From 7c4e00a8d55a1ed50b205ee77154aad81e94153e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 20:24:32 +0000 Subject: [PATCH 1/6] Initial plan From 85ab778740dd100a984bac58110a247f9903c146 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 20:38:24 +0000 Subject: [PATCH 2/6] Add Azure.WAF/maturity: L2 labels and Azure.Pillar.Security.L2 baseline - Add Azure.Pillar.Security.L2 baseline to WAF.Rule.yaml - Add 'Azure.WAF/maturity' = 'L2' labels to PS1 rule files covering: NSG, VNET, FrontDoor, EventHub, MariaDB, MySQL, PostgreSQL, Redis, SQL, ContainerApp, LogicApp, VMSS, VM, Subscription/RBAC, APIM, Defender, Storage, Cosmos, Arc, AppService, Automation, KeyVault, DNS, Deployment, AppConfig, ACR rules - Add Azure.WAF/maturity: L2 labels to YAML rule files covering: ACR, AI, AKS, AppGw, AppGwWAF, BV, CDN, ContainerApp, Cosmos, Databricks, Defender, EventGrid, Firewall, FrontDoor, FrontDoorWAF, ImageBuilder, ML, Redis rules Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/changelog.md | 4 ++++ .../rules/Azure.ACR.Rule.ps1 | 2 +- .../rules/Azure.ACR.Rule.yaml | 6 ++++++ .../rules/Azure.AI.Rule.yaml | 2 ++ .../rules/Azure.AKS.Rule.yaml | 13 ++++++++++++ .../rules/Azure.APIM.Rule.ps1 | 10 ++++----- .../rules/Azure.AppConfig.Rule.ps1 | 2 +- .../rules/Azure.AppGw.Rule.yaml | 8 +++++++ .../rules/Azure.AppGwWAF.Rule.yaml | 6 ++++++ .../rules/Azure.AppService.Rule.ps1 | 8 +++---- .../rules/Azure.Arc.Rule.ps1 | 2 +- .../rules/Azure.Automation.Rule.ps1 | 4 ++-- .../rules/Azure.BV.Rule.yaml | 1 + .../rules/Azure.CDN.Rule.yaml | 1 + .../rules/Azure.ContainerApp.Rule.ps1 | 2 +- .../rules/Azure.ContainerApp.Rule.yaml | 3 +++ .../rules/Azure.Cosmos.Rule.ps1 | 2 +- .../rules/Azure.Cosmos.Rule.yaml | 2 ++ .../rules/Azure.DNS.Rule.ps1 | 2 +- .../rules/Azure.Databricks.Rule.yaml | 4 ++++ .../rules/Azure.Defender.Rule.ps1 | 8 +++---- .../rules/Azure.Defender.Rule.yaml | 13 ++++++++++++ .../rules/Azure.Deployment.Rule.ps1 | 12 +++++------ .../rules/Azure.EventGrid.Rule.yaml | 1 + .../rules/Azure.EventHub.Rule.ps1 | 2 +- .../rules/Azure.Firewall.Rule.yaml | 3 +++ .../rules/Azure.FrontDoor.Rule.ps1 | 
4 ++-- .../rules/Azure.FrontDoor.Rule.yaml | 3 +++ .../rules/Azure.FrontDoorWAF.Rule.yaml | 8 +++++++ .../rules/Azure.ImageBuilder.Rule.yaml | 4 ++++ .../rules/Azure.KeyVault.Rule.ps1 | 2 +- .../rules/Azure.LogicApp.Rule.ps1 | 2 +- .../rules/Azure.ML.Rule.yaml | 1 + .../rules/Azure.MariaDB.Rule.ps1 | 8 +++---- .../rules/Azure.MySQL.Rule.ps1 | 8 +++---- .../rules/Azure.NSG.Rule.ps1 | 4 ++-- .../rules/Azure.PostgreSQL.Rule.ps1 | 8 +++---- .../rules/Azure.Redis.Rule.ps1 | 4 ++-- .../rules/Azure.Redis.Rule.yaml | 1 + .../rules/Azure.SQL.Rule.ps1 | 12 +++++------ .../rules/Azure.Storage.Rule.ps1 | 8 +++---- .../rules/Azure.Subscription.Rule.ps1 | 14 ++++++------- .../rules/Azure.VM.Rule.ps1 | 10 ++++----- .../rules/Azure.VMSS.Rule.ps1 | 6 +++--- .../rules/Azure.VNET.Rule.ps1 | 6 +++--- src/PSRule.Rules.Azure/rules/WAF.Rule.yaml | 21 +++++++++++++++++++ 46 files changed, 181 insertions(+), 76 deletions(-) diff --git a/docs/changelog.md b/docs/changelog.md index 953a25e7049..4591de7fbef 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -30,6 +30,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased +- New features: + - Added `Azure.Pillar.Security.L2` WAF baseline for the Security pillar Level 2 maturity baseline by @Copilot. +- Updated rules: + - Added `Azure.WAF/maturity: L2` labels to Security pillar rules covering network ingress, authentication, hardening, deployment practices, and maintenance by @Copilot. - Updated rules: - Azure Kubernetes Service: - Updated `Azure.AKS.Version` to use `1.33.7` as the minimum version by @BernieWhite. diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 index 494401883dc..825acea22e5 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 
@@ -23,7 +23,7 @@ Rule 'Azure.ACR.Usage' -Ref 'AZR-000001' -Type 'Microsoft.ContainerRegistry/regi } # Synopsis: Consider enabling vulnerability scanning for container images. -Rule 'Azure.ACR.ContainerScan' -Ref 'AZR-000002' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; method = 'in-flight'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DS-6', 'PV-5') } { +Rule 'Azure.ACR.ContainerScan' -Ref 'AZR-000002' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12'; method = 'in-flight'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DS-6', 'PV-5'); 'Azure.WAF/maturity' = 'L2' } { $assessments = @(GetSubResources -ResourceType 'Microsoft.Security/assessments'); $Assert.GreaterOrEqual($assessments, '.', 1).Reason($LocalizedData.AssessmentNotFound); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml index c39bd351c3e..fbbd6358fce 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml @@ -88,6 +88,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: ['DS-6', 'PV-5'] + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerRegistry/registries @@ -106,6 +107,8 @@ metadata: release: deprecated ruleSet: 2020_12 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.ACR.IsPremiumSKU @@ -151,6 +154,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: IM-1 + Azure.WAF/maturity: L2 spec: with: - Azure.ACR.IsPremiumSKU @@ -172,6 +176,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: with: - Azure.ACR.IsPremiumSKU 
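Review bot: The hunk at `@@ -106,6 +107,8 @@` in Azure.ACR.Rule.yaml attaches `Azure.WAF/maturity: L2` to a rule whose metadata reads `release: deprecated`, so if the new `Azure.Pillar.Security.L2` baseline selects rules by this label (WAF.Rule.yaml is outside this chunk, so I cannot confirm how it filters), a deprecated rule is pulled into a baseline that is meant to describe current Level 2 practice; the same applies to `Azure.Arc.Kubernetes.Defender` and `Azure.Defender.Storage.DataScan`, which carry `release = 'preview'`. Either drop the two added lines from the deprecated rule, or make the baseline's rule selector also require `release: GA` so deprecated and preview rules are excluded by tag rather than by hand. The deprecated rule's name and synopsis sit above the hunk, outside this view.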
@@ -195,6 +200,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: DP-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerRegistry/registries diff --git a/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml index dd2f6215d2a..aac1c4e11ed 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml @@ -22,6 +22,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.CognitiveServices/accounts @@ -105,6 +106,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.CognitiveServices/accounts diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml index abdd2c13780..908f7858892 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml @@ -41,6 +41,8 @@ metadata: release: GA # Replace ruleSet with suitable date. ruleSet: 2024_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -81,6 +83,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-1 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -103,6 +106,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: AM-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -144,6 +148,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-1 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -189,6 +194,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: ['IM-1', 'PA-7'] + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters 
@@ -209,6 +215,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: IM-8 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -229,6 +236,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: DP-7 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -251,6 +259,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: ['NS-1', 'DP-4'] + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -274,6 +283,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: PV-7 + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -297,6 +307,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: ['IM-1', 'PA-7'] + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters @@ -388,6 +399,8 @@ metadata: release: GA ruleSet: 2023_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters diff --git a/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 index f687c1bc502..c68ef078f60 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 
@@ -82,7 +82,7 @@ Rule 'Azure.APIM.HTTPBackend' -Ref 'AZR-000044' -Type 'Microsoft.ApiManagement/s } # Synopsis: Encrypt all API Management named values with Key Vault secrets. -Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8', 'DP-7') } { +Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8', 'DP-7'); 'Azure.WAF/maturity' = 'L2' } { $namedValues = @($TargetObject) if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') { $namedValues = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/namedValues') @@ -97,7 +97,7 @@ Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement } # Synopsis: Require subscription for products -Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $products = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') { $products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products'); 
@@ -113,7 +113,7 @@ Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiMana } # Synopsis: Require approval for products -Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $products = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') { $products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products'); @@ -129,7 +129,7 @@ Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManageme } # Synopsis: Remove sample products -Rule 'Azure.APIM.SampleProducts' -Ref 'AZR-000048' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.APIM.SampleProducts' -Ref 'AZR-000048' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $products = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') { $products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products'); 
@@ -363,7 +363,7 @@ Rule 'Azure.APIM.PolicyBase' -Ref 'AZR-000371' -Type 'Microsoft.ApiManagement/se } # Synopsis: APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. -Rule 'Azure.APIM.DefenderCloud' -Ref 'AZR-000387' -Type 'Microsoft.ApiManagement/service' -If { HasRestApi } -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1' } { +Rule 'Azure.APIM.DefenderCloud' -Ref 'AZR-000387' -Type 'Microsoft.ApiManagement/service' -If { HasRestApi } -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1'; 'Azure.WAF/maturity' = 'L2' } { $apis = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/apis' | Where-Object { $Assert.HasDefaultValue($_, 'properties.apiType', 'http').Result }) $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.Security/apiCollections') diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 index f9080bb8a85..43aff07a6f2 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 
@@ -41,7 +41,7 @@ Rule 'Azure.AppConfig.PurgeProtect' -Ref 'AZR-000313' -Type 'Microsoft.AppConfig } # Synopsis: Secrets stored as key values in an App Configuration Store may be leaked to unauthorized users. -Rule 'Azure.AppConfig.SecretLeak' -Ref 'AZR-000490' -Type 'Microsoft.AppConfiguration/configurationStores', 'Microsoft.AppConfiguration/configurationStores/keyValues' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8') } { +Rule 'Azure.AppConfig.SecretLeak' -Ref 'AZR-000490' -Type 'Microsoft.AppConfiguration/configurationStores', 'Microsoft.AppConfiguration/configurationStores/keyValues' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8'); 'Azure.WAF/maturity' = 'L2' } { $kv = @($TargetObject) if ($PSRule.TargetType -eq 'Microsoft.AppConfiguration/configurationStores') { $kv = @(GetSubResources -ResourceType 'Microsoft.AppConfiguration/configurationStores/keyValues', 'keyValues') diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml index 8e2a67f3e6b..fb3ce3dee2e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AppGw.Rule.yaml @@ -68,6 +68,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-6 + Azure.WAF/maturity: L2 spec: with: - Azure.IsAppGwPublic @@ -117,6 +118,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.AppGw.WithClassicWAF @@ -137,6 +140,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-6 + Azure.WAF/maturity: L2 spec: with: - Azure.IsAppGwPublic @@ -158,6 +162,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.AppGw.WithClassicWAF 
@@ -179,6 +185,8 @@ metadata:
 release: GA
 ruleSet: 2020_06
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L2
 spec:
 with:
 - Azure.AppGw.WithClassicWAF
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml
index 53c2cbae6d9..a39d3023c06 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml
@@ -18,6 +18,8 @@ metadata:
 release: GA
 ruleSet: 2022_09
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
@@ -38,6 +40,8 @@ metadata:
 release: GA
 ruleSet: 2022_09
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
@@ -59,6 +63,8 @@ metadata:
 release: GA
 ruleSet: 2022_09
 Azure.WAF/pillar: Security
+ labels:
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1
index e22e6279486..bb6ac652075 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1
@@ -25,7 +25,7 @@ Rule 'Azure.AppService.MinTLS' -Ref 'AZR-000073' -Type 'Microsoft.Web/sites', 'M } # Synopsis: Disable remote debugging on App Service apps when not in use. -Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PV-2' } { +Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PV-2'; 'Azure.WAF/maturity' = 'L2' } { $siteConfigs = @(GetWebSiteConfig); if ($siteConfigs.Length -eq 0) { return $Assert.HasDefaultValue($TargetObject, 'properties.siteConfig.remoteDebuggingEnabled', $False); @@ -37,7 +37,7 @@ Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites } # Synopsis: Configure applications to use newer .NET Framework versions. -Rule 'Azure.AppService.NETVersion' -Ref 'AZR-000075' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.AppService.NETVersion' -Ref 'AZR-000075' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $siteConfigs = @(GetWebSiteConfig) if ($siteConfigs.Length -eq 0) { if ($Assert.HasFieldValue($TargetObject, 'properties.siteConfig.linuxFxVersion').Result -and $TargetObject.properties.siteConfig.linuxFxVersion -like 'DOTNETCORE|*') { 
@@ -69,7 +69,7 @@ Rule 'Azure.AppService.NETVersion' -Ref 'AZR-000075' -Type 'Microsoft.Web/sites' } # Synopsis: Configure applications to use newer PHP runtime versions. -Rule 'Azure.AppService.PHPVersion' -Ref 'AZR-000076' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.AppService.PHPVersion' -Ref 'AZR-000076' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $siteConfigs = @(GetWebSiteConfig) if ($siteConfigs.Length -eq 0) { if ($Assert.HasFieldValue($TargetObject, 'properties.siteConfig.linuxFxVersion').Result -and $TargetObject.properties.siteConfig.linuxFxVersion -like 'PHP|*') { @@ -170,7 +170,7 @@ Rule 'Azure.AppService.WebSecureFtp' -Ref 'AZR-000081' -With 'Azure.AppService.I } # Synopsis: Configure applications to use supported Node.js runtime versions. -Rule 'Azure.AppService.NodeJsVersion' -Ref 'AZR-000428' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots', 'Microsoft.Web/sites/slots/config' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.AppService.NodeJsVersion' -Ref 'AZR-000428' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots', 'Microsoft.Web/sites/slots/config' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $versions = Get-NodeVersions $pass = $true diff --git a/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 index 23ef4ce21fe..1dea858e334 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Arc.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. -Rule 'Azure.Arc.Kubernetes.Defender' -Ref 'AZR-000373' -Type 'Microsoft.Kubernetes/connectedClusters' -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1' } { +Rule 'Azure.Arc.Kubernetes.Defender' -Ref 'AZR-000373' -Type 'Microsoft.Kubernetes/connectedClusters' -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-1'; 'Azure.WAF/maturity' = 'L2' } { $defender = @(GetSubResources -ResourceType 'Microsoft.KubernetesConfiguration/extensions' | Where-Object { $_.properties.extensionType -eq 'microsoft.azuredefender.kubernetes' }) $Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.ArcKubernetesDefender, $PSRule.TargetName) diff --git a/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 index 9b3b1e170dd..c2834cc6041 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1 @@ -6,7 +6,7 @@ # # Synopsis: Ensure variables are encrypted -Rule 'Azure.Automation.EncryptVariables' -Ref 'AZR-000086' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-5' } { +Rule 'Azure.Automation.EncryptVariables' -Ref 'AZR-000086' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-5'; 'Azure.WAF/maturity' = 'L2' } { $variables = GetSubResources -ResourceType 'Microsoft.Automation/automationAccounts/variables'; if ($variables.Length -eq 0) { return $Assert.Pass(); 
@@ -18,7 +18,7 @@ Rule 'Azure.Automation.EncryptVariables' -Ref 'AZR-000086' -Type 'Microsoft.Auto } # Synopsis: Ensure webhook expiry is not longer than one year -Rule 'Azure.Automation.WebHookExpiry' -Ref 'AZR-000087' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Automation.WebHookExpiry' -Ref 'AZR-000087' -Type 'Microsoft.Automation/automationAccounts' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $webhooks = GetSubResources -ResourceType 'Microsoft.Automation/automationAccounts/webhooks'; if ($webhooks.Length -eq 0) { return $Assert.Pass(); diff --git a/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml index 0432eeb2887..17da82d35af 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.BV.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: BR-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.DataProtection/backupVaults diff --git a/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml index f8df49108bc..9599a42b080 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.CDN.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: DP-3 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Cdn/profiles/endpoints diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index 799a8c8f9ab..05eb48bdf5d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: IP ingress restrictions mode should be set to allow action for all rules defined. -Rule 'Azure.ContainerApp.RestrictIngress' -Ref 'AZR-000380' -Type 'Microsoft.App/containerApps' -If { HasIngress } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-2' } { +Rule 'Azure.ContainerApp.RestrictIngress' -Ref 'AZR-000380' -Type 'Microsoft.App/containerApps' -If { HasIngress } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-2'; 'Azure.WAF/maturity' = 'L2' } { $restrictions = @($TargetObject.properties.configuration.ingress.ipSecurityRestrictions) if (!$restrictions) { return $Assert.Fail() diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml index 1e69c1306b3..c197e7ac005 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml @@ -94,6 +94,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.App/managedEnvironments @@ -115,6 +116,8 @@ metadata: release: GA ruleSet: 2023_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: with: - Azure.ContainerApp.WithIngress diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index 07755b9aaac..90c12d36d09 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -7,7 +7,7 @@ #region Rules # Synopsis: Enable Microsoft Defender for Azure Cosmos DB. -Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration.AZURE_COSMOS_DEFENDER_PER_ACCOUNT -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1' } { +Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration.AZURE_COSMOS_DEFENDER_PER_ACCOUNT -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1'; 'Azure.WAF/maturity' = 'L2' } { $defender = @(GetSubResources -ResourceType 'Microsoft.Security/advancedThreatProtectionSettings' | Where-Object { $_.properties.isEnabled -eq $True }) $Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.SubResourceNotFound, 'Microsoft.Security/advancedThreatProtectionSettings') diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml index f44e2bb2e53..3e5ad5ef1d2 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: ['IM-1', 'IM-2'] + Azure.WAF/maturity: L2 spec: type: - Microsoft.DocumentDb/databaseAccounts @@ -106,6 +107,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.DocumentDb/databaseAccounts diff --git a/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 index 1d764dc8c97..01d99091137 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.DNS.Rule.ps1 
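Review bot: The rewritten `-Labels` line of `Azure.Cosmos.DefenderCloud` keeps the bare `'DP-2', 'LT-1'` array value while the sibling rules touched in this patch (`Azure.Defender.Storage.MalwareScan`, `Azure.Defender.Storage.DataScan`, `Azure.ACR.ContainerScan`) write the same multi-control value as `@('DP-2', 'LT-1')`. The comma form is pre-existing and evaluates to an array either way, but since the line is being rewritten it is the cheap moment to align it: `-Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' }`. The rule body continues below the hunk.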
@@ -6,7 +6,7 @@ # # Synopsis: Ensure public DNS zones are configured with DNSSEC. -Rule 'Azure.DNS.DNSSEC' -Ref 'AZR-000456' -Type 'Microsoft.Network/dnsZones' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.DNS.DNSSEC' -Ref 'AZR-000456' -Type 'Microsoft.Network/dnsZones' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $configs = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Network/dnsZones') { $configs = @(GetSubResources -ResourceType 'Microsoft.Network/dnsZones/dnssecConfigs'); diff --git a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml index 010cb423cc6..dc2cf3b9698 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml @@ -16,6 +16,8 @@ metadata: release: GA ruleSet: 2023_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Databricks/workspaces @@ -55,6 +57,8 @@ metadata: release: GA ruleSet: 2024_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Databricks/workspaces diff --git a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 index 57f53a4e1f8..381df028536 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: Microsoft Defender for Cloud email and phone contact details should be set -Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription', 'Microsoft.Security/securityContacts' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription', 'Microsoft.Security/securityContacts' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $contacts = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Subscription') { $contacts = @(GetSubResources -ResourceType 'Microsoft.Security/securityContacts'); @@ -24,7 +24,7 @@ Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azu } # Synopsis: Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights -Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisioning' -Ref 'AZR-000210' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } { +Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisioning' -Ref 'AZR-000210' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4'; 'Azure.WAF/maturity' = 'L2' } { $provisioning = @(GetSubResources -ResourceType 'Microsoft.Security/autoProvisioningSettings'); $Null -ne $provisioning -and $provisioning.Length -gt 0; foreach ($s in $provisioning) { 
@@ -33,7 +33,7 @@ Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisionin } # Synopsis: Enable Malware Scanning in Microsoft Defender for Storage. -Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $malwareConfigured = @($TargetObject.properties.extensions | Where-Object name -eq 'OnUploadMalwareScanning' | Where-Object isEnabled -eq 'True') @@ -41,7 +41,7 @@ Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Se } # Synopsis: Enable sensitive data threat detection in Microsoft Defender for Storage. -Rule 'Azure.Defender.Storage.DataScan' -Alias 'Azure.Defender.Storage.SensitiveData' -Ref 'AZR-000385' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Defender.Storage.DataScan' -Alias 'Azure.Defender.Storage.SensitiveData' -Ref 'AZR-000385' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $sensitiveConfigured = @($TargetObject.properties.extensions | Where-Object name -eq 'SensitiveDataDiscovery' | Where-Object isEnabled -eq 'True') 
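Review bot: `Azure.Defender.Storage.DataScan` in the second hunk is tagged `release = 'preview'` yet receives the same `'Azure.WAF/maturity' = 'L2'` label as the GA rules around it. If the L2 baseline (defined in WAF.Rule.yaml, outside this view) selects on the label without also filtering on `release`, a preview rule would be pulled into a baseline that consumers may treat as stable; either confirm the baseline excludes preview rules or hold the label until the rule reaches GA. Both rule bodies continue outside the hunk.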
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml index b899253ca96..723816927a4 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -44,6 +45,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -71,6 +73,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: [ 'DP-2', 'LT-1' ] + Azure.WAF/maturity: L2 spec: level: Error where: @@ -95,6 +98,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -119,6 +123,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: [ 'DP-2', 'LT-1' ] + Azure.WAF/maturity: L2 spec: level: Error where: @@ -146,6 +151,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -170,6 +176,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -194,6 +201,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -218,6 +226,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -242,6 +251,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: @@ -266,6 +276,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: 
@@ -293,6 +304,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: [ 'DP-2', 'LT-1' ] + Azure.WAF/maturity: L2 spec: level: Error where: @@ -317,6 +329,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: LT-1 + Azure.WAF/maturity: L2 spec: level: Error where: diff --git a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 index b64944e05b3..4ebf4922d88 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 
@@ -8,27 +8,27 @@ #region Rules # Synopsis: Avoid outputting sensitive deployment values. -Rule 'Azure.Deployment.OutputSecretValue' -Ref 'AZR-000279' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.OutputSecretValue' -Ref 'AZR-000279' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.Create($PSRule.Issue.Get('PSRule.Rules.Azure.Template.OutputSecretValue')); } # Synopsis: Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string) -Rule 'Azure.Deployment.AdminUsername' -Ref 'AZR-000284' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.AdminUsername' -Ref 'AZR-000284' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { RecurseDeploymentSensitive -Deployment $TargetObject } # Synopsis: Use secure parameters for any parameter that contains sensitive information. -Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { GetSecureParameter -Deployment $TargetObject } # Synopsis: Use secure parameters for setting properties of resources that contain sensitive information. 
-Rule 'Azure.Deployment.SecureValue' -Ref 'AZR-000316' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.SecureValue' -Ref 'AZR-000316' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { RecurseSecureValue -Deployment $TargetObject } # Synopsis: Ensure Outer scope deployments aren't using SecureString or SecureObject Parameters -Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources/deployments' -If { IsParentDeployment } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources/deployments' -If { IsParentDeployment } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $template = @($TargetObject.properties.template); if ($template.resources.Length -eq 0) { return $Assert.Pass(); @@ -53,7 +53,7 @@ Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources } # Synopsis: The deployment parameter leaks sensitive information. -Rule 'Azure.Deployment.SecretLeak' -Ref 'AZR-000459' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Deployment.SecretLeak' -Ref 'AZR-000459' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.Create($PSRule.Issue.Get('PSRule.Rules.Azure.Template.ParameterSecureAssignment')); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml index 101a1ed4e92..b0d0b809221 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml 
+++ b/src/PSRule.Rules.Azure/rules/Azure.EventGrid.Rule.yaml @@ -20,6 +20,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.EventGrid/topics diff --git a/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 index c3867a17820..583559ff24c 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.EventHub.Rule.ps1 @@ -14,7 +14,7 @@ Rule 'Azure.EventHub.Usage' -Ref 'AZR-000101' -Type 'Microsoft.EventHub/namespac } # Synopsis: Access to the namespace endpoints should be restricted to only allowed sources. -Rule 'Azure.EventHub.Firewall' -Ref 'AZR-000422' -Type 'Microsoft.EventHub/namespaces', 'Microsoft.EventHub/namespaces/networkRuleSets' -If { Test-IsNoBasicTier } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1', 'NS-2' } { +Rule 'Azure.EventHub.Firewall' -Ref 'AZR-000422' -Type 'Microsoft.EventHub/namespaces', 'Microsoft.EventHub/namespaces/networkRuleSets' -If { Test-IsNoBasicTier } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1', 'NS-2'; 'Azure.WAF/maturity' = 'L2' } { # NB: Microsoft.EventHub/namespaces/networkRuleSets overrides properties.publicNetworkAccess and properties.defaultAction property. $firewalls = @($TargetObject) diff --git a/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml index 0ec72eb7091..527ebd1d3ce 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Firewall.Rule.yaml @@ -68,6 +68,8 @@ metadata: release: 'GA' ruleSet: '2020_06' Azure.WAF/pillar: 'Security' + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/azureFirewalls 
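Review bot: In the Azure.Firewall.Rule.yaml hunk at `@@ -68,6 +68,8 @@` the sibling values are quoted (`release: 'GA'`, `ruleSet: '2020_06'`, `Azure.WAF/pillar: 'Security'`) but the added label is not, so that block now mixes styles. Quoting it to match, `Azure.WAF/maturity: 'L2'`, keeps the block internally consistent; the unquoted form in the other YAML files is fine there because their siblings are unquoted too.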
@@ -92,6 +94,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-1 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/firewallPolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 index a59f714a044..7533e98690a 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.ps1 @@ -19,7 +19,7 @@ Rule 'Azure.FrontDoor.MinTLS' -Ref 'AZR-000106' -Type 'Microsoft.Network/frontDo } # Synopsis: Audit and monitor access through Azure Front Door profiles. -Rule 'Azure.FrontDoor.Logs' -Ref 'AZR-000107' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Cdn/profiles' -With 'Azure.FrontDoor.IsStandardOrPremium', 'Azure.FrontDoor.IsClassic' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } { +Rule 'Azure.FrontDoor.Logs' -Ref 'AZR-000107' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Cdn/profiles' -With 'Azure.FrontDoor.IsStandardOrPremium', 'Azure.FrontDoor.IsClassic' -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4'; 'Azure.WAF/maturity' = 'L2' } { $logCategoryGroups = 'audit', 'allLogs' $diagnostics = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings', 'Microsoft.Network/frontDoors/providers/diagnosticSettings', 'Microsoft.Cdn/profiles/providers/diagnosticSettings' | ForEach-Object { $_.Properties.logs | Where-Object { 
@@ -68,7 +68,7 @@ Rule 'Azure.FrontDoor.ProbePath' -Ref 'AZR-000110' -Type 'Microsoft.Network/fron } # Synopsis: Enable Web Application Firewall (WAF) policies on each Front Door endpoint. -Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-6' } { +Rule 'Azure.FrontDoor.UseWAF' -Ref 'AZR-000111' -Type 'Microsoft.Network/frontDoors', 'Microsoft.Network/frontDoors/frontendEndpoints' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-6'; 'Azure.WAF/maturity' = 'L2' } { $endpoints = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Network/frontDoors') { $endpoints = @($TargetObject.Properties.frontendEndpoints); diff --git a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml index 81b4154c2c5..08c2c783a03 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.FrontDoor.Rule.yaml @@ -63,6 +63,8 @@ metadata: release: GA ruleSet: 2020_06 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -83,6 +85,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-6 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml index b0ca0d05b1b..7f4d49b861d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.FrontDoorWAF.Rule.yaml 
@@ -17,6 +17,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -37,6 +39,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -57,6 +61,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies @@ -83,6 +89,8 @@ metadata: release: GA ruleSet: 2022_09 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.Network/frontdoorwebapplicationfirewallpolicies diff --git a/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml index b56a5af76d5..eae005d3f28 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ImageBuilder.Rule.yaml @@ -16,6 +16,8 @@ metadata: release: GA ruleSet: 2025_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.VirtualMachineImages/imageTemplates @@ -53,6 +55,8 @@ metadata: release: GA ruleSet: 2025_03 Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 spec: type: - Microsoft.VirtualMachineImages/imageTemplates diff --git a/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 index feb72f85ed4..7b84f6dec7d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1 
@@ -103,7 +103,7 @@ Rule 'Azure.KeyVault.KeyName' -Ref 'AZR-000122' -Type 'Microsoft.KeyVault/vaults } # Synopsis: Key Vault keys should have auto-rotation enabled. -Rule 'Azure.KeyVault.AutoRotationPolicy' -Ref 'AZR-000123' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/keys' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'IM-3' } { +Rule 'Azure.KeyVault.AutoRotationPolicy' -Ref 'AZR-000123' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/keys' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'IM-3'; 'Azure.WAF/maturity' = 'L2' } { $keys = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.KeyVault/vaults') { diff --git a/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1 index 999b9fb2a26..094581ed3e5 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.LogicApp.Rule.ps1 @@ -6,7 +6,7 @@ # # Synopsis: Access IPs should be limited for HTTP triggers -Rule 'Azure.LogicApp.LimitHTTPTrigger' -Ref 'AZR-000130' -Type 'Microsoft.Logic/workflows' -If { LogicAppWithHttpTrigger } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.LogicApp.LimitHTTPTrigger' -Ref 'AZR-000130' -Type 'Microsoft.Logic/workflows' -If { LogicAppWithHttpTrigger } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.GreaterOrEqual($TargetObject, 'Properties.accessControl.triggers.allowedCallerIpAddresses', 1); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml index 38be396be91..733272b28ca 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ML.Rule.yaml 
@@ -59,6 +59,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-1 + Azure.WAF/maturity: L2 spec: type: - Microsoft.MachineLearningServices/workspaces/computes diff --git a/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1 index 9808aee7619..1622e1180c3 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.MariaDB.Rule.ps1 @@ -8,7 +8,7 @@ #region Rules # Synopsis: Enable Microsoft Defender for Cloud for Azure Database for MariaDB. -Rule 'Azure.MariaDB.DefenderCloud' -Ref 'AZR-000330' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MariaDB.DefenderCloud' -Ref 'AZR-000330' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { if ($PSRule.TargetType -eq 'Microsoft.DBforMariaDB/servers') { $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforMariaDB/servers/securityAlertPolicies') if ($defenderConfigs.Length -eq 0) { 
@@ -101,7 +101,7 @@ Rule 'Azure.MariaDB.VNETRuleName' -Ref 'AZR-000339' -Type 'Microsoft.DBforMariaD } # Synopsis: Determine if access from Azure services is required. -Rule 'Azure.MariaDB.AllowAzureAccess' -Ref 'AZR-000342' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/firewallRules' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MariaDB.AllowAzureAccess' -Ref 'AZR-000342' -Type 'Microsoft.DBforMariaDB/servers', 'Microsoft.DBforMariaDB/servers/firewallRules' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallAllowAzureServices = @(GetMariaDBFirewallRule | Where-Object { $_.properties.startIpAddress -eq '0.0.0.0' -and $_.properties.endIpAddress -eq '0.0.0.0' }) @@ -109,7 +109,7 @@ Rule 'Azure.MariaDB.AllowAzureAccess' -Ref 'AZR-000342' -Type 'Microsoft.DBforMa } # Synopsis: Determine if there is an excessive number of firewall rules. -Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMariaDB/servers/firewallRules') $Assert.LessOrEqual($firewallRules, '.', 10). 
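Review bot: The rewritten `Azure.MariaDB.FirewallRuleCount` line in the second hunk carries over the missing space between the rule name and `-Ref` (`'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343'`), which no other rule in this file has. Since the line is being replaced anyway, add the space: `Rule 'Azure.MariaDB.FirewallRuleCount' -Ref 'AZR-000343' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } {`. The rule body continues outside the hunk.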
@@ -117,7 +117,7 @@ Rule 'Azure.MariaDB.FirewallRuleCount'-Ref 'AZR-000343' -Type 'Microsoft.DBforMa } # Synopsis: Determine if there is an excessive number of permitted IP addresses. -Rule 'Azure.MariaDB.FirewallIPRange' -Ref 'AZR-000344' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MariaDB.FirewallIPRange' -Ref 'AZR-000344' -Type 'Microsoft.DBforMariaDB/servers' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $summary = GetIPAddressSummary [int]$public = [int]$summary.Public diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 index 146096c63bf..55f42ae22de 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 @@ -6,7 +6,7 @@ # # Synopsis: Determine if there is an excessive number of firewall rules -Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/firewallRules'); $Assert. LessOrEqual($firewallRules, '.', 10). 
@@ -14,7 +14,7 @@ Rule 'Azure.MySQL.FirewallRuleCount' -Ref 'AZR-000133' -Type 'Microsoft.DBforMyS } # Synopsis: Determine if access from Azure services is required -Rule 'Azure.MySQL.AllowAzureAccess' -Ref 'AZR-000134' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MySQL.AllowAzureAccess' -Ref 'AZR-000134' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/firewallRules' | Where-Object { $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or ($_.properties.startIpAddress -eq '0.0.0.0' -and $_.properties.endIpAddress -eq '0.0.0.0') @@ -23,7 +23,7 @@ Rule 'Azure.MySQL.AllowAzureAccess' -Ref 'AZR-000134' -Type 'Microsoft.DBforMySQ } # Synopsis: Determine if there is an excessive number of permitted IP addresses -Rule 'Azure.MySQL.FirewallIPRange' -Ref 'AZR-000135' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MySQL.FirewallIPRange' -Ref 'AZR-000135' -Type 'Microsoft.DBforMySQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $summary = GetIPAddressSummary $Assert. LessOrEqual($summary, 'Public', 10). 
@@ -61,7 +61,7 @@ Rule 'Azure.MySQL.UseFlexible' -Ref 'AZR-000325' -Type 'Microsoft.DBforMySQL/fle } # Synopsis: Enable Microsoft Defender for Cloud for Azure Database for MySQL. -Rule 'Azure.MySQL.DefenderCloud' -Ref 'AZR-000328' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.MySQL.DefenderCloud' -Ref 'AZR-000328' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { if ($PSRule.TargetType -eq 'Microsoft.DBforMySQL/servers') { $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/securityAlertPolicies') if ($defenderConfigs.Length -eq 0) { diff --git a/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1 index a4c200f202b..fa8c43002d9 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.NSG.Rule.ps1 @@ -8,7 +8,7 @@ #region Rules # Synopsis: Network security groups should avoid any inbound rules -Rule 'Azure.NSG.AnyInboundSource' -Ref 'AZR-000137' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.NSG.AnyInboundSource' -Ref 'AZR-000137' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $inboundRules = @(GetOrderedNSGRules -Direction Inbound); $rules = $inboundRules | Where-Object { $_.properties.access -eq 'Allow' -and 
@@ -29,7 +29,7 @@ Rule 'Azure.NSG.DenyAllInbound' -Ref 'AZR-000138' -Type 'Microsoft.Network/netwo } # Synopsis: Lateral traversal from application servers should be blocked -Rule 'Azure.NSG.LateralTraversal' -Ref 'AZR-000139' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.NSG.LateralTraversal' -Ref 'AZR-000139' -Type 'Microsoft.Network/networkSecurityGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $nsg = [PSRule.Rules.Azure.Runtime.Helper]::GetNetworkSecurityGroup(@(GetOrderedNSGRules -Direction Outbound)); $rdp = $nsg.Outbound('VirtualNetwork', 3389); diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 index 7f27d774adf..78957e8b36e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 @@ -6,7 +6,7 @@ # # Synopsis: Determine if there is an excessive number of firewall rules -Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/firewallRules'); $Assert. LessOrEqual($firewallRules, '.', 10). 
@@ -14,7 +14,7 @@ Rule 'Azure.PostgreSQL.FirewallRuleCount' -Ref 'AZR-000149' -Type 'Microsoft.DBf } # Synopsis: Determine if access from Azure services is required -Rule 'Azure.PostgreSQL.AllowAzureAccess' -Ref 'AZR-000150' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.PostgreSQL.AllowAzureAccess' -Ref 'AZR-000150' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/firewallRules' | Where-Object { $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or ($_.properties.startIpAddress -eq '0.0.0.0' -and $_.properties.endIpAddress -eq '0.0.0.0') @@ -23,7 +23,7 @@ Rule 'Azure.PostgreSQL.AllowAzureAccess' -Ref 'AZR-000150' -Type 'Microsoft.DBfo } # Synopsis: Determine if there is an excessive number of permitted IP addresses -Rule 'Azure.PostgreSQL.FirewallIPRange' -Ref 'AZR-000151' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.PostgreSQL.FirewallIPRange' -Ref 'AZR-000151' -Type 'Microsoft.DBforPostgreSQL/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $summary = GetIPAddressSummary $Assert. LessOrEqual($summary, 'Public', 10). 
@@ -56,7 +56,7 @@ Rule 'Azure.PostgreSQL.GeoRedundantBackup' -Ref 'AZR-000326' -Type 'Microsoft.DB } # Synopsis: Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. -Rule 'Azure.PostgreSQL.DefenderCloud' -Ref 'AZR-000327' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.PostgreSQL.DefenderCloud' -Ref 'AZR-000327' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { if ($PSRule.TargetType -eq 'Microsoft.DBforPostgreSQL/servers') { $defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies') if ($defenderConfigs.Length -eq 0) { diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index 04f8953b85f..5640a3bcaf8 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 
@@ -76,7 +76,7 @@ Rule 'Azure.RedisEnterprise.Zones' -Ref 'AZR-000162' -Type 'Microsoft.Cache/redi } -Configure @{ AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST = @() } # Synopsis: Determine if there is an excessive number of firewall rules for the Redis cache. -Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $services = @($TargetObject); @@ -95,7 +95,7 @@ Rule 'Azure.Redis.FirewallRuleCount' -Ref 'AZR-000299' -Type 'Microsoft.Cache/re } # Synopsis: Determine if there is an excessive number of permitted IP addresses for the Redis cache. -Rule 'Azure.Redis.FirewallIPRange' -Ref 'AZR-000300' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Redis.FirewallIPRange' -Ref 'AZR-000300' -Type 'Microsoft.Cache/redis', 'Microsoft.Cache/redis/firewallRules' -If { HasPublicNetworkAccess } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $services = @($TargetObject); diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml index 0118769afea..fd87466cfd5 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml @@ -88,6 +88,7 @@ metadata: Azure.WAF/pillar: Security labels: Azure.MCSB.v1/control: NS-2 + Azure.WAF/maturity: L2 spec: type: - Microsoft.Cache/Redis 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 index fad5a70dbbf..8fb2ce90452 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 @@ -8,7 +8,7 @@ #region SQL Logical Server # Synopsis: Determine if there is an excessive number of firewall rules -Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/firewallRules'); $Assert. LessOrEqual($firewallRules, '.', 10). @@ -16,7 +16,7 @@ Rule 'Azure.SQL.FirewallRuleCount' -Ref 'AZR-000183' -Type 'Microsoft.Sql/server } # Synopsis: Determine if access from Azure services is required -Rule 'Azure.SQL.AllowAzureAccess' -Ref 'AZR-000184' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.SQL.AllowAzureAccess' -Ref 'AZR-000184' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $firewallRules = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/firewallRules' | Where-Object { $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or ($_.properties.StartIpAddress -eq '0.0.0.0' -and $_.properties.EndIpAddress -eq '0.0.0.0') 
@@ -25,7 +25,7 @@ Rule 'Azure.SQL.AllowAzureAccess' -Ref 'AZR-000184' -Type 'Microsoft.Sql/servers } # Synopsis: Determine if there is an excessive number of permitted IP addresses -Rule 'Azure.SQL.FirewallIPRange' -Ref 'AZR-000185' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.SQL.FirewallIPRange' -Ref 'AZR-000185' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $summary = GetIPAddressSummary $Assert. LessOrEqual($summary, 'Public', 10). @@ -33,7 +33,7 @@ Rule 'Azure.SQL.FirewallIPRange' -Ref 'AZR-000185' -Type 'Microsoft.Sql/servers' } # Synopsis: Enable Microsoft Defender for Cloud for Azure SQL logical server -Rule 'Azure.SQL.DefenderCloud' -Alias 'Azure.SQL.ThreatDetection' -Ref 'AZR-000186' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-3' } { +Rule 'Azure.SQL.DefenderCloud' -Alias 'Azure.SQL.ThreatDetection' -Ref 'AZR-000186' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-3'; 'Azure.WAF/maturity' = 'L2' } { $configs = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/securityAlertPolicies'); if ($configs.Length -eq 0) { return $Assert.Fail($LocalizedData.SubResourceNotFound, 'Microsoft.Sql/servers/securityAlertPolicies'); 
@@ -44,7 +44,7 @@ Rule 'Azure.SQL.DefenderCloud' -Alias 'Azure.SQL.ThreatDetection' -Ref 'AZR-0001 } # Synopsis: Enable auditing for Azure SQL logical server. -Rule 'Azure.SQL.Auditing' -Ref 'AZR-000187' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-3' } { +Rule 'Azure.SQL.Auditing' -Ref 'AZR-000187' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-3'; 'Azure.WAF/maturity' = 'L2' } { $configs = @(GetSubResources -ResourceType 'Microsoft.Sql/servers/auditingSettings'); if ($configs.Length -eq 0) { return $Assert.Fail($LocalizedData.SubResourceNotFound, 'Microsoft.Sql/servers/auditingSettings'); @@ -99,7 +99,7 @@ Rule 'Azure.SQL.AADOnly' -Ref 'AZR-000369' -Type 'Microsoft.Sql/servers', 'Micro } # Synopsis: Ensure SQL logical server has a vulnerability assessment scan enabled. -Rule 'Azure.SQL.VAScan' -Ref 'AZR-000455' -Type 'Microsoft.Sql/servers', 'Microsoft.Sql/servers/sqlVulnerabilityAssessments' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.SQL.VAScan' -Ref 'AZR-000455' -Type 'Microsoft.Sql/servers', 'Microsoft.Sql/servers/sqlVulnerabilityAssessments' -Tag @{ release = 'GA'; ruleSet = '2025_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $configs = @($TargetObject); $classicConfigs = @(); if ($PSRule.TargetType -eq 'Microsoft.Sql/servers') { diff --git a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 index 99bb596b892..d47f752f6f4 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1 
@@ -34,7 +34,7 @@ Rule 'Azure.Storage.SoftDelete' -Ref 'AZR-000197' -Type 'Microsoft.Storage/stora } # Synopsis: Use containers configured with a private access type that requires authorization. -Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices/containers' -If { !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.Storage.BlobAccessType' -Ref 'AZR-000199' -Type 'Microsoft.Storage/storageAccounts', 'Microsoft.Storage/storageAccounts/blobServices/containers' -If { !(IsFileStorage) } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $containers = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Storage/storageAccounts') { $containers = @(GetSubResources -ResourceType 'Microsoft.Storage/storageAccounts/blobServices/containers'); 
@@ -93,21 +93,21 @@ Rule 'Azure.Storage.ContainerSoftDelete' -Ref 'AZR-000289' -Type 'Microsoft.Stor } # Synopsis: Enable Malware Scanning in Microsoft Defender for Storage. -Rule 'Azure.Storage.Defender.MalwareScan' -Alias 'Azure.Storage.DefenderCloud.MalwareScan' -Ref 'AZR-000384' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Storage.Defender.MalwareScan' -Alias 'Azure.Storage.DefenderCloud.MalwareScan' -Ref 'AZR-000384' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'GA'; ruleSet = '2024_03'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $malwareDisabled = @(GetSubResources -ResourceType 'Microsoft.Security/DefenderForStorageSettings' | Where-Object { $_.properties.malwareScanning.onUpload.isEnabled -eq $False }) $Assert.Count($malwareDisabled, '.', 0).Reason($LocalizedData.ResStorageMalwareScanning, $PSRule.TargetName) } # Synopsis: Enable sensitive data threat detection in Microsoft Defender for Storage. 
-Rule 'Azure.Storage.Defender.DataScan' -Alias 'Azure.Storage.DefenderCloud.SensitiveData' -Ref 'AZR-000391' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Storage.Defender.DataScan' -Alias 'Azure.Storage.DefenderCloud.SensitiveData' -Ref 'AZR-000391' -Type 'Microsoft.Storage/storageAccounts' -If { IsPublicNetworkAccessEnabled } -Tag @{ release = 'preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $sensitiveDisabled = @(GetSubResources -ResourceType 'Microsoft.Security/DefenderForStorageSettings' | Where-Object { $_.properties.sensitiveDataDiscovery.isEnabled -eq $False }) $Assert.Count($sensitiveDisabled, '.', 0).Reason($LocalizedData.ResStorageSensitiveDataThreatDetection, $PSRule.TargetName) } # Synopsis: Enable Microsoft Defender for Storage for storage accounts. -Rule 'Azure.Storage.DefenderCloud' -Ref 'AZR-000386' -Type 'Microsoft.Storage/storageAccounts' -If { $Configuration.AZURE_STORAGE_DEFENDER_PER_ACCOUNT -eq $True } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') } { +Rule 'Azure.Storage.DefenderCloud' -Ref 'AZR-000386' -Type 'Microsoft.Storage/storageAccounts' -If { $Configuration.AZURE_STORAGE_DEFENDER_PER_ACCOUNT -eq $True } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1'); 'Azure.WAF/maturity' = 'L2' } { $defender = @(GetSubResources -ResourceType 'Microsoft.Security/DefenderForStorageSettings' | Where-Object { $_.properties.isEnabled -eq $True }) $Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.SubResourceNotFound, 'Microsoft.Security/DefenderForStorageSettings') 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 index ec122041c4b..f448b4b2e0d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 @@ -8,7 +8,7 @@ #region RBAC # Synopsis: Use groups for assigning permissions instead of individual user accounts -Rule 'Azure.RBAC.UseGroups' -Ref 'AZR-000203' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } { +Rule 'Azure.RBAC.UseGroups' -Ref 'AZR-000203' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } { $assignments = @($TargetObject.resources | Where-Object { $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and $_.ObjectType -eq 'User' @@ -19,7 +19,7 @@ Rule 'Azure.RBAC.UseGroups' -Ref 'AZR-000203' -Type 'Microsoft.Subscription' -Ta } # Synopsis: Limit the number of subscription Owners -Rule 'Azure.RBAC.LimitOwner' -Ref 'AZR-000204' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } { +Rule 'Azure.RBAC.LimitOwner' -Ref 'AZR-000204' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } { $assignments = @($TargetObject.resources | Where-Object { $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and $_.RoleDefinitionName -eq 'Owner' -and 
@@ -32,7 +32,7 @@ Rule 'Azure.RBAC.LimitOwner' -Ref 'AZR-000204' -Type 'Microsoft.Subscription' -T } # Synopsis: Limit RBAC inheritance from Management Groups -Rule 'Azure.RBAC.LimitMGDelegation' -Ref 'AZR-000205' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } { +Rule 'Azure.RBAC.LimitMGDelegation' -Ref 'AZR-000205' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } { $assignments = @($TargetObject.resources | Where-Object { $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and ($_.Scope -like "/providers/Microsoft.Management/managementGroups/*") @@ -43,7 +43,7 @@ Rule 'Azure.RBAC.LimitMGDelegation' -Ref 'AZR-000205' -Type 'Microsoft.Subscript } # Synopsis: Avoid using classic co-administrator roles -Rule 'Azure.RBAC.CoAdministrator' -Ref 'AZR-000206' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } { +Rule 'Azure.RBAC.CoAdministrator' -Ref 'AZR-000206' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } { $assignments = @($TargetObject.resources | Where-Object { $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and $_.RoleDefinitionName -eq 'CoAdministrator' 
@@ -54,7 +54,7 @@ Rule 'Azure.RBAC.CoAdministrator' -Ref 'AZR-000206' -Type 'Microsoft.Subscriptio } # Synopsis: Use RBAC assignments on resource groups instead of individual resources -Rule 'Azure.RBAC.UseRGDelegation' -Ref 'AZR-000207' -Type 'Microsoft.Resources/resourceGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } { +Rule 'Azure.RBAC.UseRGDelegation' -Ref 'AZR-000207' -Type 'Microsoft.Resources/resourceGroups' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } { $assignments = @($TargetObject.resources | Where-Object { $_.ResourceType -eq 'Microsoft.Authorization/roleAssignments' -and $_.Scope -like "/subscriptions/*/resourceGroups/*/providers/*" @@ -65,7 +65,7 @@ Rule 'Azure.RBAC.UseRGDelegation' -Ref 'AZR-000207' -Type 'Microsoft.Resources/r } # Synopsis: Use JiT role activation with PIM -Rule 'Azure.RBAC.PIM' -Ref 'AZR-000208' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7' } { +Rule 'Azure.RBAC.PIM' -Ref 'AZR-000208' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PA-7'; 'Azure.WAF/maturity' = 'L2' } { # Get PIM assignment $assignments = @(GetSubResources -ResourceType 'Microsoft.Authorization/roleAssignments' | Where-Object { $_.DisplayName -eq 'MS-PIM' -and $_.ObjectType -eq 'ServicePrincipal' 
@@ -117,7 +117,7 @@ Rule 'Azure.Monitor.ServiceHealth' -Ref 'AZR-000211' -Type 'Microsoft.Subscripti #region Security # Synopsis: Alerts that have not received a response may indicate a security issue that requires attention. -Rule 'Azure.DefenderCloud.ActiveAlerts' -Ref 'AZR-000489' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.DefenderCloud.ActiveAlerts' -Ref 'AZR-000489' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $alerts = @(GetSubResources -ResourceType 'Microsoft.Security/Locations/alerts' | Where-Object { $_.properties.status -eq 'Active' -and $_.properties.severity -in @('High', 'Medium') diff --git a/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1 index 8824b6e87aa..0d8c5ef8a47 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1 @@ -8,7 +8,7 @@ #region Virtual machine # Synopsis: Virtual machines should use managed disks -Rule 'Azure.VM.UseManagedDisks' -Ref 'AZR-000238' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.Policy/id' = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' } { +Rule 'Azure.VM.UseManagedDisks' -Ref 'AZR-000238' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.Policy/id' = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'; 'Azure.WAF/maturity' = 'L2' } { # Check OS disk $Assert. NullOrEmpty($TargetObject, 'properties.storageProfile.osDisk.vhd.uri'). 
@@ -60,7 +60,7 @@ Rule 'Azure.VM.AcceleratedNetworking' -Ref 'AZR-000244' -If { SupportsAccelerate } # Synopsis: Linux VMs should use public key pair -Rule 'Azure.VM.PublicKey' -Ref 'AZR-000245' -If { VMHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VM.PublicKey' -Ref 'AZR-000245' -If { VMHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $Assert.HasFieldValue($TargetObject, 'Properties.osProfile.linuxConfiguration.disablePasswordAuthentication', $True) } @@ -71,7 +71,7 @@ Rule 'Azure.VM.Agent' -Ref 'AZR-000246' -Type 'Microsoft.Compute/virtualMachines } # Synopsis: Ensure automatic updates are enabled at deployment -Rule 'Azure.VM.Updates' -Ref 'AZR-000247' -Type 'Microsoft.Compute/virtualMachines' -If { IsWindowsOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'ES-3' } { +Rule 'Azure.VM.Updates' -Ref 'AZR-000247' -Type 'Microsoft.Compute/virtualMachines' -If { IsWindowsOS } -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'ES-3'; 'Azure.WAF/maturity' = 'L2' } { $Assert.HasDefaultValue($TargetObject, 'Properties.osProfile.windowsConfiguration.enableAutomaticUpdates', $True) } 
@@ -218,7 +218,7 @@ Rule 'Azure.VM.PPGName' -Ref 'AZR-000260' -Type 'Microsoft.Compute/proximityPlac #endregion Proximity Placement Groups # Synopsis: Protect Custom Script Extensions commands -Rule 'Azure.VM.ScriptExtensions' -Ref 'AZR-000332' -Type 'Microsoft.Compute/virtualMachines', 'Microsoft.Compute/virtualMachines/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VM.ScriptExtensions' -Ref 'AZR-000332' -Type 'Microsoft.Compute/virtualMachines', 'Microsoft.Compute/virtualMachines/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $vmConfig = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.Compute/virtualMachines') { @@ -294,7 +294,7 @@ Rule 'Azure.VM.MaintenanceConfig' -Ref 'AZR-000375' -Type 'Microsoft.Compute/vir #region Public IP # Synopsis: Avoid attaching public IPs directly to virtual machines. -Rule 'Azure.VM.PublicIPAttached' -Ref 'AZR-000449' -Type 'Microsoft.Network/networkInterfaces' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VM.PublicIPAttached' -Ref 'AZR-000449' -Type 'Microsoft.Network/networkInterfaces' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $configurations = @($TargetObject.properties.ipConfigurations) if ($configurations.Count -eq 0) { diff --git a/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 index b91cfaf7f60..03bf3aab5c9 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 
@@ -45,13 +45,13 @@ Rule 'Azure.VMSS.ComputerName' -Ref 'AZR-000262' -Type 'Microsoft.Compute/virtua } # Synopsis: Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. -Rule 'Azure.VMSS.PublicKey' -Ref 'AZR-000288' -Type 'Microsoft.Compute/virtualMachineScaleSets' -If { VMSSHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4' } { +Rule 'Azure.VMSS.PublicKey' -Ref 'AZR-000288' -Type 'Microsoft.Compute/virtualMachineScaleSets' -If { VMSSHasLinuxOS } -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-4'; 'Azure.WAF/maturity' = 'L2' } { $Assert.In($TargetObject, 'properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication', $True). Reason($LocalizedData.VMSSPublicKey, $PSRule.TargetName) } # Synopsis: Protect Custom Script Extensions commands -Rule 'Azure.VMSS.ScriptExtensions' -Ref 'AZR-000333' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Computer/virtualMachineScaleSets/CustomScriptExtension', 'Microsoft.Compute/virtualMachineScaleSets/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VMSS.ScriptExtensions' -Ref 'AZR-000333' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Computer/virtualMachineScaleSets/CustomScriptExtension', 'Microsoft.Compute/virtualMachineScaleSets/extensions' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $vmssConfig = @($TargetObject); ## Extension Prof 
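Review bot: The rewritten `Azure.VMSS.ScriptExtensions` line carries over a resource type that looks misspelled, `'Microsoft.Computer/virtualMachineScaleSets/CustomScriptExtension'`, while every other type in this hunk uses the `Microsoft.Compute` namespace, so that entry probably never matches a real target and the rule silently skips anything reported under the intended type. Since the line is being edited anyway, this is the cheap moment to correct it: `-Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Compute/virtualMachineScaleSets/CustomScriptExtension', 'Microsoft.Compute/virtualMachineScaleSets/extensions'`. Worth confirming no test fixture or documentation depends on the old string before changing it. The body of `Azure.VMSS.ScriptExtensions` continues past the end of this hunk.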
@@ -118,7 +118,7 @@ Rule 'Azure.VMSS.ZoneBalance' -Ref 'AZR-000438' -Type 'Microsoft.Compute/virtual } # Synopsis: Avoid attaching public IPs directly to virtual machine scale set instances. -Rule 'Azure.VMSS.PublicIPAttached' -Ref 'AZR-000450' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VMSS.PublicIPAttached' -Ref 'AZR-000450' -Type 'Microsoft.Compute/virtualMachineScaleSets', 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines' -Tag @{ release = 'GA'; ruleSet = '2024_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { if ($PSRule.TargetType -eq 'Microsoft.Compute/virtualMachineScaleSets') { $configurations = @( $TargetObject.properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations | ForEach-Object { $_.properties.ipConfigurations } | Where-Object { $null -ne $_ } diff --git a/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 index bc50beb2b8e..de7cd06c24a 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.VNET.Rule.ps1 
@@ -8,7 +8,7 @@ #region Virtual Network # Synopsis: Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. -Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1' } { +Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'NS-1'; 'Azure.WAF/maturity' = 'L2' } { $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet'); foreach ($exclusion in $Configuration.GetStringValues('AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG')) { if ($exclusion) { @@ -126,7 +126,7 @@ Rule 'Azure.VNET.BastionSubnet' -Ref 'AZR-000314' -Type 'Microsoft.Network/virtu } # Synopsis: Use Azure Firewall to filter network traffic to and from Azure resources. -Rule 'Azure.VNET.FirewallSubnet' -Ref 'AZR-000322' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VNET.FirewallSubnet' -Ref 'AZR-000322' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $subnets = @(GetVirtualNetworkSubnetNames) $Assert.In($subnets, '.', @('AzureFirewallSubnet')).ReasonFrom('properties.subnets', $LocalizedData.SubnetNotFound, 'AzureFirewallSubnet') } 
@@ -154,7 +154,7 @@ Rule 'Azure.VNET.FirewallSubnetNAT' -Ref 'AZR-000448' -Level 'Warning' -Type 'Mi } # Synopsis: Disable default outbound access for virtual machines. -Rule 'Azure.VNET.PrivateSubnet' -Ref 'AZR-000447' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } { +Rule 'Azure.VNET.PrivateSubnet' -Ref 'AZR-000447' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.WAF/maturity' = 'L2' } { $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'AzureBastionSubnet') if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') { $subnets = @( diff --git a/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml index cb5696d4d63..a93b4b3e37c 100644 --- a/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/WAF.Rule.yaml @@ -43,6 +43,27 @@ spec: labels: Azure.WAF/maturity: L1 +--- +# Synopsis: Microsoft Azure Well-Architected Framework - Security pillar Level 2 maturity baseline. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Baseline +metadata: + name: Azure.Pillar.Security.L2 + annotations: + taxonomy: Azure.WAF + pillar: Security + maturity: L2 + export: true + moduleVersion: v1.40.0 + experimental: true +spec: + rule: + tag: + release: GA + Azure.WAF/pillar: Security + labels: + Azure.WAF/maturity: L2 + --- # Synopsis: Microsoft Azure Well-Architected Framework - Operational Excellence pillar specific baseline. apiVersion: github.com/microsoft/PSRule/v1 From 54e1ab2b1422fd9c2d005c8de91156c838291818 Mon Sep 17 00:00:00 2001 
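Review bot: The new `Azure.Pillar.Security.L2` baseline selects rules by `tag: release: GA` in combination with the `Azure.WAF/maturity: L2` label, so a rule that received the L2 label in this patch but is tagged `release = 'preview'` — `Azure.Storage.Defender.DataScan` in the Azure.Storage.Rule.ps1 hunk earlier in the same commit — will carry the label yet be left out of the baseline. If that is intended (presumably mirroring the L1 baseline whose tail is the context above), a one-line comment on the new `spec` would stop the next reader from treating the label alone as sufficient, e.g. `# Preview rules labelled L2 are only included once they reach GA.`; if it is not intended, the preview rule should not be labelled until it ships. The `experimental: true` annotation is consistent with how the changelog entry in the next commit describes the baseline.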
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 20:42:46 +0000 Subject: [PATCH 3/6] Add Azure.Pillar.Security.L2 baseline, L2 maturity labels, and documentation updates Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/cb5289a6-ff5c-4508-a616-491e22344823 --- docs/changelog.md | 6 +++--- docs/working-with-baselines.md | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/changelog.md b/docs/changelog.md index 4591de7fbef..5873e2dcecd 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -31,9 +31,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased - New features: - - Added `Azure.Pillar.Security.L2` WAF baseline for the Security pillar Level 2 maturity baseline by @Copilot. -- Updated rules: - - Added `Azure.WAF/maturity: L2` labels to Security pillar rules covering network ingress, authentication, hardening, deployment practices, and maintenance by @Copilot. + - Added `Azure.Pillar.Security.L2` experimental baseline for the Security pillar Level 2 maturity. + [#3726](https://github.com/Azure/PSRule.Rules.Azure/issues/3726) + - Added `Azure.WAF/maturity: L2` labels to Security pillar rules covering network ingress, authentication controls, workload hardening, deployment practices, and maintenance. - Updated rules: - Azure Kubernetes Service: - Updated `Azure.AKS.Version` to use `1.33.7` as the minimum version by @BernieWhite. diff --git a/docs/working-with-baselines.md b/docs/working-with-baselines.md index 1f40c194059..42bac4eccb1 100644 --- a/docs/working-with-baselines.md +++ b/docs/working-with-baselines.md 
@@ -79,6 +79,7 @@ The following baselines are available: - [Azure.Pillar.Reliability][7] — A baseline that only includes reliability rules. - [Azure.Pillar.Security][8] — A baseline that only includes security rules. - [Azure.Pillar.Security.L1][9] — A baseline that only includes security rules at with maturity level 1. +- [Azure.Pillar.Security.L2][10] — A baseline that only includes security rules with maturity level 2. [4]: en/baselines/Azure.Pillar.CostOptimization.md [5]: en/baselines/Azure.Pillar.OperationalExcellence.md @@ -86,6 +87,7 @@ The following baselines are available: [7]: en/baselines/Azure.Pillar.Reliability.md [8]: en/baselines/Azure.Pillar.Security.md [9]: en/baselines/Azure.Pillar.Security.L1.md + [10]: en/baselines/Azure.Pillar.Security.L2.md ## Additional standard baselines From 3ca1908d7c85d03b00338f44757a8828b5a62ead Mon Sep 17 00:00:00 2001 From: Bernie White Date: Thu, 26 Mar 2026 20:04:56 +0100 Subject: [PATCH 4/6] Add doc link --- docs/en/rules/Azure.ACR.ContainerScan.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/en/rules/Azure.ACR.ContainerScan.md b/docs/en/rules/Azure.ACR.ContainerScan.md index 2b7f393de51..f4b055da3ee 100644 --- a/docs/en/rules/Azure.ACR.ContainerScan.md +++ b/docs/en/rules/Azure.ACR.ContainerScan.md 
@@ -99,6 +99,7 @@ This rule applies when analyzing resources deployed (in-flight) to Azure and doe ## LINKS - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Introduction to Microsoft Defender for container registries](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-container-registries-introduction) - [Container security in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction) - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time) From 91a76b05b2c611f913e9ac79d04396b4d3f08585 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 19:13:00 +0000 Subject: [PATCH 5/6] Add Security: Level 2 maturity model link to updated rule documentation files Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/cf754a70-bcce-449c-95ef-ef1709ce2eca Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- docs/en/rules/Azure.ACR.AnonymousAccess.md | 1 + docs/en/rules/Azure.ACR.ContentTrust.md | 1 + docs/en/rules/Azure.ACR.ExportPolicy.md | 1 + docs/en/rules/Azure.ACR.Firewall.md | 1 + docs/en/rules/Azure.ACR.Quarantine.md | 1 + docs/en/rules/Azure.AI.PrivateEndpoints.md | 1 + docs/en/rules/Azure.AI.PublicAccess.md | 1 + docs/en/rules/Azure.AKS.AuthorizedIPs.md | 1 + docs/en/rules/Azure.AKS.AutoUpgrade.md | 1 + docs/en/rules/Azure.AKS.AzurePolicyAddOn.md | 1 + docs/en/rules/Azure.AKS.AzureRBAC.md | 1 + docs/en/rules/Azure.AKS.DefenderProfile.md | 1 + docs/en/rules/Azure.AKS.HttpAppRouting.md | 1 + docs/en/rules/Azure.AKS.NetworkPolicy.md | 1 + docs/en/rules/Azure.AKS.NodeAutoUpgrade.md | 1 + docs/en/rules/Azure.AKS.SecretStore.md | 1 + docs/en/rules/Azure.AKS.SecretStoreRotation.md | 1 + docs/en/rules/Azure.AKS.UseRBAC.md | 1 + docs/en/rules/Azure.APIM.DefenderCloud.md | 1 + docs/en/rules/Azure.APIM.EncryptValues.md | 1 + docs/en/rules/Azure.APIM.ProductApproval.md | 1 + docs/en/rules/Azure.APIM.ProductSubscription.md | 1 + docs/en/rules/Azure.APIM.SampleProducts.md | 1 + docs/en/rules/Azure.AppConfig.SecretLeak.md | 1 + docs/en/rules/Azure.AppGw.OWASP.md | 1 + docs/en/rules/Azure.AppGw.Prevention.md | 1 + docs/en/rules/Azure.AppGw.UseWAF.md | 1 + docs/en/rules/Azure.AppGw.WAFEnabled.md | 1 + docs/en/rules/Azure.AppGw.WAFRules.md | 1 + docs/en/rules/Azure.AppService.NETVersion.md | 1 + docs/en/rules/Azure.AppService.NodeJsVersion.md | 1 + docs/en/rules/Azure.AppService.PHPVersion.md | 1 + docs/en/rules/Azure.AppService.RemoteDebug.md | 1 + 
docs/en/rules/Azure.Arc.Kubernetes.Defender.md | 1 + docs/en/rules/Azure.Automation.EncryptVariables.md | 1 + docs/en/rules/Azure.Automation.WebHookExpiry.md | 4 ++++ docs/en/rules/Azure.BV.Immutable.md | 1 + docs/en/rules/Azure.CDN.HTTP.md | 1 + docs/en/rules/Azure.ContainerApp.ExternalIngress.md | 1 + docs/en/rules/Azure.ContainerApp.PublicAccess.md | 1 + docs/en/rules/Azure.ContainerApp.RestrictIngress.md | 1 + docs/en/rules/Azure.Cosmos.DefenderCloud.md | 1 + docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md | 1 + docs/en/rules/Azure.Cosmos.PublicAccess.md | 1 + docs/en/rules/Azure.DNS.DNSSEC.md | 1 + docs/en/rules/Azure.Databricks.PublicAccess.md | 1 + docs/en/rules/Azure.Databricks.SecureConnectivity.md | 1 + docs/en/rules/Azure.Defender.Api.md | 1 + docs/en/rules/Azure.Defender.AppServices.md | 1 + docs/en/rules/Azure.Defender.Arm.md | 1 + docs/en/rules/Azure.Defender.Containers.md | 1 + docs/en/rules/Azure.Defender.CosmosDb.md | 1 + docs/en/rules/Azure.Defender.Cspm.md | 1 + docs/en/rules/Azure.Defender.Dns.md | 1 + docs/en/rules/Azure.Defender.KeyVault.md | 1 + docs/en/rules/Azure.Defender.OssRdb.md | 1 + docs/en/rules/Azure.Defender.SQL.md | 1 + docs/en/rules/Azure.Defender.SQLOnVM.md | 1 + docs/en/rules/Azure.Defender.SecurityContact.md | 1 + docs/en/rules/Azure.Defender.Servers.md | 1 + docs/en/rules/Azure.Defender.Storage.DataScan.md | 1 + docs/en/rules/Azure.Defender.Storage.MalwareScan.md | 1 + docs/en/rules/Azure.Defender.Storage.md | 1 + docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md | 1 + docs/en/rules/Azure.DefenderCloud.Provisioning.md | 1 + docs/en/rules/Azure.Deployment.AdminUsername.md | 1 + docs/en/rules/Azure.Deployment.OuterSecret.md | 1 + docs/en/rules/Azure.Deployment.OutputSecretValue.md | 1 + docs/en/rules/Azure.Deployment.SecretLeak.md | 1 + docs/en/rules/Azure.Deployment.SecureParameter.md | 1 + docs/en/rules/Azure.Deployment.SecureValue.md | 1 + docs/en/rules/Azure.EventGrid.TopicPublicAccess.md | 1 + 
docs/en/rules/Azure.EventHub.Firewall.md | 1 + docs/en/rules/Azure.Firewall.PolicyMode.md | 1 + docs/en/rules/Azure.FrontDoor.Logs.md | 1 + docs/en/rules/Azure.FrontDoor.UseWAF.md | 1 + docs/en/rules/Azure.FrontDoor.WAF.Enabled.md | 1 + docs/en/rules/Azure.FrontDoor.WAF.Mode.md | 1 + docs/en/rules/Azure.ImageBuilder.CustomizeHash.md | 1 + docs/en/rules/Azure.ImageBuilder.ValidateHash.md | 1 + docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md | 1 + docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md | 1 + docs/en/rules/Azure.ML.ComputeVnet.md | 1 + docs/en/rules/Azure.MariaDB.AllowAzureAccess.md | 1 + docs/en/rules/Azure.MariaDB.DefenderCloud.md | 1 + docs/en/rules/Azure.MariaDB.FirewallIPRange.md | 1 + docs/en/rules/Azure.MariaDB.FirewallRuleCount.md | 1 + docs/en/rules/Azure.MySQL.AllowAzureAccess.md | 1 + docs/en/rules/Azure.MySQL.DefenderCloud.md | 1 + docs/en/rules/Azure.MySQL.FirewallIPRange.md | 1 + docs/en/rules/Azure.MySQL.FirewallRuleCount.md | 1 + docs/en/rules/Azure.NSG.AnyInboundSource.md | 1 + docs/en/rules/Azure.NSG.LateralTraversal.md | 1 + docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md | 1 + docs/en/rules/Azure.PostgreSQL.DefenderCloud.md | 1 + docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md | 1 + docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md | 1 + docs/en/rules/Azure.RBAC.CoAdministrator.md | 1 + docs/en/rules/Azure.RBAC.LimitMGDelegation.md | 4 ++++ docs/en/rules/Azure.RBAC.LimitOwner.md | 1 + docs/en/rules/Azure.RBAC.PIM.md | 1 + docs/en/rules/Azure.RBAC.UseGroups.md | 1 + docs/en/rules/Azure.RBAC.UseRGDelegation.md | 1 + docs/en/rules/Azure.Redis.FirewallIPRange.md | 1 + docs/en/rules/Azure.Redis.FirewallRuleCount.md | 1 + docs/en/rules/Azure.Redis.PublicNetworkAccess.md | 1 + docs/en/rules/Azure.SQL.AllowAzureAccess.md | 1 + docs/en/rules/Azure.SQL.Auditing.md | 1 + docs/en/rules/Azure.SQL.DefenderCloud.md | 1 + docs/en/rules/Azure.SQL.FirewallIPRange.md | 1 + docs/en/rules/Azure.SQL.FirewallRuleCount.md | 1 + 
 docs/en/rules/Azure.SQL.VAScan.md | 1 +
 docs/en/rules/Azure.Storage.BlobAccessType.md | 1 +
 docs/en/rules/Azure.Storage.Defender.DataScan.md | 1 +
 docs/en/rules/Azure.Storage.Defender.MalwareScan.md | 1 +
 docs/en/rules/Azure.Storage.DefenderCloud.md | 1 +
 docs/en/rules/Azure.VM.PublicIPAttached.md | 1 +
 docs/en/rules/Azure.VM.PublicKey.md | 1 +
 docs/en/rules/Azure.VM.ScriptExtensions.md | 1 +
 docs/en/rules/Azure.VM.Updates.md | 1 +
 docs/en/rules/Azure.VM.UseManagedDisks.md | 1 +
 docs/en/rules/Azure.VMSS.PublicIPAttached.md | 1 +
 docs/en/rules/Azure.VMSS.PublicKey.md | 1 +
 docs/en/rules/Azure.VMSS.ScriptExtensions.md | 1 +
 docs/en/rules/Azure.VNET.FirewallSubnet.md | 1 +
 docs/en/rules/Azure.VNET.PrivateSubnet.md | 1 +
 docs/en/rules/Azure.VNET.UseNSGs.md | 1 +
 127 files changed, 133 insertions(+)

diff --git a/docs/en/rules/Azure.ACR.AnonymousAccess.md b/docs/en/rules/Azure.ACR.AnonymousAccess.md
index d44f3b18404..97d9795bbde 100644
--- a/docs/en/rules/Azure.ACR.AnonymousAccess.md
+++ b/docs/en/rules/Azure.ACR.AnonymousAccess.md
@@ -143,6 +143,7 @@ For example: You are a software vendor and intend to distribute container images
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Make your container registry content publicly available](https://learn.microsoft.com/azure/container-registry/anonymous-pull-access)
 - [Azure security baseline for Container Registry](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#im-1-use-centralized-identity-and-authentication-system)
diff --git a/docs/en/rules/Azure.ACR.ContentTrust.md b/docs/en/rules/Azure.ACR.ContentTrust.md
index 3369f2ad4bc..d7fef146f04 100644
--- a/docs/en/rules/Azure.ACR.ContentTrust.md
+++ b/docs/en/rules/Azure.ACR.ContentTrust.md
@@ -118,6 +118,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Content trust in Azure Container Registry](https://learn.microsoft.com/azure/container-registry/container-registry-content-trust)
 - [Content trust in Docker](https://docs.docker.com/engine/security/trust/content_trust/)
 - [Overview of customer-managed keys](https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys#before-you-enable-a-customer-managed-key)
diff --git a/docs/en/rules/Azure.ACR.ExportPolicy.md b/docs/en/rules/Azure.ACR.ExportPolicy.md
index d5180b64066..a9923c162f4 100644
--- a/docs/en/rules/Azure.ACR.ExportPolicy.md
+++ b/docs/en/rules/Azure.ACR.ExportPolicy.md
@@ -153,6 +153,7 @@ such as in the case of public registries.
 ## LINKS
 
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Data loss prevention for Azure Container Registry](https://learn.microsoft.com/azure/container-registry/data-loss-prevention)
 - [Azure Security Benchmark - Monitor anomalies and threats targeting sensitive data](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data)
 - [Azure Policy - Container registries should have exports disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_ExportPolicy_AuditDeny.json)
diff --git a/docs/en/rules/Azure.ACR.Firewall.md b/docs/en/rules/Azure.ACR.Firewall.md
index 17ce7b9a07c..6960a5220f1 100644
--- a/docs/en/rules/Azure.ACR.Firewall.md
+++ b/docs/en/rules/Azure.ACR.Firewall.md
@@ -107,6 +107,7 @@ you must enable trusted Microsoft services for the vulnerability assessment feat
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Restrict access using private endpoint](https://learn.microsoft.com/azure/container-registry/container-registry-private-link)
 - [Restrict access using firewall rules](https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks)
 - [Allow trusted services to securely access a network-restricted container registry](https://learn.microsoft.com/azure/container-registry/allow-access-trusted-services)
diff --git a/docs/en/rules/Azure.ACR.Quarantine.md b/docs/en/rules/Azure.ACR.Quarantine.md
index 6d011daadb7..2de46e77624 100644
--- a/docs/en/rules/Azure.ACR.Quarantine.md
+++ b/docs/en/rules/Azure.ACR.Quarantine.md
@@ -120,6 +120,7 @@ Image quarantine for Azure Container Registry is currently in preview.
 ## LINKS
 
 - [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [How do I enable automatic image quarantine for a registry?](https://learn.microsoft.com/azure/container-registry/container-registry-faq#how-do-i-enable-automatic-image-quarantine-for-a-registry-)
 - [Quarantine Pattern](https://github.com/Azure/acr/tree/main/docs/preview/quarantine)
 - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time)
diff --git a/docs/en/rules/Azure.AI.PrivateEndpoints.md b/docs/en/rules/Azure.AI.PrivateEndpoints.md
index e0d5b5e3ca0..fca9707372d 100644
--- a/docs/en/rules/Azure.AI.PrivateEndpoints.md
+++ b/docs/en/rules/Azure.AI.PrivateEndpoints.md
@@ -96,6 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
 - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
diff --git a/docs/en/rules/Azure.AI.PublicAccess.md b/docs/en/rules/Azure.AI.PublicAccess.md
index 21e1608ff96..efed36c8cac 100644
--- a/docs/en/rules/Azure.AI.PublicAccess.md
+++ b/docs/en/rules/Azure.AI.PublicAccess.md
@@ -96,6 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
 - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
diff --git a/docs/en/rules/Azure.AKS.AuthorizedIPs.md b/docs/en/rules/Azure.AKS.AuthorizedIPs.md
index 8784b9cc8dc..11697ba7312 100644
--- a/docs/en/rules/Azure.AKS.AuthorizedIPs.md
+++ b/docs/en/rules/Azure.AKS.AuthorizedIPs.md
@@ -200,6 +200,7 @@ Set-AzAksCluster -Name '' -ResourceGroupName '' -ApiServer
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges)
 - [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
diff --git a/docs/en/rules/Azure.AKS.AutoUpgrade.md b/docs/en/rules/Azure.AKS.AutoUpgrade.md
index b808d275e18..2abd0067964 100644
--- a/docs/en/rules/Azure.AKS.AutoUpgrade.md
+++ b/docs/en/rules/Azure.AKS.AutoUpgrade.md
@@ -199,6 +199,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 
 - [OE:09 Task automation](https://learn.microsoft.com/azure/well-architected/operational-excellence/automate-tasks)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Supported Kubernetes versions in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions)
 - [Support policies for Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/support-policies)
 - [Automatically upgrade an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster)
diff --git a/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md b/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md
index 998dfa2970f..eb36872e0e4 100644
--- a/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md
+++ b/docs/en/rules/Azure.AKS.AzurePolicyAddOn.md
@@ -247,6 +247,7 @@ Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.
 ## LINKS
 
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Understand Azure Policy for Kubernetes clusters](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes)
 - [Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy](https://learn.microsoft.com/azure/aks/use-azure-policy)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
diff --git a/docs/en/rules/Azure.AKS.AzureRBAC.md b/docs/en/rules/Azure.AKS.AzureRBAC.md
index b879f40dfc5..19f087db73a 100644
--- a/docs/en/rules/Azure.AKS.AzureRBAC.md
+++ b/docs/en/rules/Azure.AKS.AzureRBAC.md
@@ -189,6 +189,7 @@ az aks update -n '' -g '' --enable-azure-rbac
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Use Azure RBAC for Kubernetes Authorization](https://learn.microsoft.com/azure/aks/manage-azure-rbac)
 - [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
diff --git a/docs/en/rules/Azure.AKS.DefenderProfile.md b/docs/en/rules/Azure.AKS.DefenderProfile.md
index 6292a0fcc68..c07251b5ee1 100644
--- a/docs/en/rules/Azure.AKS.DefenderProfile.md
+++ b/docs/en/rules/Azure.AKS.DefenderProfile.md
@@ -86,6 +86,7 @@ Outbound access so that the Defender profile can connect to Microsoft Defender f
 ## LINKS
 
 - [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction)
 - [Defender for Containers architecture](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-architecture?tabs=defender-for-container-arch-aks)
 - [Deploy the Defender profile](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-arm%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-profile)
diff --git a/docs/en/rules/Azure.AKS.HttpAppRouting.md b/docs/en/rules/Azure.AKS.HttpAppRouting.md
index 7e8efa240e5..83800bbb5d1 100644
--- a/docs/en/rules/Azure.AKS.HttpAppRouting.md
+++ b/docs/en/rules/Azure.AKS.HttpAppRouting.md
@@ -190,6 +190,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [HTTP application routing](https://learn.microsoft.com/azure/aks/http-application-routing)
 - [Migrate from HTTP application routing to the application routing add-on](https://learn.microsoft.com/azure/aks/app-routing-migration)
 - [What is Application Gateway for Containers?](https://learn.microsoft.com/azure/application-gateway/for-containers/overview)
diff --git a/docs/en/rules/Azure.AKS.NetworkPolicy.md b/docs/en/rules/Azure.AKS.NetworkPolicy.md
index 2819f004295..1a451a79e7d 100644
--- a/docs/en/rules/Azure.AKS.NetworkPolicy.md
+++ b/docs/en/rules/Azure.AKS.NetworkPolicy.md
@@ -245,6 +245,7 @@ Existing AKS clusters must be redeployed to enable Network Policy.
 ## LINKS
 
 - [SE:04 Segmentation](https://learn.microsoft.com/azure/well-architected/security/segmentation)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline#ns-1-establish-network-segmentation-boundaries)
 - [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/use-network-policies)
 - [Best practices for network connectivity and security in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-network#control-traffic-flow-with-network-policies)
diff --git a/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md b/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md
index 418abaee456..e78adc4c227 100644
--- a/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md
+++ b/docs/en/rules/Azure.AKS.NodeAutoUpgrade.md
@@ -225,6 +225,7 @@ It also helps you to identify such fixes shipped to a core add-on, and node imag
 ## LINKS
 
 - [SE:01-Security Baseline](https://learn.microsoft.com/azure/well-architected/security/establish-baseline)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Automatically upgrade AKS cluster node OS images](https://learn.microsoft.com/azure/aks/auto-upgrade-node-os-image?tabs=azure-cli)
 - [Upgrade Azure Kubernetes Service (AKS) node images](https://learn.microsoft.com/azure/aks/node-image-upgrade)
 - [Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/node-updates-kured)
diff --git a/docs/en/rules/Azure.AKS.SecretStore.md b/docs/en/rules/Azure.AKS.SecretStore.md
index 69e64ff6724..b8111d6c4c1 100644
--- a/docs/en/rules/Azure.AKS.SecretStore.md
+++ b/docs/en/rules/Azure.AKS.SecretStore.md
@@ -190,6 +190,7 @@ az aks enable-addons --addons azure-keyvault-secrets-provider -n '' -g '' -g ''
 ## LINKS
 
 - [Key and secret management considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Operational considerations](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#operational-considerations)
 - [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver)
 - [Automate the rotation of a secret for resources that use one set of authentication credentials](https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation)
diff --git a/docs/en/rules/Azure.AKS.UseRBAC.md b/docs/en/rules/Azure.AKS.UseRBAC.md
index 8173e7450a7..77a140edd34 100644
--- a/docs/en/rules/Azure.AKS.UseRBAC.md
+++ b/docs/en/rules/Azure.AKS.UseRBAC.md
@@ -29,6 +29,7 @@ Consider redeploying the AKS cluster with RBAC enabled.
 ## LINKS
 
 - [Access and identity options for Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/concepts-identity#azure-ad-integration)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
 - [Best practices for authentication and authorization in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-identity#use-azure-active-directory)
 - [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
diff --git a/docs/en/rules/Azure.APIM.DefenderCloud.md b/docs/en/rules/Azure.APIM.DefenderCloud.md
index 4aa873b8132..bb349f5c052 100644
--- a/docs/en/rules/Azure.APIM.DefenderCloud.md
+++ b/docs/en/rules/Azure.APIM.DefenderCloud.md
@@ -87,6 +87,7 @@ This rule may currently generate false positive results for APIs only hosted on
 ## LINKS
 
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-introduction)
 - [Support and prerequisites for Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-prepare)
diff --git a/docs/en/rules/Azure.APIM.EncryptValues.md b/docs/en/rules/Azure.APIM.EncryptValues.md
index 9a3f3309559..91af4f9f9fb 100644
--- a/docs/en/rules/Azure.APIM.EncryptValues.md
+++ b/docs/en/rules/Azure.APIM.EncryptValues.md
@@ -94,5 +94,6 @@ The identity needs permissions to get and list secrets from the Key Vault. Also
 ## LINKS
 
 - [Key storage](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Prerequisites for key vault integration](https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal#prerequisites-for-key-vault-integration)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/namedvalues#keyvaultcontractcreatepropertiesorkeyvaultcontractpr)
diff --git a/docs/en/rules/Azure.APIM.ProductApproval.md b/docs/en/rules/Azure.APIM.ProductApproval.md
index a6ff9a5052e..1574e0f7f66 100644
--- a/docs/en/rules/Azure.APIM.ProductApproval.md
+++ b/docs/en/rules/Azure.APIM.ProductApproval.md
@@ -98,6 +98,7 @@ resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#protect-nonidentity-based-secrets)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products)
 - [Subscriptions in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-subscriptions)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/products)
diff --git a/docs/en/rules/Azure.APIM.ProductSubscription.md b/docs/en/rules/Azure.APIM.ProductSubscription.md
index c65a0ed4bc1..ec89c3b08d5 100644
--- a/docs/en/rules/Azure.APIM.ProductSubscription.md
+++ b/docs/en/rules/Azure.APIM.ProductSubscription.md
@@ -98,6 +98,7 @@ resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#protect-nonidentity-based-secrets)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products)
 - [Subscriptions in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-subscriptions)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/products)
diff --git a/docs/en/rules/Azure.APIM.SampleProducts.md b/docs/en/rules/Azure.APIM.SampleProducts.md
index 251a99d418b..11295a574e9 100644
--- a/docs/en/rules/Azure.APIM.SampleProducts.md
+++ b/docs/en/rules/Azure.APIM.SampleProducts.md
@@ -35,4 +35,5 @@ This rule applies when analyzing API Management Services (in-flight) and running
 ## LINKS
 
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Create and publish a product](https://learn.microsoft.com/azure/api-management/api-management-howto-add-products)
diff --git a/docs/en/rules/Azure.AppConfig.SecretLeak.md b/docs/en/rules/Azure.AppConfig.SecretLeak.md
index ebb4325399b..5dd8dfc71a5 100644
--- a/docs/en/rules/Azure.AppConfig.SecretLeak.md
+++ b/docs/en/rules/Azure.AppConfig.SecretLeak.md
@@ -111,6 +111,7 @@ For example:
 ## LINKS
 
 - [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [IM-8: Restrict the exposure of credential and secrets](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-app-configuration-security-baseline#im-8-restrict-the-exposure-of-credential-and-secrets)
 - [Use Key Vault references in an ASP.NET Core app](https://learn.microsoft.com/azure/azure-app-configuration/use-key-vault-references-dotnet-core)
 - [Reload secrets and certificates from Key Vault automatically](https://learn.microsoft.com/azure/azure-app-configuration/reload-key-vault-secrets-dotnet)
diff --git a/docs/en/rules/Azure.AppGw.OWASP.md b/docs/en/rules/Azure.AppGw.OWASP.md
index 4ca5337cbd9..34600830c85 100644
--- a/docs/en/rules/Azure.AppGw.OWASP.md
+++ b/docs/en/rules/Azure.AppGw.OWASP.md
@@ -102,5 +102,6 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway
 ## LINKS
 
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [OWASP ModSecurity Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)
diff --git a/docs/en/rules/Azure.AppGw.Prevention.md b/docs/en/rules/Azure.AppGw.Prevention.md
index 875437a4c9b..05f3a940bfd 100644
--- a/docs/en/rules/Azure.AppGw.Prevention.md
+++ b/docs/en/rules/Azure.AppGw.Prevention.md
@@ -108,5 +108,6 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway
 ## LINKS
 
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Application Gateway WAF modes](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview#waf-modes)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)
diff --git a/docs/en/rules/Azure.AppGw.UseWAF.md b/docs/en/rules/Azure.AppGw.UseWAF.md
index 43e08161d30..b9e478e87ce 100644
--- a/docs/en/rules/Azure.AppGw.UseWAF.md
+++ b/docs/en/rules/Azure.AppGw.UseWAF.md
@@ -103,6 +103,7 @@ $AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
 - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)
diff --git a/docs/en/rules/Azure.AppGw.WAFEnabled.md b/docs/en/rules/Azure.AppGw.WAFEnabled.md
index 45b9716b5bd..cf2e9c03c8e 100644
--- a/docs/en/rules/Azure.AppGw.WAFEnabled.md
+++ b/docs/en/rules/Azure.AppGw.WAFEnabled.md
@@ -104,6 +104,7 @@ Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
 - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/applicationgateways)
diff --git a/docs/en/rules/Azure.AppGw.WAFRules.md b/docs/en/rules/Azure.AppGw.WAFRules.md
index 874ef7a2486..0dc79d11f15 100644
--- a/docs/en/rules/Azure.AppGw.WAFRules.md
+++ b/docs/en/rules/Azure.AppGw.WAFRules.md
@@ -103,6 +103,7 @@ resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
 ## LINKS
 
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
 - [What is Azure Web Application Firewall on Azure Application Gateway?](https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview)
 - [Web Application Firewall CRS rule groups and rules](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules)
diff --git a/docs/en/rules/Azure.AppService.NETVersion.md b/docs/en/rules/Azure.AppService.NETVersion.md
index e51baee8f4d..7e747e708ed 100644
--- a/docs/en/rules/Azure.AppService.NETVersion.md
+++ b/docs/en/rules/Azure.AppService.NETVersion.md
@@ -125,6 +125,7 @@ resource web 'Microsoft.Web/sites@2023-01-01' = {
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure ASP.NET](https://learn.microsoft.com/azure/app-service/configure-language-dotnet-framework)
 - [Configure an ASP.NET Core app for Azure App Service](https://learn.microsoft.com/azure/app-service/configure-language-dotnetcore)
 - [.NET Support Policy](https://dotnet.microsoft.com/platform/support/policy)
diff --git a/docs/en/rules/Azure.AppService.NodeJsVersion.md b/docs/en/rules/Azure.AppService.NodeJsVersion.md
index ac85d841346..6fd2ff71ee4 100644
--- a/docs/en/rules/Azure.AppService.NodeJsVersion.md
+++ b/docs/en/rules/Azure.AppService.NodeJsVersion.md
@@ -160,6 +160,7 @@ resource windowsWeb 'Microsoft.Web/sites@2022-09-01' = {
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Upgrade your App Service apps to Node 20 LTS by 30 April 2025](https://azure.microsoft.com/updates/action-required-upgrade-your-app-service-apps-to-node-20-lts-by-30-april-2025/)
 - [Node.js on App Service](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md)
 - [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites)
diff --git a/docs/en/rules/Azure.AppService.PHPVersion.md b/docs/en/rules/Azure.AppService.PHPVersion.md
index d1e7b446ea8..bbec90e88bb 100644
--- a/docs/en/rules/Azure.AppService.PHPVersion.md
+++ b/docs/en/rules/Azure.AppService.PHPVersion.md
@@ -114,6 +114,7 @@ From November 2022 - PHP is only supported on Linux-based plans.
 ## LINKS
 
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Set PHP Version](https://learn.microsoft.com/azure/app-service/configure-language-php?pivots=platform-linux#set-php-version)
 - [PHP on App Service](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)
diff --git a/docs/en/rules/Azure.AppService.RemoteDebug.md b/docs/en/rules/Azure.AppService.RemoteDebug.md
index 5c9b9da78fc..64e58ea0058 100644
--- a/docs/en/rules/Azure.AppService.RemoteDebug.md
+++ b/docs/en/rules/Azure.AppService.RemoteDebug.md
@@ -112,6 +112,7 @@ resource web 'Microsoft.Web/sites@2023-01-01' = {
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [PV-2: Audit and enforce secure configurations](https://learn.microsoft.com/security/benchmark/azure/baselines/app-service-security-baseline#pv-2-audit-and-enforce-secure-configurations)
 - [Configure general settings](https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)
diff --git a/docs/en/rules/Azure.Arc.Kubernetes.Defender.md b/docs/en/rules/Azure.Arc.Kubernetes.Defender.md
index 59c3bfe6c14..c837bf9fa6e 100644
--- a/docs/en/rules/Azure.Arc.Kubernetes.Defender.md
+++ b/docs/en/rules/Azure.Arc.Kubernetes.Defender.md
@@ -108,6 +108,7 @@ resource defenderExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11
 ## LINKS
 - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Defender for Containers architecture](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-architecture)
 - [Enable Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc)
 - [LT-1: Enable threat detection capabilities](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-arc-enabled-kubernetes-security-baseline#lt-1-enable-threat-detection-capabilities)
diff --git a/docs/en/rules/Azure.Automation.EncryptVariables.md b/docs/en/rules/Azure.Automation.EncryptVariables.md
index 7269801c9b1..d7cccc817f6 100644
--- a/docs/en/rules/Azure.Automation.EncryptVariables.md
+++ b/docs/en/rules/Azure.Automation.EncryptVariables.md
@@ -32,3 +32,4 @@ Key Vault improves security by tightly controlling access to secrets and improvi
 ## LINKS
 - [Variable assets in Azure Automation](https://learn.microsoft.com/azure/automation/shared-resources/variables)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.Automation.WebHookExpiry.md b/docs/en/rules/Azure.Automation.WebHookExpiry.md
index c13f01a4fbb..12c36b7b256 100644
--- a/docs/en/rules/Azure.Automation.WebHookExpiry.md
+++ b/docs/en/rules/Azure.Automation.WebHookExpiry.md
@@ -23,3 +23,7 @@ Do not create webhooks with an expiry time greater than 1 year (default).
 An expiry time of 1 year is the default for webhook creation.
 Webhooks should be programmatically rotated at regular intervals - Microsoft recommends setting a shorter time than the default of 1 year.
 If authentication is required for a webhook consider implementing a pre-shared key in the header - or using an Azure Function.
+
+## LINKS
+
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.BV.Immutable.md b/docs/en/rules/Azure.BV.Immutable.md
index e0e0145b11c..aec0a9fbf08 100644
--- a/docs/en/rules/Azure.BV.Immutable.md
+++ b/docs/en/rules/Azure.BV.Immutable.md
@@ -85,6 +85,7 @@ For cases where you are creating and destroying backups and vaults on a regulary
 ## LINKS
 - [Security design principles](https://learn.microsoft.com/azure/well-architected/security/security-principles)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Immutable vault for Azure Backup](https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?tabs=backup-vault)
 - [Restricted operations](https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?tabs=backup-vault#restricted-operations)
 - [Manage Azure Backup Immutable vault operations](https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=backup-vault)
diff --git a/docs/en/rules/Azure.CDN.HTTP.md b/docs/en/rules/Azure.CDN.HTTP.md
index c7d9c0c37ca..fbc7afa8587 100644
--- a/docs/en/rules/Azure.CDN.HTTP.md
+++ b/docs/en/rules/Azure.CDN.HTTP.md
@@ -26,5 +26,6 @@ Consider disabling HTTP support on the CDN endpoint origin.
 ## LINKS
 - [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#encrypt-data-in-transit)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure HTTPS on an Azure CDN custom domain](https://learn.microsoft.com/azure/cdn/cdn-custom-ssl)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cdn/profiles/endpoints)
diff --git a/docs/en/rules/Azure.ContainerApp.ExternalIngress.md b/docs/en/rules/Azure.ContainerApp.ExternalIngress.md
index 026a6bf04bd..c4e8144078b 100644
--- a/docs/en/rules/Azure.ContainerApp.ExternalIngress.md
+++ b/docs/en/rules/Azure.ContainerApp.ExternalIngress.md
@@ -126,6 +126,7 @@ If you don't need external ingress, enable this rule by:
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [Ingress in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ingress-overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#ingress)
diff --git a/docs/en/rules/Azure.ContainerApp.PublicAccess.md b/docs/en/rules/Azure.ContainerApp.PublicAccess.md
index 02045b1bb6a..cd06586551e 100644
--- a/docs/en/rules/Azure.ContainerApp.PublicAccess.md
+++ b/docs/en/rules/Azure.ContainerApp.PublicAccess.md
@@ -116,6 +116,7 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/managedenvironments#vnetconfiguration)
diff --git a/docs/en/rules/Azure.ContainerApp.RestrictIngress.md b/docs/en/rules/Azure.ContainerApp.RestrictIngress.md
index ac6c5c6dbb0..dd47bda5856 100644
--- a/docs/en/rules/Azure.ContainerApp.RestrictIngress.md
+++ b/docs/en/rules/Azure.ContainerApp.RestrictIngress.md
@@ -152,6 +152,7 @@ If no rules are defined at all, the rule will not pass as it expects at least on
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline#ns-2-secure-cloud-services-with-network-controls)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [IP restrictions](https://learn.microsoft.com/azure/container-apps/ingress-overview#ip-restrictions)
diff --git a/docs/en/rules/Azure.Cosmos.DefenderCloud.md b/docs/en/rules/Azure.Cosmos.DefenderCloud.md
index 3af142eaf2b..75fada3845b 100644
--- a/docs/en/rules/Azure.Cosmos.DefenderCloud.md
+++ b/docs/en/rules/Azure.Cosmos.DefenderCloud.md
@@ -81,6 +81,7 @@ When Microsoft Defender for Cosmos DB is enabled at the subscription level, the
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/concept-defender-for-cosmos)
 - [Enable Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections)
diff --git a/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md b/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md
index 322ab9e177b..46ca970677d 100644
--- a/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md
+++ b/docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md
@@ -106,6 +106,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Restrict user access to data operations in Azure Cosmos DB](https://learn.microsoft.com/azure/cosmos-db/how-to-restrict-user-data)
 - [Secure access to data in Azure Cosmos DB](https://learn.microsoft.com/azure/cosmos-db/secure-access-to-data)
 - [How does Azure Cosmos DB secure my database?](https://learn.microsoft.com/azure/cosmos-db/database-security#how-does-azure-cosmos-db-secure-my-database)
diff --git a/docs/en/rules/Azure.Cosmos.PublicAccess.md b/docs/en/rules/Azure.Cosmos.PublicAccess.md
index 04b088d904c..639c532972a 100644
--- a/docs/en/rules/Azure.Cosmos.PublicAccess.md
+++ b/docs/en/rules/Azure.Cosmos.PublicAccess.md
@@ -81,6 +81,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Configure Azure Private Link for an Azure Cosmos DB account](https://learn.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints)
 - [Azure security baseline for Azure Cosmos DB](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline)
 - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline#ns-2-secure-cloud-services-with-network-controls)
diff --git a/docs/en/rules/Azure.DNS.DNSSEC.md b/docs/en/rules/Azure.DNS.DNSSEC.md
index 9699af39f89..e1896aa7308 100644
--- a/docs/en/rules/Azure.DNS.DNSSEC.md
+++ b/docs/en/rules/Azure.DNS.DNSSEC.md
@@ -81,6 +81,7 @@ This rule only applies to Azure Public DNS zones.
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [DNSSEC overview](https://learn.microsoft.com/azure/dns/dnssec)
 - [DNSSEC – What Is It and Why Is It Important?](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/dnszones/dnssecconfigs)
diff --git a/docs/en/rules/Azure.Databricks.PublicAccess.md b/docs/en/rules/Azure.Databricks.PublicAccess.md
index c1c3476a844..6255c6c0257 100644
--- a/docs/en/rules/Azure.Databricks.PublicAccess.md
+++ b/docs/en/rules/Azure.Databricks.PublicAccess.md
@@ -84,6 +84,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Databricks WorkspaceProperties](https://learn.microsoft.com/azure/templates/Microsoft.Databricks/workspaces?pivots=deployment-language-bicep#:~:text=WorkspaceCustomParameters-,publicNetworkAccess,-The%20network%20access)
 - [Azure Databricks Private Link Overview](https://learn.microsoft.com/azure/databricks/security/network/classic/private-link)
 - [Network access](https://learn.microsoft.com/azure/databricks/security/network/)
diff --git a/docs/en/rules/Azure.Databricks.SecureConnectivity.md b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
index 36e449d30d8..6575ec7d44d 100644
--- a/docs/en/rules/Azure.Databricks.SecureConnectivity.md
+++ b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
@@ -92,6 +92,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure cluster connectivity (No Public IP / NPIP)](https://learn.microsoft.com/azure/databricks/security/network/secure-cluster-connectivity)
 - [Network access](https://learn.microsoft.com/azure/databricks/security/network/)
 - [Azure Databricks architecture overview](https://learn.microsoft.com/azure/databricks/getting-started/overview)
diff --git a/docs/en/rules/Azure.Defender.Api.md b/docs/en/rules/Azure.Defender.Api.md
index 723fdb4319d..dcf181db400 100644
--- a/docs/en/rules/Azure.Defender.Api.md
+++ b/docs/en/rules/Azure.Defender.Api.md
@@ -107,6 +107,7 @@ Currently only REST APIs published in Azure API Management is supported. Not all
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-introduction)
 - [Support and prerequisites for Defender for APIs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-prepare)
diff --git a/docs/en/rules/Azure.Defender.AppServices.md b/docs/en/rules/Azure.Defender.AppServices.md
index bd3ec31507a..9a22a3e36d6 100644
--- a/docs/en/rules/Azure.Defender.AppServices.md
+++ b/docs/en/rules/Azure.Defender.AppServices.md
@@ -88,6 +88,7 @@ Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Securing applications and PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments)
 - [Introduction to Microsoft Defender for App Service](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction)
 - [App Service security best practices](https://learn.microsoft.com/azure/security/fundamentals/paas-applications-using-app-services)
diff --git a/docs/en/rules/Azure.Defender.Arm.md b/docs/en/rules/Azure.Defender.Arm.md
index e21cf0b7bde..3e2961e6b3e 100644
--- a/docs/en/rules/Azure.Defender.Arm.md
+++ b/docs/en/rules/Azure.Defender.Arm.md
@@ -99,6 +99,7 @@ Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Resource Manager](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-resource-manager-introduction)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.Containers.md b/docs/en/rules/Azure.Defender.Containers.md
index 6036d7a7166..be4c3f5afea 100644
--- a/docs/en/rules/Azure.Defender.Containers.md
+++ b/docs/en/rules/Azure.Defender.Containers.md
@@ -109,6 +109,7 @@ Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction)
 - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time)
 - [Azure security baseline for Container Registry](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline)
diff --git a/docs/en/rules/Azure.Defender.CosmosDb.md b/docs/en/rules/Azure.Defender.CosmosDb.md
index 7f0cfab001c..a9afb716275 100644
--- a/docs/en/rules/Azure.Defender.CosmosDb.md
+++ b/docs/en/rules/Azure.Defender.CosmosDb.md
@@ -99,6 +99,7 @@ Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/concept-defender-for-cosmos)
 - [Enable Microsoft Defender for Azure Cosmos DB](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections)
diff --git a/docs/en/rules/Azure.Defender.Cspm.md b/docs/en/rules/Azure.Defender.Cspm.md
index c25071bf934..f6555e303b5 100644
--- a/docs/en/rules/Azure.Defender.Cspm.md
+++ b/docs/en/rules/Azure.Defender.Cspm.md
@@ -97,6 +97,7 @@ Set-AzSecurityPricing -Name 'CloudPosture' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Cloud Security Posture Management (CSPM)](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.Dns.md b/docs/en/rules/Azure.Defender.Dns.md
index d6b7af23589..0f94dba26cd 100644
--- a/docs/en/rules/Azure.Defender.Dns.md
+++ b/docs/en/rules/Azure.Defender.Dns.md
@@ -98,6 +98,7 @@ Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for DNS](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.KeyVault.md b/docs/en/rules/Azure.Defender.KeyVault.md
index 76605547671..b0206f53005 100644
--- a/docs/en/rules/Azure.Defender.KeyVault.md
+++ b/docs/en/rules/Azure.Defender.KeyVault.md
@@ -97,6 +97,7 @@ Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Key Vault](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction)
 - [Quickstart: Enable enhanced security features](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
diff --git a/docs/en/rules/Azure.Defender.OssRdb.md b/docs/en/rules/Azure.Defender.OssRdb.md
index 34e8664c14e..68b33813804 100644
--- a/docs/en/rules/Azure.Defender.OssRdb.md
+++ b/docs/en/rules/Azure.Defender.OssRdb.md
@@ -103,6 +103,7 @@ Microsoft Defender for open-source relational databases is currently available o
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-introduction)
 - [Enable Defender for OSS RDBs](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage)
diff --git a/docs/en/rules/Azure.Defender.SQL.md b/docs/en/rules/Azure.Defender.SQL.md
index 3675dd2714a..d7e18fd3ad4 100644
--- a/docs/en/rules/Azure.Defender.SQL.md
+++ b/docs/en/rules/Azure.Defender.SQL.md
@@ -97,6 +97,7 @@ Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure SQL Database and security](https://learn.microsoft.com/azure/architecture/framework/services/data/azure-sql-database-well-architected-framework#azure-sql-database-and-security)
 - [Introduction to Microsoft Defender for SQL](https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql)
 - [Azure security baseline for Azure SQL](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-sql-security-baseline)
diff --git a/docs/en/rules/Azure.Defender.SQLOnVM.md b/docs/en/rules/Azure.Defender.SQLOnVM.md
index 6a4673172f8..bb4d25ea42a 100644
--- a/docs/en/rules/Azure.Defender.SQLOnVM.md
+++ b/docs/en/rules/Azure.Defender.SQLOnVM.md
@@ -83,6 +83,7 @@ Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for SQL Servers on machines](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-sql-usage)
 - [Security considerations for SQL Server on Azure Virtual Machines](https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/security-considerations-best-practices?view=azuresql)
 - [Azure Security Benchmark - Data protection](https://learn.microsoft.com/security/benchmark/azure/security-controls-v2-data-protection)
diff --git a/docs/en/rules/Azure.Defender.SecurityContact.md b/docs/en/rules/Azure.Defender.SecurityContact.md
index 186b50b3c49..07a95dbea5f 100644
--- a/docs/en/rules/Azure.Defender.SecurityContact.md
+++ b/docs/en/rules/Azure.Defender.SecurityContact.md
@@ -106,5 +106,6 @@ az security contact update -n 'default' --emails 'security@contoso.com'
 ## LINKS
 - [SE:12 Incident response](https://learn.microsoft.com/azure/well-architected/security/incident-response)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Quickstart: Configure email notifications for security alerts](https://learn.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.security/securitycontacts)
diff --git a/docs/en/rules/Azure.Defender.Servers.md b/docs/en/rules/Azure.Defender.Servers.md
index cd9785d32ae..3645f89c860 100644
--- a/docs/en/rules/Azure.Defender.Servers.md
+++ b/docs/en/rules/Azure.Defender.Servers.md
@@ -87,6 +87,7 @@ Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Microsoft Defender for Containers](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction)
 - [Azure Monitor agent auto-provisioning](https://learn.microsoft.com/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.security/pricings)
diff --git a/docs/en/rules/Azure.Defender.Storage.DataScan.md b/docs/en/rules/Azure.Defender.Storage.DataScan.md
index 9766e455b35..73d4ea3e2ad 100644
--- a/docs/en/rules/Azure.Defender.Storage.DataScan.md
+++ b/docs/en/rules/Azure.Defender.Storage.DataScan.md
@@ -125,6 +125,7 @@ See limitations for more information.
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Sensitive data threat detection in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-data-sensitivity)
 - [Support and prerequisites for data-aware security posture](https://learn.microsoft.com/azure/defender-for-cloud/concept-data-security-posture-prepare)
diff --git a/docs/en/rules/Azure.Defender.Storage.MalwareScan.md b/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
index cf7559c9bed..6fe45ecc3e8 100644
--- a/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
+++ b/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
@@ -131,6 +131,7 @@ See limitations for more information.
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Malware Scanning in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan)
 - [Limitations](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations)
diff --git a/docs/en/rules/Azure.Defender.Storage.md b/docs/en/rules/Azure.Defender.Storage.md
index 565ee1da63a..e1b94da3735 100644
--- a/docs/en/rules/Azure.Defender.Storage.md
+++ b/docs/en/rules/Azure.Defender.Storage.md
@@ -126,6 +126,7 @@ Currently only the `Blob Storage`, `Azure Files` and `Azure Data Lake Storage Ge
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Storage security guide](https://learn.microsoft.com/azure/storage/blobs/security-recommendations)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction)
diff --git a/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md b/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md
index 56f8b5c574d..22870d87ed9 100644
--- a/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md
+++ b/docs/en/rules/Azure.DefenderCloud.ActiveAlerts.md
@@ -33,5 +33,6 @@ This rule checks for active security alerts in-flight in a subscription that are
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Manage and respond to security alerts](https://learn.microsoft.com/azure/defender-for-cloud/managing-and-responding-alerts)
 - [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
diff --git a/docs/en/rules/Azure.DefenderCloud.Provisioning.md b/docs/en/rules/Azure.DefenderCloud.Provisioning.md
index 6945281ece7..be6cb22b245 100644
--- a/docs/en/rules/Azure.DefenderCloud.Provisioning.md
+++ b/docs/en/rules/Azure.DefenderCloud.Provisioning.md
@@ -32,3 +32,4 @@ This rule applies when analyzing resources deployed (in-flight) to Azure.
 ## LINKS
 - [Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/enable-data-collection)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
diff --git a/docs/en/rules/Azure.Deployment.AdminUsername.md b/docs/en/rules/Azure.Deployment.AdminUsername.md
index f795766767b..cbd64e6e4d6 100644
--- a/docs/en/rules/Azure.Deployment.AdminUsername.md
+++ b/docs/en/rules/Azure.Deployment.AdminUsername.md
@@ -166,5 +166,6 @@ By default, the following values are used:
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
diff --git a/docs/en/rules/Azure.Deployment.OuterSecret.md b/docs/en/rules/Azure.Deployment.OuterSecret.md
index c9fb947ab7b..bd7638a71b2 100644
--- a/docs/en/rules/Azure.Deployment.OuterSecret.md
+++ b/docs/en/rules/Azure.Deployment.OuterSecret.md
@@ -95,5 +95,6 @@ If you use the `module` keyword your deployments always use the `inner` evaluati
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.resources/deployments?pivots=deployment-language-bicep)
 - [Deployment Function Scopes](https://learn.microsoft.com/azure/azure-resource-manager/templates/scope-functions?tabs=azure-powershell#function-resolution-in-scopes)
diff --git a/docs/en/rules/Azure.Deployment.OutputSecretValue.md b/docs/en/rules/Azure.Deployment.OutputSecretValue.md
index 6470409c94a..88ffc2d2c58 100644
--- a/docs/en/rules/Azure.Deployment.OutputSecretValue.md
+++ b/docs/en/rules/Azure.Deployment.OutputSecretValue.md
@@ -109,6 +109,7 @@ When using Bicep, the built-in linter will also automatically check for common c
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Secure outputs in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/outputs#secure-outputs)
 - [Test cases for ARM templates](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-test-cases#outputs-cant-include-secrets)
 - [Outputs should not contain secrets](https://learn.microsoft.com/azure/azure-resource-manager/bicep/linter-rule-outputs-should-not-contain-secrets)
diff --git a/docs/en/rules/Azure.Deployment.SecretLeak.md b/docs/en/rules/Azure.Deployment.SecretLeak.md
index f040f2e7c91..66e7f12c546 100644
--- a/docs/en/rules/Azure.Deployment.SecretLeak.md
+++ b/docs/en/rules/Azure.Deployment.SecretLeak.md
@@ -98,6 +98,7 @@ Sensitive values detected include: ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Secure parameters](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters) - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter) - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file) diff --git a/docs/en/rules/Azure.Deployment.SecureParameter.md b/docs/en/rules/Azure.Deployment.SecureParameter.md index 904f133d496..279d959b2b5 100644 --- a/docs/en/rules/Azure.Deployment.SecureParameter.md +++ b/docs/en/rules/Azure.Deployment.SecureParameter.md @@ -134,6 +134,7 @@ To override this rule: ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Secure parameters](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters) - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter) - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file) diff --git a/docs/en/rules/Azure.Deployment.SecureValue.md b/docs/en/rules/Azure.Deployment.SecureValue.md index 93b4eef0a1a..2c49dbc034b 100644 --- a/docs/en/rules/Azure.Deployment.SecureValue.md 
+++ b/docs/en/rules/Azure.Deployment.SecureValue.md @@ -98,6 +98,7 @@ If you find properties that are missing, please let us know by logging an issue ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Secure parameters](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters#secure-parameters) - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter) - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file) diff --git a/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md b/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md index 965a83cefdf..3761537e65a 100644 --- a/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md +++ b/docs/en/rules/Azure.EventGrid.TopicPublicAccess.md @@ -79,5 +79,6 @@ For example: ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Private Endpoints](https://learn.microsoft.com/azure/event-grid/network-security#private-endpoints) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.eventgrid/topics) diff --git a/docs/en/rules/Azure.EventHub.Firewall.md b/docs/en/rules/Azure.EventHub.Firewall.md index 5252d18ea9f..7015a6cbb42 100644 --- a/docs/en/rules/Azure.EventHub.Firewall.md +++ b/docs/en/rules/Azure.EventHub.Firewall.md 
@@ -96,6 +96,7 @@ The firewall feature isn't supported in the `basic` tier. ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure security baseline for Event Hub](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline) - [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline#ns-1-establish-network-segmentation-boundaries) - [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/event-hubs-security-baseline#ns-1-establish-network-segmentation-boundaries) diff --git a/docs/en/rules/Azure.Firewall.PolicyMode.md b/docs/en/rules/Azure.Firewall.PolicyMode.md index 958423b7f78..11870e059dd 100644 --- a/docs/en/rules/Azure.Firewall.PolicyMode.md +++ b/docs/en/rules/Azure.Firewall.PolicyMode.md @@ -83,6 +83,7 @@ In order to take advantage of URL filtering with `HTTPS` traffic included in thr ## LINKS - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [NS-1: Establish network segmentation boundaries](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-firewall-security-baseline#ns-1-establish-network-segmentation-boundaries) - [Azure Firewall threat intelligence-based filtering](https://learn.microsoft.com/azure/firewall/threat-intel) - [Rule processing logic](https://learn.microsoft.com/azure/firewall/rule-processing#threat-intelligence) diff --git a/docs/en/rules/Azure.FrontDoor.Logs.md b/docs/en/rules/Azure.FrontDoor.Logs.md index 2508fe23f8c..da8e4e2605f 100644 --- a/docs/en/rules/Azure.FrontDoor.Logs.md 
+++ b/docs/en/rules/Azure.FrontDoor.Logs.md @@ -173,6 +173,7 @@ This rule applies to Azure Front Door Premium/ Standard/ Classic profiles. ## LINKS - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [LT-4: Enable logging for security investigation](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-front-door-security-baseline#lt-4-enable-logging-for-security-investigation) - [Monitor metrics and logs in Azure Front Door](https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-standard-premium) - [Monitor metrics and logs in Azure Front Door Classic](https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-classic) diff --git a/docs/en/rules/Azure.FrontDoor.UseWAF.md b/docs/en/rules/Azure.FrontDoor.UseWAF.md index b3c9ad645db..b2810812902 100644 --- a/docs/en/rules/Azure.FrontDoor.UseWAF.md +++ b/docs/en/rules/Azure.FrontDoor.UseWAF.md @@ -25,6 +25,7 @@ Consider enabling a WAF policy on each Front Door endpoint. ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [Azure Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors/frontendendpoints) diff --git a/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md b/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md index 03bb1994c8a..7a5e0c681b9 100644 --- a/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md 
+++ b/docs/en/rules/Azure.FrontDoor.WAF.Enabled.md @@ -27,6 +27,7 @@ Consider enabling WAF policy. ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [Policy settings for Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-state) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies) diff --git a/docs/en/rules/Azure.FrontDoor.WAF.Mode.md b/docs/en/rules/Azure.FrontDoor.WAF.Mode.md index e63c4d879ce..21cdcd0c77e 100644 --- a/docs/en/rules/Azure.FrontDoor.WAF.Mode.md +++ b/docs/en/rules/Azure.FrontDoor.WAF.Mode.md @@ -31,6 +31,7 @@ Consider setting Front Door WAF policy to use protection mode. ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall) - [Policy settings for Web Application Firewall on Azure Front Door](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-mode) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoorwebapplicationfirewallpolicies) diff --git a/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md b/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md index edfe14390f8..fe923ef0f4f 100644 --- a/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md 
+++ b/docs/en/rules/Azure.ImageBuilder.CustomizeHash.md @@ -167,4 +167,5 @@ For example: ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/Microsoft.VirtualMachineImages/imageTemplates) diff --git a/docs/en/rules/Azure.ImageBuilder.ValidateHash.md b/docs/en/rules/Azure.ImageBuilder.ValidateHash.md index 38d939e13ad..c606fcaf9f9 100644 --- a/docs/en/rules/Azure.ImageBuilder.ValidateHash.md +++ b/docs/en/rules/Azure.ImageBuilder.ValidateHash.md @@ -167,4 +167,5 @@ For example: ## LINKS - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/Microsoft.VirtualMachineImages/imageTemplates) diff --git a/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md b/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md index e4765bba3d7..8ec3c6ac273 100644 --- a/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md +++ b/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md 
@@ -132,6 +132,7 @@ This rule only applies to pre-flight validation of Azure templates and Bicep fil ## LINKS - [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/security-controls-v3-identity-management#im-3-manage-application-identities-securely-and-automatically) - [Configure cryptographic key auto-rotation in Azure Key Vault](https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults/keys) diff --git a/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md b/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md index 421aaf8c8a5..ddd7c82b539 100644 --- a/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md +++ b/docs/en/rules/Azure.LogicApp.LimitHTTPTrigger.md @@ -102,5 +102,6 @@ This rule currently only applies to Logic Apps using consumption plans. ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Secure access and data in Azure Logic Apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-securing-a-logic-app) - [Azure security baseline for Logic Apps](https://learn.microsoft.com/azure/logic-apps/security-baseline#network-security) diff --git a/docs/en/rules/Azure.ML.ComputeVnet.md b/docs/en/rules/Azure.ML.ComputeVnet.md index 5531a673e56..5772cf6d818 100644 --- a/docs/en/rules/Azure.ML.ComputeVnet.md +++ b/docs/en/rules/Azure.ML.ComputeVnet.md 
@@ -90,6 +90,7 @@ resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes ## LINKS - [WAF - Azure services for securing network connectivity](https://learn.microsoft.com/azure/well-architected/security/design-network-connectivity) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Managed compute in a managed virtual network](https://learn.microsoft.com/azure/machine-learning/how-to-managed-network-compute) - [ML - Network security and isolation](https://learn.microsoft.com/azure/machine-learning/concept-enterprise-security#network-security-and-isolation) - [ML Compute](https://learn.microsoft.com/azure/machine-learning/azure-machine-learning-glossary#compute) diff --git a/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md b/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md index 6f227052b69..59b0e665aa0 100644 --- a/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md +++ b/docs/en/rules/Azure.MariaDB.AllowAzureAccess.md @@ -122,5 +122,6 @@ resource mariaDbServerFirewallRule 'Microsoft.DBforMariaDB/servers/firewallRules ## LINKS - [Network security and containment](https://learn.microsoft.com/azure/architecture/framework/security/design-network) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure Database for MariaDB firewall rules](https://learn.microsoft.com/azure/mariadb/concepts-firewall-rules#connecting-from-azure) - [Template reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/firewallrules) diff --git a/docs/en/rules/Azure.MariaDB.DefenderCloud.md b/docs/en/rules/Azure.MariaDB.DefenderCloud.md index f83f0c69f7b..c31c6aab46f 100644 --- a/docs/en/rules/Azure.MariaDB.DefenderCloud.md +++ b/docs/en/rules/Azure.MariaDB.DefenderCloud.md 
@@ -125,5 +125,6 @@ resource mariaDbDefender 'Microsoft.DBforMariaDB/servers/securityAlertPolicies@2 ## LINKS - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Enable Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/securityalertpolicies) diff --git a/docs/en/rules/Azure.MariaDB.FirewallIPRange.md b/docs/en/rules/Azure.MariaDB.FirewallIPRange.md index 5561a0a645c..34aa254fdc3 100644 --- a/docs/en/rules/Azure.MariaDB.FirewallIPRange.md +++ b/docs/en/rules/Azure.MariaDB.FirewallIPRange.md @@ -31,6 +31,7 @@ This rule fails when the number of configured public IP addresses exceeds ten (1 ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure Database for MariaDB server firewall rules](https://learn.microsoft.com/azure/mariadb/concepts-firewall-rules) - [Create and manage Azure Database for MariaDB firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mariadb/howto-manage-firewall-portal) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/firewallrules) diff --git a/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md b/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md index 21bafd16953..3111c8ded92 100644 --- a/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md +++ b/docs/en/rules/Azure.MariaDB.FirewallRuleCount.md 
@@ -31,6 +31,7 @@ This rule fails when the number of configured firewall rules exceeds ten (10). ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure Database for MariaDB server firewall rules](https://learn.microsoft.com/azure/mariadb/concepts-firewall-rules) - [Create and manage Azure Database for MariaDB firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mariadb/howto-manage-firewall-portal) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformariadb/servers/firewallrules) diff --git a/docs/en/rules/Azure.MySQL.AllowAzureAccess.md b/docs/en/rules/Azure.MySQL.AllowAzureAccess.md index 4a869b1878f..1c88e43c4bf 100644 --- a/docs/en/rules/Azure.MySQL.AllowAzureAccess.md +++ b/docs/en/rules/Azure.MySQL.AllowAzureAccess.md @@ -34,5 +34,6 @@ This rule is only applicable for the Azure Database for MySQL Single Server depl ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure Database for MySQL server firewall rules](https://learn.microsoft.com/azure/mysql/concepts-firewall-rules#connecting-from-azure) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers) diff --git a/docs/en/rules/Azure.MySQL.DefenderCloud.md b/docs/en/rules/Azure.MySQL.DefenderCloud.md index 901f1be38fb..1e2e2becd33 100644 --- a/docs/en/rules/Azure.MySQL.DefenderCloud.md +++ b/docs/en/rules/Azure.MySQL.DefenderCloud.md 
@@ -131,5 +131,6 @@ Azure Database for MySQL Flexible Server deployment model does not currently sup ## LINKS - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Enable Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers/securityalertpolicies) diff --git a/docs/en/rules/Azure.MySQL.FirewallIPRange.md b/docs/en/rules/Azure.MySQL.FirewallIPRange.md index 9da7d16c191..e8d26cd47a8 100644 --- a/docs/en/rules/Azure.MySQL.FirewallIPRange.md +++ b/docs/en/rules/Azure.MySQL.FirewallIPRange.md @@ -30,6 +30,7 @@ This rule is only applicable for the Azure Database for MySQL Single Server depl ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Create and manage Azure Database for MySQL firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-firewall-using-portal) - [Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-vnet-using-portal) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers) diff --git a/docs/en/rules/Azure.MySQL.FirewallRuleCount.md b/docs/en/rules/Azure.MySQL.FirewallRuleCount.md index 90fbd301e37..0bce4ec6db2 100644 --- a/docs/en/rules/Azure.MySQL.FirewallRuleCount.md +++ b/docs/en/rules/Azure.MySQL.FirewallRuleCount.md 
@@ -32,6 +32,7 @@ This rule fails when the number of configured firewall rules exceeds ten (10). ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Create and manage Azure Database for MySQL firewall rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-firewall-using-portal) - [Create and manage Azure Database for MySQL VNet service endpoints and VNet rules by using the Azure portal](https://learn.microsoft.com/azure/mysql/single-server/how-to-manage-vnet-using-portal) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers) diff --git a/docs/en/rules/Azure.NSG.AnyInboundSource.md b/docs/en/rules/Azure.NSG.AnyInboundSource.md index 3dbe279c186..7866c27be87 100644 --- a/docs/en/rules/Azure.NSG.AnyInboundSource.md +++ b/docs/en/rules/Azure.NSG.AnyInboundSource.md @@ -221,6 +221,7 @@ resource asg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = { ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Network Security Groups](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview) - [Service Tags Overview](https://learn.microsoft.com/azure/virtual-network/service-tags-overview) - [Logically segment subnets](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices#logically-segment-subnets) diff --git a/docs/en/rules/Azure.NSG.LateralTraversal.md b/docs/en/rules/Azure.NSG.LateralTraversal.md index 9cd41cbd697..937334c1c2c 100644 --- a/docs/en/rules/Azure.NSG.LateralTraversal.md +++ b/docs/en/rules/Azure.NSG.LateralTraversal.md 
@@ -121,6 +121,7 @@ To suppress this rule for NSGs protecting subnets expected to allow outbound man ## LINKS - [SE:04 Segmentation](https://learn.microsoft.com/azure/well-architected/security/segmentation) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Logically segment subnets](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices#logically-segment-subnets) - [Plan virtual networks](https://learn.microsoft.com/azure/virtual-network/virtual-network-vnet-plan-design-arm#segmentation) - [Network security groups](https://learn.microsoft.com/azure/virtual-network/security-overview) diff --git a/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md b/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md index 3e3b0089140..48f5aaba21e 100644 --- a/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md +++ b/docs/en/rules/Azure.PostgreSQL.AllowAzureAccess.md @@ -30,4 +30,5 @@ Determine if access from Azure services is required for the services connecting ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Firewall rules in Azure Database for PostgreSQL](https://learn.microsoft.com/azure/postgresql/concepts-firewall-rules#connecting-from-azure) diff --git a/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md b/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md index 5743aaa439e..498a19bdbe7 100644 --- a/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md +++ b/docs/en/rules/Azure.PostgreSQL.DefenderCloud.md 
@@ -131,5 +131,6 @@ Azure Database for PostgreSQL Flexible Server deployment model does not currentl ## LINKS - [Security operations](https://learn.microsoft.com/azure/architecture/framework/security/security-operations) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Enable Microsoft Defender for open-source relational databases](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers/securityalertpolicies) diff --git a/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md b/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md index 4fd5c6a97e7..5ec9ad18e6b 100644 --- a/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md +++ b/docs/en/rules/Azure.PostgreSQL.FirewallIPRange.md @@ -25,5 +25,6 @@ The PostgreSQL server has greater then ten (10) public IP addresses that are per ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Firewall rules in Azure Database for PostgreSQL - Single Server](https://learn.microsoft.com/azure/postgresql/concepts-firewall-rules) - [Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal](https://learn.microsoft.com/azure/postgresql/howto-manage-firewall-using-portal) diff --git a/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md b/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md index 49215dfa5e4..f86de10e30e 100644 --- a/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md +++ b/docs/en/rules/Azure.PostgreSQL.FirewallRuleCount.md 
@@ -26,5 +26,6 @@ Some rules may not be needed. ## LINKS - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Firewall rules in Azure Database for PostgreSQL - Single Server](https://learn.microsoft.com/azure/postgresql/concepts-firewall-rules) - [Create and manage firewall rules for Azure Database for PostgreSQL - Single Server using the Azure portal](https://learn.microsoft.com/azure/postgresql/howto-manage-firewall-using-portal) diff --git a/docs/en/rules/Azure.RBAC.CoAdministrator.md b/docs/en/rules/Azure.RBAC.CoAdministrator.md index e05788c8081..7ef10563225 100644 --- a/docs/en/rules/Azure.RBAC.CoAdministrator.md +++ b/docs/en/rules/Azure.RBAC.CoAdministrator.md @@ -28,5 +28,6 @@ Limit delegation of Co-administrator roles only to subscription that contain res ## LINKS - [Azure classic subscription administrators](https://learn.microsoft.com/azure/role-based-access-control/classic-administrators) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles](https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles) - [What is Azure AD Privileged Identity Management?](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) diff --git a/docs/en/rules/Azure.RBAC.LimitMGDelegation.md b/docs/en/rules/Azure.RBAC.LimitMGDelegation.md index f0d5efd9475..1a7e8af7d12 100644 --- a/docs/en/rules/Azure.RBAC.LimitMGDelegation.md +++ b/docs/en/rules/Azure.RBAC.LimitMGDelegation.md 
@@ -24,3 +24,7 @@ Consider limiting the number of assignment inherited from Management Groups by s Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates. + +## LINKS + +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) diff --git a/docs/en/rules/Azure.RBAC.LimitOwner.md b/docs/en/rules/Azure.RBAC.LimitOwner.md index 704f94dcf00..f718928e207 100644 --- a/docs/en/rules/Azure.RBAC.LimitOwner.md +++ b/docs/en/rules/Azure.RBAC.LimitOwner.md @@ -30,4 +30,5 @@ Consider limiting the number of subscription Owners by using a more specific rol ## LINKS - [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Limit the number of subscription owners](https://learn.microsoft.com/azure/role-based-access-control/best-practices#limit-the-number-of-subscription-owners) diff --git a/docs/en/rules/Azure.RBAC.PIM.md b/docs/en/rules/Azure.RBAC.PIM.md index 19e4cd5555f..3795bbcbfce 100644 --- a/docs/en/rules/Azure.RBAC.PIM.md +++ b/docs/en/rules/Azure.RBAC.PIM.md 
@@ -27,6 +27,7 @@ Consider using Privileged Identity Management (PIM) to activate privileged roles ## LINKS - [What is Azure AD Privileged Identity Management?](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Discover Azure resources to manage in Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources) - [Configure Azure resource role settings in Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings) - [Lower exposure of privileged accounts](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#lower-exposure-of-privileged-accounts) diff --git a/docs/en/rules/Azure.RBAC.UseGroups.md b/docs/en/rules/Azure.RBAC.UseGroups.md index 87da9c25135..0a63670e1d8 100644 --- a/docs/en/rules/Azure.RBAC.UseGroups.md +++ b/docs/en/rules/Azure.RBAC.UseGroups.md @@ -24,4 +24,5 @@ Consider using groups for assigning permissions instead of individual user accou ## LINKS - [Avoid granular and custom permissions](https://learn.microsoft.com/azure/architecture/framework/security/design-admins#avoid-granular-and-custom-permissions) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview) diff --git a/docs/en/rules/Azure.RBAC.UseRGDelegation.md b/docs/en/rules/Azure.RBAC.UseRGDelegation.md index 544ba33f23d..073af5eab6d 100644 --- a/docs/en/rules/Azure.RBAC.UseRGDelegation.md +++ b/docs/en/rules/Azure.RBAC.UseRGDelegation.md 
@@ -25,5 +25,6 @@ Consider using RBAC assignments on resource groups instead of individual resourc ## LINKS - [Avoid granular and custom permissions](https://learn.microsoft.com/azure/architecture/framework/security/design-admins#avoid-granular-and-custom-permissions) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview) - [Best practices for Azure RBAC](https://learn.microsoft.com/azure/role-based-access-control/best-practices) diff --git a/docs/en/rules/Azure.Redis.FirewallIPRange.md b/docs/en/rules/Azure.Redis.FirewallIPRange.md index ced9d59c6e8..0c8f8897eea 100644 --- a/docs/en/rules/Azure.Redis.FirewallIPRange.md +++ b/docs/en/rules/Azure.Redis.FirewallIPRange.md @@ -87,6 +87,7 @@ Firewall rules can be used with VNET injected caches, but not private endpoints. ## LINKS - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources) +- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2) - [Azure best practices for network security](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices) - [Azure Cache for Redis network isolation options](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation) - [Limitations of firewall rules](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation#limitations-of-firewall-rules) diff --git a/docs/en/rules/Azure.Redis.FirewallRuleCount.md b/docs/en/rules/Azure.Redis.FirewallRuleCount.md index a8ee398757d..fc02e48b3f5 100644 --- a/docs/en/rules/Azure.Redis.FirewallRuleCount.md +++ b/docs/en/rules/Azure.Redis.FirewallRuleCount.md 
@@ -89,6 +89,7 @@ Firewall rules can be used with VNet injected caches, but not private endpoints.
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure best practices for network security](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices)
 - [Azure Cache for Redis network isolation options](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation)
 - [Limitations of firewall rules](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-network-isolation#limitations-of-firewall-rules)
diff --git a/docs/en/rules/Azure.Redis.PublicNetworkAccess.md b/docs/en/rules/Azure.Redis.PublicNetworkAccess.md
index 3780226e937..8f6f0cc12ac 100644
--- a/docs/en/rules/Azure.Redis.PublicNetworkAccess.md
+++ b/docs/en/rules/Azure.Redis.PublicNetworkAccess.md
@@ -114,6 +114,7 @@ For example:
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure Cache for Redis with Azure Private Link](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-private-link)
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
 - [Migrate from VNet injection caches to Private Link caches](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-vnet-migration)
diff --git a/docs/en/rules/Azure.SQL.AllowAzureAccess.md b/docs/en/rules/Azure.SQL.AllowAzureAccess.md
index b93a2c66817..39beaea7414 100644
--- a/docs/en/rules/Azure.SQL.AllowAzureAccess.md
+++ b/docs/en/rules/Azure.SQL.AllowAzureAccess.md
@@ -33,5 +33,6 @@ Determine if access from Azure services is required for the services connecting
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Connections from inside Azure](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql#connections-from-inside-azure)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
diff --git a/docs/en/rules/Azure.SQL.Auditing.md b/docs/en/rules/Azure.SQL.Auditing.md
index 78ccc9e64a5..b4926f95a94 100644
--- a/docs/en/rules/Azure.SQL.Auditing.md
+++ b/docs/en/rules/Azure.SQL.Auditing.md
@@ -138,6 +138,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [LT-3: Enable logging for security investigation](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-sql-security-baseline#logging-and-threat-detection)
 - [Auditing for Azure SQL Database and Azure Synapse Analytics](https://learn.microsoft.com/azure/azure-sql/database/auditing-overview)
 - [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
diff --git a/docs/en/rules/Azure.SQL.DefenderCloud.md b/docs/en/rules/Azure.SQL.DefenderCloud.md
index 3fe79166d44..8f6c9adf699 100644
--- a/docs/en/rules/Azure.SQL.DefenderCloud.md
+++ b/docs/en/rules/Azure.SQL.DefenderCloud.md
@@ -70,6 +70,7 @@ Set-AzSqlDatabaseThreatDetectionPolicy -ResourceGroupName '' -Se
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [SQL Advanced Threat Protection](https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview)
 - [Microsoft Defender for SQL](https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/securityalertpolicies)
diff --git a/docs/en/rules/Azure.SQL.FirewallIPRange.md b/docs/en/rules/Azure.SQL.FirewallIPRange.md
index e515851dc37..38b8241d2bd 100644
--- a/docs/en/rules/Azure.SQL.FirewallIPRange.md
+++ b/docs/en/rules/Azure.SQL.FirewallIPRange.md
@@ -36,6 +36,7 @@ This rule assesses the combined IP addresses from each Allowed IP firewall entry
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure SQL Database and Azure Synapse IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql)
 - [Create and manage IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql#create-and-manage-ip-firewall-rules)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/firewallrules)
diff --git a/docs/en/rules/Azure.SQL.FirewallRuleCount.md b/docs/en/rules/Azure.SQL.FirewallRuleCount.md
index 735b024c144..f495984618b 100644
--- a/docs/en/rules/Azure.SQL.FirewallRuleCount.md
+++ b/docs/en/rules/Azure.SQL.FirewallRuleCount.md
@@ -26,6 +26,7 @@ Some rules may not be needed.
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure SQL Database and Azure Synapse IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql)
 - [Create and manage IP firewall rules](https://learn.microsoft.com/azure/azure-sql/database/firewall-configure?view=azuresql#create-and-manage-ip-firewall-rules)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/firewallrules)
diff --git a/docs/en/rules/Azure.SQL.VAScan.md b/docs/en/rules/Azure.SQL.VAScan.md
index 3a4348424d0..0cdeea71b4b 100644
--- a/docs/en/rules/Azure.SQL.VAScan.md
+++ b/docs/en/rules/Azure.SQL.VAScan.md
@@ -82,6 +82,7 @@ The Classic configuration option is enabled by deploying the `Microsoft.Sql/serv
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [SQL vulnerability assessment helps you identify database vulnerabilities](https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview)
 - [What's the difference between the express and classic configuration?](https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview#whats-the-difference-between-the-express-and-classic-configuration)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
diff --git a/docs/en/rules/Azure.Storage.BlobAccessType.md b/docs/en/rules/Azure.Storage.BlobAccessType.md
index 3d60954e683..b3cd4a9ab73 100644
--- a/docs/en/rules/Azure.Storage.BlobAccessType.md
+++ b/docs/en/rules/Azure.Storage.BlobAccessType.md
@@ -75,6 +75,7 @@ resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@20
 ## LINKS
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Use Microsoft Entra ID for storage authentication](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#use-microsoft-entra-id-for-storage-authentication)
 - [Configure anonymous read access for containers and blobs](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure)
 - [Remediate anonymous read access to blob data](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent)
diff --git a/docs/en/rules/Azure.Storage.Defender.DataScan.md b/docs/en/rules/Azure.Storage.Defender.DataScan.md
index 54e5e4c6c81..7cb435f2acc 100644
--- a/docs/en/rules/Azure.Storage.Defender.DataScan.md
+++ b/docs/en/rules/Azure.Storage.Defender.DataScan.md
@@ -115,6 +115,7 @@ The following limitations currently apply for Microsoft Defender for Storage:
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Sensitive data threat detection in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-data-sensitivity)
 - [Support and prerequisites for data-aware security posture](https://learn.microsoft.com/azure/defender-for-cloud/concept-data-security-posture-prepare)
diff --git a/docs/en/rules/Azure.Storage.Defender.MalwareScan.md b/docs/en/rules/Azure.Storage.Defender.MalwareScan.md
index eba08105670..ad19f497e9e 100644
--- a/docs/en/rules/Azure.Storage.Defender.MalwareScan.md
+++ b/docs/en/rules/Azure.Storage.Defender.MalwareScan.md
@@ -121,6 +121,7 @@ Not all services within storage accounts are currently supported.
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Malware Scanning in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan)
 - [Limitations](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations)
diff --git a/docs/en/rules/Azure.Storage.DefenderCloud.md b/docs/en/rules/Azure.Storage.DefenderCloud.md
index 3f6df5f301f..d3a09377db7 100644
--- a/docs/en/rules/Azure.Storage.DefenderCloud.md
+++ b/docs/en/rules/Azure.Storage.DefenderCloud.md
@@ -119,6 +119,7 @@ To enable this rule, set the `AZURE_STORAGE_DEFENDER_PER_ACCOUNT` configuration
 ## LINKS
 - [SE:10 Monitoring and threat detection](https://learn.microsoft.com/azure/well-architected/security/monitor-threats)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction)
 - [Enable and configure Microsoft Defender for Storage](https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure)
diff --git a/docs/en/rules/Azure.VM.PublicIPAttached.md b/docs/en/rules/Azure.VM.PublicIPAttached.md
index 61662201f8a..ba3bcd0cb3c 100644
--- a/docs/en/rules/Azure.VM.PublicIPAttached.md
+++ b/docs/en/rules/Azure.VM.PublicIPAttached.md
@@ -96,6 +96,7 @@ resource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
 - [Dissociate public IP address from a VM](https://learn.microsoft.com/azure/virtual-network/ip-services/remove-public-ip-address-vm)
 - [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview)
diff --git a/docs/en/rules/Azure.VM.PublicKey.md b/docs/en/rules/Azure.VM.PublicKey.md
index 1fc55bbfcbd..abf6107391f 100644
--- a/docs/en/rules/Azure.VM.PublicKey.md
+++ b/docs/en/rules/Azure.VM.PublicKey.md
@@ -143,6 +143,7 @@ resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = {
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline)
 - [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)
diff --git a/docs/en/rules/Azure.VM.ScriptExtensions.md b/docs/en/rules/Azure.VM.ScriptExtensions.md
index 90118e5eabf..5d5b7c590e4 100644
--- a/docs/en/rules/Azure.VM.ScriptExtensions.md
+++ b/docs/en/rules/Azure.VM.ScriptExtensions.md
@@ -77,6 +77,7 @@ resource script 'Microsoft.Compute/virtualMachines/extensions@2015-06-15' = {
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Windows Custom Script Extensions](https://learn.microsoft.com/azure/virtual-machines/extensions/custom-script-windows)
 - [Linux Custom Script Extensions](https://learn.microsoft.com/azure/virtual-machines/extensions/custom-script-linux)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines/extensions)
diff --git a/docs/en/rules/Azure.VM.Updates.md b/docs/en/rules/Azure.VM.Updates.md
index d9c1b463a8f..6956973f896 100644
--- a/docs/en/rules/Azure.VM.Updates.md
+++ b/docs/en/rules/Azure.VM.Updates.md
@@ -28,5 +28,6 @@ Enable automatic updates at deployment time, then reconfigure as required to mee
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Automatic Guest Patching for Azure Virtual Machines and Scale Sets](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)
diff --git a/docs/en/rules/Azure.VM.UseManagedDisks.md b/docs/en/rules/Azure.VM.UseManagedDisks.md
index 2697e97b905..19a3a167b55 100644
--- a/docs/en/rules/Azure.VM.UseManagedDisks.md
+++ b/docs/en/rules/Azure.VM.UseManagedDisks.md
@@ -197,6 +197,7 @@ To address this issue at runtime use the following policies:
 ## LINKS
 - [RE:01 Simplicity and efficiency](https://learn.microsoft.com/azure/well-architected/reliability/simplify)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Introduction to Azure managed disks](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview)
 - [Reliability in Virtual Machines](https://learn.microsoft.com/azure/reliability/reliability-virtual-machines)
 - [Using disks in Azure Resource Manager Templates](https://learn.microsoft.com/azure/virtual-machines/using-managed-disks-template-deployments)
diff --git a/docs/en/rules/Azure.VMSS.PublicIPAttached.md b/docs/en/rules/Azure.VMSS.PublicIPAttached.md
index 05898b5b632..5ad99a0c215 100644
--- a/docs/en/rules/Azure.VMSS.PublicIPAttached.md
+++ b/docs/en/rules/Azure.VMSS.PublicIPAttached.md
@@ -134,6 +134,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
 - [Networking for scale sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking)
 - [Public IPv4 per virtual machine](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine)
diff --git a/docs/en/rules/Azure.VMSS.PublicKey.md b/docs/en/rules/Azure.VMSS.PublicKey.md
index eeb275c35c8..46f5fb576df 100644
--- a/docs/en/rules/Azure.VMSS.PublicKey.md
+++ b/docs/en/rules/Azure.VMSS.PublicKey.md
@@ -212,6 +212,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = {
 ## LINKS
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline)
 - [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets)
diff --git a/docs/en/rules/Azure.VMSS.ScriptExtensions.md b/docs/en/rules/Azure.VMSS.ScriptExtensions.md
index d7dea73200f..4c26feecd2b 100644
--- a/docs/en/rules/Azure.VMSS.ScriptExtensions.md
+++ b/docs/en/rules/Azure.VMSS.ScriptExtensions.md
@@ -82,5 +82,6 @@ extensionProfile: {
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Azure VMSS Extensions Overview](https://learn.microsoft.com/azure/virtual-machines/extensions/overview)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets/extensions)
diff --git a/docs/en/rules/Azure.VNET.FirewallSubnet.md b/docs/en/rules/Azure.VNET.FirewallSubnet.md
index 3f3d7b33c4b..32fb13f3b15 100644
--- a/docs/en/rules/Azure.VNET.FirewallSubnet.md
+++ b/docs/en/rules/Azure.VNET.FirewallSubnet.md
@@ -115,6 +115,7 @@ resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
 ## LINKS
 - [Azure features for segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation#azure-features-for-segmentation)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Hub-spoke network topology in Azure](https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)
 - [Define an Azure network topology](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology)
 - [What is Azure Firewall?](https://learn.microsoft.com/azure/firewall/overview)
diff --git a/docs/en/rules/Azure.VNET.PrivateSubnet.md b/docs/en/rules/Azure.VNET.PrivateSubnet.md
index ce93344ccab..afb1cd47a87 100644
--- a/docs/en/rules/Azure.VNET.PrivateSubnet.md
+++ b/docs/en/rules/Azure.VNET.PrivateSubnet.md
@@ -214,6 +214,7 @@ az network vnet subnet update -n '' -g '' --vnet-na
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Default outbound access](https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access)
 - [Plan for inbound and outbound internet connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity)
 - [What is Azure NAT Gateway?](https://learn.microsoft.com/azure/nat-gateway/nat-overview)
diff --git a/docs/en/rules/Azure.VNET.UseNSGs.md b/docs/en/rules/Azure.VNET.UseNSGs.md
index bdb71142188..f5284faca38 100644
--- a/docs/en/rules/Azure.VNET.UseNSGs.md
+++ b/docs/en/rules/Azure.VNET.UseNSGs.md
@@ -171,6 +171,7 @@ configuration:
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
 - [Network Security Best Practices](https://learn.microsoft.com/azure/security/fundamentals/network-best-practices#logically-segment-subnets)
 - [Azure Firewall FAQ](https://learn.microsoft.com/azure/firewall/firewall-faq#are-network-security-groups--nsgs--supported-on-the-azurefirewallsubnet)
 - [Forced tunneling configuration](https://learn.microsoft.com/azure/firewall/forced-tunneling#forced-tunneling-configuration)
From 58d05da2686a4920d70666a9bf1878117a38c2dd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 19:27:46 +0000
Subject: [PATCH 6/6] Reclassify maturity levels for ACR.AnonymousAccess, APIM.EncryptValues, AppConfig.SecretLeak (L1), AI.PrivateEndpoints (L4), ACR.Quarantine/ContentTrust (L5)
Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/5915218c-ac34-4966-b7db-04037485eb09
Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
---
 docs/en/rules/Azure.ACR.AnonymousAccess.md | 2 +-
 docs/en/rules/Azure.ACR.ContentTrust.md | 2 +-
 docs/en/rules/Azure.ACR.Quarantine.md | 2 +-
 docs/en/rules/Azure.AI.PrivateEndpoints.md | 2 +-
 docs/en/rules/Azure.APIM.EncryptValues.md | 2 +-
 docs/en/rules/Azure.AppConfig.SecretLeak.md | 2 +-
 src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml | 6 +++---
 src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml | 2 +-
 src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 | 2 +-
 src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/docs/en/rules/Azure.ACR.AnonymousAccess.md b/docs/en/rules/Azure.ACR.AnonymousAccess.md
index 97d9795bbde..54b4c121850 100644
--- a/docs/en/rules/Azure.ACR.AnonymousAccess.md
+++ b/docs/en/rules/Azure.ACR.AnonymousAccess.md
@@ -143,7 +143,7 @@ For example: You are a software vendor and intend to distribute container images
 ## LINKS
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
-- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
 - [Make your container registry content publicly available](https://learn.microsoft.com/azure/container-registry/anonymous-pull-access)
 - [Azure security baseline for Container Registry](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/container-registry-security-baseline#im-1-use-centralized-identity-and-authentication-system)
diff --git a/docs/en/rules/Azure.ACR.ContentTrust.md b/docs/en/rules/Azure.ACR.ContentTrust.md
index d7fef146f04..a3041c50fe0 100644
--- a/docs/en/rules/Azure.ACR.ContentTrust.md
+++ b/docs/en/rules/Azure.ACR.ContentTrust.md
@@ -118,7 +118,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
 ## LINKS
 - [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
-- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Security: Level 5](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level5)
 - [Content trust in Azure Container Registry](https://learn.microsoft.com/azure/container-registry/container-registry-content-trust)
 - [Content trust in Docker](https://docs.docker.com/engine/security/trust/content_trust/)
 - [Overview of customer-managed keys](https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys#before-you-enable-a-customer-managed-key)
diff --git a/docs/en/rules/Azure.ACR.Quarantine.md b/docs/en/rules/Azure.ACR.Quarantine.md
index 2de46e77624..a4c2b2fd61a 100644
--- a/docs/en/rules/Azure.ACR.Quarantine.md
+++ b/docs/en/rules/Azure.ACR.Quarantine.md
@@ -120,7 +120,7 @@ Image quarantine for Azure Container Registry is currently in preview.
 ## LINKS
 - [Monitor Azure resources in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/architecture/framework/security/monitor-resources#containers)
-- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Security: Level 5](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level5)
 - [How do I enable automatic image quarantine for a registry?](https://learn.microsoft.com/azure/container-registry/container-registry-faq#how-do-i-enable-automatic-image-quarantine-for-a-registry-)
 - [Quarantine Pattern](https://github.com/Azure/acr/tree/main/docs/preview/quarantine)
 - [Secure the images and run time](https://learn.microsoft.com/azure/aks/operator-best-practices-container-image-management#secure-the-images-and-run-time)
diff --git a/docs/en/rules/Azure.AI.PrivateEndpoints.md b/docs/en/rules/Azure.AI.PrivateEndpoints.md
index fca9707372d..6ceecc35d51 100644
--- a/docs/en/rules/Azure.AI.PrivateEndpoints.md
+++ b/docs/en/rules/Azure.AI.PrivateEndpoints.md
@@ -96,7 +96,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 ## LINKS
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
-- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Security: Level 4](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level4)
 - [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
 - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
diff --git a/docs/en/rules/Azure.APIM.EncryptValues.md b/docs/en/rules/Azure.APIM.EncryptValues.md
index 91af4f9f9fb..a05ad258b86 100644
--- a/docs/en/rules/Azure.APIM.EncryptValues.md
+++ b/docs/en/rules/Azure.APIM.EncryptValues.md
@@ -94,6 +94,6 @@ The identity needs permissions to get and list secrets from the Key Vault. Also
 ## LINKS
 - [Key storage](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys#key-storage)
-- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
 - [Prerequisites for key vault integration](https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal#prerequisites-for-key-vault-integration)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/namedvalues#keyvaultcontractcreatepropertiesorkeyvaultcontractpr)
diff --git a/docs/en/rules/Azure.AppConfig.SecretLeak.md b/docs/en/rules/Azure.AppConfig.SecretLeak.md
index 5dd8dfc71a5..7e6d4b5ac1c 100644
--- a/docs/en/rules/Azure.AppConfig.SecretLeak.md
+++ b/docs/en/rules/Azure.AppConfig.SecretLeak.md
@@ -111,7 +111,7 @@ For example:
 ## LINKS
 - [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets)
-- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Security: Level 1](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level1)
 - [IM-8: Restrict the exposure of credential and secrets](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-app-configuration-security-baseline#im-8-restrict-the-exposure-of-credential-and-secrets)
 - [Use Key Vault references in an ASP.NET Core app](https://learn.microsoft.com/azure/azure-app-configuration/use-key-vault-references-dotnet-core)
 - [Reload secrets and certificates from Key Vault automatically](https://learn.microsoft.com/azure/azure-app-configuration/reload-key-vault-secrets-dotnet)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
index fbbd6358fce..50a2a7544e6 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml
@@ -88,7 +88,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: ['DS-6', 'PV-5']
- Azure.WAF/maturity: L2
+ Azure.WAF/maturity: L5
 spec:
 type:
 - Microsoft.ContainerRegistry/registries
@@ -108,7 +108,7 @@ metadata:
 ruleSet: 2020_12
 Azure.WAF/pillar: Security
 labels:
- Azure.WAF/maturity: L2
+ Azure.WAF/maturity: L5
 spec:
 with:
 - Azure.ACR.IsPremiumSKU
@@ -154,7 +154,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: IM-1
- Azure.WAF/maturity: L2
+ Azure.WAF/maturity: L1
 spec:
 with:
 - Azure.ACR.IsPremiumSKU
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml
index aac1c4e11ed..b79844c3dc7 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml
@@ -106,7 +106,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: NS-2
- Azure.WAF/maturity: L2
+ Azure.WAF/maturity: L4
 spec:
 type:
 - Microsoft.CognitiveServices/accounts
diff --git a/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
index c68ef078f60..689e4e57c31 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
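Review bot: Relabelling `Azure.WAF/maturity` from `L2` to `L5`, `L5` and `L1` in the three `Azure.ACR.Rule.yaml` hunks (and to `L4` in the `Azure.AI.Rule.yaml` hunk) changes which baseline selects these rules, and nothing in this commit shows that the baselines follow: an earlier patch in this series adds an `Azure.Pillar.Security.L2` baseline, and if that baseline selects rules by an exact match on this label, `Azure.ACR.AnonymousAccess` (now `L1`) silently drops out of the L2 baseline even though a level-2 posture would be expected to include level-1 controls. It would be worth confirming that the L2 baseline selector is cumulative (matches `L1` as well as `L2`) or that baselines for `L1`, `L4` and `L5` exist, and adding a test that pins the expected rule membership per level so a future relabel cannot remove a control unnoticed. The same concern applies to the `L1` relabels in `Azure.APIM.Rule.ps1` and `Azure.AppConfig.Rule.ps1`. The diffstat in the commit record lists no `docs/changelog.md` change; if the changelog entry from the earlier patch describes these rules as L2, it is now stale and should be corrected.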
@@ -82,7 +82,7 @@ Rule 'Azure.APIM.HTTPBackend' -Ref 'AZR-000044' -Type 'Microsoft.ApiManagement/s
 }
 # Synopsis: Encrypt all API Management named values with Key Vault secrets.
-Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8', 'DP-7'); 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8', 'DP-7'); 'Azure.WAF/maturity' = 'L1' } {
 $namedValues = @($TargetObject)
 if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
 $namedValues = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/namedValues')
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1
index 43aff07a6f2..5621d92fcc2 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.AppConfig.Rule.ps1
@@ -41,7 +41,7 @@ Rule 'Azure.AppConfig.PurgeProtect' -Ref 'AZR-000313' -Type 'Microsoft.AppConfig
 }
 # Synopsis: Secrets stored as key values in an App Configuration Store may be leaked to unauthorized users.
-Rule 'Azure.AppConfig.SecretLeak' -Ref 'AZR-000490' -Type 'Microsoft.AppConfiguration/configurationStores', 'Microsoft.AppConfiguration/configurationStores/keyValues' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8'); 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.AppConfig.SecretLeak' -Ref 'AZR-000490' -Type 'Microsoft.AppConfiguration/configurationStores', 'Microsoft.AppConfiguration/configurationStores/keyValues' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('IM-8'); 'Azure.WAF/maturity' = 'L1' } {
 $kv = @($TargetObject)
 if ($PSRule.TargetType -eq 'Microsoft.AppConfiguration/configurationStores') {
 $kv = @(GetSubResources -ResourceType 'Microsoft.AppConfiguration/configurationStores/keyValues', 'keyValues')