Azure Cloud Misconfiguration

Name Description
azure-aks-api-iprange Ensure AKS has API Server Authorized IP Ranges enabled
azure-aks-logging-enable Ensure AKS logging to Azure Monitoring is configured
azure-aks-networkpolicy Ensure AKS cluster has Network Policy configured
azure-aks-private-cluster Ensure that AKS enables private clusters
azure-aks-rbac-enabled Ensure RBAC is enabled on AKS clusters
azure-appsvc-ad-enabled Ensure that Register with Azure Active Directory is enabled on App Service
azure-appsvc-auth-enabled Ensure App Service Authentication is set on Azure App Service
azure-appsvc-cors-restrictive Ensure that CORS does not allow every resource to access app services
azure-appsvc-disable-debug Ensure that remote debugging is not enabled for app services
azure-appsvc-ftp-disabled Ensure FTP deployments are disabled
azure-appsvc-http-redirect Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
azure-appsvc-http-tls-version Ensure web app is using the latest version of TLS encryption
azure-appsvc-http-version Ensure that 'HTTP Version' is the latest if used to run the web app
azure-automn-variable-encrypted Ensure that Automation account variables are encrypted
azure-batch-keyvault Ensure that Azure Batch account uses key vault to encrypt data
azure-dashboard-disable Ensure Kube Dashboard is disabled
azure-db-audit-enabled Ensure that 'Auditing' is set to 'On' for SQL servers
azure-db-audit-retention Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
azure-db-public-ingress Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
azure-funcapp-auth-enabled Ensure that function apps enable authentication
azure-funcapp-http-version Ensure that 'HTTP Version' is the latest, if used to run the Function app
azure-funcapp-https-only Ensure that Function apps are only accessible over HTTPS
azure-machine-scaleset-auth Ensure Azure Linux scale set does not use basic authentication
azure-machine-scaleset-encrypt Ensure that Virtual machine scale sets have encryption at host enabled
azure-machine-sensitive-data Ensure that no sensitive credentials are exposed in VM custom_data
azure-mariadb-public-ingress Ensure 'public network access enabled' is set to 'False' for MariaDB servers
azure-mariadb-ssl-enabled Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers
azure-monitor-audit-activities Ensure audit profile captures all the activities
azure-monitor-log-retention Ensure that Activity Log Retention is set to 365 days or greater
azure-mssql-audit-retention Ensure an audit log retention period greater than 90 days
azure-mssql-email-service Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers
azure-mssql-send-alerts Ensure that 'Send Alerts To' is enabled for MSSQL servers
azure-mssql-threat-types Ensure that 'Threat Detection types' is set to 'All'
azure-mssql-tls-version Ensure MSSQL is using the latest version of TLS encryption
azure-mysql-enforce-ssl Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
azure-mysql-public-ingress Ensure 'public network access enabled' is set to 'False' for MySQL servers
azure-mysql-tls-version Ensure MySQL is using the latest version of TLS encryption
azure-network-log-retention Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
azure-network-public-rdp Ensure that RDP access is restricted from the internet
azure-network-public-udp Ensure that UDP Services are restricted from the Internet
azure-psql-enforce-ssl Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
azure-psql-param-conn-throttling Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
azure-psql-public-ingress Ensure that PostgreSQL server disables public network access
azure-seccntr-email-alerts Ensure that 'Send email notification for high severity alerts' is set to 'On'
azure-storage-public-access Ensure that 'Public access level' is set to Private for blob containers
azure-storage-public-ingress Ensure default network access rule for Storage Accounts is set to deny
azure-storage-secure-xfer Ensure that 'Secure transfer required' is set to 'Enabled'
azure-storage-tls-version Ensure Storage Account is using the latest version of TLS encryption
azure-storage-trust-msft Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
azure-storsync-public-ingress Ensure that Azure File Sync disables public network access
azure-vault-allow-firewall Ensure that key vault allows firewall rules settings
azure-vault-key-expiry Ensure that the expiration date is set on all keys
azure-vault-purge-protection Ensure that key vault enables purge protection
azure-vault-secret-expiry Ensure that the expiration date is set on all secrets