 78ccc9e64a..b4926f95a9 100644
--- a/docs/en/rules/Azure.SQL.Auditing.md
+++ b/docs/en/rules/Azure.SQL.Auditing.md
@@ -138,6 +138,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [LT-3: Enable logging for security investigation](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-sql-security-baseline#logging-and-threat-detection)
 - [Auditing for Azure SQL Database and Azure Synapse Analytics](https://learn.microsoft.com/azure/azure-sql/database/auditing-overview)
 - [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
diff --git a/docs/en/rules/Azure.SQL.DefenderCloud.md b/docs/en/rules/Azure.SQL.DefenderCloud.md
index 3fe79166d4..8f6c9adf69 100644
--- a/docs/en/rules/Azure.SQL.DefenderCloud.md
+++ b/docs/en/rules/Azure.SQL.DefenderCloud.md
@@ -70,6 +70,7 @@ Set-AzSqlDatabaseThreatDetectionPolicy -ResourceGroupName '' -Se
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [SQL Advanced Threat Protection](https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview)
 - [Microsoft Defender for SQL](https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/securityalertpolicies)
diff --git a/docs/en/rules/Azure.SQL.FirewallIPRange.md b/docs/en/rules/Azure.SQL.FirewallIPRange.md
index e515851dc3..38b8241d2b 100644
--- a/docs/en/rules/Azure.SQL.FirewallIPRange.md
+++ b/docs/en/rules/Azure.SQL.FirewallIPRange.md
@@ -36,6 +36,7 @@ This rule assesses the combined IP addresses from each Allowed IP firewall entry
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure SQL Database and Azure Synapse IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql)
 - [Create and manage IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql#create-and-manage-ip-firewall-rules)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/firewallrules)
diff --git a/docs/en/rules/Azure.SQL.FirewallRuleCount.md b/docs/en/rules/Azure.SQL.FirewallRuleCount.md
index 735b024c14..f495984618 100644
--- a/docs/en/rules/Azure.SQL.FirewallRuleCount.md
+++ b/docs/en/rules/Azure.SQL.FirewallRuleCount.md
@@ -26,6 +26,7 @@ Some rules may not be needed.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure SQL Database and Azure Synapse IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql)
 - [Create and manage IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql#create-and-manage-ip-firewall-rules)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/firewallrules)
diff --git a/docs/en/rules/Azure.SQL.VAScan.md b/docs/en/rules/Azure.SQL.VAScan.md
index 3a4348424d..0cdeea71b4 100644
--- a/docs/en/rules/Azure.SQL.VAScan.md
+++ b/docs/en/rules/Azure.SQL.VAScan.md
@@ -82,6 +82,7 @@ The Classic configuration option is enabled by deploying the `Microsoft.Sql/serv
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [SQL vulnerability assessment helps you identify database vulnerabilities](https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview)
 - [What's the difference between the express and classic configuration?](https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview#whats-the-difference-between-the-express-and-classic-configuration)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
diff --git a/docs/en/rules/Azure.Storage.BlobAccessType.md b/docs/en/rules/Azure.Storage.BlobAccessType.md
index 3d60954e68..b3cd4a9ab7 100644
--- a/docs/en/rules/Azure.Storage.BlobAccessType.md
+++ b/docs/en/rules/Azure.Storage.BlobAccessType.md
@@ -75,6 +75,7 @@ resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@20
 ## LINKS
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Use Microsoft Entra ID for storage authentication](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#use-microsoft-entra-id-for-storage-authentication)
 - [Configure anonymous read access for containers and blobs](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure)
 - [Remediate anonymous read access to blob data](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent)
diff --git a/docs/en/rules/Azure.Storage.Defender.DataScan.md b/docs/en/rules/Azure.Storage.Defender.DataScan.md
index 54e5e4c6c8..7cb435f2ac 100644
--- a/docs/en/rules/Azure.Storage.Defender.DataScan.md
+++ b/docs/en/rules/Azure.Storage.Defender.DataScan.md
@@ -115,6 +115,7 @@ The following limitations currently apply for Microsoft Defender for Storage:
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Sensitive data threat detection in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-data-sensitivity)
 - [Support and prerequisites for data-aware security posture](https://learn.microsoft.com/azure/defender-for-cloud/concept-data-security-posture-prepare)
diff --git a/docs/en/rules/Azure.Storage.Defender.MalwareScan.md b/docs/en/rules/Azure.Storage.Defender.MalwareScan.md
index eba0810567..ad19f497e9 100644
--- a/docs/en/rules/Azure.Storage.Defender.MalwareScan.md
+++ b/docs/en/rules/Azure.Storage.Defender.MalwareScan.md
@@ -121,6 +121,7 @@ Not all services within storage accounts are currently supported.
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Malware Scanning in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan)
 - [Limitations](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations)
diff --git a/docs/en/rules/Azure.Storage.DefenderCloud.md b/docs/en/rules/Azure.Storage.DefenderCloud.md
index 3f6df5f301..d3a09377db 100644
--- a/docs/en/rules/Azure.Storage.DefenderCloud.md
+++ b/docs/en/rules/Azure.Storage.DefenderCloud.md
@@ -119,6 +119,7 @@ To enable this rule, set the `AZURE_STORAGE_DEFENDER_PER_ACCOUNT` configuration
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction)
 - [Enable and configure Microsoft Defender for Storage](https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure)
diff --git a/docs/en/rules/Azure.VM.PublicIPAttached.md b/docs/en/rules/Azure.VM.PublicIPAttached.md
index 61662201f8..ba3bcd0cb3 100644
--- a/docs/en/rules/Azure.VM.PublicIPAttached.md
+++ b/docs/en/rules/Azure.VM.PublicIPAttached.md
@@ -96,6 +96,7 @@ resource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
 - [Dissociate public IP address from a VM](https://learn.microsoft.com/azure/virtual-network/ip-services/remove-public-ip-address-vm)
 - [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview)
diff --git a/docs/en/rules/Azure.VM.PublicKey.md b/docs/en/rules/Azure.VM.PublicKey.md
index 1fc55bbfcb..abf6107391 100644
--- a/docs/en/rules/Azure.VM.PublicKey.md
+++ b/docs/en/rules/Azure.VM.PublicKey.md
@@ -143,6 +143,7 @@ resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = {
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline)
 - [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)
diff --git a/docs/en/rules/Azure.VM.ScriptExtensions.md b/docs/en/rules/Azure.VM.ScriptExtensions.md
index 90118e5eab..5d5b7c590e 100644
--- a/docs/en/rules/Azure.VM.ScriptExtensions.md
+++ b/docs/en/rules/Azure.VM.ScriptExtensions.md
@@ -77,6 +77,7 @@ resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Windows Custom Script Extensions](https://learn.microsoft.com/azure/virtual-machines/extensions/custom-script-windows)
 - [Linux Custom Script Extensions](https://learn.microsoft.com/azure/virtual-machines/extensions/custom-script-linux)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines/extensions)
diff --git a/docs/en/rules/Azure.VM.Updates.md b/docs/en/rules/Azure.VM.Updates.md
index d9c1b463a8..6956973f89 100644
--- a/docs/en/rules/Azure.VM.Updates.md
+++ b/docs/en/rules/Azure.VM.Updates.md
@@ -28,5 +28,6 @@ Enable automatic updates at deployment time, then reconfigure as required to mee
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Automatic Guest Patching for Azure Virtual Machines and Scale Sets](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)
diff --git a/docs/en/rules/Azure.VM.UseManagedDisks.md b/docs/en/rules/Azure.VM.UseManagedDisks.md
index 2697e97b90..19a3a167b5 100644
--- a/docs/en/rules/Azure.VM.UseManagedDisks.md
+++ b/docs/en/rules/Azure.VM.UseManagedDisks.md
@@ -197,6 +197,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 - [RE:01 Simplicity and efficiency](https://learn.microsoft.com/azure/well-architected/reliability/simplify)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Azure managed disks](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview)
 - [Reliability in Virtual Machines](https://learn.microsoft.com/azure/reliability/reliability-virtual-machines)
 - [Using disks in Azure Resource Manager Templates](https://learn.microsoft.com/azure/virtual-machines/using-managed-disks-template-deployments)
diff --git a/docs/en/rules/Azure.VMSS.PublicIPAttached.md b/docs/en/rules/Azure.VMSS.PublicIPAttached.md
index 05898b5b63..5ad99a0c21 100644
--- a/docs/en/rules/Azure.VMSS.PublicIPAttached.md
+++ b/docs/en/rules/Azure.VMSS.PublicIPAttached.md
@@ -134,6 +134,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
 - [Networking for scale sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking)
 - [Public IPv4 per virtual machine](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine)
diff --git a/docs/en/rules/Azure.VMSS.PublicKey.md b/docs/en/rules/Azure.VMSS.PublicKey.md
index eeb275c35c..46f5fb576d 100644
--- a/docs/en/rules/Azure.VMSS.PublicKey.md
+++ b/docs/en/rules/Azure.VMSS.PublicKey.md
@@ -212,6 +212,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = {
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline)
 - [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets)
diff --git a/docs/en/rules/Azure.VMSS.ScriptExtensions.md b/docs/en/rules/Azure.VMSS.ScriptExtensions.md
index d7dea73200..4c26feecd2 100644
--- a/docs/en/rules/Azure.VMSS.ScriptExtensions.md
+++ b/docs/en/rules/Azure.VMSS.ScriptExtensions.md
@@ -82,5 +82,6 @@ extensionProfile: {
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure VMSS Extensions Overview](https://learn.microsoft.com/azure/virtual-machines/extensions/overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets/extensions)
diff --git a/docs/en/rules/Azure.VNET.FirewallSubnet.md b/docs/en/rules/Azure.VNET.FirewallSubnet.md
index 3f3d7b33c4..32fb13f3b1 100644
--- a/docs/en/rules/Azure.VNET.FirewallSubnet.md
+++ b/docs/en/rules/Azure.VNET.FirewallSubnet.md
@@ -115,6 +115,7 @@ resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
 ## LINKS
 - [Azure features for segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation#azure-features-for-segmentation)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Hub-spoke network topology in Azure](https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)
 - [Define an Azure network topology](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology)
 - [What is Azure Firewall?](https://learn.microsoft.com/azure/firewall/overview)
diff --git a/docs/en/rules/Azure.VNET.PrivateSubnet.md b/docs/en/rules/Azure.VNET.PrivateSubnet.md
index ce93344cca..afb1cd47a8 100644
--- a/docs/en/rules/Azure.VNET.PrivateSubnet.md
+++ b/docs/en/rules/Azure.VNET.PrivateSubnet.md
@@ -214,6 +214,7 @@ az network vnet subnet update -n '' -g '' --vnet-na
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Default outbound access](https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access)
 - [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
 - [What is Azure NAT Gateway?](https://learn.microsoft.com/azure/nat-gateway/nat-overview)
diff --git a/docs/en/rules/Azure.VNET.UseNSGs.md b/docs/en/rules/Azure.VNET.UseNSGs.md
index bdb7114218..f5284faca3 100644
--- a/docs/en/rules/Azure.VNET.UseNSGs.md
+++ b/docs/en/rules/Azure.VNET.UseNSGs.md
@@ -171,6 +171,7 @@ configuration:
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Network Security Best Practices](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices#logically-segment-subnets)
 - [Azure Firewall FAQ](https://learn.microsoft.com/azure/firewall/firewall-faq#are-network-security-groups--nsgs--supported-on-the-azurefirewallsubnet)
 - [Forced tunneling configuration](https://learn.microsoft.com/azure/firewall/forced-tunneling#forced-tunneling-configuration)
diff --git a/docs/working-with-baselines.md b/docs/working-with-baselines.md
index 1f40c19405..42bac4eccb 100644
--- a/docs/working-with-baselines.md
+++ b/docs/working-with-baselines.md
@@ -79,6 +79,7 @@ The following baselines are available:
 - [Azure.Pillar.Reliability][7] — A baseline that only includes reliability rules.
 - [Azure.Pillar.Security][8] — A baseline that only includes security rules.
 - [Azure.Pillar.Security.L1][9] — A baseline that only includes security rules at with maturity level 1.
+- [Azure.Pillar.Security.L2][10] — A baseline that only includes security rules with maturity level 2.
 [4]: en/baselines/Azure.Pillar.CostOptimization.md
 [5]: en/baselines/Azure.Pillar.OperationalExcellence.md
@@ -86,6 +87,7 @@ The following baselines are available:
 [7]: en/baselines/Azure.Pillar.Reliability.md
 [8]: en/baselines/Azure.Pillar.Security.md
 [9]: en/baselines/Azure.Pillar.Security.L1.md
+ [10]: en/baselines/Azure.Pillar.Security.L2.md
 ## Additional standard baselines
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
index 494401883d..825acea22e 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
@@ -23,7 +23,7 @@ Rule 'Azure.ACR.Usage' -Ref 'AZR-000001' -Type 'Microsoft.ContainerRegistry/regi
 }
 # Synopsis: Consider enabling vulnerability scanning for container images.
-Rule 'Azure.ACR.ContainerScan' -Ref 'AZR-000002' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; method = 'in-flight'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DS-6', 'PV-5') } {
+Rule 'Azure.ACR.ContainerScan' -Ref 'AZR-000002' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; method = 'in-flight'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DS-6', 'PV-5'); 'Azure.WAF/maturity' = 'L2' } {
 $assessments = @(GetSubResources -ResourceType 'Microsoft.Security/assessments');
 $Assert.GreaterOrEqual($assessments, '.', 1).Reason($LocalizedData.AssessmentNotFound);
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
index c39bd351c3..50a2a7544e 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
@@ -88,6 +88,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: ['DS-6', 'PV-5']
+ Azure.WAF/maturity: L5
 spec:
 type:
 - Microsoft.ContainerRegistry/registries
@@ -106,6 +107,8 @@ metadata:
 release: deprecated
 ruleSet: 2020_12
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L5
 spec:
 with:
 - Azure.ACR.IsPremiumSKU
@@ -151,6 +154,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: IM-1
+ Azure.WAF/maturity: L1
 spec:
 with:
 - Azure.ACR.IsPremiumSKU
@@ -172,6 +176,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-2
+ Azure.WAF/maturity: L2
 spec:
 with:
 - Azure.ACR.IsPremiumSKU
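Review bot: Nothing validates the new `'Azure.WAF/maturity' = 'L2'` label value here or the matching `Azure.WAF/maturity:` entries in the YAML hunks that follow, so a typo in the level string would silently drop a rule from whichever baseline selects on it rather than fail a build; the same applies to the Azure.APIM.Rule.ps1, Azure.AppConfig.Rule.ps1, Azure.AI, Azure.AKS, Azure.AppGw and Azure.AppGwWAF hunks below. A unit test that enumerates every rule carrying `Azure.WAF/maturity`, asserts the value is one of the levels the baselines recognise, and asserts the rule is also tagged `'Azure.WAF/pillar' = 'Security'` would catch that at CI time. It would also be worth cross-checking that each labelled rule's documentation links the same `Security: Level N` page, since those links were added by hand above — for example the Azure.VM.UseManagedDisks.md hunk adds a Security Level 2 link to a page whose pillar reference is `RE:01 Simplicity and efficiency`, which looks inconsistent with the changelog's statement that the labels cover Security pillar rules.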
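Review bot: The `@@ -106,6 +107,8 @@` hunk adds `Azure.WAF/maturity: L5` to a rule whose tags read `release: deprecated`; if the maturity baselines select rules by this label alone, a deprecated rule would be pulled into a Level 5 baseline. Either confirm that the baseline definition also filters on `release`, or leave deprecated rules unlabelled so they cannot be selected, and record the decision next to the label with a comment such as `# Deprecated rule: maturity label kept for documentation only, baselines filter on release`. The rule's `metadata:` block starts above the hunk, so its name is not visible here.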
@@ -195,6 +200,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: DP-2
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerRegistry/registries
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml
index dd2f6215d2..b79844c3dc 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml
@@ -22,6 +22,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-2
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.CognitiveServices/accounts
@@ -105,6 +106,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-2
+ Azure.WAF/maturity: L4
 spec:
 type:
 - Microsoft.CognitiveServices/accounts
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml
index abdd2c1378..908f785889 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml
@@ -41,6 +41,8 @@ metadata:
 release: GA # Replace ruleSet with suitable date.
 ruleSet: 2024_06
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -81,6 +83,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-1
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -103,6 +106,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: AM-2
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -144,6 +148,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-1
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -189,6 +194,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: ['IM-1', 'PA-7']
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -209,6 +215,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: IM-8
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -229,6 +236,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: DP-7
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -251,6 +259,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: ['NS-1', 'DP-4']
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -274,6 +283,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: PV-7
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -297,6 +307,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: ['IM-1', 'PA-7']
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -388,6 +399,8 @@ metadata:
 release: GA
 ruleSet: 2023_03
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
diff --git a/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
index f687c1bc50..689e4e57c3 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
@@ -82,7 +82,7 @@ Rule 'Azure.APIM.HTTPBackend' -Ref 'AZR-000044' -Type 'Microsoft.ApiManagement/s
 }
 # Synopsis: Encrypt all API Management named values with Key Vault secrets.
-Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8', 'DP-7') } {
+Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8', 'DP-7'); 'Azure.WAF/maturity' = 'L1' } {
 $namedValues = @($TargetObject)
 if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
 $namedValues = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/namedValues')
@@ -97,7 +97,7 @@ Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement
 }
 # Synopsis: Require subscription for products
-Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $products = @($TargetObject);
 if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
 $products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@@ -113,7 +113,7 @@ Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiMana
 }
 # Synopsis: Require approval for products
-Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $products = @($TargetObject);
 if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
 $products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@@ -129,7 +129,7 @@ Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManageme
 }
 # Synopsis: Remove sample products
-Rule 'Azure.APIM.SampleProducts' -Ref 'AZR-000048' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.APIM.SampleProducts' -Ref 'AZR-000048' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $products = @($TargetObject);
 if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
 $products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@@ -363,7 +363,7 @@ Rule 'Azure.APIM.PolicyBase' -Ref 'AZR-000371' -Type 'Microsoft.ApiManagement/se
 }
 # Synopsis: APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs.
-Rule 'Azure.APIM.DefenderCloud' -Ref 'AZR-000387' -Type 'Microsoft.ApiManagement/service' -If { HasRestApi } -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1' } {
+Rule 'Azure.APIM.DefenderCloud' -Ref 'AZR-000387' -Type 'Microsoft.ApiManagement/service' -If { HasRestApi } -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1'; 'Azure.WAF/maturity' = 'L2' } {
 $apis = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/apis' | Where-Object { $Assert.HasDefaultValue($_, 'properties.apiType', 'http').Result })
 $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.Security/apiCollections')
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1
index f9080bb8a8..5621d92fcc 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1
@@ -41,7 +41,7 @@ Rule 'Azure.AppConfig.PurgeProtect' -Ref 'AZR-000313' -Type 'Microsoft.AppConfig } # Synopsis: Secrets stored as key values in an App Configuration Store may be leaked to unauthorized users. -Rule 'Azure.AppConfig.SecretLeak' -Ref 'AZR-000490' -Type 'Microsoft.AppConfiguration/configurationStores', 'Microsoft.AppConfiguration/configurationStores/keyValues' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8') } { +Rule 'Azure.AppConfig.SecretLeak' -Ref 'AZR-000490' -Type 'Microsoft.AppConfiguration/configurationStores', 'Microsoft.AppConfiguration/configurationStores/keyValues' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8'); 'Azure.WAF/maturity' = 'L1' } { $kv = @($TargetObject) if ($PSRule.TargetType -eq 'Microsoft.AppConfiguration/configurationStores') { $kv = @(GetSubResources -ResourceType 'Microsoft.AppConfiguration/configurationStores/keyValues', 'keyValues') diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml index 8e2a67f3e6..fb3ce3dee2 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml @@ -68,6 +68,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-6 + Azure.WAF/maturity: L2 spec: with: - Azure.IsAppGwPublic @@ -117,6 +118,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.AppGw.WithClassicWAF @@ -137,6 +140,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-6 + Azure.WAF/maturity: L2 spec: with: - Azure.IsAppGwPublic @@ -158,6 +162,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.AppGw.WithClassicWAF 
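Review bot: `Azure.AppConfig.SecretLeak` is labelled `'Azure.WAF/maturity' = 'L1'` here, while the closely related `Azure.Deployment.SecretLeak` in the Azure.Deployment.Rule.ps1 hunk further down receives `'L2'`; both rules flag secrets assigned through non-secure values, so the different level looks accidental unless the split is deliberate. If parity is intended the line becomes `-Labels @{ 'Azure.MCSB.v1/control' = @('IM-8'); 'Azure.WAF/maturity' = 'L2' } {`. If L1 is intended, a one-line comment above the rule recording that choice would stop the two from drifting apart, e.g. `# Maturity: L1 by design — see Azure.Deployment.SecretLeak for the L2 counterpart.` The rule body continues outside the hunk.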
@@ -179,6 +185,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.AppGw.WithClassicWAF diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml index 53c2cbae6d..a39d3023c0 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml @@ -18,6 +18,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies @@ -38,6 +40,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies @@ -59,6 +63,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1 index e22e627948..bb6ac65207 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1 
@@ -25,7 +25,7 @@ Rule 'Azure.AppService.MinTLS' -Ref 'AZR-000073' -Type 'Microsoft.Web/sites', 'M } # Synopsis: Disable remote debugging on App Service apps when not in use. -Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PV-2' } { +Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PV-2'; 'Azure.WAF/maturity' = 'L2' } { $siteConfigs = @(GetWebSiteConfig); if ($siteConfigs.Length -eq 0) { return $Assert.HasDefaultValue($TargetObject, 'properties.siteConfig.remoteDebuggingEnabled', $False); @@ -37,7 +37,7 @@ Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites } # Synopsis: Configure applications to use newer .NET Framework versions. -Rule 'Azure.AppService.NETVersion' -Ref 'AZR-000075' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.AppService.NETVersion' -Ref 'AZR-000075' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $siteConfigs = @(GetWebSiteConfig) if ($siteConfigs.Length -eq 0) { if ($Assert.HasFieldValue($TargetObject, 'properties.siteConfig.linuxFxVersion').Result -and $TargetObject.properties.siteConfig.linuxFxVersion -like 'DOTNETCORE|*') { 
@@ -69,7 +69,7 @@ Rule 'Azure.AppService.NETVersion' -Ref 'AZR-000075' -Type 'Microsoft.Web/sites' } # Synopsis: Configure applications to use newer PHP runtime versions. -Rule 'Azure.AppService.PHPVersion' -Ref 'AZR-000076' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.AppService.PHPVersion' -Ref 'AZR-000076' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $siteConfigs = @(GetWebSiteConfig) if ($siteConfigs.Length -eq 0) { if ($Assert.HasFieldValue($TargetObject, 'properties.siteConfig.linuxFxVersion').Result -and $TargetObject.properties.siteConfig.linuxFxVersion -like 'PHP|*') { @@ -170,7 +170,7 @@ Rule 'Azure.AppService.WebSecureFtp' -Ref 'AZR-000081' -With 'Azure.AppService.I } # Synopsis: Configure applications to use supported Node.js runtime versions. -Rule 'Azure.AppService.NodeJsVersion' -Ref 'AZR-000428' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots', 'Microsoft.Web/sites/slots/config' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.AppService.NodeJsVersion' -Ref 'AZR-000428' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots', 'Microsoft.Web/sites/slots/config' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $versions = Get-NodeVersions $pass = $true diff --git a/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 index 23ef4ce21f..1dea858e33 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. -Rule 'Azure.Arc.Kubernetes.Defender' -Ref 'AZR-000373' -Type 'Microsoft.Kubernetes/connectedClusters' -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1' } { +Rule 'Azure.Arc.Kubernetes.Defender' -Ref 'AZR-000373' -Type 'Microsoft.Kubernetes/connectedClusters' -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1'; 'Azure.WAF/maturity' = 'L2' } { $defender = @(GetSubResources -ResourceType 'Microsoft.KubernetesConfiguration/extensions' | Where-Object { $_.properties.extensionType -eq 'microsoft.azuredefender.kubernetes' }) $Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.ArcKubernetesDefender, $PSRule.TargetName) diff --git a/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 index 9b3b1e170d..c2834cc604 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 @@ -6,7 +6,7 @@ # # Synopsis: Ensure variables are encrypted -Rule 'Azure.Automation.EncryptVariables' -Ref 'AZR-000086' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-5' } { +Rule 'Azure.Automation.EncryptVariables' -Ref 'AZR-000086' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-5'; 'Azure.WAF/maturity' = 'L2' } { $variables = GetSubResources -ResourceType 'Microsoft.Automation/automationAccounts/variables'; if ($variables.Length -eq 0) { return $Assert.Pass(); 
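Review bot: `Azure.Arc.Kubernetes.Defender` is tagged `release = 'preview'` but now also carries `'Azure.WAF/maturity' = 'L2'`, and the same applies to `Azure.Defender.Storage.DataScan` in the Azure.Defender.Rule.ps1 hunk further down. If the new Level 2 baseline selects rules by this label alone, preview rules will be evaluated as part of it and may raise findings for features whose behaviour is still subject to change; presumably the baseline selector should also require `release: GA`, or the inclusion of preview rules should be stated explicitly in the baseline's description so consumers are not surprised. The rule body continues outside the hunk.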
@@ -18,7 +18,7 @@ Rule 'Azure.Automation.EncryptVariables' -Ref 'AZR-000086' -Type 'Microsoft.Auto } # Synopsis: Ensure webhook expiry is not longer than one year -Rule 'Azure.Automation.WebHookExpiry' -Ref 'AZR-000087' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Automation.WebHookExpiry' -Ref 'AZR-000087' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $webhooks = GetSubResources -ResourceType 'Microsoft.Automation/automationAccounts/webhooks'; if ($webhooks.Length -eq 0) { return $Assert.Pass(); diff --git a/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml index 0432eeb288..17da82d35a 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: BR-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.DataProtection/backupVaults diff --git a/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml index f8df49108b..9599a42b08 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: DP-3 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Cdn/profiles/endpoints diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index 799a8c8f9a..05eb48bdf5 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: IP ingress restrictions mode should be set to allow action for all rules defined. -Rule 'Azure.ContainerApp.RestrictIngress' -Ref 'AZR-000380' -Type 'Microsoft.App/containerApps' -If { HasIngress } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-2' } { +Rule 'Azure.ContainerApp.RestrictIngress' -Ref 'AZR-000380' -Type 'Microsoft.App/containerApps' -If { HasIngress } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-2'; 'Azure.WAF/maturity' = 'L2' } { $restrictions = @($TargetObject.properties.configuration.ingress.ipSecurityRestrictions) if (!$restrictions) { return $Assert.Fail() diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml index 1e69c1306b..c197e7ac00 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml @@ -94,6 +94,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.App/managedEnvironments @@ -115,6 +116,8 @@ metadata: release: GA ruleSet: 2023_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.ContainerApp.WithIngress diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index 07755b9aaa..90c12d36d0 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -7,7 +7,7 @@ #region Rules # Synopsis: Enable Microsoft Defender for Azure Cosmos DB. -Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration.AZURE_COSMOS_DEFENDER_PER_ACCOUNT -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1' } { +Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration.AZURE_COSMOS_DEFENDER_PER_ACCOUNT -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1'; 'Azure.WAF/maturity' = 'L2' } { $defender = @(GetSubResources -ResourceType 'Microsoft.Security/advancedThreatProtectionSettings' | Where-Object { $_.properties.isEnabled -eq $True }) $Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.SubResourceNotFound, 'Microsoft.Security/advancedThreatProtectionSettings') diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml index f44e2bb2e5..3e5ad5ef1d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: ['IM-1', 'IM-2'] + Azure.WAF/maturity: L2 spec: type: - Microsoft.DocumentDb/databaseAccounts @@ -106,6 +107,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.DocumentDb/databaseAccounts diff --git a/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 index 1d764dc8c9..01d9909113 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 
@@ -6,7 +6,7 @@ # # Synopsis: Ensure public DNS zones are configured with DNSSEC. -Rule 'Azure.DNS.DNSSEC' -Ref 'AZR-000456' -Type 'Microsoft.Network/dnsZones' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.DNS.DNSSEC' -Ref 'AZR-000456' -Type 'Microsoft.Network/dnsZones' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $configs = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Network/dnsZones') { $configs = @(GetSubResources -ResourceType 'Microsoft.Network/dnsZones/dnssecConfigs'); diff --git a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml index 010cb423cc..dc2cf3b969 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml @@ -16,6 +16,8 @@ metadata: release: GA ruleSet: 2023_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Databricks/workspaces @@ -55,6 +57,8 @@ metadata: release: GA ruleSet: 2024_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Databricks/workspaces diff --git a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 index 57f53a4e1f..381df02853 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: Microsoft Defender for Cloud email and phone contact details should be set -Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription', 'Microsoft.Security/securityContacts' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription', 'Microsoft.Security/securityContacts' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $contacts = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Subscription') { $contacts = @(GetSubResources -ResourceType 'Microsoft.Security/securityContacts'); @@ -24,7 +24,7 @@ Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azu } # Synopsis: Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights -Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisioning' -Ref 'AZR-000210' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } { +Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisioning' -Ref 'AZR-000210' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4'; 'Azure.WAF/maturity' = 'L2' } { $provisioning = @(GetSubResources -ResourceType 'Microsoft.Security/autoProvisioningSettings'); $Null -ne $provisioning -and $provisioning.Length -gt 0; foreach ($s in $provisioning) { 
@@ -33,7 +33,7 @@ Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisionin } # Synopsis: Enable Malware Scanning in Microsoft Defender for Storage. -Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $malwareConfigured = @($TargetObject.properties.extensions | Where-Object name -eq 'OnUploadMalwareScanning' | Where-Object isEnabled -eq 'True') @@ -41,7 +41,7 @@ Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Se } # Synopsis: Enable sensitive data threat detection in Microsoft Defender for Storage. -Rule 'Azure.Defender.Storage.DataScan' -Alias 'Azure.Defender.Storage.SensitiveData' -Ref 'AZR-000385' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Defender.Storage.DataScan' -Alias 'Azure.Defender.Storage.SensitiveData' -Ref 'AZR-000385' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $sensitiveConfigured = @($TargetObject.properties.extensions | Where-Object name -eq 'SensitiveDataDiscovery' | Where-Object isEnabled -eq 'True') 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml index b899253ca9..723816927a 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -44,6 +45,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -71,6 +73,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: [ 'DP-2', 'LT-1' ] + Azure.WAF/maturity: L2 spec: level: Error where: @@ -95,6 +98,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -119,6 +123,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: [ 'DP-2', 'LT-1' ] + Azure.WAF/maturity: L2 spec: level: Error where: @@ -146,6 +151,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -170,6 +176,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -194,6 +201,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -218,6 +226,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -242,6 +251,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -266,6 +276,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: 
@@ -293,6 +304,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: [ 'DP-2', 'LT-1' ] + Azure.WAF/maturity: L2 spec: level: Error where: @@ -317,6 +329,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: diff --git a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 index b64944e05b..4ebf4922d8 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 
@@ -8,27 +8,27 @@ #region Rules # Synopsis: Avoid outputting sensitive deployment values. -Rule 'Azure.Deployment.OutputSecretValue' -Ref 'AZR-000279' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.OutputSecretValue' -Ref 'AZR-000279' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.Create($PSRule.Issue.Get('PSRule.Rules.Azure.Template.OutputSecretValue')); } # Synopsis: Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string) -Rule 'Azure.Deployment.AdminUsername' -Ref 'AZR-000284' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.AdminUsername' -Ref 'AZR-000284' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { RecurseDeploymentSensitive -Deployment $TargetObject } # Synopsis: Use secure parameters for any parameter that contains sensitive information. -Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { GetSecureParameter -Deployment $TargetObject } # Synopsis: Use secure parameters for setting properties of resources that contain sensitive information. 
-Rule 'Azure.Deployment.SecureValue' -Ref 'AZR-000316' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.SecureValue' -Ref 'AZR-000316' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { RecurseSecureValue -Deployment $TargetObject } # Synopsis: Ensure Outer scope deployments aren't using SecureString or SecureObject Parameters -Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources/deployments' -If { IsParentDeployment } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources/deployments' -If { IsParentDeployment } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $template = @($TargetObject.properties.template); if ($template.resources.Length -eq 0) { return $Assert.Pass(); @@ -53,7 +53,7 @@ Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources } # Synopsis: The deployment parameter leaks sensitive information. -Rule 'Azure.Deployment.SecretLeak' -Ref 'AZR-000459' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.SecretLeak' -Ref 'AZR-000459' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.Create($PSRule.Issue.Get('PSRule.Rules.Azure.Template.ParameterSecureAssignment')); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml index 101a1ed4e9..b0d0b80922 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml 
+++ b/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.EventGrid/topics diff --git a/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 index c3867a1782..583559ff24 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 @@ -14,7 +14,7 @@ Rule 'Azure.EventHub.Usage' -Ref 'AZR-000101' -Type 'Microsoft.EventHub/namespac } # Synopsis: Access to the namespace endpoints should be restricted to only allowed sources. -Rule 'Azure.EventHub.Firewall' -Ref 'AZR-000422' -Type 'Microsoft.EventHub/namespaces', 'Microsoft.EventHub/namespaces/networkRuleSets' -If { Test-IsNoBasicTier } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1', 'NS-2' } { +Rule 'Azure.EventHub.Firewall' -Ref 'AZR-000422' -Type 'Microsoft.EventHub/namespaces', 'Microsoft.EventHub/namespaces/networkRuleSets' -If { Test-IsNoBasicTier } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1', 'NS-2'; 'Azure.WAF/maturity' = 'L2' } { # NB: Microsoft.EventHub/namespaces/networkRuleSets overrides properties.publicNetworkAccess and properties.defaultAction property. $firewalls = @($TargetObject) diff --git a/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml index 0ec72eb709..527ebd1d3c 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml @@ -68,6 +68,8 @@ metadata: release: 'GA' ruleSet: '2020_06' Azure.WAF/pillar: 'Security' + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/azureFirewalls 
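Review bot: In the Azure.Firewall.Rule.yaml hunk the added `Azure.WAF/maturity: L2` is unquoted while every neighbouring value in that metadata block is single-quoted (`'GA'`, `'2020_06'`, `'Security'`); both forms parse to the same string, but the mixed style stands out in this file. For consistency with the surrounding block use `Azure.WAF/maturity: 'L2'`, or leave it unquoted and normalise the rest of the block in a follow-up.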
@@ -92,6 +94,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-1 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/firewallPolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 index a59f714a04..7533e98690 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 @@ -19,7 +19,7 @@ Rule 'Azure.FrontDoor.MinTLS' -Ref 'AZR-000106' -Type 'Microsoft.Network/frontDo } # Synopsis: Audit and monitor access through Azure Front Door profiles. -Rule 'Azure.FrontDoor.Logs' -Ref 'AZR-000107' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Cdn/profiles' -With 'Azure.FrontDoor.IsStandardOrPremium', 'Azure.FrontDoor.IsClassic' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } { +Rule 'Azure.FrontDoor.Logs' -Ref 'AZR-000107' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Cdn/profiles' -With 'Azure.FrontDoor.IsStandardOrPremium', 'Azure.FrontDoor.IsClassic' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4'; 'Azure.WAF/maturity' = 'L2' } { $logCategoryGroups = 'audit', 'allLogs' $diagnostics = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings', 'Microsoft.Network/frontDoors/providers/diagnosticSettings', 'Microsoft.Cdn/profiles/providers/diagnosticSettings' | ForEach-Object { $_.Properties.logs | Where-Object { 
@@ -68,7 +68,7 @@ Rule 'Azure.FrontDoor.ProbePath' -Ref 'AZR-000110' -Type 'Microsoft.Network/fron } # Synopsis: Enable Web Application Firewall (WAF) policies on each Front Door endpoint. -Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-6' } { +Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-6'; 'Azure.WAF/maturity' = 'L2' } { $endpoints = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Network/frontDoors') { $endpoints = @($TargetObject.Properties.frontendEndpoints); diff --git a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml index 81b4154c2c..08c2c783a0 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml @@ -63,6 +63,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -83,6 +85,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-6 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml index b0ca0d05b1..7f4d49b861 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml 
@@ -17,6 +17,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -37,6 +39,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -57,6 +61,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -83,6 +89,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml index b56a5af76d..eae005d3f2 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml @@ -16,6 +16,8 @@ metadata: release: GA ruleSet: 2025_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.VirtualMachineImages/imageTemplates @@ -53,6 +55,8 @@ metadata: release: GA ruleSet: 2025_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.VirtualMachineImages/imageTemplates diff --git a/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 index feb72f85ed..7b84f6dec7 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 
@@ -103,7 +103,7 @@ Rule 'Azure.KeyVault.KeyName' -Ref 'AZR-000122' -Type 'Microsoft.KeyVault/vaults
 }
 # Synopsis: Key Vault keys should have auto-rotation enabled.
-Rule 'Azure.KeyVault.AutoRotationPolicy' -Ref 'AZR-000123' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/keys' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'IM-3' } {
+Rule 'Azure.KeyVault.AutoRotationPolicy' -Ref 'AZR-000123' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/keys' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'IM-3'; 'Azure.WAF/maturity' = 'L2' } {
 $keys = @($TargetObject);
 if ($PSRule.TargetType -eq 'Microsoft.KeyVault/vaults') {
diff --git a/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1
index 999b9fb2a2..094581ed3e 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1
@@ -6,7 +6,7 @@
 #
 # Synopsis: Access IPs should be limited for HTTP triggers
-Rule 'Azure.LogicApp.LimitHTTPTrigger' -Ref 'AZR-000130' -Type 'Microsoft.Logic/workflows' -If { LogicAppWithHttpTrigger } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.LogicApp.LimitHTTPTrigger' -Ref 'AZR-000130' -Type 'Microsoft.Logic/workflows' -If { LogicAppWithHttpTrigger } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $Assert.GreaterOrEqual($TargetObject, 'Properties.accessControl.triggers.allowedCallerIpAddresses', 1);
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml
index 38be396be9..733272b28c 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml
@@ -59,6 +59,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-1
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.MachineLearningServices/workspaces/computes
diff --git a/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1
index 9808aee761..1622e1180c 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1
@@ -8,7 +8,7 @@
 #region Rules
 # Synopsis: Enable Microsoft Defender for Cloud for Azure Database for MariaDB.
-Rule 'Azure.MariaDB.DefenderCloud' -Ref 'AZR-000330' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MariaDB.DefenderCloud' -Ref 'AZR-000330' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 if ($PSRule.TargetType -eq 'Microsoft.DBforMariaDB/servers') {
 $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforMariaDB/servers/securityAlertPolicies')
 if ($defenderConfigs.Length -eq 0) {
@@ -101,7 +101,7 @@ Rule 'Azure.MariaDB.VNETRuleName' -Ref 'AZR-000339' -Type 'Microsoft.DBforMariaD
 }
 # Synopsis: Determine if access from Azure services is required.
-Rule 'Azure.MariaDB.AllowAzureAccess' -Ref 'AZR-000342' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/firewallRules' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MariaDB.AllowAzureAccess' -Ref 'AZR-000342' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/firewallRules' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallAllowAzureServices = @(GetMariaDBFirewallRule | Where-Object { $_.properties.startIpAddress -eq '0.0.0.0' -and $_.properties.endIpAddress -eq '0.0.0.0' })
@@ -109,7 +109,7 @@ Rule 'Azure.MariaDB.AllowAzureAccess' -Ref 'AZR-000342' -Type 'Microsoft.DBforMa
 }
 # Synopsis: Determine if there is an excessive number of firewall rules.
-Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMariaDB/servers/firewallRules')
 $Assert.LessOrEqual($firewallRules, '.', 10).
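Review bot: The rewritten `Azure.MariaDB.FirewallRuleCount` line in the second hunk still has no space between the rule name and `-Ref` (`'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343'`), which every other rule definition in this commit has. It is carried over from the removed line rather than introduced here, but since the line is being rewritten anyway it is the moment to make it read like its siblings: `Rule 'Azure.MariaDB.FirewallRuleCount' -Ref 'AZR-000343' -Type 'Microsoft.DBforMariaDB/servers' ...`. The rule body continues outside the hunk.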
@@ -117,7 +117,7 @@ Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMa
 }
 # Synopsis: Determine if there is an excessive number of permitted IP addresses.
-Rule 'Azure.MariaDB.FirewallIPRange' -Ref 'AZR-000344' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MariaDB.FirewallIPRange' -Ref 'AZR-000344' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $summary = GetIPAddressSummary
 [int]$public = [int]$summary.Public
diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
index 146096c63b..55f42ae22d 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
@@ -6,7 +6,7 @@
 #
 # Synopsis: Determine if there is an excessive number of firewall rules
-Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/firewallRules');
 $Assert.
 LessOrEqual($firewallRules, '.', 10).
@@ -14,7 +14,7 @@ Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMyS
 }
 # Synopsis: Determine if access from Azure services is required
-Rule 'Azure.MySQL.AllowAzureAccess' -Ref 'AZR-000134' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MySQL.AllowAzureAccess' -Ref 'AZR-000134' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/firewallRules' | Where-Object {
 $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or
 ($_.properties.startIpAddress -eq '0.0.0.0' -and $_.properties.endIpAddress -eq '0.0.0.0')
@@ -23,7 +23,7 @@ Rule 'Azure.MySQL.AllowAzureAccess' -Ref 'AZR-000134' -Type 'Microsoft.DBforMySQ
 }
 # Synopsis: Determine if there is an excessive number of permitted IP addresses
-Rule 'Azure.MySQL.FirewallIPRange' -Ref 'AZR-000135' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MySQL.FirewallIPRange' -Ref 'AZR-000135' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $summary = GetIPAddressSummary
 $Assert.
 LessOrEqual($summary, 'Public', 10).
@@ -61,7 +61,7 @@ Rule 'Azure.MySQL.UseFlexible' -Ref 'AZR-000325' -Type 'Microsoft.DBforMySQL/fle
 }
 # Synopsis: Enable Microsoft Defender for Cloud for Azure Database for MySQL.
-Rule 'Azure.MySQL.DefenderCloud' -Ref 'AZR-000328' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.MySQL.DefenderCloud' -Ref 'AZR-000328' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 if ($PSRule.TargetType -eq 'Microsoft.DBforMySQL/servers') {
 $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/securityAlertPolicies')
 if ($defenderConfigs.Length -eq 0) {
diff --git a/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1
index a4c200f202..fa8c43002d 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1
@@ -8,7 +8,7 @@
 #region Rules
 # Synopsis: Network security groups should avoid any inbound rules
-Rule 'Azure.NSG.AnyInboundSource' -Ref 'AZR-000137' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.NSG.AnyInboundSource' -Ref 'AZR-000137' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $inboundRules = @(GetOrderedNSGRules -Direction Inbound);
 $rules = $inboundRules | Where-Object {
 $_.properties.access -eq 'Allow' -and
@@ -29,7 +29,7 @@ Rule 'Azure.NSG.DenyAllInbound' -Ref 'AZR-000138' -Type 'Microsoft.Network/netwo
 }
 # Synopsis: Lateral traversal from application servers should be blocked
-Rule 'Azure.NSG.LateralTraversal' -Ref 'AZR-000139' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.NSG.LateralTraversal' -Ref 'AZR-000139' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $nsg = [PSRule.Rules.Azure.Runtime.Helper]::GetNetworkSecurityGroup(@(GetOrderedNSGRules -Direction Outbound));
 $rdp = $nsg.Outbound('VirtualNetwork', 3389);
diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
index 7f27d774ad..78957e8b36 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
@@ -6,7 +6,7 @@
 #
 # Synopsis: Determine if there is an excessive number of firewall rules
-Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/firewallRules');
 $Assert.
 LessOrEqual($firewallRules, '.', 10).
@@ -14,7 +14,7 @@ Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBf
 }
 # Synopsis: Determine if access from Azure services is required
-Rule 'Azure.PostgreSQL.AllowAzureAccess' -Ref 'AZR-000150' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.PostgreSQL.AllowAzureAccess' -Ref 'AZR-000150' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/firewallRules' | Where-Object {
 $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or
 ($_.properties.startIpAddress -eq '0.0.0.0' -and $_.properties.endIpAddress -eq '0.0.0.0')
@@ -23,7 +23,7 @@ Rule 'Azure.PostgreSQL.AllowAzureAccess' -Ref 'AZR-000150' -Type 'Microsoft.DBfo
 }
 # Synopsis: Determine if there is an excessive number of permitted IP addresses
-Rule 'Azure.PostgreSQL.FirewallIPRange' -Ref 'AZR-000151' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.PostgreSQL.FirewallIPRange' -Ref 'AZR-000151' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $summary = GetIPAddressSummary
 $Assert.
 LessOrEqual($summary, 'Public', 10).
@@ -56,7 +56,7 @@ Rule 'Azure.PostgreSQL.GeoRedundantBackup' -Ref 'AZR-000326' -Type 'Microsoft.DB
 }
 # Synopsis: Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.
-Rule 'Azure.PostgreSQL.DefenderCloud' -Ref 'AZR-000327' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.PostgreSQL.DefenderCloud' -Ref 'AZR-000327' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 if ($PSRule.TargetType -eq 'Microsoft.DBforPostgreSQL/servers') {
 $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies')
 if ($defenderConfigs.Length -eq 0) {
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
index 04f8953b85..5640a3bcaf 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
@@ -76,7 +76,7 @@ Rule 'Azure.RedisEnterprise.Zones' -Ref 'AZR-000162' -Type 'Microsoft.Cache/redi
 } -Configure @{ AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST = @() }
 # Synopsis: Determine if there is an excessive number of firewall rules for the Redis cache.
-Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $services = @($TargetObject);
@@ -95,7 +95,7 @@ Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/re
 }
 # Synopsis: Determine if there is an excessive number of permitted IP addresses for the Redis cache.
-Rule 'Azure.Redis.FirewallIPRange' -Ref 'AZR-000300' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.Redis.FirewallIPRange' -Ref 'AZR-000300' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $services = @($TargetObject);
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
index 0118769afe..fd87466cfd 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
@@ -88,6 +88,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-2
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.Cache/Redis
diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
index fad5a70dbb..8fb2ce9045 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
@@ -8,7 +8,7 @@
 #region SQL Logical Server
 # Synopsis: Determine if there is an excessive number of firewall rules
-Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/firewallRules');
 $Assert.
 LessOrEqual($firewallRules, '.', 10).
@@ -16,7 +16,7 @@ Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/server
 }
 # Synopsis: Determine if access from Azure services is required
-Rule 'Azure.SQL.AllowAzureAccess' -Ref 'AZR-000184' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.SQL.AllowAzureAccess' -Ref 'AZR-000184' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $firewallRules = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/firewallRules' | Where-Object {
 $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or
 ($_.properties.StartIpAddress -eq '0.0.0.0' -and $_.properties.EndIpAddress -eq '0.0.0.0')
@@ -25,7 +25,7 @@ Rule 'Azure.SQL.AllowAzureAccess' -Ref 'AZR-000184' -Type 'Microsoft.Sql/servers
 }
 # Synopsis: Determine if there is an excessive number of permitted IP addresses
-Rule 'Azure.SQL.FirewallIPRange' -Ref 'AZR-000185' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.SQL.FirewallIPRange' -Ref 'AZR-000185' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $summary = GetIPAddressSummary
 $Assert.
 LessOrEqual($summary, 'Public', 10).
@@ -33,7 +33,7 @@ Rule 'Azure.SQL.FirewallIPRange' -Ref 'AZR-000185' -Type 'Microsoft.Sql/servers'
 }
 # Synopsis: Enable Microsoft Defender for Cloud for Azure SQL logical server
-Rule 'Azure.SQL.DefenderCloud' -Alias 'Azure.SQL.ThreatDetection' -Ref 'AZR-000186' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-3' } {
+Rule 'Azure.SQL.DefenderCloud' -Alias 'Azure.SQL.ThreatDetection' -Ref 'AZR-000186' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-3'; 'Azure.WAF/maturity' = 'L2' } {
 $configs = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/securityAlertPolicies');
 if ($configs.Length -eq 0) {
 return $Assert.Fail($LocalizedData.SubResourceNotFound, 'Microsoft.Sql/servers/securityAlertPolicies');
@@ -44,7 +44,7 @@ Rule 'Azure.SQL.DefenderCloud' -Alias 'Azure.SQL.ThreatDetection' -Ref 'AZR-0001
 }
 # Synopsis: Enable auditing for Azure SQL logical server.
-Rule 'Azure.SQL.Auditing' -Ref 'AZR-000187' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-3' } {
+Rule 'Azure.SQL.Auditing' -Ref 'AZR-000187' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-3'; 'Azure.WAF/maturity' = 'L2' } {
 $configs = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/auditingSettings');
 if ($configs.Length -eq 0) {
 return $Assert.Fail($LocalizedData.SubResourceNotFound, 'Microsoft.Sql/servers/auditingSettings');
@@ -99,7 +99,7 @@ Rule 'Azure.SQL.AADOnly' -Ref 'AZR-000369' -Type 'Microsoft.Sql/servers', 'Micro
 }
 # Synopsis: Ensure SQL logical server has a vulnerability assessment scan enabled.
-Rule 'Azure.SQL.VAScan' -Ref 'AZR-000455' -Type 'Microsoft.Sql/servers', 'Microsoft.Sql/servers/sqlVulnerabilityAssessments' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.SQL.VAScan' -Ref 'AZR-000455' -Type 'Microsoft.Sql/servers', 'Microsoft.Sql/servers/sqlVulnerabilityAssessments' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $configs = @($TargetObject);
 $classicConfigs = @();
 if ($PSRule.TargetType -eq 'Microsoft.Sql/servers') {
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1
index 99bb596b89..d47f752f6f 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1
@@ -34,7 +34,7 @@ Rule 'Azure.Storage.SoftDelete' -Ref 'AZR-000197' -Type 'Microsoft.Storage/stora
 }
 # Synopsis: Use containers configured with a private access type that requires authorization.
-Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices/containers' -If { !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices/containers' -If { !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $containers = @($TargetObject);
 if ($PSRule.TargetType -eq 'Microsoft.Storage/storageAccounts') {
 $containers = @(GetSubResources -ResourceType 'Microsoft.Storage/storageAccounts/blobServices/containers');
@@ -93,21 +93,21 @@ Rule 'Azure.Storage.ContainerSoftDelete' -Ref 'AZR-000289' -Type 'Microsoft.Stor
 }
 # Synopsis: Enable Malware Scanning in Microsoft Defender for Storage.
-Rule 'Azure.Storage.Defender.MalwareScan' -Alias 'Azure.Storage.DefenderCloud.MalwareScan' -Ref 'AZR-000384' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } {
+Rule 'Azure.Storage.Defender.MalwareScan' -Alias 'Azure.Storage.DefenderCloud.MalwareScan' -Ref 'AZR-000384' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } {
 $malwareDisabled = @(GetSubResources -ResourceType 'Microsoft.Security/DefenderForStorageSettings' | Where-Object { $_.properties.malwareScanning.onUpload.isEnabled -eq $False })
 $Assert.Count($malwareDisabled, '.', 0).Reason($LocalizedData.ResStorageMalwareScanning, $PSRule.TargetName)
 }
 # Synopsis: Enable sensitive data threat detection in Microsoft Defender for Storage.
-Rule 'Azure.Storage.Defender.DataScan' -Alias 'Azure.Storage.DefenderCloud.SensitiveData' -Ref 'AZR-000391' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } {
+Rule 'Azure.Storage.Defender.DataScan' -Alias 'Azure.Storage.DefenderCloud.SensitiveData' -Ref 'AZR-000391' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } {
 $sensitiveDisabled = @(GetSubResources -ResourceType 'Microsoft.Security/DefenderForStorageSettings' | Where-Object { $_.properties.sensitiveDataDiscovery.isEnabled -eq $False })
 $Assert.Count($sensitiveDisabled, '.', 0).Reason($LocalizedData.ResStorageSensitiveDataThreatDetection, $PSRule.TargetName)
 }
 # Synopsis: Enable Microsoft Defender for Storage for storage accounts.
-Rule 'Azure.Storage.DefenderCloud' -Ref 'AZR-000386' -Type 'Microsoft.Storage/storageAccounts' -If { $Configuration.AZURE_STORAGE_DEFENDER_PER_ACCOUNT -eq $True } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } {
+Rule 'Azure.Storage.DefenderCloud' -Ref 'AZ
R-000386' -Type 'Microsoft.Storage/storageAccounts' -If { $Configuration.AZURE_STORAGE_DEFENDER_PER_ACCOUNT -eq $True } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } {
 $defender = @(GetSubResources -ResourceType 'Microsoft.Security/DefenderForStorageSettings' | Where-Object { $_.properties.isEnabled -eq $True })
 $Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.SubResourceNotFound, 'Microsoft.Security/DefenderForStorageSettings')
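Review bot: `Azure.Storage.Defender.DataScan` is tagged `release = 'preview'` yet the new line gives it the same `'Azure.WAF/maturity' = 'L2'` label as the GA rules on either side of it. If the `Azure.Pillar.Security.L2` baseline from the changelog selects rules by this label alone, a preview rule would be pulled into that baseline and start failing consumers who have not opted into preview behaviour; confirm the baseline's selector also requires `release: GA`, or defer the label until the rule leaves preview. The hunk starts in the previous line, before the `Azure.Storage.Defender.MalwareScan` definition.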
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1
index ec122041c4..f448b4b2e0 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1
@@ -8,7 +8,7 @@
 #region RBAC
 # Synopsis: Use groups for assigning permissions instead of individual user accounts
-Rule 'Azure.RBAC.UseGroups' -Ref 'AZR-000203' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } {
+Rule 'Azure.RBAC.UseGroups' -Ref 'AZR-000203' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } {
 $assignments = @($TargetObject.resources | Where-Object {
 $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and
 $_.ObjectType -eq 'User'
@@ -19,7 +19,7 @@ Rule 'Azure.RBAC.UseGroups' -Ref 'AZR-000203' -Type 'Microsoft.Subscription' -Ta
 }
 # Synopsis: Limit the number of subscription Owners
-Rule 'Azure.RBAC.LimitOwner' -Ref 'AZR-000204' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } {
+Rule 'Azure.RBAC.LimitOwner' -Ref 'AZR-000204' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } {
 $assignments = @($TargetObject.resources | Where-Object {
 $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and
 $_.RoleDefinitionName -eq 'Owner' -and
@@ -32,7 +32,7 @@ Rule 'Azure.RBAC.LimitOwner' -Ref 'AZR-000204' -Type 'Microsoft.Subscription' -T
 }
 # Synopsis: Limit RBAC inheritance from Management Groups
-Rule 'Azure.RBAC.LimitMGDelegation' -Ref 'AZR-000205' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } {
+Rule 'Azure.RBAC.LimitMGDelegation' -Ref 'AZR-000205' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } {
 $assignments = @($TargetObject.resources | Where-Object {
 $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and
 ($_.Scope -like "/providers/Microsoft.Management/managementGroups/*")
@@ -43,7 +43,7 @@ Rule 'Azure.RBAC.LimitMGDelegation' -Ref 'AZR-000205' -Type 'Microsoft.Subscript
 }
 # Synopsis: Avoid using classic co-administrator roles
-Rule 'Azure.RBAC.CoAdministrator' -Ref 'AZR-000206' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } {
+Rule 'Azure.RBAC.CoAdministrator' -Ref 'AZR-000206' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } {
 $assignments = @($TargetObject.resources | Where-Object {
 $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and
 $_.RoleDefinitionName -eq 'CoAdministrator'
@@ -54,7 +54,7 @@ Rule 'Azure.RBAC.CoAdministrator' -Ref 'AZR-000206' -Type 'Microsoft.Subscriptio
 }
 # Synopsis: Use RBAC assignments on resource groups instead of individual resources
-Rule 'Azure.RBAC.UseRGDelegation' -Ref 'AZR-000207' -Type 'Microsoft.Resources/resourceGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } {
+Rule 'Azure.RBAC.UseRGDelegation' -Ref 'AZR-000207' -Type 'Microsoft.Resources/resourceGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } {
 $assignments = @($TargetObject.resources | Where-Object {
 $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and
 $_.Scope -like "/subscriptions/*/resourceGroups/*/providers/*"
@@ -65,7 +65,7 @@ Rule 'Azure.RBAC.UseRGDelegation' -Ref 'AZR-000207' -Type 'Microsoft.Resources/r
 }
 # Synopsis: Use JiT role activation with PIM
-Rule 'Azure.RBAC.PIM' -Ref 'AZR-000208' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } {
+Rule 'Azure.RBAC.PIM' -Ref 'AZR-000208' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } {
 # Get PIM assignment
 $assignments = @(GetSubResources -ResourceType 'Microsoft.Authorization/roleAssignments' | Where-Object { $_.DisplayName -eq 'MS-PIM' -and $_.ObjectType -eq 'ServicePrincipal'
@@ -117,7 +117,7 @@ Rule 'Azure.Monitor.ServiceHealth' -Ref 'AZR-000211' -Type 'Microsoft.Subscripti
 #region Security
 # Synopsis: Alerts that have not received a response may indicate a security issue that requires attention.
-Rule 'Azure.DefenderCloud.ActiveAlerts' -Ref 'AZR-000489' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } {
+Rule 'Azure.DefenderCloud.ActiveAlerts' -Ref 'AZR-000489' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {
 $alerts = @(GetSubResources -ResourceType 'Microsoft.Security/Locations/alerts' | Where-Object {
 $_.properties.status -eq 'Active' -and
 $_.properties.severity -in @('High', 'Medium')
diff --git a/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1
index 8824b6e87a..0d8c5ef8a4 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1
@@ -8,7 +8,7 @@
 #region Virtual machine
 # Synopsis: Virtual machines should use managed disks
-Rule 'Azure.VM.UseManagedDisks' -Ref 'AZR-000238' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.Policy/id' = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' } {
+Rule 'Azure.VM.UseManagedDisks' -Ref 'AZR-000238' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.Policy/id' = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'; 'Azure.WAF/maturity' = 'L2' } {
 # Check OS disk
 $Assert.
 NullOrEmpty($TargetObject, 'properties.storageProfile.osDisk.vhd.uri').
@@ -60,7 +60,7 @@ Rule 'Azure.VM.AcceleratedNetworking' -Ref 'AZR-000244' -If { SupportsAccelerate } # Synopsis: Linux VMs should use public key pair -Rule 'Azure.VM.PublicKey' -Ref 'AZR-000245' -If { VMHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VM.PublicKey' -Ref 'AZR-000245' -If { VMHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.HasFieldValue($TargetObject, 'Properties.osProfile.linuxConfiguration.disablePasswordAuthentication', $True) } @@ -71,7 +71,7 @@ Rule 'Azure.VM.Agent' -Ref 'AZR-000246' -Type 'Microsoft.Compute/virtualMachines } # Synopsis: Ensure automatic updates are enabled at deployment -Rule 'Azure.VM.Updates' -Ref 'AZR-000247' -Type 'Microsoft.Compute/virtualMachines' -If { IsWindowsOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'ES-3' } { +Rule 'Azure.VM.Updates' -Ref 'AZR-000247' -Type 'Microsoft.Compute/virtualMachines' -If { IsWindowsOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'ES-3'; 'Azure.WAF/maturity' = 'L2' } { $Assert.HasDefaultValue($TargetObject, 'Properties.osProfile.windowsConfiguration.enableAutomaticUpdates', $True) } 
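Review bot: `Azure.VM.PublicKey` receives only the maturity label, while its scale-set sibling `Azure.VMSS.PublicKey` in this same change ends up with `'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.WAF/maturity' = 'L2'`, even though both rules assert the identical `disablePasswordAuthentication` setting. Whichever MCSB mapping is correct, the two rules should agree; as written the MCSB-labelled baseline would presumably pick up the VMSS rule but not the VM rule for the same control. Either extend this line to `-Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.WAF/maturity' = 'L2' }` or drop the control from the VMSS rule, depending on which mapping is intended.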
@@ -218,7 +218,7 @@ Rule 'Azure.VM.PPGName' -Ref 'AZR-000260' -Type 'Microsoft.Compute/proximityPlac #endregion Proximity Placement Groups # Synopsis: Protect Custom Script Extensions commands -Rule 'Azure.VM.ScriptExtensions' -Ref 'AZR-000332' -Type 'Microsoft.Compute/virtualMachines', 'Microsoft.Compute/virtualMachines/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VM.ScriptExtensions' -Ref 'AZR-000332' -Type 'Microsoft.Compute/virtualMachines', 'Microsoft.Compute/virtualMachines/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $vmConfig = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Compute/virtualMachines') { @@ -294,7 +294,7 @@ Rule 'Azure.VM.MaintenanceConfig' -Ref 'AZR-000375' -Type 'Microsoft.Compute/vir #region Public IP # Synopsis: Avoid attaching public IPs directly to virtual machines. -Rule 'Azure.VM.PublicIPAttached' -Ref 'AZR-000449' -Type 'Microsoft.Network/networkInterfaces' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VM.PublicIPAttached' -Ref 'AZR-000449' -Type 'Microsoft.Network/networkInterfaces' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $configurations = @($TargetObject.properties.ipConfigurations) if ($configurations.Count -eq 0) { diff --git a/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 index b91cfaf7f6..03bf3aab5c 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 
@@ -45,13 +45,13 @@ Rule 'Azure.VMSS.ComputerName' -Ref 'AZR-000262' -Type 'Microsoft.Compute/virtua } # Synopsis: Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. -Rule 'Azure.VMSS.PublicKey' -Ref 'AZR-000288' -Type 'Microsoft.Compute/virtualMachineScaleSets' -If { VMSSHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4' } { +Rule 'Azure.VMSS.PublicKey' -Ref 'AZR-000288' -Type 'Microsoft.Compute/virtualMachineScaleSets' -If { VMSSHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.WAF/maturity' = 'L2' } { $Assert.In($TargetObject, 'properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication', $True). Reason($LocalizedData.VMSSPublicKey, $PSRule.TargetName) } # Synopsis: Protect Custom Script Extensions commands -Rule 'Azure.VMSS.ScriptExtensions' -Ref 'AZR-000333' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Computer/virtualMachineScaleSets/CustomScriptExtension', 'Microsoft.Compute/virtualMachineScaleSets/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VMSS.ScriptExtensions' -Ref 'AZR-000333' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Computer/virtualMachineScaleSets/CustomScriptExtension', 'Microsoft.Compute/virtualMachineScaleSets/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $vmssConfig = @($TargetObject); ## Extension Prof 
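Review bot: The `-Type` list of `Azure.VMSS.ScriptExtensions` still carries `'Microsoft.Computer/virtualMachineScaleSets/CustomScriptExtension'`, which looks like a typo of the `Microsoft.Compute` provider namespace; because type selection is an exact string match, that entry can never select a resource and is effectively dead. Since this hunk promotes the rule into the L2 baseline, it is a good moment to either correct the namespace (if such a child type genuinely exists) or remove the entry and rely on `Microsoft.Compute/virtualMachineScaleSets/extensions`, which is already listed. The extension-profile walk that begins at `$vmssConfig = @($TargetObject);` continues outside the hunk.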
@@ -118,7 +118,7 @@ Rule 'Azure.VMSS.ZoneBalance' -Ref 'AZR-000438' -Type 'Microsoft.Compute/virtual } # Synopsis: Avoid attaching public IPs directly to virtual machine scale set instances. -Rule 'Azure.VMSS.PublicIPAttached' -Ref 'AZR-000450' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VMSS.PublicIPAttached' -Ref 'AZR-000450' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { if ($PSRule.TargetType -eq 'Microsoft.Compute/virtualMachineScaleSets') { $configurations = @( $TargetObject.properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations | ForEach-Object { $_.properties.ipConfigurations } | Where-Object { $null -ne $_ } diff --git a/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 index bc50beb2b8..de7cd06c24 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 
@@ -8,7 +8,7 @@ #region Virtual Network # Synopsis: Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. -Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1' } { +Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1'; 'Azure.WAF/maturity' = 'L2' } { $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet'); foreach ($exclusion in $Configuration.GetStringValues('AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG')) { if ($exclusion) { @@ -126,7 +126,7 @@ Rule 'Azure.VNET.BastionSubnet' -Ref 'AZR-000314' -Type 'Microsoft.Network/virtu } # Synopsis: Use Azure Firewall to filter network traffic to and from Azure resources. -Rule 'Azure.VNET.FirewallSubnet' -Ref 'AZR-000322' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VNET.FirewallSubnet' -Ref 'AZR-000322' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $subnets = @(GetVirtualNetworkSubnetNames) $Assert.In($subnets, '.', @('AzureFirewallSubnet')).ReasonFrom('properties.subnets', $LocalizedData.SubnetNotFound, 'AzureFirewallSubnet') } 
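Review bot: `Azure.VNET.FirewallSubnet` passes as soon as a subnet named `AzureFirewallSubnet` appears in `GetVirtualNetworkSubnetNames`, but the existence of the subnet says nothing about whether an Azure Firewall is actually deployed into it or whether route tables steer traffic through it, so an empty reserved subnet satisfies the rule. With the new `'Azure.WAF/maturity' = 'L2'` label pulling it into the Security L2 baseline, the rule's documentation should state that this is a name-based heuristic rather than proof of filtering, and a follow-up could cross-check for a `Microsoft.Network/azureFirewalls` resource bound to that subnet when in-flight data is available. The `-If { HasGatewaySubnet }` guard also means hub networks without a gateway subnet are never evaluated, which is worth saying in the synopsis.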
@@ -154,7 +154,7 @@ Rule 'Azure.VNET.FirewallSubnetNAT' -Ref 'AZR-000448' -Level 'Warning' -Type 'Mi } # Synopsis: Disable default outbound access for virtual machines. -Rule 'Azure.VNET.PrivateSubnet' -Ref 'AZR-000447' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VNET.PrivateSubnet' -Ref 'AZR-000447' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'AzureBastionSubnet') if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') { $subnets = @( diff --git a/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml index cb5696d4d6..a93b4b3e37 100644 --- a/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml @@ -43,6 +43,27 @@ spec: labels: Azure.WAF/maturity: L1 +--- +# Synopsis: Microsoft Azure Well-Architected Framework - Security pillar Level 2 maturity baseline. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Baseline +metadata: + name: Azure.Pillar.Security.L2 + annotations: + taxonomy: Azure.WAF + pillar: Security + maturity: L2 + export: true + moduleVersion: v1.40.0 + experimental: true +spec: + rule: + tag: + release: GA + Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 + --- # Synopsis: Microsoft Azure Well-Architected Framework - Operational Excellence pillar specific baseline. apiVersion: github.com/microsoft/PSRule/v1
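Review bot: The new `Azure.Pillar.Security.L2` baseline selects only rules labelled `Azure.WAF/maturity: L2`, so every rule this change leaves at `L1` (the `Azure.Pillar.Security.L1` selector directly above uses the same single-value filter) is excluded when the L2 baseline runs. If maturity levels are cumulative, as a Level 2 workload presumably still has to satisfy Level 1 controls, the selector should also admit the lower level, for example `Azure.WAF/maturity: [L1, L2]` if the label filter accepts a list, or the L2 rules should carry both level values. If exclusion is deliberate, a comment on the baseline stating that L2 is incremental and must be combined with `Azure.Pillar.Security.L1` would stop users from running it in isolation and believing they have covered the pillar.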